zoukankan      html  css  js  c++  java

  • gmssl 生成证书以及生成crl

    配置环境:

     

    mkdir  demoCA
cd  demoCA
mkdir certs crl newcerts private
touch index.txt
touch index.txt.attr
echo "01" > serial
echo "01" > crlnumber

    index.txt:openSSL定义的已签发证书的文本数据库文件,这个文件通常在初始化的时候是空的;

    serial:证书签发时使用的序列号参考文件,该文件的序列号是以16进制格式进行存放的,该文件必须提供并且包含一个有效的序列号。

     

    修改配置文件/usr/local/gmssl/openssl.cnf中“[ usr_cert ]”中的属性值

    [ CA_default ]

    dir = ./demoCA # Where everything is kept

    [ usr_cert ]

    

    # These extensions are added when 'ca' signs a request.
    

    

    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    

    

    basicConstraints=CA:FALSE
    

    

    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    

    

    # This is OK for an SSL server.
    # nsCertType                    = server
    

    

    # For an object signing certificate this would be used.
    # nsCertType = objsign
    

    

    # For normal client use this is typical
    # nsCertType = client, email
    

    

    # and for everything including object signing:
    

    

    # nsCertType = client, email, objsign
    

    

    # This is typical in keyUsage for a client certificate.
    

    #密钥用途根据需要修改
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    # keyUsage = digitalSignature
    # keyUsage = keyEncipherment
    

    

    # This will be displayed in Netscape's comment listbox.
    nsComment                       = "GmSSL Generated Certificate"
    

    

    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    

    #增加CRL分发点
    

    crlDistributionPoints = URI:http://127.0.0.1/test.crl
    

    #增加OCSP
    extendedKeyUsage = critical, OCSPSigning
    authorityInfoAccess = OCSP;URI:http:/127.0.0.1:8888
    

    

    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    

    

    # Copy subject details
    # issuerAltName=issuer:copy
    

    

    #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    

    

    # This is required for TSA certificates.
    # extendedKeyUsage = critical,timeStamping
    






    

     
    

    root证书
    

    

    gmssl ecparam -genkey -name sm2p256v1 -out Root.key

gmssl req -x509 -sm3 -days 3650 -key Root.key -out RootCA.crt -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyR"
    

    

     
    

    注:为了不修改openssl.cnf配置文件默认设置,在生成root证书后,在demoCA文件中做一个软连接。
    

    

    cd demoCA

ln -sf RootCA.crt cacert.pem

cd demoCA/private

ln -sf Root.key cakey.pem
    

    



    ca证书
    

    

    gmssl ecparam -genkey -name sm2p256v1 -out ca.key

gmssl req  -new -sm3 -extensions v3_req -key ca.key -out ca.csr -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyI"

gmssl ca -md sm3 -extensions v3_ca -batch -in ca.csr -out ca.crt -days 1850 -cert RootCA.crt -keyfile Root.key 
    

    

     
    

    下一级CA证书
    

    

    gmssl ecparam -genkey -name sm2p256v1 -out ca2.key

gmssl req  -new -sm3 -extensions v3_req -key ca2.key -out ca2.csr -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyS"

gmssl ca -md sm3 -extensions v3_ca -batch -in ca2.csr -out ca2.crt -days 1850 -cert ca.crt -keyfile ca.key 
    

    

     
    

    使用ca证书颁发用户证书
    

    

    gmssl ecparam -genkey -name sm2p256v1 -text -out user.key

gmssl req -new -key user.key -out user.req -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hy"

gmssl ca -md sm3 -batch -in user.req -out user.crt -days 365 -cert ca.crt -keyfile ca.key 
    

    

     
    

    用户证书转换为pfx格式
    

    

    gmssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt
    

    


    吊销证书

    

    

    gmssl ca -revoke user.crt
    

    


    生成吊销证书列表

    

    

    gmssl ca -gencrl -out test.crl
    

    


    更新CRL(每次吊销后都需要手动更新CRL)
    

    

    gmssl ca -gencrl  (-crldays 7 [指定CRL更新天数,默认是一个月]) -cert user.crt -keyfile user.key -out test.crl
    

    


    查看吊销证书列表

    

    

    gmssl crl -in test.crl -noout -text
    

    

     
    

    加密和签名证书属性的配置:
    

    修改配置文件openssl.cnf中“[ usr_cert ]”中的属性值
    

    

    # This is typical in keyUsage for a client certificate.
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# keyUsage = digitalSignature
# keyUsage = keyEncipherment
    

    

     
    

    key usage扩展为Digital Signature, Non-Repudiation, Key Encipherment (e0),证书可以用来加密和签名。
    key usage扩展为Digital Signature没有加密功能,只能用来签名。
    key usage扩展为keyEncipherment没有签名功能,只能用来加密。
    

     
    

     
    

     
    

                                                    日子匆匆穿过我而行,奔向海洋!
    

      

    • 添加到短语集

       
      








拷贝

        

      • 没有此单词集:英语 -> 中文(简体)...

         
        












        • 

      • 创建新的单词集...
        • 












      












      • 

    • 












    

    
    
                
    
                
              
    • 
              
    
              
  • 

                相关阅读:
    
                
                  Word 2007 测试 
                    
    全硬盘安装Win Vista 6000 RTM方法(转) 
                    
    Javascript 解析,格式化日期 (转) 
                    
    转:使用hgfs实现vmare文件传输一法,无需任何网络相关设置 
                    
    配置和运行版本验证测试(转自msdn) 
                    
    TFS错误一则(資料集 'IterationParam' 的查詢執行失敗) 
                    
    ghostdoc 1.9.5 for vista install 
                    
    January 2007 Community Technology Preview 1 安装 
                    
    Changing to a friendly Team Foundation Server Name (舶来品) 
                    
    命令行使用小结 
                    
                        
              
    • 
              
    
              
  • 
                原文地址:https://www.cnblogs.com/marshu/p/13645569.html
              
    • 

            

          



          
          

            

            

          

        

      

      



      

      

        

          Copyright © 2011-2022 走看看