openssl: configuring a self-built CA

    Personal study notes; please do not repost!!!

    Original: https://www.cnblogs.com/wshenjin/p/12519455.html


    Building the CA

    Self-signed certificate:
    Note: the default certificate configuration is documented in /etc/pki/tls/openssl.cnf; the [CA_default] section there gives a good overview of where the CA-related files are kept.

    [ CA_default ]
    dir             = /etc/pki/CA             # path variable used by the entries below
    certs           = $dir/certs              # directory for issued certificates
    database        = $dir/index.txt          # database index file
    new_certs_dir   = $dir/newcerts           # directory for newly signed certificates
    certificate     = $dir/cacert.pem         # path of the CA certificate
    serial          = $dir/serial             # current certificate serial number
    private_key     = $dir/private/cakey.pem  # path of the CA private key
    
    1. Create the directories and files under the CA directory
    # mkdir /etc/pki/CA/{certs,crl,newcerts,private}
    # touch /etc/pki/CA/{serial,index.txt}
    

    The directories /etc/pki/CA/{certs,newcerts,private} already exist by default once openssl is installed, so they do not need to be created separately.
    The certificate database file index.txt and the serial file serial must be created, though, and the serial file must first be given an initial number, such as "01":

    # echo 01 > /etc/pki/CA/serial 
    
    2. Generate the CA private key

    The CA private key is stored at the location given by private_key in the configuration file, by default /etc/pki/CA/private/cakey.pem:

    # (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    
    3. Generate the CA's self-signed certificate

    Per the "certificate=$dir/cacert.pem" entry in the configuration file, the CA certificate must be placed in the /etc/pki/CA directory and named cacert.pem; only then can it be used later to sign other certificate requests:

    # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GuangDong
    Locality Name (eg, city) [Default City]:GuangZhou
    Organization Name (eg, company) [Default Company Ltd]:Im CA
    Organizational Unit Name (eg, section) []:ca
    Common Name (eg, your name or your server's hostname) []:imca.com
    Email Address []:root@imca.com
    

    When creating the request, Country Name, State or Province Name, Organization Name and Common Name are required by default.

    At this point the self-built CA is complete.

    Issuing certificates with the self-built CA

    1. Create the private key
    # (umask 077;openssl genrsa -out example.com.key 2048)
    
    2. Create the certificate signing request
    # openssl req -new -key example.com.key -out example.com.csr
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GuangDong
    Locality Name (eg, city) [Default City]:GuangZhou
    Organization Name (eg, company) [Default Company Ltd]:lulu
    Organizational Unit Name (eg, section) []:game 
    Common Name (eg, your name or your server's hostname) []:example.com
    Email Address []:example@lulu.com 
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:
    
    3. Sign the certificate
    # openssl ca -in example.com.csr -out example.com.crt -days 365
    
    4. Inspect the result
    # openssl x509 -in example.com.crt  -noout -serial -subject
    serial=02
    subject= /C=CN/ST=GuangDong/O=lulu/OU=game/CN=*.example.com/emailAddress=root@lulu.com
    
    5. Notes

    When filling in the certificate request, Country Name, State or Province Name, Organization Name and Common Name must be provided, and the first three must be identical to the corresponding fields of the CA certificate.
    This is determined by the matching policy in the configuration file /etc/pki/tls/openssl.cnf:

    [ ca ]
    default_ca      = CA_default            # The default ca section
    [ CA_default ]
    policy          = policy_match
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    

    "match" means the field in the certificate request that openssl ca is about to sign must match, i.e. be identical to, the field in the CA certificate;
    "supplied" means the field must be provided;
    "optional" means the field is optional and may be left blank.
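    As an added example (not from the original post), the POSIX shell script below reproduces the whole procedure above in a scratch directory: it builds the [CA_default] layout with its own openssl.cnf, signs one CSR non-interactively, verifies the issued certificate against cacert.pem, and shows policy_match rejecting a request whose Organization Name differs from the CA's (the situation behind error 3 below). It assumes only that the openssl command-line tool is installed; every path and subject value is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the [CA_default] layout in a
# scratch dir with a private openssl.cnf, sign a CSR, verify it, and show that
# policy_match rejects a request whose O differs. Assumes the openssl CLI only.
CA_DIR="${TMPDIR:-/tmp}/demo-ca.$$"          # constructed scratch location
trap 'rm -rf "$CA_DIR"' EXIT

setup_ca() {
    mkdir -p "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"        # the database must exist, even if empty
    echo 01 > "$CA_DIR/serial"     # seed the serial, otherwise "openssl ca" fails (error 2)
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $CA_DIR
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
default_md     = sha256
policy         = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem" -days 3650 -subj "/C=CN/ST=GuangDong/O=Im CA/CN=imca.com"
}
# issue_cert SUBJECT NAME: 0 if the CA signed NAME.csr, non-zero if the policy rejected it
issue_cert() {
    openssl genrsa -out "$CA_DIR/$2.key" 2048 2>/dev/null &&
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/$2.key" \
        -out "$CA_DIR/$2.csr" -subj "$1" 2>/dev/null &&
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/$2.csr" \
        -out "$CA_DIR/$2.crt" -days 365 >/dev/null 2>&1
}
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1; }
next_serial() { cat "$CA_DIR/serial"; }      # "02" after the first signing, as in the post
```

    Run setup_ca, then issue_cert with a subject whose C/ST/O match the CA to get a signed certificate; a subject with a different O is refused by openssl ca and the serial file stays untouched.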

    After signing succeeds, let's look at the file structure of the CA directory:

    # tree /etc/pki/CA/
    /etc/pki/CA
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    

    01.pem is the certificate that was just signed; its md5 is identical:

    # md5sum example.com.crt  /etc/pki/CA/newcerts/01.pem 
    bea8caec9183addbe8df2b293e8694a1  example.com.crt
    bea8caec9183addbe8df2b293e8694a1  /etc/pki/CA/newcerts/01.pem
    
    6. Add the self-built CA certificate to the system trust store
    # cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt 
    

    After this, certificates signed by the self-built CA are trusted by the system:

    # curl -Iv -s  https://example.com/index.html 
    * About to connect() to example.com port 443 (#0)
    *   Trying 127.0.0.1...
    * Connected to example.com (127.0.0.1) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: E=example@lulu.com,CN=example.com,OU=game,O=lulu,ST=GuangDong,C=CN
    *       start date: Mar 18 10:03:22 2020 GMT
    *       expire date: Mar 18 10:03:22 2021 GMT
    *       common name: example.com
    *       issuer: E=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
    > HEAD /index.html HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: example.com
    > Accept: */*
    


    Now look at the database index file and the serial-number file:

    # cat /etc/pki/CA/index.txt
    V       210318100322Z           01      unknown /C=CN/ST=GuangDong/O=lulu/OU=game/CN=example.com/emailAddress=example@lulu.com
    # cat /etc/pki/CA/serial
    02
    

    So the next time a certificate request is signed, the serial number will be "02".

    Error handling

    Error 1:
    Using configuration from /etc/pki/tls/openssl.cnf
    Error opening CA certificate /etc/pki/CA/cacert.pem
    140003788384144:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/cacert.pem','r')
    140003788384144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    unable to load certificate
    

    The CA certificate /etc/pki/CA/cacert.pem is not at the location specified by certificate in the configuration file /etc/pki/tls/openssl.cnf.

    Error 2:
    Using configuration from /etc/pki/tls/openssl.cnf
    unable to load number from /etc/pki/CA/serial
    error while loading serial number
    140422411036560:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:210:
    

    This is usually because the serial file has not been given an initial value: echo 01 > /etc/pki/CA/serial

    Error 3:
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The organizationName field needed to be the same in the
    CA certificate (comm) and the request (lulu)
    

    Because /etc/pki/tls/openssl.cnf is used by default and its policy requires the two to be identical; change the policy entry to organizationName = supplied.

    References

    https://www.cnblogs.com/f-ck-need-u/p/7115871.html
