基於 OpenSSL 的 CA 創建及證書籤發

http://rhythm-zju.blog.163.com/blog/static/310042008015115718637/

創建 CA

創建 CA 目錄結構

按照 OpenSSL 的默認配置創建 CA ，須要在文件系統中創建相應的目錄結構。相關的配置內容通常位於 /usr/ssl/openssl.cnf 內，詳情可參見 config (1) 。在終端中使用以下命令創建目錄結構：

$ mkdir -p ./demoCA/{private,newcerts}
$ touch ./demoCA/index.txt
$ echo 01 > ./demoCA/serial

產生的目錄結構以下：

.
`-- demoCA/
    |-- index.txt
    |-- newcerts/
    |-- private/
    `-- serial

生成 CA 證書的 RSA 密鑰對

首先，咱們要爲 CA 創建 RSA 密鑰對。打開終端，使用以下命令生成 RSA 密鑰對：

$ openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048

參數解釋

genrsa

用於生成 RSA 密鑰對的 OpenSSL 命令。

-des3

使用 3-DES 對稱加密算法加密密鑰對，該參數須要用戶在密鑰生成過程當中輸入一個口令用於加密。從此使用該密鑰對時，須要輸入相應的口令。若是不加該選項，則不對密鑰進行加密。

-out ./demoCA/private/cakey.pem

令生成的密鑰對保存到文件 ./demoCA/private/cakey.pem 。

2048

RSA 模數位數，在必定程度上表徵了密鑰強度。

該命令輸出以下，用戶應輸入本身的密鑰口令並確認：

Generating RSA private key, 2048 bit long modulus
................................................+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
Verifying - Enter pass phrase for ./demoCA/private/cakey.pem:<re-enter your pass-phrase>

生成 CA 證書請求

爲了獲取一個 CA 根證書，咱們須要先製做一份證書請求。先前生成的 CA 密鑰對被用於對證書請求籤名。

$ openssl req -new -days 365 -key ./demoCA/private/cakey.pem -out careq.pem

參數解釋

req

用於生成證書請求的 OpenSSL 命令。

-new

生成一個新的證書請求。該參數將令 OpenSSL 在證書請求生成過程當中要求用戶填寫一些相應的字段。

-days 365

從生成之時算起，證書時效爲 365 天。

-key ./demoCA/private/cakey.pem

指定 ./demoCA/private/cakey.pem 爲證書所使用的密鑰對文件。

-out careq.pem

令生成的證書請求保存到文件 careq.pem 。

該命令將提示用戶輸入密鑰口令並填寫證書相關信息字段，輸出以下：

Enter pass phrase for ./demoCA/private/cakey.pem:<enter you pass-phrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZJ
Locality Name (eg, city) []:HZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Ltd. Corp.
Organizational Unit Name (eg, section) []:Some Unit
Common Name (eg, YOUR name) []:Someone
Email Address []:some@email.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

對 CA 證書請求進行簽名

在實際應用中，用戶能夠經過向知名 CA 遞交證書請求來申請證書。可是在這裏，咱們須要創建的是一個根 CA ，只能由咱們本身來對證書請求進行簽名。因此咱們讓 OpenSSL 使用證書請求中附帶的密鑰對對該請求進行簽名，也就是所謂的「 self sign 」：

$ openssl ca -selfsign -in careq.pem -out cacert.pem

參數解釋

ca

用於執行 CA 相關操做的 OpenSSL 命令。

-selfsign

使用對證書請求進行簽名的密鑰對來簽發證書。

-in careq.pem

指定 careq.pem 爲證書請求文件。

-out ./demoCA/cacert.pem

指定 ./demoCA/cacert.pem 爲輸出的證書。

該命令要求用戶輸入密鑰口令並輸出相關證書信息，請求用戶確認：

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 16 13:05:09 2008 GMT
            Not After : Jan 15 13:05:09 2009 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = ZJ
            organizationName = Some Ltd. Corp.
            organizationalUnitName = Some Unit
            commonName = Someone
            emailAddress = some@email.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                75:F5:3C:CC:C1:5E:6D:C3:8B:46:A8:08:E6:EA:29:E8:22:7E:70:03
            X509v3 Authority Key Identifier:
                keyid:75:F5:3C:CC:C1:5E:6D:C3:8B:46:A8:08:E6:EA:29:E8:22:7E:70:03
Certificate is to be certified until Jan 15 13:05:09 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

一步完成 CA 證書請求生成及簽名

以上兩個步驟能夠合二爲一。利用 ca 命令的 -x509 參數，經過如下命令同時完成證書請求生成和簽名從而生成 CA 根證書：

$ openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem

參數解釋

req

用於生成證書請求的 OpenSSL 命令。

-new

生成一個新的證書請求。該參數將令 OpenSSL 在證書請求生成過程當中要求用戶填寫一些相應的字段。

-x509

生成一份 X.509 證書。

-days 365

從生成之時算起，證書時效爲 365 天。

-key ./demoCA/private/cakey.pem

指定 cakey.pem 爲證書所使用的密鑰對文件。

-out ./demoCA/cacert.pem

令生成的證書保存到文件 ./demoCA/cacert.pem 。

該命令輸出以下，用戶應輸入相應的字段：

Enter pass phrase for ./demoCA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZJ
Locality Name (eg, city) []:HZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Ltd. Corp.
Organizational Unit Name (eg, section) []:Some Unit
Common Name (eg, YOUR name) []:Someone
Email Address []:some@email.com

至此，咱們便已成功創建了一個私有根 CA 。在這個過程當中，咱們得到了一份 CA 密鑰對文件./demoCA/private/cakey.pem 以及一份由此密鑰對簽名的 CA 根證書文件./demoCA/cacert.pem ，獲得的 CA 目錄結構以下：

.
|-- careq.pem
`-- demoCA/
    |-- cacert.pem
    |-- index.txt
    |-- index.txt.attr
    |-- index.txt.old
    |-- newcerts/
    |   `-- 01.pem
    |-- private/
    |   `-- cakey.pem
    |-- serial
    `-- serial.old

注：若是在 CA 創建過程當中跳過證書請求生成的步驟，則不會產生 careq.pem 文件。

簽發證書

下面咱們就能夠利用創建起來的 CA 進行證書籤發了。

生成用戶證書 RSA 密鑰對

參照 CA 的 RSA 密鑰對生成過程，使用以下命令生成新的密鑰對：

$ openssl genrsa -des3 -out userkey.pem
Generating RSA private key, 512 bit long modulus
....++++++++++++
...++++++++++++
e is 65537 (0x10001)
Enter pass phrase for userkey.pem:<enter your pass-phrase>
Verifying - Enter pass phrase for userkey.pem:<re-enter your pass-phrase>

生成用戶證書請求

參照 CA 的證書請求生成過程，使用以下命令生成新的證書請求：

$ openssl req -new -days 365 -key userkey.pem -out userreq.pem
Enter pass phrase for userkey.pem:<enter your pass-phrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ZJ
Locality Name (eg, city) []:HZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Ltd. Corp.
Organizational Unit Name (eg, section) []:Some Other Unit
Common Name (eg, YOUR name) []:Another
Email Address []:another@email.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

簽發用戶證書

如今，咱們能夠用先前創建的 CA 來對用戶的證書請求進行簽名來爲用戶簽發證書了。使用以下命令：

$ openssl ca -in userreq.pem -out usercert.pem

參數解釋

ca

用於執行 CA 相關操做的 OpenSSL 命令。

-in userreq.pem

指定用戶證書請求文件爲 userreq.pem 。

-out usercert.pem

指定輸出的用戶證書文件爲 usercert.pem 。

該命令要求用戶輸入密鑰口令並輸出相關證書信息，請求用戶確認：

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:<enter your pass-phrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 16 14:50:22 2008 GMT
            Not After : Jan 15 14:50:22 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ZJ
            organizationName          = Some Ltd. Corp.
            organizationalUnitName    = Some Other Unit
            commonName                = Another
            emailAddress              = another@email.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:E7:8E:84:B1:45:27:83:94:A0:DC:24:79:7B:83:97:99:0B:36:A9
            X509v3 Authority Key Identifier:
                keyid:D9:87:12:94:B2:20:C7:22:AB:D4:D5:DF:33:DB:84:F3:B0:4A:EC:A2
Certificate is to be certified until Jan 15 14:50:22 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

至此，咱們便完成了 CA 的創建及用戶證書籤發的所有工做。不妨把全部 shell 命令放到一塊兒縱覽一下：

# 創建 CA 目錄結構
mkdir -p ./demoCA/{private,newcerts}
touch ./demoCA/index.txt
echo 01 > ./demoCA/serial
# 生成 CA 的 RSA 密鑰對
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048
# 生成 CA 證書請求
openssl req -new -days 365 -key ./demoCA/private/cakey.pem -out careq.pem
# 自簽發 CA 證書
openssl ca -selfsign -in careq.pem -out ./demoCA/cacert.pem
# 以上兩步能夠合二爲一
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
# 生成用戶的 RSA 密鑰對
openssl genrsa -des3 -out userkey.pem
# 生成用戶證書請求
openssl req -new -days 365 -key userkey.pem -out userreq.pem
# 使用 CA 簽發用戶證書
openssl ca -in userreq.pem -out usercert.pem

瞭解了這些基礎步驟以後，就能夠經過腳本甚至 makefile 的方式來將這些工做自動化。 CA.pl 和CA.sh 即是對 OpenSSL 的 CA 相關功能的簡單封裝，在 Debian 系統中，安裝了 OpenSSL 後，能夠在 /usr/lib/ssl/misc/ 目錄下找到這兩個文件。而 makefile 的解決方案則能夠參考這裏。

參考文獻

• The Open–source PKI Book: A guide to PKIs and Open–source Implementations, Initialisation of the Certification Authority
  http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/initialisation.htm
• OpenSSL: Documents, OpenSSL(1)
  http://www.openssl.org/docs/apps/openssl.html
• OpenSSL Certificate Authority Setup
  http://sial.org/howto/openssl/ca/