• openssl生成v3版自签证书


    openssl默认生成的是v1版本的证书,需要特殊的openssl.cnf文件如下:

    tsa_policy2 = 1.2.3.4.5.6
    tsa_policy3 = 1.2.3.4.5.7
    
    ####################################################################
    [ ca ]
    default_ca = CA_default  # The default ca section
    
    ####################################################################
    [ CA_default ]
    
    dir  = ./demoCA  # Where everything is kept
    certs  = $dir/certs  # Where the issued certs are kept
    crl_dir  = $dir/crl  # Where the issued crl are kept
    database = $dir/index.txt # database index file.
    #unique_subject = no   # Set to 'no' to allow creation of
         # several ctificates with same subject.
    new_certs_dir = $dir/newcerts  # default place for new certs.
    
    certificate = $dir/cacert.pem  # The CA certificate
    serial  = $dir/serial   # The current serial number
    crlnumber = $dir/crlnumber # the current crl number
         # must be commented out to leave a V1 CRL
    crl  = $dir/crl.pem   # The current CRL
    private_key = $dir/private/cakey.pem# The private key
    RANDFILE = $dir/private/.rand # private random number file
    
    x509_extensions = usr_cert  # The extentions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt  = ca_default  # Subject Name options
    cert_opt  = ca_default  # Certificate field options
    
    # Extension copying option: use with caution.
    # copy_extensions = copy
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions = crl_ext
    
    default_days = 365   # how long to certify for
    default_crl_days= 30   # how long before next CRL
    default_md = default  # use public key default MD
    preserve = no   # keep passed DN ordering
    
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy  = policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName  = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = optional
    commonName  = supplied
    emailAddress  = optional
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName  = optional
    stateOrProvinceName = optional
    localityName  = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName  = supplied
    emailAddress  = optional
    
    ####################################################################
    [ req ]
    default_bits  = 1024
    default_keyfile  = privkey.pem
    distinguished_name = req_distinguished_name
    attributes  = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert
    
    # Passwords for private keys if not present they will be prompted for
    # input_password = secret
    # output_password = secret
    
    # This sets a mask for permitted string types. There are several options. 
    # default: PrintableString, T61String, BMPString.
    # pkix  : PrintableString, BMPString (PKIX recommendation before 2004)
    # utf8only: only UTF8Strings (PKIX recommendation after 2004).
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
    string_mask = utf8only
    
    req_extensions = v3_req # The extensions to add to a certificate request
    
    [ req_distinguished_name ]
    countryName   = Country Name (2 letter code)
    countryName_default  = CN
    countryName_min   = 2
    countryName_max   = 2
    
    stateOrProvinceName  = State or Province Name (full name)
    stateOrProvinceName_default = BeiJing
    
    localityName   = Locality Name (eg, city)
    
    0.organizationName  = Organization Name (eg, company)
    0.organizationName_default = myca
    
    # we can do this but it is not needed normally :-)
    #1.organizationName  = Second Organization Name (eg, company)
    #1.organizationName_default = World Wide Web Pty Ltd
    
    organizationalUnitName  = Organizational Unit Name (eg, section)
    #organizationalUnitName_default =
    
    commonName   = Common Name (e.g. server FQDN or YOUR name)
    commonName_max   = 64
    
    emailAddress   = Email Address
    emailAddress_max  = 64
    
    # SET-ex3   = SET extension number 3
    
    [ req_attributes ]
    challengePassword  = A challenge password
    challengePassword_min  = 4
    challengePassword_max  = 20
    
    unstructuredName  = An optional company name
    
    [ usr_cert ]
    
    # These extensions are added when 'ca' signs a request.
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    # nsCertType   = server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    # This will be displayed in Netscape's comment listbox.
    nsComment   = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This is required for TSA certificates.
    # extendedKeyUsage = critical,timeStamping
    
    [ svr_cert ]
    
    # These extensions are added when 'ca' signs a request.
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    nsCertType   = server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    #  digitalSignature nonRepudiation keyEncipherment dataEncipherment  
    #  keyAgreement keyCertSign cRLSign encipherOnly decipherOnly 
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
    
    # This will be displayed in Netscape's comment listbox.
    #nsComment   = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This is required for TSA certificates.
    extendedKeyUsage = serverAuth,clientAuth
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    [ v3_ca ]
    
    
    # Extensions for a typical CA
    
    
    # PKIX recommendation.
    
    subjectKeyIdentifier=hash
    
    authorityKeyIdentifier=keyid:always,issuer
    
    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true
    
    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign
    
    # Some might want this also
    # nsCertType = sslCA, emailCA
    
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    
    [ crl_ext ]
    
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always
    
    [ proxy_cert_ext ]
    # These extensions should be added when creating a proxy certificate
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=CA:FALSE
    
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    
    # This is OK for an SSL server.
    # nsCertType   = server
    
    # For an object signing certificate this would be used.
    # nsCertType = objsign
    
    # For normal client use this is typical
    # nsCertType = client, email
    
    # and for everything including object signing:
    # nsCertType = client, email, objsign
    
    # This is typical in keyUsage for a client certificate.
    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    # This will be displayed in Netscape's comment listbox.
    nsComment   = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This really needs to be in place for it to be a proxy certificate.
    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
    
    ####################################################################
    [ tsa ]
    
    default_tsa = tsa_config1 # the default TSA section
    
    [ tsa_config1 ]
    
    # These are used by the TSA reply generation only.
    dir  = ./demoCA  # TSA root directory
    serial  = $dir/tsaserial # The current serial number (mandatory)
    crypto_device = builtin  # OpenSSL engine to use for signing
    signer_cert = $dir/tsacert.pem  # The TSA signing certificate
         # (optional)
    certs  = $dir/cacert.pem # Certificate chain to include in reply
         # (optional)
    signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
    
    default_policy = tsa_policy1  # Policy if request did not specify it
         # (optional)
    other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
    digests  = md5, sha1  # Acceptable message digests (mandatory)
    accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
    clock_precision_digits  = 0 # number of digits after dot. (optional)
    ordering  = yes # Is ordering defined for timestamps?
        # (optional, default: no)
    tsa_name  = yes # Must the TSA name be included in the reply?
        # (optional, default: no)
    ess_cert_id_chain = no # Must the ESS cert id chain be included?
        # (optional, default: no)
    View Code

    x509证书一般会用到三个文件:key,csr,crt

    key是私钥

    csr是证书请求文件(Certficate signing request),申请证书的时候要用到,必须用自己的私钥来签署申请

    crt是证书文件

    CA证书生成步骤

    生成私钥->生成证书请求->自签得到.crt

    具体流程如下。红色部分是需要输入的命令。

    root@ubuntu:/home/bert/x64/openssl/bin# openssl genrsa -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................................+++
    ........+++
    e is 65537 (0x10001)
    root@ubuntu:/home/bert/x64/openssl/bin# openssl req -new -key ca.key -out ca.csr

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Guangdong
    Locality Name (eg, city) []:Shenzhen
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:saturday
    Organizational Unit Name (eg, section) []:saturday
    Common Name (e.g. server FQDN or YOUR name) []:saturday
    Email Address []:bert@saturday.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:********
    An optional company name []:

    root@ubuntu:/home/bert/x64/openssl/bin# openssl x509 -req -days 3650 -sha256 -extfile openssl.cnf -extensions v3_req -in ca.csr -signkey ca.key -out ca.crt
    Signature ok
    subject=/C=CN/ST=Guangdong/L=Shenzhen/O=saturday/OU=saturday/CN=saturday/emailAddress=bert@saturday.com
    Getting Private key

  • 相关阅读:
    忍者X2简介+安装包+安装环境说明 [复制链接]
    拖拽的功能,可以看看这个
    openNI驱动控制kinect马达
    室内机器人漫游
    石头剪子布 C++多态实现
    PCL的KinectFusion开源实现
    Microsoft Kinect SDK中的Event Model
    小说下载阅读器_章节保存为XML并显示
    面试题:猫叫、老鼠跑、人醒的一点看法
    JQuery EasyUI之treegrid级联勾选的简单改进版
  • 原文地址:https://www.cnblogs.com/real-bert/p/11807225.html
Copyright © 2020-2023  润新知