使用 OpenSSL 命令行构建 CA 及证书

共计 9956 个字符，预计需要花费 25 分钟才能阅读完成。

这是一篇快速指南，使用 OpenSSL 来生成 CA（证书授权中心（certificate authority））、中级 CA（intermediate CA）和末端证书（end certificate）。包括 OCSP、CRL 和 CA 颁发者（Issuer）信息、具体颁发和失效日期。

我们将设置我们自己的根 CA（root CA），然后使用根 CA 生成一个示例的中级 CA，并使用中级 CA 签发最终用户证书。

根 CA

为根 CA 创建一个目录，并进入：

1. mkdir-p ~/SSLCA/root/
2. cd~/SSLCA/root/

生成根 CA 的 8192 位长的 RSA 密钥：

1. openssl genrsa -out rootca.key 8192

输出类似如下：

1. Generating RSA private key,8192 bit long modulus
2. .........++
3. ....................................................................................................................++
4. e is65537(0x10001)

如果你要用密码保护这个密钥，在命令行添加选项 -aes256。

创建 SHA-256 自签名的根 CA 证书 ca.crt；你需要为你的根 CA 提供识别信息：

1. openssl req -sha256 -new-x509 -days 1826-key rootca.key -out rootca.crt

输出类似如下：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a DistinguishedNameor a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. CountryName(2 letter code)[AU]:CN
9. StateorProvinceName(full name)[Some-State]:Beijing
10. LocalityName(eg, city)[]:Chaoyang dist.
11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:Linux.CN
12. OrganizationalUnitName(eg, section)[]:Linux.CN CA
13. CommonName(e.g. server FQDN or YOUR name)[]:Linux.CN Root CA
14. EmailAddress[]:ca@linux.cn

创建几个文件，用于该 CA 存储其序列号：

1. touch certindex
2. echo1000> certserial
3. echo1000> crlnumber

创建 CA 的配置文件，该文件包含 CRL 和 OCSP 终端的存根。

1. #vim ca.conf
2. [ ca ]
3. default_ca = myca
4. [ crl_ext ]
5. issuerAltName=issuer:copy
6. authorityKeyIdentifier=keyid:always
7. [ myca ]
8. dir=./
9. new_certs_dir = $dir
10. unique_subject =no
11. certificate = $dir/rootca.crt
12. database = $dir/certindex
13. private_key = $dir/rootca.key
14. serial = $dir/certserial
15. default_days =730
16. default_md = sha1
17. policy = myca_policy
18. x509_extensions = myca_extensions
19. crlnumber = $dir/crlnumber
20. default_crl_days =730
21. [ myca_policy ]
22. commonName = supplied
23. stateOrProvinceName = supplied
24. countryName = optional
25. emailAddress = optional
26. organizationName = supplied
27. organizationalUnitName = optional
28. [ myca_extensions ]
29. basicConstraints = critical,CA:TRUE
30. keyUsage = critical,any
31. subjectKeyIdentifier = hash
32. authorityKeyIdentifier = keyid:always,issuer
33. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
34. extendedKeyUsage = serverAuth
35. crlDistributionPoints =@crl_section
36. subjectAltName =@alt_names
37. authorityInfoAccess =@ocsp_section
38. [ v3_ca ]
39. basicConstraints = critical,CA:TRUE,pathlen:0
40. keyUsage = critical,any
41. subjectKeyIdentifier = hash
42. authorityKeyIdentifier = keyid:always,issuer
43. keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
44. extendedKeyUsage = serverAuth
45. crlDistributionPoints =@crl_section
46. subjectAltName =@alt_names
47. authorityInfoAccess =@ocsp_section
48. [ alt_names ]
49. DNS.0=Linux.CN Root CA
50. DNS.1=Linux.CN CA Root
51. 
[crl_section]
52. URI.0= http://pki.linux.cn/rootca.crl
53. URI.1= http://pki2.linux.cn/rootca.crl
54. [ ocsp_section ]
55. caIssuers;URI.0= http://pki.linux.cn/rootca.crt
56. caIssuers;URI.1= http://pki2.linux.cn/rootca.crt
57. OCSP;URI.0= http://pki.linux.cn/ocsp/
58. OCSP;URI.1= http://pki2.linux.cn/ocsp/

如果你要设置一个特定的证书起止时间，添加下述内容到 [myca]。

1. # format: YYYYMMDDHHMMSS
2. default_enddate =20191222035911
3. default_startdate =20181222035911

创建 1 号中级 CA 

生成中级 CA 的私钥

1. openssl genrsa -out intermediate1.key 4096

生成其 CSR：

1. openssl req -new-sha256 -key intermediate1.key -out intermediate1.csr

输出类似如下：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a DistinguishedNameor a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. CountryName(2 letter code)[AU]:CN
9. StateorProvinceName(full name)[Some-State]:Beijing
10. LocalityName(eg, city)[]:Chaoyang dist.
11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:Linux.CN
12. OrganizationalUnitName(eg, section)[]:Linux.CN CA
13. CommonName(e.g. server FQDN or YOUR name)[]:Linux.CN Intermediate CA
14. EmailAddress[]:
15. Please enter the following 'extra' attributes
16. to be sent with your certificate request
17. A challenge password []:
18. An optional company name []:

请确保中级 CA 的主题名（CN，Common Name）和根 CA 的不同。

使用根 CA 为你创建的中级 CA 的 CSR 签名：

1. openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt

输出类似如下：

1. Using configuration from ca.conf
2. Check that the request matches the signature
3. Signature ok
4. TheSubject's Distinguished Name is as follows
5. countryName :PRINTABLE:'CN'
6. stateOrProvinceName :ASN.1 12:'Beijing'
7. localityName :ASN.1 12:'chaoyang dist.'
8. organizationName :ASN.1 12:'Linux.CN'
9. organizationalUnitName:ASN.1 12:'Linux.CN CA'
10. commonName :ASN.1 12:'Linux.CN Intermediate CA'
11. Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
12. Write out database with 1 new entries
13. Data Base Updated

生成 CRL（包括 PEM 和 DER 两种格式）：

1. openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
2. openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销（revoke）这个中级证书：

1. openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt

配置 1 号中级 CA

给该中级 CA 创建新目录，并进入：

1. mkdir~/SSLCA/intermediate1/
2. cd~/SSLCA/intermediate1/

从根 CA 那边复制这个中级 CA 的证书和私钥：

1. cp../root/intermediate1.key ./
2. cp../root/intermediate1.crt ./

创建索引文件：

1. touch certindex
2. echo1000> certserial
3. echo1000> crlnumber

创建一个新的 ca.conf：

1. #vim ca.conf
2. [ ca ]
3. default_ca = myca
4. [ crl_ext ]
5. issuerAltName=issuer:copy
6. authorityKeyIdentifier=keyid:always
7. [ myca ]
8. dir=./
9. new_certs_dir = $dir
10. unique_subject =no
11. certificate = $dir/intermediate1.crt
12. database = $dir/certindex
13. private_key = $dir/intermediate1.key
14. serial = $dir/certserial
15. default_days =365
16. default_md = sha1
17. policy = myca_policy
18. x509_extensions = myca_extensions
19. crlnumber = $dir/crlnumber
20. default_crl_days =365
21. [ myca_policy ]
22. commonName = supplied
23. stateOrProvinceName = supplied
24. countryName = optional
25. emailAddress = optional
26. organizationName = supplied
27. organizationalUnitName = optional
28. [ myca_extensions ]
29. basicConstraints = critical,CA:FALSE
30. keyUsage = critical,any
31. subjectKeyIdentifier = hash
32. authorityKeyIdentifier = keyid:always,issuer
33. keyUsage = digitalSignature,keyEncipherment
34. extendedKeyUsage = serverAuth
35. crlDistributionPoints =@crl_section
36. subjectAltName =@alt_names
37. authorityInfoAccess =@ocsp_section
38. [ alt_names ]
39. DNS.0=Linux.CN Intermidiate CA 1
40. DNS.1=Linux.CN CA Intermidiate1
41. [ crl_section ]
42. URI.0= http://pki.linux.cn/intermediate1.crl
43. URI.1= http://pki2.linux.cn/intermediate1.crl
44. [ ocsp_section ]
45. caIssuers;URI.0= http://pki.linux.cn/intermediate1.crt
46. caIssuers;URI.1= http://pki2.linux.cn/intermediate1.crt
47. OCSP;URI.0= http://pki.linux.cn/ocsp/
48. OCSP;URI.1= http://pki2.linux.cn/ocsp/

修改 [alt_names] 小节为你所需的替代主题名（Subject Alternative names）。如果不需要就删除引入它的 subjectAltName = @alt_names 行。

如果你需要指定起止时间，添加如下行到 [myca] 中。

1. # format: YYYYMMDDHHMMSS
2. default_enddate =20191222035911
3. default_startdate =20181222035911

生成一个空的 CRL（包括 PEM 和 DER 两种格式）：

1. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
2. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

创建最终用户证书

我们使用新的中级 CA 来生成最终用户的证书。为每个你需要用此 CA 签名的最终用户证书重复这些步骤。

1. mkdir~/enduser-certs
2. cd~/enduser-certs

生成最终用户的私钥：

1. openssl genrsa -out enduser-example.com.key 4096

生成最终用户的 CSR：

1. openssl req -new-sha256 -key enduser-example.com.key -out enduser-example.com.csr

输出类似如下：

1. You are about to be asked to enter information that will be incorporated
2. into your certificate request.
3. What you are about to enter is what is called a DistinguishedNameor a DN.
4. There are quite a few fields but you can leave some blank
5. For some fields there will be a default value,
6. If you enter '.', the field will be left blank.
7. -----
8. CountryName(2 letter code)[AU]:CN
9. StateorProvinceName(full name)[Some-State]:Shanghai
10. LocalityName(eg, city)[]:Xuhui dist.
11. OrganizationName(eg, company)[InternetWidgitsPtyLtd]:ExampleInc
12. OrganizationalUnitName(eg, section)[]:IT Dept
13. CommonName(e.g. server FQDN or YOUR name)[]:example.com
14. EmailAddress[]:
15. Please enter the following 'extra' attributes
16. to be sent with your certificate request
17. A challenge password []:
18. An optional company name []:

用 1 号中级 CA 签名最终用户的证书：

1. cd~/SSLCA/intermediate1
2. openssl ca -batch -config ca.conf -notext -in~/enduser-certs/enduser-example.com.csr -out ~/enduser-certs/enduser-example.com.crt

输出类似如下：

1. Using configuration from ca.conf
2. Check that the request matches the signature
3. Signature ok
4. TheSubject's Distinguished Name is as follows
5. countryName :PRINTABLE:'CN'
6. stateOrProvinceName :ASN.1 12:'Shanghai'
7. localityName :ASN.1 12:'Xuhui dist.'
8. organizationName :ASN.1 12:'ExampleInc'
9. organizationalUnitName:ASN.1 12:'IT Dept'
10. commonName :ASN.1 12:'example.com'
11. Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
12. Write out database with 1 new entries
13. Data Base Updated

生成 CRL（包括 PEM 和 DER 两种格式）：

1. cd~/SSLCA/intermediate1/
2. openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
3. openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl

每次使用该 CA 签名证书后都需要生成 CRL。

如果需要的话，你可以撤销 revoke 这个最终用户证书：

1. cd~/SSLCA/intermediate1/
openssl ca -config ca.conf -revoke ~/enduser-certs/enduser-example.com.crt -keyfile intermediate1.key -cert intermediate1.crt

输出类似如下：

1. Using configuration from ca.conf
2. RevokingCertificate1000.
3. DataBaseUpdated

将根证书和中级证书连接起来创建证书链文件：

1. cat../root/rootca.crt intermediate1.crt >~/enduser-certs/enduser-example.com.chain

将这些文件发送给最终用户：

1. enduser-example.com.crt
2. enduser-example.com.key
3. enduser-example.com.chain

你也可以让最终用户提供他们中级的 CSR 文件，而只发回给他们 这个 .crt 文件。不要从服务器上删除它们，否则就不能撤销了。

校验证书

你可以通过如下命令使用证书链来验证最终用户证书：

1. cd~/enduser-certs
2. openssl verify -CAfile enduser-example.com.chain enduser-example.com.crt
3. enduser-example.com.crt: OK

你也可以用 CRL 来校验它。首先将 PEM CRL 连接到证书链文件：

1. cd~/SSLCA/intermediate1
2. cat../root/rootca.crt intermediate1.crt intermediate1.crl.pem >~/enduser-certs/enduser-example.com.crl.chain

校验证书：

1. cd~/enduser-certs
2. openssl verify -crl_check -CAfile enduser-example.com.crl.chain enduser-example.com.crt

如果该证书未撤销，输出如下：

1. enduser-example.com.crt: OK

如果撤销了，输出如下：

1. enduser-example.com.crt: CN = example.com, ST =Beijing, C = CN, O =ExampleInc, OU = IT Dept
2. error 23 at 0 depth lookup:certificate revoked

更多 OpenSSH 相关内容可以查看以下的有用链接：

在 Ubuntu Server 13.10 系统中安装配置 OpenSSH http://www.linuxidc.com/Linux/2014-02/96953.htm

Ubuntu 安装远程登录 OpenSSH 服务 http://www.linuxidc.com/Linux/2014-02/97218.htm

通过 OpenSSH 远程登录时的延迟问题解决 http://www.linuxidc.com/Linux/2013-07/86879.htm

Ubuntu 12.10 下 OpenSSH 的离线安装方法 http://www.linuxidc.com/Linux/2013-04/82814.htm

OpenSSH 升级步骤及注意事项详解 http://www.linuxidc.com/Linux/2013-04/82123.htm

OpenSSH 普通用户无法登录的几种情况的解决方法 http://www.linuxidc.com/Linux/2012-05/59457.htm

通用线程: OpenSSH 密钥管理，第 1 部分理解 RSA/DSA 认证 http://www.linuxidc.com/Linux/2011-08/39871.htm

RedHat 安装 OpenSSH 和配置 sftp 锁定目录 http://www.linuxidc.com/Linux/2012-12/75398.htm

OpenSSL 的详细介绍：请点这里
OpenSSL 的下载地址：请点这里

本文永久更新链接地址：http://www.linuxidc.com/Linux/2015-10/124682.htm