openssl制作证书链
更新时间:2025/10/15
在Gitcode上查看源码OpenSSL制作证书链
1. 配置文件
1.1 制作初始文件
制作openssl.cnf等初始文件:
bash
mkdir newcerts
touch index.txt
echo 00 > serial1.2 创建openssl.cnf配置文件
在本地目录创建一个openssl.cnf文件,复制以下内容:
ini
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
config_diagnostics = 1
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = . # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
[insta] # CMP using Insta Demo CA
server = pki.certificate.fi:8700
path = pkix/
recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
ignore_keyusage = 1 # potentially needed quirk
unprotected_errors = 1 # potentially needed quirk
extracertsout = insta.extracerts.pem
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
subject = "/CN=openssl-cmp-test"
newkey = insta.priv.pem
out_trusted = insta.ca.crt
certout = insta.cert.pem
[pbm] # Password-based protection for Insta CA
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta
[signature] # Signature-based protection for Insta CA
trusted = insta.ca.crt # does not include keyUsage digitalSignature
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem
[ir]
cmd = ir
[cr]
cmd = cr
[kur]
cmd = kur
oldcert = $insta::certout # insta.cert.pem
[rr]
cmd = rr
oldcert = $insta::certout # insta.cert.pem2. 证书链
2.1 生成所有密钥
bash
# 生成根CA密钥
openssl genrsa -aes-256-ofb -out RootCA.key -passout pass:123456 2048
# 生成二级CA密钥并去除密码
openssl genrsa -aes-256-ofb -out secondCA.key -passout pass:123456 2048
openssl rsa -in secondCA.key -out secondCA.key -passin pass:123456
# 生成三级CA密钥并去除密码
openssl genrsa -aes-256-ofb -out thirdCA.key -passout pass:123456 2048
openssl rsa -in thirdCA.key -out thirdCA.key -passin pass:123456
# 生成服务器密钥并去除密码
openssl genrsa -aes-256-ofb -out server.key -passout pass:123456 2048
openssl rsa -in server.key -out server.key -passin pass:1234562.2 证书生成逻辑
2.2.1 生成根CA并自签
Common Name填写:RootCA
bash
openssl req -new -x509 -subj "/C=CN/ST=Utah/L=Lehi/O=Huawei/OU=IT/CN=Huawei IT Product CA0" -days 7300 -key RootCA.key -out RootCA.crt -passin pass:1234562.2.2 生成二级CA
Common Name填写:secondCA
bash
openssl req -new -subj "/C=CN/ST=Utah/L=Lehi/O=Huawei/OU=IT/CN=Huawei IT Product CA1" -key secondCA.key -out secondCA.csr -passin pass:123456
openssl ca -batch -in secondCA.csr -extfile openssl.cnf -extensions v3_ca -days 7300 -out secondCA.crt -cert RootCA.crt -keyfile RootCA.key -passin pass:1234562.2.3 生成三级CA
Common Name填写:thirdCA
- 新装备名称:Huawei Computing RSA-PSS Equipment CA 1
- 老装备名称:Huawei IT Product CA
bash
openssl req -new -subj "/C=CN/ST=Utah/L=Lehi/O=Huawei/OU=IT/CN=Huawei IT Product CA" -key thirdCA.key -out thirdCA.csr -passin pass:123456
openssl ca -batch -in thirdCA.csr -extfile openssl.cnf -extensions v3_ca -days 7300 -out thirdCA.crt -cert secondCA.crt -keyfile secondCA.key -passin pass:1234562.2.4 使用三级CA签发服务器证书
bash
openssl req -new -subj "/C=CN/ST=Utah/L=Lehi/O=Huawei/OU=IT/CN=Huawei IT Product Server" -key server.key -out server.csr -passin pass:123456
openssl ca -batch -in server.csr -days 7300 -out server.crt -cert thirdCA.crt -keyfile thirdCA.key -passin pass:1234562.3 服务器证书合成P12
bash
openssl pkcs12 -inkey server.key -in server.crt -export -out server.p12 -passout pass:1234562.4 打包证书链
bash
# 打包CA证书链
cat RootCA.crt secondCA.crt thirdCA.crt > chain-ca.crt
openssl pkcs12 -export -in server.crt -inkey server.key -chain -CAfile chain-ca.crt -name server -out server_chain.p12 -password pass:123456
# 打包SSL证书的证书链
cat RootCA.crt secondCA.crt thirdCA.crt server.crt > chain-ssl.crt