格式
生成证书需要使用 openssl 工具,包括根证书和用户证书。在生成证书的具体步骤之前,我们需要知道几个与证书相关的文件格式,所有这些格式都属于 PKCS(The Public-Key Cryptography Standards)标准:
.key文件:私钥文件,通常使用 rsa 算法,私钥需要自己保存,无需提交给 CA 机构.csr文件:证书签名请求(证书请求文件),含有公钥信息,certificate signing request 的缩写。生成该文件时需要用到自己的私钥。.crt文件:CA 认证后的证书文件,certificate 的缩写。.crl文件:证书吊销列表,Certificate Revocation List的缩写.pem文件:用于导出,导入证书时候的证书的格式。该文件实际上是.crt文件和.key文件的合体,与 windows 下使用.pfx类似,不同的是.pem使用 base64字符存储,而.pfx使用二进制存储。
用途
SSL(Secure Sockets Layer,安全套接字协议)是为网络通信提供安全及数据完整性的一种安全协议,支持单向认证和双向认证。
- 单向认证: client 校验 server 合法性。client 需要 ca.crt,server 需要 server.crt、server.key
- 双向认证: client 与 server 相互校验。client 需要 client.key、client.crt、ca.crt,server 需要 server.key、server.crt、ca.crt
生成 CA 根证书
步骤:
- 生成 CA 私钥(.key)
- 生成 CA 证书请求(.csr)
- 自签名得到根证书(.crt)
生成 CA 私钥:
openssl genrsa -out ca.key 2048生成 CA 证书请求:
openssl req -new -key ca.key -out ca.csr自签名得到根证书:
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt生成用户证书
步骤:
- 生成私钥(.key)
- 生成证书请求(.csr)
- 用 CA 根证书签名得到证书(.crt)
生成私钥(.key):
openssl genrsa -des3 -out server.key 1024生成证书请求(.csr):
openssl req -new -key server.key -out server.csr注意这里需要填写 Common Name,如果不填写的话会遇到下面的问题 4,举个例子:
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Server
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:用 CA 根证书签名得到证书:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key最后生成 pem 文件:
cat server.crt server.key > server.pem各种问题
问题 1:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
ca: ./demoCA/newcerts is not a directory
./demoCA/newcerts: No such file or directory解决:
mkdir -p demoCA/newcerts问题 2:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
140567359198528:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('./demoCA/index.txt','r')
140567359198528:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:解决:
touch demoCA/index.txt问题 3:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
./demoCA/serial: No such file or directory
error while loading serial number
140604893304128:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('./demoCA/serial','r')
140604893304128:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:解决:
echo "01" > demoCA/serial
问题 4:
$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The commonName field needed to be supplied and was missing
见生成用户证书的第二步。