证书链制作
目录结构
certs/
├── root/
│   ├── private/
│   │   ├── root-ca.key
│   │   └── root-ca-unencrypted.key
│   ├── certs/
│   │   └── root-ca.crt
│   ├── index.txt
│   ├── serial
│   └── newcerts/
├── intermediate/
│   ├── private/
│   │   ├── intermediate-ca.key
│   │   └── intermediate-ca-unencrypted.key
│   ├── certs/
│   │   ├── intermediate-ca.crt
│   │   └── intermediate-ca.csr
│   ├── index.txt
│   ├── serial
│   └── newcerts/
└── server/
    ├── private/
    │   └── server.key
    └── certs/
        ├── server.crt
        ├── server.csr
        ├── server-chain.crt
        └── server-bundle.crt
根证书配置文件 root-openssl.cnf
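# root-openssl.cnf -- OpenSSL configuration for the root CA.
# Read by `openssl req -x509` (the self-signed root certificate) and by
# `openssl ca` (signing the intermediate CSR). Paths are relative to the
# working directory the commands are run from ($dir below).

[ ca ]
default_ca = CA_root

# Settings used by `openssl ca -config root-openssl.cnf`.
[ CA_root ]
dir = ./certs/root
# index.txt and serial must exist before the first `openssl ca` run.
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/root-ca.crt
private_key = $dir/private/root-ca.key
serial = $dir/serial
# Validity in days when -days is not given on the command line.
default_days = 3650
default_md = sha256
policy = policy_strict

# DN policy for CSRs signed by the root. Despite the name, only commonName
# is required; every other field is accepted as supplied or omitted.
[ policy_strict ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Settings for `openssl req` (the root's own self-signed certificate).
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
# Applied only by `openssl req -x509` (self-signed output).
x509_extensions = v3_ca

# Prompts and defaults for the root certificate's subject.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Beijing
localityName = Locality Name
localityName_default = Beijing
organizationName = Organization Name
organizationName_default = My Company Root CA
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = IT Department
commonName = Common Name
commonName_default = My Root CA

# Extensions for the self-signed root certificate. No pathlen here, so the
# root may issue intermediates; use v3_intermediate_ca when signing them.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

# Extensions for an intermediate CA certificate signed by this root.
# Select with `openssl ca -config root-openssl.cnf -extensions v3_intermediate_ca`.
# pathlen:0 stops the intermediate from issuing further CA certificates.
# The intermediate's own config cannot enforce this: `openssl ca` takes the
# issued extensions from the signing CA's config, not from the CSR.
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign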
中间证书配置文件 intermediate-openssl.cnf
# intermediate-openssl.cnf -- OpenSSL configuration for the intermediate CA.
# Read by `openssl req` (the intermediate's own CSR) and by `openssl ca`
# (issuing server certificates). Paths are relative to the working
# directory the commands are run from ($dir below).
[ ca ]
default_ca = CA_intermediate
# Settings used by `openssl ca -config intermediate-openssl.cnf`.
[ CA_intermediate ]
dir = ./certs/intermediate
# index.txt and serial must exist before the first `openssl ca` run.
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/intermediate-ca.crt
private_key = $dir/private/intermediate-ca.key
serial = $dir/serial
# Validity in days when -days is not given on the command line.
default_days = 1825
default_md = sha256
policy = policy_loose
# DN policy for CSRs signed by the intermediate: only commonName is required.
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Settings for `openssl req` when creating the intermediate's CSR.
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
# Applied only by `openssl req -x509` (self-signed output). A CSR made with
# `openssl req -new` does not carry these extensions; the certificate the
# root issues takes its extensions from the root CA's config instead.
x509_extensions = v3_ca
# Prompts and defaults for the intermediate certificate's subject.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Beijing
localityName = Locality Name
localityName_default = Beijing
organizationName = Organization Name
organizationName_default = My Company Intermediate CA
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = IT Department
commonName = Common Name
commonName_default = My Intermediate CA
# CA extensions with pathlen:0 (no further CA may be issued beneath it).
# See the note on x509_extensions above: this section only reaches the
# issued certificate if the signing CA's config selects an equivalent one.
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Extensions written into server certificates issued with
# `openssl ca -config intermediate-openssl.cnf -extensions v3_req`.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
# subjectAltName entries for every certificate issued via v3_req.
# `openssl ca` does not copy extensions from the CSR (copy_extensions is
# unset), so this list -- not the server CSR -- decides the issued names.
# Update it per server and keep it consistent with server-openssl.cnf.
[ alt_names ]
DNS.1 = myserver.example.com
DNS.2 = www.example.com
DNS.3 = localhost
IP.1 = 127.0.0.1
服务器证书配置文件 server-openssl.cnf
# server-openssl.cnf -- OpenSSL configuration for the server CSR.
# Read by `openssl req -config server-openssl.cnf -new`; the certificate
# itself is issued by the intermediate CA using intermediate-openssl.cnf.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# Extensions placed into the CSR. Whether they appear in the issued
# certificate is decided by the signing CA's config: `openssl ca` ignores
# CSR extensions unless copy_extensions is set there.
req_extensions = v3_req
# Prompts and defaults for the server certificate's subject.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name
stateOrProvinceName_default = Beijing
localityName = Locality Name
localityName_default = Beijing
organizationName = Organization Name
organizationName_default = My Company
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default = IT Department
# TLS clients match hostnames against subjectAltName, so the same name
# must also be listed under [ alt_names ] below.
commonName = Common Name
commonName_default = myserver.example.com
# Requested extensions: end-entity certificate for TLS server/client
# authentication, with the names from alt_names.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
# Hostnames and addresses the certificate is requested for. Keep in sync
# with the CA-side alt_names in intermediate-openssl.cnf.
[ alt_names ]
DNS.1 = myserver.example.com
DNS.2 = www.example.com
DNS.3 = localhost
IP.1 = 127.0.0.1
生成根证书
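# Root CA setup. Run from the directory holding root-openssl.cnf, because
# that file sets dir = ./certs/root.
# Create the layout `openssl ca` expects; index.txt and serial are mandatory
# and are not created automatically.
mkdir -p certs/root/private certs/root/certs certs/root/newcerts
chmod 700 certs/root/private
touch certs/root/index.txt
# Initial serial number (hex). 1000 is only a constructed seed; any value works.
# Guarded so a re-run does not reset an existing counter.
[ -f certs/root/serial ] || echo 1000 > certs/root/serial
# Generate the root CA private key (AES-256 encrypted; prompts for a passphrase).
openssl genrsa -aes256 -out certs/root/private/root-ca.key 4096
chmod 600 certs/root/private/root-ca.key
# Generate the self-signed root CA certificate.
# -days 7300 overrides default_days from the config; -extensions v3_ca picks
# the CA extensions from root-openssl.cnf.
openssl req -config root-openssl.cnf \
    -key certs/root/private/root-ca.key \
    -new -x509 -days 7300 -sha256 -extensions v3_ca \
    -out certs/root/certs/root-ca.crt
# Remove the passphrase (optional; convenient for automation).
# The unencrypted copy is exactly as sensitive as the root key: keep it out
# of version control and readable by the CA user only.
openssl rsa -in certs/root/private/root-ca.key \
    -out certs/root/private/root-ca-unencrypted.key
chmod 600 certs/root/private/root-ca-unencrypted.key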
生成中间证书
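# Intermediate CA setup. Run from the directory holding both config files.
# Create the layout `openssl ca` expects for the intermediate; index.txt and
# serial are mandatory and are not created automatically.
mkdir -p certs/intermediate/private certs/intermediate/certs certs/intermediate/newcerts
chmod 700 certs/intermediate/private
touch certs/intermediate/index.txt
# Initial serial number (hex). 1000 is only a constructed seed; any value works.
[ -f certs/intermediate/serial ] || echo 1000 > certs/intermediate/serial
# Generate the intermediate CA private key (AES-256 encrypted; prompts for a passphrase).
openssl genrsa -aes256 -out certs/intermediate/private/intermediate-ca.key 4096
chmod 600 certs/intermediate/private/intermediate-ca.key
# Generate the intermediate CA certificate signing request.
openssl req -config intermediate-openssl.cnf \
    -key certs/intermediate/private/intermediate-ca.key \
    -new -sha256 \
    -out certs/intermediate/certs/intermediate-ca.csr
# Sign the intermediate CSR with the root CA.
# NOTE: the issued extensions come from root-openssl.cnf [ v3_ca ], not from
# intermediate-openssl.cnf. That section carries no pathlen, so the resulting
# intermediate is not prevented from issuing further sub-CAs; to constrain
# it, select a section in root-openssl.cnf whose basicConstraints has pathlen:0.
openssl ca -config root-openssl.cnf \
    -extensions v3_ca -days 3650 -notext -md sha256 \
    -in certs/intermediate/certs/intermediate-ca.csr \
    -out certs/intermediate/certs/intermediate-ca.crt
# Remove the passphrase (optional; convenient for automation).
# The unencrypted copy is exactly as sensitive as the original key.
openssl rsa -in certs/intermediate/private/intermediate-ca.key \
    -out certs/intermediate/private/intermediate-ca-unencrypted.key
chmod 600 certs/intermediate/private/intermediate-ca-unencrypted.key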
生成服务器证书
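# Server certificate. Run from the directory holding the config files.
mkdir -p certs/server/private certs/server/certs
chmod 700 certs/server/private
# Generate the server private key (unencrypted, as services usually need it
# to start unattended; restrict the file instead).
openssl genrsa -out certs/server/private/server.key 2048
chmod 600 certs/server/private/server.key
# Generate the server certificate signing request.
openssl req -config server-openssl.cnf \
    -key certs/server/private/server.key \
    -new -sha256 \
    -out certs/server/certs/server.csr
# Sign with the intermediate CA.
# The issued extensions, including subjectAltName, come from
# intermediate-openssl.cnf [ v3_req ] / [ alt_names ], not from the CSR:
# `openssl ca` does not copy CSR extensions unless copy_extensions is set.
# Check that list matches this server before signing.
openssl ca -config intermediate-openssl.cnf \
    -extensions v3_req -days 375 -notext -md sha256 \
    -in certs/server/certs/server.csr \
    -out certs/server/certs/server.crt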
创建证书链文件
# Build the PEM chain files from the certificates issued above.
# Full chain (leaf, intermediate, root) -- handy for inspection and testing.
cat certs/server/certs/server.crt certs/intermediate/certs/intermediate-ca.crt certs/root/certs/root-ca.crt > certs/server/certs/server-chain.crt
# Deployable bundle (leaf, intermediate) -- the root is expected to live in
# the client's trust store rather than be served.
cat certs/server/certs/server.crt certs/intermediate/certs/intermediate-ca.crt > certs/server/certs/server-bundle.crt
验证证书链
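# Verify the server certificate: it must chain to the root through the
# intermediate, be usable for TLS server authentication, and carry the
# intended hostname in subjectAltName (the name the configs were written for).
openssl verify -CAfile certs/root/certs/root-ca.crt \
    -untrusted certs/intermediate/certs/intermediate-ca.crt \
    -purpose sslserver -verify_hostname myserver.example.com \
    certs/server/certs/server.crt
# Show the full certificate (check the SAN list and validity period).
openssl x509 -in certs/server/certs/server.crt -text -noout
# Show the intermediate's basicConstraints: confirm CA:TRUE and check
# whether a pathlen constraint was actually issued.
openssl x509 -in certs/intermediate/certs/intermediate-ca.crt -noout -ext basicConstraints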
