建立SLL證書的根證書

2021-10-24 11:55:58 字數 3892 閱讀 6258

第一步我們建立根證書:(#是注釋)


#1.進入根目錄,建立檔案


cd /


mkdir ca


mkdir ca/root


#2.建立根證書目錄


cd /ca/root


#3.#建立相關目錄,private存放根憑證的私鑰,cert存放根憑證的憑證,signed_certs存放根憑證簽發過的憑證的副本.


mkdir private cert signed_certs


#變更private目錄的訪問許可權.


chmod 700 private


#建立index.txt,此檔案會用來紀錄根憑證簽發過的憑證的紀錄,每次根憑證簽發憑證openssl會自動更新此檔案.


touch index.txt


#建立serial,並在檔案中填入0001,被簽發的憑證都會有序號的字段,紀錄此憑證在上一層簽發單位所簽發的憑證的序號,此檔案會用來紀錄根憑證簽發的憑證的序號,每次根憑證簽發憑證openssl會自動更新此檔案.


echo 0001 > serial
建立openssl_root_ca.cnf並放置在root目錄內


touch openssl_root_ca.cnf


內容:
[ ca ]


default_ca = ca_default


[ ca_default ]


#放置相關的檔案和目錄. 


dir = /ca/root


certs = $dir/cert


new_certs_dir = $dir/signed_certs


database = $dir/index.txt


serial = $dir/serial


randfile = $dir/private/.rand


#放置私鑰和憑證的路徑.


private_key = $dir/private/root_ca.key.pem


certificate = $dir/cert/root_ca.cert.pem


default_md = sha256


name_opt = ca_default


cert_opt = ca_default


default_days = 365


preserve = no


policy = policy_defualt


[ policy_defualt ]


#簽發中繼憑證時資料的檢查(是否必須和根憑證一樣). 


countryname = optional


stateorprovincename = optional


organizationname = optional


organizationalunitname = optional


commonname = supplied


emailaddress = optional


[ req ]


# req工具需要的引數. 


default_bits = 2048


distinguished_name = req_distinguished_name


string_mask = utf8only


default_md = sha256


[ req_distinguished_name ]


#產生憑證時要輸入的資料的說明.


countryname = country name (2 letter code)


stateorprovincename = state or province name


localityname = locality name


0.organizationname = organization name


organizationalunitname = organizational unit name


commonname = common name


emailaddress = email address


[ root_ca ]


#簽發根憑證使用.


subjectkeyidentifier = hash


authoritykeyidentifier = keyid:always,issuer


basicconstraints = critical, ca:true


keyusage = critical, digitalsignature, crlsign, keycertsign


[ intermediate_ca ]


#簽發中繼憑證使用. 


subjectkeyidentifier = hash


authoritykeyidentifier = keyid:always,issuer


basicconstraints = critical, ca:true, pathlen:0


keyusage = critical, digitalsignature, crlsign, keycertsign
openssl genrsa -aes256 -out private/root_ca.key.pem 4096


#會提示需要輸入私鑰使用的密碼


#再次確認密碼


verifying - enter pass phrase for private/root_ca.key.pem: alice123


#變更私鑰的訪問許可權


chmod 400 private/root_ca.key.pem


在根憑證目錄產生根憑證的自簽憑證,檔名是 root_ca.cert.pem


openssl req -config openssl_root_ca.cnf \


-new -x509 -days 7300 -sha256 -extensions root_ca \


-key private/root_ca.key.pem \


-out cert/root_ca.cert.pem


#會提示需要輸入根憑證的私鑰密碼


enter pass phrase for private/root_ca.key.pem: ******


輸入你設定密碼


#接著需要輸入憑證擁有者的資訊.


#所在的國家的縮寫, 2個字母,例如taiwan = tw, unit state = us.


country name (2 letter code) : tw


#所在的州或省.


state or province name : taiwan


#所在的城市.


locality name : ****ei


#所在的公司.


organization name : alice ltd


#所在的公司的單位.


organizational unit name [ ]: alice ltd certificate authority


#憑證的名稱.


common name : alice ltd root ca


#聯絡信箱.


email address : alice@local


#變更憑證的訪問許可權.


chmod 444 cert/root_ca.cert.pem


檢查自簽的根憑證是否無誤.


openssl x509 -noout -text -in cert/root_ca.cert.pem

自建ca根證書 如何建立私有 CA 並簽發證書

為什麼需要自己的 ca?因為公共 ca 比如排名前幾的這幾家 comodo,symantec,globalsign,digicert,startcom 頒發證書要收費,而且 很貴。當然現在也有了像 letsencrypt 這樣的免費 ca。我們的應用是企業內網,網域名稱使用私有網域名稱,沒有辦法使用...

OpenSSL建立根CA並簽發證書

windows下安裝配置openssl,建立democa資料夾,建立相應資料夾和檔案,命令列進入openssl 生成根ca金鑰 生成根證書 req new x509 days 7300 key ca.key out ca.crt subj c cn st provin l city o org ou...

openssl生成CA根證書及子證書

生成根證書 1.生成ca秘鑰,得到ca.key openssl genrsa out ca.key 4096 2.生成ca證書簽發請求,得到ca.csr openssl req new key ca.key out ca.csr subj c cn st jiangsu l nanjing o ji...