構建自己的證書頒發服務(CA)

本文原創自 http://blog.csdn.net/voipmaker  轉載註明出處。

本系列文章分爲三篇，主要介紹構建自己的證書頒發服務，生成證書請求，以及通過自己構建的CA給生成的證書請求籤名並最終應用到服務。

通過構建自己的證書服務，可以給自己的應用證書籤名，無需購買商業證書頒發機構的簽名，但自己授權的不利之處是客戶端需要導入你的root證書後才能信任證書。

下面爲在centos上構建自己的CA過程

1. 構建相關目錄和文件

#mkdir /home/cg/myca
#cd /home/cg/myca/
#mkdir private certs newcerts conf export csr
#echo '01' > serial
#touch index.txt


#vim /home/cg/myca/conf/caconfig.cnf


添加如下內容：
[ ca ]
default_ca = CA_default


[ CA_default ]
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha1
preserve = no
#msie_hack
policy = policy_match


[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional


[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req


[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = [email protected]


[ req_attributes ]
#challengePassword = A challenege password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name


[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ''OpenSSL Generated Certificate''
#nsCertType = client, email, objsign for ''everything including object signing''
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =


[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment


[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03


[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


2. 生成root 證書：

openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

兩個文件key.ca.cg.pem and crt.ca.cg.pem會在 $dir/private 和 $dir/certs 目錄


3. 檢查root證書的正確性


openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text


5. 導出root證書


導出爲PKCS12格式，可直接在windows系統點擊即可自動安裝


openssl pkcs12 -export -out export/ca.cg.p12 -in certs/crt.ca.cg.pem -inkey private/key.ca.cg.pem


發送到windows系統，雙擊ca.cg.p12即可按照提示安裝