Testing self-signed certificates on Ubuntu

1. Create a catest directory, copy the openssl.cnf file into it, then edit the file and change the certificate and private_key entries

mkdir catest
cd catest
catest$ cp /etc/ssl/openssl.cnf .
catest$ vim openssl.cnf
...
[ CA_default ]
certificate     = $dir/root/ca.crt
private_key     = $dir/private/ca.key

2. Create the directories and files that the CA_default section of openssl.cnf expects

catest$ mkdir demoCA
catest$ cd demoCA
catest$ mkdir certs root newcerts private crl
catest$ touch index.txt serial
catest$ echo 01 >> serial
catest$ cd ..

3. Create the root certificate

catest$ openssl genrsa -out demoCA/private/ca.key 2048
catest$ openssl req -new -key demoCA/private/ca.key -out ca.csr
catest$ openssl x509 -req -days 3650 -in ca.csr -out demoCA/root/ca.crt -signkey demoCA/private/ca.key -extensions v3_ca
Signature ok

4. Create a client certificate

catest$ openssl genrsa -out client.key 2048
catest$ openssl req -new -key client.key -out client.csr
catest$ openssl ca -in client.csr -out client.crt -config ./openssl.cnf 
catest$ openssl verify -CAfile ./demoCA/root/ca.crt  client.crt
client.crt: OK

5. Create a second-level (intermediate) CA

Create a subCA directory and initialize it with the same layout as the demoCA directory.

Copy openssl.cnf to openssl-sub.cnf and edit the paths inside it, changing demoCA to subCA.

catest$ openssl genrsa -out ./subCA/private/ca.key 2048
catest$ openssl req -new -key ./subCA/private/ca.key -out subca.csr
catest$ openssl ca -in subca.csr -out ./subCA/root/ca.crt -config ./openssl.cnf 
catest$ openssl verify -CAfile ./demoCA/root/ca.crt ./subCA/root/ca.crt 
./subCA/root/ca.crt: OK

6. Issue a certificate from the second-level CA

catest$ openssl genrsa -out subclient.key 2048
catest$ openssl req -new -key subclient.key -out subclient.csr
catest$ openssl ca -in subclient.csr -out subclient.crt -config ./subCA/openssl.cnf 
catest$ openssl verify -CAfile ./subCA/root/ca.crt subclient.crt
subclient.crt: C = cn, ST = sh, O = bt, OU = utest, CN = subca
error 2 at 1 depth lookup:unable to get issuer certificate

Issuing succeeded, but verification failed. This is because the subca certificate chain is incomplete. Append the root certificate to the end of the subca certificate file and verify again, and it passes.

catest$ cat ./demoCA/root/ca.crt >> ./subCA/root/ca.crt
catest$ openssl verify -CAfile ./subCA/root/ca.crt subclient.crt
subclient.crt: OK
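The whole procedure above, as an added example that is not part of the original post: it rebuilds the same root CA, intermediate CA and leaf certificate with `openssl req` and `openssl x509 -req` instead of `openssl ca`, so it needs no openssl.cnf copy or demoCA directory layout, and it reproduces the step-6 verification failure together with two ways of resolving it. It assumes openssl 1.1.1 or newer on PATH; the subject names, file names, extension section names and the temporary working directory are made up for this demo. Unlike the post, which relies on the default extension sections of the Ubuntu openssl.cnf, the intermediate is signed with an explicit CA:TRUE basicConstraints.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds root CA -> sub CA
# -> leaf and shows why `openssl verify -CAfile sub.crt leaf.crt` fails.
# Assumptions: openssl >= 1.1.1 on PATH; names and paths are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: an empty DN section (subjects are passed with -subj),
# one extension section for CA certificates and one for end-entity certs.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# build_pki: root CA (step 3), sub CA signed by the root (step 5), leaf
# signed by the sub CA (step 6). Runs in a subshell so cwd is restored.
build_pki() (
  cd "$WORK"
  # Self-signed root in one command (genrsa + req + x509 -req in the post).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=demo root CA" -config ext.cnf -extensions ca_ext \
    -keyout root.key -out root.crt 2>/dev/null
  # Sub CA: CSR, then signed by the root key with explicit CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo sub CA" \
    -config ext.cnf -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ext.cnf -extensions ca_ext -out sub.crt 2>/dev/null
  # Leaf ("subclient" in the post): CSR signed by the sub CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=subclient" \
    -config ext.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
)

# verify_subca_only: the post's failing command. Only the sub CA is given,
# it is not self-signed, so chain building stops at depth 1 with
# "unable to get issuer certificate". Returns non-zero.
verify_subca_only() {
  openssl verify -CAfile "$WORK/sub.crt" "$WORK/leaf.crt"
}

# verify_with_untrusted: trust only the root and hand the intermediate in
# with -untrusted. This is how a TLS client treats a server's sent chain.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
    "$WORK/leaf.crt"
}

# verify_with_bundle: the post's fix, root appended after the sub CA cert.
# Both certificates become trust anchors this way.
verify_with_bundle() {
  cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/bundle.crt"
  openssl verify -CAfile "$WORK/bundle.crt" "$WORK/leaf.crt"
}

build_pki
echo "--- sub CA only (expected to fail) ---"
verify_subca_only || true
echo "--- root trusted, sub CA passed with -untrusted ---"
verify_with_untrusted
echo "--- bundle file (the post's fix) ---"
verify_with_bundle
```

The difference between the last two checks matters in practice: with the bundle, the intermediate itself is a trust anchor, so a verifier would accept it even if the root were later removed from the trust store; with `-untrusted`, only the root is trusted and the intermediate must chain to it. A third option, `openssl verify -partial_chain -CAfile sub.crt leaf.crt`, accepts the non-self-signed intermediate as the end of the chain, which is what the post's first attempt implicitly expected.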
