linux下使用openssl生成 csr crt CA证书

本文主要借鉴和引用了下面2个地址的内容,然后在自己的机器上进行了测试和执行,并做了如下记录。

ref:




创建测试目录
mkdir /tmp/create_key/ca
cd /tmp/create_key/

证书文件生成:
一.服务器端
1.生成服务器端    私钥(key文件);
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3是加密算法,也可以选用其他安全的算法),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果不要口令,则去除口令:openssl rsa -in server.key -out server.key

2.生成服务器端    证书签名请求文件(csr文件);
openssl req -new -key server.key -out server.csr
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其 提示一步一步输入要求的个人信息即可(如:Country,province,city,company等).

二.客户端
1.生成客户端     私钥(key文件);
openssl genrsa -des3 -out client.key 1024
2.生成客户端    证书签名请求文件(csr文件);
openssl req -new -key client.key -out client.csr


cd  /tmp/create_key/ca
三.生成CA证书文件
#server.csr与client.csr文件必须有CA的签名才可形成证书.
1.首先生成CA的key文件:
openssl genrsa -des3 -out ca.key 1024
2.生成CA自签名证书:
openssl req -new -x509 -key ca.key -out ca.crt 
可以加证书过期时间选项 "-days 365".

四.利用CA证书进行签名
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key 
这两条执行的时候因为没有指定openssl.cnf 会报错,不过没关系,我们用默认的 /etc/pki/tls/openssl.cnf 就可以。
不过用默认的时候需要先执行下面两行:
touch /etc/pki/CA/index.txt 
echo 00 > /etc/pki/CA/serial    

下面有错误案例分析
#############################################################
根据server.csr 通过CA的ca.crt   ca.key  生成server.crt文件
openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
/etc/pki/CA/index.txt: No such file or directory 
unable to open ‘/etc/pki/CA/index.txt‘ 
140423531685704:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen(‘/etc/pki/CA/index.txt‘,‘r‘) 
140423531685704:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357: 
[root@monitor ca]# touch /etc/pki/CA/index.txt             #创建index文件,因为不存在
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
/etc/pki/CA/serial: No such file or directory 
error while loading serial number 
139949960836936:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen(‘/etc/pki/CA/serial‘,‘r‘) 
139949960836936:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357: 
[root@monitor ca]# echo 00 > /etc/pki/CA/serial                 #创建serial号文件
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
Check that the request matches the signature 
Signature ok 
The organizationName field needed to be the same in the 
CA certificate (homelink-ca) and the request (homelink)                
#此处报错是因为创建CA的ca.crt 时候 和创建server的server.csr时候    
#Organization Name (eg, company) [Default Company Ltd]:homelink-ca  和
#Organization Name (eg, company) [Default Company Ltd]:homelink  
#配置的不再一个域,所以不行,下面重建ca.crt

[root@monitor ca]# openssl req -new -x509 -key ca.key -out ca.crt 
Enter pass phrase for ca.key: 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter ‘.‘, the field will be left blank. 
----- 
Country Name (2 letter code) [XX]:CN 
State or Province Name (full name) []:bj 
Locality Name (eg, city) [Default City]:bj 
Organization Name (eg, company) [Default Company Ltd]:homelink 
Organizational Unit Name (eg, section) []:homelink-lft 
Common Name (eg, your name or your server‘s hostname) []:lft 
Email Address []: 
[root@monitor ca]# ls -lrt 
total 8 
-rw-r--r-- 1 root root 963 May 22 14:39 ca.key 
-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt 
#重新创建ca.crt后,重新执行,生成成功
[root@monitor ca]# openssl ca -in ../server.csr -out ../server.crt -cert ca.crt -keyfile ca.key 
Using configuration from /etc/pki/tls/openssl.cnf 
Enter pass phrase for ca.key: 
Check that the request matches the signature 
Signature ok 
Certificate Details: 
Serial Number: 0 (0x0) 
Validity 
Not Before: May 22 08:16:25 2015 GMT 
Not After : May 21 08:16:25 2016 GMT 
Subject: 
countryName = CN 
stateOrProvinceName = bj 
organizationName = homelink 
organizationalUnitName = homelink-lft 
commonName = lft 
X509v3 extensions: 
X509v3 Basic Constraints: 
CA:FALSE 
Netscape Comment: 
OpenSSL Generated Certificate 
X509v3 Subject Key Identifier: 
00:2C:34:0A:73:5C:1A:E6:39:48:28:6F:8F:02:F6:BC:58:6F:25:55 
X509v3 Authority Key Identifier: 
keyid:83:70:9D:4E:3F:39:01:3E:7A:CE:B9:2B:0E:1A:FB:00:2A:C3:11:D9 

Certificate is to be certified until May 21 08:16:25 2016 GMT (365 days) 
Sign the certificate? [y/n]:y 


1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
[root@monitor ca]# ls -lrt 
total 8 
-rw-r--r-- 1 root root 963 May 22 14:39 ca.key 
-rw-r--r-- 1 root root 944 May 22 16:16 ca.crt 
[root@monitor ca]# ls -lrt .. 
total 28 
-rw-r--r-- 1 root root 963 May 22 13:51 server.key 
-rw-r--r-- 1 root root 672 May 22 13:52 server.csr 
-rw-r--r-- 1 root root 963 May 22 14:36 client.key 
-rw-r--r-- 1 root root 672 May 22 14:37 client.csr 
drwxr-xr-x 2 root root 4096 May 22 14:40 ca 
-rw-r--r-- 1 root root 238 May 22 15:07 readme.txt 
-rw-r--r-- 1 root root 3036 May 22 16:16 server.crt
#然后生成客户端的client.crt 文件
openssl ca -in ../client.csr -out ../client.crt -cert ca.crt -keyfile ca.key 

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。