格式

生成证书需要使用 openssl 工具,包括根证书和用户证书。在生成证书的具体步骤之前,我们需要知道几个与证书相关的文件格式,所有这些格式都属于 PKCS(The Public-Key Cryptography Standards)标准:

  • .key文件:私钥文件,通常使用 rsa 算法,私钥需要自己保存,无需提交给 CA 机构
  • .csr 文件:证书签名请求(证书请求文件),含有公钥信息,certificate signing request 的缩写。生成该文件时需要用到自己的私钥。
  • .crt 文件:CA 认证后的证书文件,certificate 的缩写。
  • .crl文件:证书吊销列表,Certificate Revocation List的缩写
  • .pem 文件:用于导出,导入证书时候的证书的格式。该文件实际上是 .crt 文件和 .key 文件的合体,与 windows 下使用 .pfx 类似,不同的是 .pem 使用 base64字符存储,而 .pfx 使用二进制存储。

用途

SSL(Secure Sockets Layer,安全套接字协议)是为网络通信提供安全及数据完整性的一种安全协议,支持单向认证和双向认证。

  • 单向认证: client 校验 server 合法性。client 需要 ca.crt,server 需要 server.crt、server.key
  • 双向认证: client 与 server 相互校验。client 需要 client.key、client.crt、ca.crt,server 需要 server.key、server.crt、ca.crt

生成 CA 根证书

步骤:

  1. 生成 CA 私钥(.key)
  2. 生成 CA 证书请求(.csr)
  3. 自签名得到根证书(.crt)

生成 CA 私钥:

openssl genrsa -out ca.key 2048

生成 CA 证书请求:

openssl req -new -key ca.key -out ca.csr

自签名得到根证书:

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

生成用户证书

步骤:

  1. 生成私钥(.key)
  2. 生成证书请求(.csr)
  3. 用 CA 根证书签名得到证书(.crt)

生成私钥(.key):

openssl genrsa -des3 -out server.key 1024

生成证书请求(.csr):

openssl req -new -key server.key -out server.csr

注意这里需要填写 Common Name,如果不填写的话会遇到下面的问题 4,举个例子:

$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Server
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

用 CA 根证书签名得到证书:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

最后生成 pem 文件:

cat server.crt server.key > server.pem

各种问题

问题 1:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
ca: ./demoCA/newcerts is not a directory
./demoCA/newcerts: No such file or directory

解决:

mkdir -p demoCA/newcerts

问题 2:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
140567359198528:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('./demoCA/index.txt','r')
140567359198528:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

解决:

touch demoCA/index.txt

问题 3:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
./demoCA/serial: No such file or directory
error while loading serial number
140604893304128:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('./demoCA/serial','r')
140604893304128:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

解决:

echo "01" > demoCA/serial

问题 4:

$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /<some-path>/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The commonName field needed to be supplied and was missing

见生成用户证书的第二步。

参考资料