Detailed introduction about openssl ca

# Regarding the concept of CA and digital certificates for certificate authorization center, please move the concept sticker of OpenSSL and SSL digital certificate.

openssl is a suite of open source programs. This suite consists of three parts: First, libcryto, which is an encryption library with general functions, which implements many encryption libraries; second, libssl, which implements The ssl mechanism is used to implement TLS/SSL functions; the third is openssl, which is a multi-functional command line tool that can implement encryption and decryption, and can even be used as a CA, allowing you to create certificates and revoke certificates.

By default, openssl is installed on ubuntu and CentOS. Directory structure of SSL certificates on CentOS 6.x:

/etc/pki/CA/
newcerts stores digital certificates signed (issued) by CA (certificate backup directory)
                                                                                                                                                                           
certs/ The certificate storage directory on the server, you can store your own certificates and built-in certificates
File


Since the openssl ca command is very dependent on the configuration file (default is /etc/pki/tls/openssl.cnf), it is recommended to combine it with my other article

Configuration file openssl.cnf

to read. If you don’t understand the configuration file, the following content may be incomprehensible.

The structure of the files required when signing the certificate is specified in the configuration file. The default structure requirements in openssl.cnf are as follows:

[ CA_default ]dir             = /etc/pki/CA             # 定义路径变量
certs           = $dir/certs              # 已颁发证书的保存目录
database        = $dir/index.txt          # 数据库索引文件
new_certs_dir   = $dir/newcerts           # 新签署的证书保存目录
certificate     = $dir/cacert.pem         # CA证书路径名
serial          = $dir/serial             # 当前证书序列号
private_key     = $dir/private/cakey.pem  # CA的私钥路径名

The directory /etc/pki /CA/{certs,newcerts,private} exists by default after installing openssl, so there is no need to create it independently, but the certificate's database file index.txt and serial file serial must be created, and a serial number must be given first in the serial number file , such as "01".

[root@xuexi tmp]# touch /etc/pki/CA/index.txt 

[root@xuexi tmp]# echo "01" > /etc/pki/CA/serial

In addition, to sign the certificate request, you need the CA's own private key file and the CA's own certificate. First create the CA's private key and store it at The value specified by private_key in the configuration file defaults to /etc/pki/CA/private/cakey.pem.

[root@xuexi tmp]# openssl genrsa -out /etc/pki/CA/private/cakey.pem

(1). Use openssl ca to build your own CA

You need to provide the CA's own certificate and test environment The CA can only self-sign. You can use "openssl req -x509", "openssl x509" and "openssl ca" to self-sign the certificate request file. Here we only introduce the self-signing method of the openssl ca command itself.

First create the CA's certificate request file. It is recommended to use the CA's private key file /etc/pki/CA/private/cakey.pem to create the certificate request file to be self-signed. Although it is not necessary, it is convenient for management. . When creating a request file, the Country Name, State or Province Name, Organization Name, and Common Name must be provided by default.

[root@xuexi tmp]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJLocality Name (eg, city) [Default City]:XMOrganization Name (eg, company) [Default Company Ltd]:JMOrganizational Unit Name (eg, section) []:ITCommon Name (eg, your name or your server's hostname) []:www.iwant.comEmail Address []:.
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

Then use the openssl ca command to self-sign the certificate request file. If there are two interactive queries, it means that the self-signing will be successful. If it fails, consider whether the database file index.txt is created, whether the serial number file serial exists and has a serial number value, whether the path of the private key file cakey.pem is correct, and whether the certificate is created. Whether what should be provided when requesting a file is not provided, etc.

[root@xuexi tmp]# openssl ca -selfsign -in rootCA.csr
Using configuration from /etc/pki/tls/openssl.cnf    # 默认采用/etc/pki/tls/openssl.cnf作为配置文件
Check that the request matches the signature         # 验证证书请求文件的数字签名，确保该证书请求文件是完整未修改过的
Signature ok
Certificate Details:                                 # 待生成证书的信息
        Serial Number: 1 (0x1)                        # 序列号为1
        Validity
            Not Before: Jun 27 10:06:29 2017 GMT      # 证书有效期起始日为2017-6-17 10:06:29Not After : Jun 27 10:06:29 2018 GMT      # 证书有效期终止日为2018-6-17 10:06:29Subject:                                      # Subject信息，subject是非常重要的信息
            countryName               = CN
            stateOrProvinceName       = FJ
            organizationName          = JM
            organizationalUnitName    = IT
            commonName                = www.iwant.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A5:0D:DD:D6:47:C6:24:74:20:F4:62:77:F6:A9:63:3E:52:D2:8A:66X509v3 Authority Key Identifier:
                keyid:A5:0D:DD:D6:47:C6:24:74:20:F4:62:77:F6:A9:63:3E:52:D2:8A:66
 Certificate is to be certified until Jun 27 10:06:29 2018 GMT (365 days)
Sign the certificate? [y/n]:y 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries           # 向数据库文件添加一条该证书的记录
Certificate:                                    # 该证书的信息
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=FJ, O=JM, OU=IT, CN=www.iwant.com
        Validity
            Not Before: Jun 27 10:06:29 2017 GMT
            Not After : Jun 27 10:06:29 2018 GMT
        Subject: C=CN, ST=FJ, O=JM, OU=IT, CN=www.iwant.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:00:94:49:33:f4:90:a4:fc:a4:6b:65:75:4c:be:4f:
                    d1:3f:95:bd:24:60:c8:45:f9:eb:00:31:ac:45:6b:
                    ae:bb:63:bf:f2:a3:0c:e3:d3:50:20:33:1e:d9:e1:
                    8a:49:42:c6:e0:67:6d:3a:cb:2f:9c:90:ab:4c:10:
                    7a:4a:82:e1:6e:a0:6a:63:84:56:1c:a2:5f:11:60:99:e0:cd:20:68:e9:98:40:68:c2:43:7c:97:12:ee:31:8e:b1:73:7d:36:99:97:49:31:50:c1:8c:47:10:16:f9:5d:37:11:00:73:3b:01:62:9b:36:36:97:08:48:31:93:56:3f:6a:d9:a6:99Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A5:0D:DD:D6:47:C6:24:74:20:F4:62:77:F6:A9:63:3E:52:D2:8A:66X509v3 Authority Key Identifier:
                keyid:A5:0D:DD:D6:47:C6:24:74:20:F4:62:77:F6:A9:63:3E:52:D2:8A:66
 
    Signature Algorithm: sha1WithRSAEncryption
         1e:4e:f4:e4:c9:33:52:85:69:ae:b4:2a:37:37:44:90:9b:52:
         b3:e9:89:1c:b2:f2:17:41:d8:05:02:63:9a:4f:64:4d:c9:ce:
         0c:81:48:22:4f:73:8a:4c:f7:b8:bf:64:b2:77:8a:2e:43:80:         39:03:de:27:19:09:d2:88:39:11:8f:8b:4b:37:c0:12:68:ef:         79:5b:28:d4:cf:c9:b8:e1:77:24:6e:b4:5b:83:4a:46:49:a1:
         ad:5c:b7:d8:da:49:9a:45:73:b9:8e:eb:1a:9c:2e:6c:70:d3:
         c5:db:9c:46:02:59:42:bf:ad:bc:21:4c:d1:6b:6b:a7:87:33:
         1a:6b-----BEGIN CERTIFICATE-----MIICiTCCAfKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBMMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCRkoxCzAJBgNVBAoMAkpNMQswCQYDVQQLDAJJVDEWMBQGA1UEAwwN
d3d3Lml3YW50LmNvbTAeFw0xNzA2MjcxMDA2MjlaFw0xODA2MjcxMDA2MjlaMEwx
CzAJBgNVBAYTAkNOMQswCQYDVQQIDAJGSjELMAkGA1UECgwCSk0xCzAJBgNVBAsM
AklUMRYwFAYDVQQDDA13d3cuaXdhbnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQCUSTP0kKT8pGtldUy+T9E/lb0kYMhF+esAMaxFa667Y7/yowzj01Ag
Mx7Z4YpJQsbgZ206yy+ckKtMEHpKguFuoGpjhFYcol8RYJngzSBo6ZhAaMJDfJcS
7jGOsXN9NpmXSTFQwYxHEBb5XTcRAHM7AWKbNjaXCEgxk1Y/atmmmQIDAQABo3sw
eTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD
ZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUpQ3d1kfGJHQg9GJ39qljPlLSimYwHwYDVR0j
BBgwFoAUpQ3d1kfGJHQg9GJ39qljPlLSimYwDQYJKoZIhvcNAQEFBQADgYEAHk70
5MkzUoVprrQqNzdEkJtSs+mJHLLyF0HYBQJjmk9kTcnODIFIIk9zikz3uL9ksneK
LkOAOQPeJxkJ0og5EY+LSzfAEmjveVso1M/JuOF3JG60W4NKRkmhrVy32NpJmkVz
uY7rGpwubHDTxducRgJZQr+tvCFM0Wtrp4czGms=
-----END CERTIFICATE-----Data Base Updated

After successful signing, a series of files will be generated in the /etc/pki/CA directory.

[root@xuexi tmp]# tree -C /etc/pki/CA/etc/pki/CA
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

The 01.pem in the newcerts directory is the self-signed certificate file just now. Because it is the CA's own certificate, according to the configuration file The "certificate=$dir/cacert.pem" item should be placed in the /etc/pki/CA directory and named cacert.pem. Only in this way can other certificate requests be signed in the future.

[root@xuexi tmp]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem

At this point, the self-built CA is completed. Check the database index file and serial number file.

[root@xuexi tmp]# cat /etc/pki/CA/index.txt
V       180627100629Z           01      unknown /C=CN/ST=FJ/O=JM/OU=IT/CN=www.iwant.com

[root@xuexi tmp]# cat /etc/pki/CA/serial02

Then, the next time a certificate request is signed, the serial number will be "02".

The above process of self-building CA is summarized as follows:

[root@xuexi tmp]# touch /etc/pki/CA/index.txt 
[root@xuexi tmp]# echo "01" > /etc/pki/CA/serial
[root@xuexi tmp]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
[root@xuexi tmp]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
[root@xuexi tmp]# openssl ca -selfsign -in rootCA.csr
[root@xuexi tmp]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem

以上过程是完全读取默认配置文件创建的，其实很多过程是没有那么严格的，openssl ca命令自身可以指定很多选项覆盖配置文件中的项，但既然提供了默认的配置文件及目录结构，为了方便管理，仍然建议完全采用配置文件中的项。

(2).为他人颁发证书。

首先申请者创建一个证书请求文件。

[root@xuexi tmp]# openssl req -new -key privatekey.pem -out youwant1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FJLocality Name (eg, city) [Default City]:XMOrganization Name (eg, company) [Default Company Ltd]:JMOrganizational Unit Name (eg, section) []:.Common Name (eg, your name or your server's hostname) []:www.youwant.comEmail Address []:.
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

其中Country Name、State or Province Name、Organization Name和Common Name必须提供，且前三者必须和CA的subject中的对应项完全相同。这些是由配置文件中的匹配策略决定的。

[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
policy          = policy_match
[ policy_match ]
countryName             = matchstateOrProvinceName     = matchorganizationName        = matchorganizationalUnitName  = optional
commonName              = suppliedemailAddress            = optional

"match"表示openssl ca要签署的证书请求文件中的项要和CA证书中的项匹配，即要相同，"supplied"表示必须要提供的项，"optional"表示可选项，所以可以留空。

现在就可以将证书请求文件发送给CA，让CA帮忙签署。

[root@xuexi tmp]# openssl ca -in youwant1.csr

签署成功后，查看下/etc/pki/CA下的文件结构。

[root@xuexi tmp]# tree -C /etc/pki/CA/
/etc/pki/CA/├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old 
4 directories, 10 files

其中"02.pem"就是刚才签署成功的证书，将此证书发送给申请者即表示颁发完成。

再看下数据库索引文件和序列号文件。

[root@xuexi tmp]# cat /etc/pki/CA/index.txt
V       180627100629Z           01      unknown /C=CN/ST=FJ/O=JM/OU=IT/CN=www.iwant.com
V       180627110022Z           02      unknown /C=CN/ST=FJ/O=JM/CN=www.youwant.com

[root@xuexi tmp]# cat /etc/pki/CA/serial03

(3).openssl ca命令用法

经过上面的示例，应该对openssl ca命令的用法大致了解了，下面是其完整的用法说明，不包括crl相关功能。

openssl ca [-verbose] [-config filename] [-name section] [-startdate ] [-enddate ] [-days arg] [-md arg] [-policy arg] [-keyfile arg] [-key arg] [-passin arg] [-cert ]
[-selfsign] [- ] [-out ] [-notext] [-outdir ] [-infiles] [-ss_cert ] [-preserveDN] [-noemailDN] [-batch] [-extensions section] [-extfile section] [-subj arg] [-utf8]

要注意，ca命令是用于签署证书的，所以它所需要的文件除了配置文件外就是私钥文件和证书请求文件，而签名后生成的文件是证书文件，因此使用"-in"指定的对象是待签署文件，"-infiles"则是指定多个待签署文件，"-keyfile"是指定私钥文件，"-out"是指定输出的证书文件。

【选项说明：】-config filename ：指定要使用的配置文件，指定后将忽略openssl.cnf中指定的关于ca的配置选项。-name section    ：指定使用配置文件中的那个section。指定后将忽略openssl.cnf中的default_ca段。-in filename     ：指定要被CA签署的单个证书请求文件。根CA为其他证书签署时使用。-infiles         ：该选项只能是最后一个选项，该选项所接的所有参数都被认为是要被签署的证书请求文件，即一次性签署多个请求文件时使用的选项。-selfsign        ：自签署。指定-ss_cert选项时该选项被忽略。-ss_cert filename：将被CA自签署的单个证书文件。也就是说要重新签署证书。-out filename    ：证书的输出文件，同时也会输出到屏幕。不指定时默认输出到stdout。-outdir dir_name ：证书的输出目录。指定该选项时，将自动在此目录下生成一个文件名包含16进制serial值的".pem"证书文件。-cert            ：CA自己的证书文件。-keyfile filename：指定签署证书请求时的私钥文件，即CA自己的私钥文件。-key passwd_value：指定私钥的加密密码。-passin arg      ：传递解密密码-verbose         ：打印操作执行时的详细信息-notext          ：禁止以文本格式将证书输出到"-out"指定的文件中-days arg        ：证书有效期限，从创建时刻开始算startdate，有效期结束点为enddate。-startdate       ：自定义证书的开始时间，和"-enddate"一起使用可以推算出证书有效期。-enddate         ：自定义证书的结束时间。-md alg          ：指定单向加密算法-policy arg      ：该选项是配置文件中的section内容，该选项指定了证书信息中的field部分是否需要强制提供还是要强制匹配，
                 ：或者可提供可不提供。详细的见配置文件说明。-extensions section：指定当前创建的证书使用配置文件中的哪个section作为扩展属性。-batch           ：签署时使用批处理模式，即非交互模式。该模式下不会有两次询问(是否签署、是否提交)。-subj arg        ：替换证书请求中的subject，格式/type0=value0/type1=value1/type2=...

配置文件关于ca的部分，其中被标记为必须项的表示配置文件中或者命令行中必须给出该选项及其值。

new_certs_dir    ：等同于"-outdir"选项。必须项
certificat       ：等同于"-cert"选项，CA自己的证书文件。必须项
private_key      ：等同于"-keyfile"选项，签署证书请求文件时的私钥文件，即CA自己的私钥文件。必须项
default_days     ：等同于"-days"选项
default_startdate：等同于"-startdate"选项。
default_enddate  ：等同于"-enddate"选项。
default_md       ：等同于"-md"选项。必须项
database         ：openssl维护的数据库文件。存放证书条目信息及状态信息。必须项
serial           ：已颁发证书的序列号(16进制)文件。必须项且该文件中必须存在一个序列值
unique_subject   ：如果设置为yes，database中的subject列值必须不重复。如果设置为no，允许subject重复。默认是yes，
                 ：这是为了兼容老版本的Openssl，推荐设置为no。
x509_extensions  ：等同于"-extensions"选项。
policy           ：等同于"-policy"选项。必须项
name_opt/cert_opt：证书的展示格式，虽非必须但建议设置为ca_default，若不设置将默认使用老版本的证书格式(不建议如此)。
                 ：伪命令ca无法直接设置这两个选项，而伪命令x509的"-nameopt"和"-certopt"选项可以分别设置。
copy_extensions  ：决定证书请求中的扩展项如何处理的。如果设置为none或不写该选项，则扩展项被忽略并且不复制到证书中去。
                 ：如果设置为copy，则证书请求中已存在而证书中不存在的扩展项将复制到证书中。
                 ：如果设置为copyall，则证书请求中所有的扩展项都复制到证书中，此时若证书中已存在某扩展项，则先删除再复制。
                 ：该选项的主要作用是允许证书请求为特定的扩展项如subjectAltName提供值。
                 ：使用该选项前请先查看man ca中的WARNINGS部分。建议一般简单使用时设置为none或不设置。

The above is the detailed content of Detailed introduction about openssl ca. For more information, please follow other related articles on the PHP Chinese website!