openssl生成tls(x509)证书

  1. 1. 概述
  2. 2. 证书生成
    1. 2.1 根证书生成
    2. 2.2 服务端证书生成
    3. 2.3 客户端证书生成
  3. 3. shell脚本

openssl生成tls(x509)证书

1. 概述

x509证书包含三种文件: key,csr,crt

  • key: 私钥
  • csr: 请求
  • crt: 公钥

2. 证书生成

生成单向认证证书,单向认证证书包含:根证书,服务端证书,客户端证书。
根证书能够认证服务端证书和客户端证书

参数 CN EN
/C 国家 Country Name
/ST 地区 State or Province Name
/L 城市 Locality Name
/O 组织/公司 Organization Name
/OU 组织单位 Organizational Unit Name
/CN 目标名称 Common Name
/emailAddress 邮箱 Email Address

2.1 根证书生成

openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=www.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
openssl x509 -req -sha256 -extensions v3_ca -days 3650 -in root.csr -signkey root.key -out root.crt

2.2 服务端证书生成

CAcreateserial会自动为根证书生成16hex编码字符串

openssl genrsa -out server.key 2048 
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=server.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
if [ -f "../root/root.srl" ];then
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out server.crt;
else
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out server.crt;
fi

2.3 客户端证书生成

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=client.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
if [ -f "../root/root.srl" ];then
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out client.crt;
else
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out client.crt;
fi

3. shell脚本

#!/bin/bash

# RSA private key gen
# openssl genrsa -out ./scripts/certs/root/root.key 2048
# Certificate signing request
# /C 国家 Country Name
# /ST 地区 State or Province Name
# /L 城市 Locality Name
# /O 组织/公司 Organization Name
# /OU 组织单位 Organizational Unit Name
# /CN 目标名称 Common Name
# /emailAddress 邮箱 Email Address
# openssl req -new -key ./scripts/certs/root/root.key -out ./scripts/certs/root/root.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=www.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
# Self-signed certificate
# openssl req -x509 -sha256 -days 3650 -in ./scripts/certs/root/root.csr -key ./scripts/certs/root/root.key -out ./scripts/certs/root/root.crt
ROOT_CERTS_GEN="pushd ./scripts/certs/root && \
                openssl genrsa -out root.key 2048 && \
                openssl req -new -key root.key -out root.csr -subj \"/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=www.kaisawind.com/emailAddress=wind.kaisa@gmail.com\" && \
                openssl x509 -req -sha256 -extensions v3_ca -days 3650 -in root.csr -signkey root.key -out root.crt && \
                popd"
SERVER_CERTS_GEN="pushd ./scripts/certs/server && \
                openssl genrsa -out server.key 2048 && \
                openssl req -new -key server.key -out server.csr -subj \"/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=server.kaisawind.com/emailAddress=wind.kaisa@gmail.com\" && \
                if [ -f \"../root/root.srl\" ];then \
                openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out server.crt; \
                else \
                openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out server.crt; \
                fi && \
                popd"

CLIENT_CERTS_GEN="pushd ./scripts/certs/client && \
                openssl genrsa -out client.key 2048 && \
                openssl req -new -key client.key -out client.csr -subj \"/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=client.kaisawind.com/emailAddress=wind.kaisa@gmail.com\" && \
                if [ -f \"../root/root.srl\" ];then \
                openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out client.crt; \
                else \
                openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out client.crt; \
                fi && \
                popd"

CHECK_CERTS="pushd ./scripts/certs && \
            openssl verify -CAfile ./root/root.crt ./server/server.crt && \
            openssl verify -CAfile ./root/root.crt ./client/client.crt && \
            popd"

case $1 in
    check)
        bash -c "${CHECK_CERTS}"
        ;;
    root)
        bash -c "${ROOT_CERTS_GEN}"
        ;;
    server)
        bash -c "${SERVER_CERTS_GEN}"
        ;;
    client)
        bash -c "${CLIENT_CERTS_GEN}"
        ;;
    *)
        bash -c "${CLIENT_CERTS_GEN}"
esac

转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论,也可以邮件至 wind.kaisa@gmail.com

文章标题:openssl生成tls(x509)证书

本文作者:kaisawind

发布时间:2020-07-12, 09:26:04

最后更新:2020-11-18, 15:55:44

原始链接:https://kaisawind.gitee.io/2020/07/12/2020-07-12-openssl/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

目录
×

喜欢就点赞,疼爱就打赏