openssl生成tls(x509)证书 - Sun, Jul 12, 2020
openssl生成tls(x509)证书
1. 概述
x509证书包含三种文件: key,csr,crt
- key: 私钥
- csr: 请求
- crt: 公钥
2. 证书生成
生成单向认证证书,单向认证证书包含:根证书,服务端证书,客户端证书。 根证书能够认证服务端证书和客户端证书
| 参数 | CN | EN |
|---|---|---|
/C | 国家 | Country Name |
/ST | 地区 | State or Province Name |
/L | 城市 | Locality Name |
/O | 组织/公司 | Organization Name |
/OU | 组织单位 | Organizational Unit Name |
/CN | 目标名称 | Common Name |
/emailAddress | 邮箱 | Email Address |
2.1 根证书生成
openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=www.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
openssl x509 -req -sha256 -extensions v3_ca -days 3650 -in root.csr -signkey root.key -out root.crt
2.2 服务端证书生成
CAcreateserial会自动为根证书生成16hex编码字符串
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=server.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
if [ -f "../root/root.srl" ];then
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out server.crt;
else
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out server.crt;
fi
2.3 客户端证书生成
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=client.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
if [ -f "../root/root.srl" ];then
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out client.crt;
else
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out client.crt;
fi
3. shell脚本
#!/bin/bash
# RSA private key gen
# openssl genrsa -out ./scripts/certs/root/root.key 2048
# Certificate signing request
# /C 国家 Country Name
# /ST 地区 State or Province Name
# /L 城市 Locality Name
# /O 组织/公司 Organization Name
# /OU 组织单位 Organizational Unit Name
# /CN 目标名称 Common Name
# /emailAddress 邮箱 Email Address
# openssl req -new -key ./scripts/certs/root/root.key -out ./scripts/certs/root/root.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=www.kaisawind.com/emailAddress=wind.kaisa@gmail.com"
# Self-signed certificate
# openssl req -x509 -sha256 -days 3650 -in ./scripts/certs/root/root.csr -key ./scripts/certs/root/root.key -out ./scripts/certs/root/root.crt
ROOT_CERTS_GEN="pushd ./scripts/certs/root && \
openssl genrsa -out root.key 2048 && \
openssl req -new -key root.key -out root.csr -subj \"/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=www.kaisawind.com/emailAddress=wind.kaisa@gmail.com\" && \
openssl x509 -req -sha256 -extensions v3_ca -days 3650 -in root.csr -signkey root.key -out root.crt && \
popd"
SERVER_CERTS_GEN="pushd ./scripts/certs/server && \
openssl genrsa -out server.key 2048 && \
openssl req -new -key server.key -out server.csr -subj \"/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=server.kaisawind.com/emailAddress=wind.kaisa@gmail.com\" && \
if [ -f \"../root/root.srl\" ];then \
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out server.crt; \
else \
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in server.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out server.crt; \
fi && \
popd"
CLIENT_CERTS_GEN="pushd ./scripts/certs/client && \
openssl genrsa -out client.key 2048 && \
openssl req -new -key client.key -out client.csr -subj \"/C=CN/ST=LiaoNing/L=DaLian/O=kaisawind/OU=wind.kaisa/CN=client.kaisawind.com/emailAddress=wind.kaisa@gmail.com\" && \
if [ -f \"../root/root.srl\" ];then \
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAserial ../root/root.srl -out client.crt; \
else \
openssl x509 -req -sha256 -extensions v3_req -days 3650 -in client.csr -CAkey ../root/root.key -CA ../root/root.crt -CAcreateserial -out client.crt; \
fi && \
popd"
CHECK_CERTS="pushd ./scripts/certs && \
openssl verify -CAfile ./root/root.crt ./server/server.crt && \
openssl verify -CAfile ./root/root.crt ./client/client.crt && \
popd"
case $1 in
check)
bash -c "${CHECK_CERTS}"
;;
root)
bash -c "${ROOT_CERTS_GEN}"
;;
server)
bash -c "${SERVER_CERTS_GEN}"
;;
client)
bash -c "${CLIENT_CERTS_GEN}"
;;
*)
bash -c "${CLIENT_CERTS_GEN}"
esac