2014-11-05 81 views

回答

8

只是一個旁註,任何人想要生成一個鏈和一些證書。精煉@ EpicPandaForce自己的答案,這裏是一個腳本,它在root-ca/中創建一個根CA,在intermediate/中創建一箇中間CA,三個證書到out/,每個都使用中間CA簽名。

#!/bin/bash -x 

set -e 

for C in `echo root-ca intermediate`; do 

    mkdir $C 
    cd $C 
    mkdir certs crl newcerts private 
    cd .. 

    echo 1000 > $C/serial 
    touch $C/index.txt $C/index.txt.attr 

    echo ' 
[ ca ] 
default_ca = CA_default 
[ CA_default ] 
dir   = '$C' # Where everything is kept 
certs   = $dir/certs    # Where the issued certs are kept 
crl_dir  = $dir/crl    # Where the issued crl are kept 
database  = $dir/index.txt   # database index file. 
new_certs_dir = $dir/newcerts   # default place for new certs. 
certificate = $dir/cacert.pem    # The CA certificate 
serial   = $dir/serial    # The current serial number 
crl   = $dir/crl.pem    # The current CRL 
private_key = $dir/private/ca.key.pem  # The private key 
RANDFILE  = $dir/.rnd  # private random number file 
nameopt  = default_ca 
certopt  = default_ca 
policy   = policy_match 
default_days = 365 
default_md  = sha256 

[ policy_match ] 
countryName   = optional 
stateOrProvinceName = optional 
organizationName  = optional 
organizationalUnitName = optional 
commonName    = supplied 
emailAddress   = optional 

[req] 
req_extensions = v3_req 
distinguished_name = req_distinguished_name 

[req_distinguished_name] 

[v3_req] 
basicConstraints = CA:TRUE 
' > $C/openssl.conf 
done 

openssl genrsa -out root-ca/private/ca.key 2048 
openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca' 

openssl genrsa -out intermediate/private/intermediate.key 2048 
openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=Interm.' 
openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt 

mkdir out 

for I in `seq 1 3` ; do 
    openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048 
    openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request 
done 
5

根據以下指南,特別感謝Jamie Nguyen製作指南使其成爲可能,謝謝!

通過以下對https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/指導做到以下幾點:

  • 將OpenSSL安裝的Windows:http://slproweb.com/products/Win32OpenSSL.html

  • bin文件夾添加到環境變量PATH

  • 創建一個目錄對於證書,我會打電話給cert-test

  • 使用以下openssl.cfg數據爲[CA_default]標籤:

[ CA_default ] 
dir  = . # Where everything is kept 
certs  = $dir/certs    # Where the issued certs are kept 
crl_dir = $dir/crl    # Where the issued crl are kept 
database = $dir/index.txt   # database index file. 
new_certs_dir = $dir/newcerts   # default place for new certs. 

certificate = $dir/cacert.pem    # The CA certificate 
serial  = $dir/serial    # The current serial number 
crl  = $dir/crl.pem    # The current CRL 
private_key = $dir/private/ca.key.pem  # The private key 
RANDFILE = $dir/.rnd  # private random number file 
  • cert_test創建目錄:certs crl newcerts private

  • 使用下面的命令創建

根CA:

openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096 

openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem 
  • 創建文件夾intermediate

  • 創建文件夾certs crl newcerts private

  • 創建文件index.txt

  • 創建文件serial,寫一個數字,它像1000

  • 執行以下

命令:

openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096 

openssl req -config intermediate/openssl.cfg -sha256 -new -key intermediate/private/intermediate.key.pem -out intermediate/certs/intermediate.csr.pem 

openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions v3_ca -notext -md sha256 -in intermediate/certs/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem 
  • 創建

鏈文件:從鏈

cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem 
  • 創建JKS文件,

keytool

keytool -importkeystore -srckeystore ia.p12 -srcstoretype PKCS12 -destkeystore ia.jks 

keytool -import -noprompt -trustcacerts -alias test_certificate -file ia.crt -keystore ia.jks -storepass helloworld 

keytool -importcert -alias test_cert_ca -keystore "c:\Program Files\Java\jdk1.8.0\jre\lib\security\cacerts" -file ca.crt 

keytool -importcert -alias test_cert_ia -keystore "c:\Program Files\Java\jdk1.8.0\jre\lib\security\cacerts" -file ia.crt 

,你可能需要導入CA證書到ia.jks。

+1

我必須缺少一些東西。我沒有看到如何從「openssl」步驟中的pem文件獲取「keytool」使用的「ca.crt」和「ia.crt」文件。 – mnemotronic 2015-08-15 19:18:36

+0

@mnemotronic不幸的是我近一年前寫過這篇文章,而且我手邊沒有這些步驟,但我認爲你很不幸是正確的。您需要從私鑰和證書(公鑰)創建PKCS12密鑰庫文件。查看如何從pem文件創建密鑰庫,如果您指定密鑰庫和提供者的類型(我記得使用它來使用bouncycastle提供者創建BKS密鑰庫),我認爲Keytool可以做到這一點。 – EpicPandaForce 2015-08-15 19:24:58

+2

爲什麼要將中間證書添加到信任庫(或任何'ia.crt')?根證書應該足夠了,因爲中間名是由root簽名的,並且此信息存儲在由中間通過擴展名簽署的所有證書中。即使在您提供的手冊(jammielinux頁面)中,也聲明根證書應該足夠了。 – waste 2016-08-21 12:47:22

相關問題