Openssl 生成自签名证书, self-signed cert

自签名证书, self-signed cert

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
sudo pacman -S openssl

# 查看默认的 OpenSSL 配置目录
openssl version -d

# Create two directories for all certs and root private key that you will generate
mkdir certs private

# list all available curves
openssl ecparam -list_curves

# 生成 ECDSA（椭圆曲线数字签名算法）密钥对, CA 密钥, root private key
# 参数: -noout - 抑制输出椭圆曲线参数, 如果不加这个参数，命令会同时输出曲线参数和私钥,加上后只输出私钥部分
# -genkey：生成密钥对
# prime256v1 secp256r1 / NIST P-256 256 默认、安全性好、广泛兼容（TLS 默认）
openssl ecparam -name prime256v1 -genkey -out private/ca-key.pem

# read ca key
openssl ec -in private/ca-key.pem -text -noout

准备一个生成 CA 证书的配置文件 ca-cert.cnf

the value in the basicConstrains is CA:true

修改 dir

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[ ca ]
default_ca = ca_default

[ ca_default ]
dir           = /home/wiloon/apps/self-signed-cert
database      = $dir/index.txt
serial        = $dir/serial
new_certs_dir = $dir/certs

certificate   = $dir/certs/ca-cert.pem
private_key   = $dir/private/ca-key.pem

default_days  = 365
default_md    = sha256
policy        = policy

# Policy dictates what these values in any certificate signed by your root certificate should be.
[ policy ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

############################################################################################

[ req ]
prompt              = no
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = CN
stateOrProvinceName             = Liaoning
localityName                    = Dalian
0.organizationName              = wiloon
organizationalUnitName          = xpd
commonName                      = *.wiloon.com
emailAddress                    = wangyue@wiloon.com

[ v3_ca ]
subjectKeyIdentifier      = hash
authorityKeyIdentifier    = keyid:always,issuer
basicConstraints          = critical,CA:true
keyUsage                  = critical,digitalSignature,keyCertSign
nsComment                 = "OpenSSL Generated Certificate"

index.txt

每次生成新证书, 这两个文件会被自动更新, 比如后面生成 wiloon.crt 的时候

1
2
touch index.txt
echo 01 > serial

1
2
3
4
5
# Generate the root certificate from the private key and the configs
openssl req -new -x509 -days 3650 -config ca-cert.cnf -extensions v3_ca -key private/ca-key.pem -out certs/ca-cert.pem

# read ca pem, root pem 
openssl x509 -in certs/ca-cert.pem -text -noout

客户端安装自签名证书

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
# ubuntu
sudo rm /usr/local/share/ca-certificates/foo_cert.crt
sudo update-ca-certificates --fresh
# 将证书拷贝到目录“/usr/local/share/ca-certificates”
sudo cp foo_cert.crt /usr/local/share/ca-certificates
# 更新CA存储
sudo update-ca-certificates

# remove from Ubuntu
sudo rm /usr/local/share/ca-certificates/ca-cert.crt
sudo update-ca-certificates --fresh

1
2
3
# Generate the private key for one domain (某一个域名的私钥)
openssl ecparam -name prime256v1 -genkey -out wiloon.key

wiloon.cnf

the value in the basicConstrains is CA:false instead

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
[ ca ]
default_ca = ca_default

[ ca_default ]
dir           = /home/wiloon/apps/self-signed-cert
certs         = $dir/certs
database      = $dir/index.txt
new_certs_dir = $dir/certs
serial        = $dir/serial

default_days  = 365
default_md    = sha256
policy        = ca_policy

[ ca_policy ]
countryName            = supplied
stateOrProvinceName    = optional
organizationName       = supplied
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

############################################################################################

[ req ]
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req
string_mask         = utf8only

[ req_distinguished_name ]
countryName                     = CN
stateOrProvinceName             = Liaoning
localityName                    = Dalian
0.organizationName              = wiloon
organizationalUnitName          = xpd
commonName                      = *.wiloon.com
emailAddress                    = wangyue@wiloon.com

[ v3_req ]
basicConstraints     = critical,CA:false
keyUsage             = critical,digitalSignature
extendedKeyUsage     = serverAuth
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1       = wiloon.com
DNS.2       = www.wiloon.com
DNS.3       = enx-dev.wiloon.com
DNS.4       = localhost
DNS.5       = localhost.localdomain
DNS.6       = kong.wiloon.com
IP.1        = 127.0.0.1
IP.2        = 10.124.44.91 # localhost IP from Android emulators. Only for Android Developers.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# Create Certificate Signing Request (CSR)
# -key wiloon.key 指定私钥文件（用于签名 CSR）
# -config wiloon.cnf 使用自定义的 OpenSSL 配置文件
# wiloon.csr 是包含公钥信息和签名(私钥对 CSR 内容进行数字签名) 的请求文件，可以发送给 CA 来生成 .crt 证书。
openssl req -new -key wiloon.key -out wiloon.csr -sha256 -config wiloon.cnf -extensions v3_req

# read csr
openssl req -in wiloon.csr -text -noout
# 显示 CSR 里嵌的公钥
# 同时自动验证签名（如果签名无效，会报错）

# Generate Signed Certificate using the private key, configs and the CSR. 
# You also need to specify the root private key and root certifcate for signing.
# CA 会使用 CSR 里包含的公钥，来验证这个 CSR 的签名。
openssl ca -keyfile private/ca-key.pem -cert certs/ca-cert.pem -in wiloon.csr -out wiloon.crt -config wiloon.cnf -extensions v3_req

# read crt
openssl x509 -noout -text -in wiloon.crt

# To verify that the certificate is built correctly
openssl verify -CAfile certs/ca-cert.pem -verify_hostname enx-dev.wiloon.com wiloon.crt

# check crt of web site
openssl s_client -connect site.domain:443



# R 代表已经撤销的证书
cat index.txt

# deploy to nginx
scp wiloon.crt root@192.168.50.130:/var/lib/containers/storage/volumes/certbot-conf/_data/fullchain.pem
scp wiloon.key root@192.168.50.130:/var/lib/containers/storage/volumes/certbot-conf/_data/privkey.pem
podman restart nginx

增加一个域名之后重新生成证书

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
#撤消旧证书, 
# 查看 index.txt, 找到最新的版本号
cat index.txt

# 更新 csr 信息之后, 重新签发证书
# 撤销旧证书
# 注意 01.pem 是要撤消的证书
openssl ca -config ca-cert.cnf -revoke certs/04.pem

# 修改 wiloon.cnf, 加入新域名

# 重新生成  csr
openssl req -new -key wiloon.key -out wiloon.csr -sha256 -config wiloon.cnf -extensions v3_req

# 重新签发证书, 跟前面的命令是一样的
openssl ca -keyfile private/ca-key.pem -cert certs/ca-cert.pem -in wiloon.csr -out wiloon.crt -config wiloon.cnf -extensions v3_req

1
2
3
4
5
# kong upload crt
curl -i -X POST http://192.168.50.64:8001/certificates \
  --data "cert=@wiloon.crt" \
  --data "key=@wiloon.key" \
  --data "snis=kong.wiloon.com"