Creating and Issuing a CA Root Certificate – The Intermediate Certificate
Previously I wrote "CA根证书的制作与签发 – CA根证书" (Creating and Issuing a CA Root Certificate – The CA Root Certificate).
Today we continue with chapter two: creating the intermediate certificate.
Tip: if you landed directly on this article, please read the previous chapter first; this one continues from it.
When we created our CA root certificate, the only certificate extensions we had were
root_ca_ext, signing_ca_ext and crl_ext.
Today we create an intermediate certificate dedicated to issuing EMAIL and TLS certificates.
The process for creating the intermediate certificate is essentially the same as for the CA root certificate.
As before, first create the relevant directories
# mkdir -p ca/signing-ca/private ca/signing-ca/db
Change the directory permissions
# chmod 700 ca/signing-ca/private
Create your own database
# cp /dev/null ca/signing-ca/db/signing-ca.db
# cp /dev/null ca/signing-ca/db/signing-ca.db.attr
# echo 01 > ca/signing-ca/db/signing-ca.crt.srl
# echo 01 > ca/signing-ca/db/signing-ca.crl.srl
Create the configuration file; here things differ a bit from before.
In the certificate extensions we removed root_ca_ext and signing_ca_ext and added email_ext and server_ext.
# vim conf/signing-ca.conf
# Harde Test Signing CA

[ default ]
ca = signing-ca
dir = .

[ req ]
default_bits = 2048
encrypt_key = yes
default_md = sha1
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_reqext

[ ca_dn ]
0.domainComponent = "org"
1.domainComponent = "harde"
organizationName = "Harde.org Inc"
organizationalUnitName = "Signing CA"
commonName = "Harde Signing CA"

[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash

[ ca ]
default_ca = signing_ca

[ signing_ca ]
certificate = $dir/ca/$ca.crt
private_key = $dir/ca/$ca/private/$ca.key
new_certs_dir = $dir/ca/$ca
serial = $dir/ca/$ca/db/$ca.crt.srl
crlnumber = $dir/ca/$ca/db/$ca.crl.srl
database = $dir/ca/$ca/db/$ca.db
unique_subject = no
default_days = 730
default_md = sha1
policy = match_pol
email_in_dn = no
preserve = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
x509_extensions = email_ext
default_crl_days = 7
crl_extensions = crl_ext

[ match_pol ]
domainComponent = match
organizationName = match
organizationalUnitName = optional
commonName = supplied

[ any_pol ]
domainComponent = optional
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ email_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = emailProtection,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ server_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ crl_ext ]
authorityKeyIdentifier = keyid:always
Create the certificate request
# openssl req -new \
    -config conf/signing-ca.conf \
    -out ca/signing-ca.csr \
    -keyout ca/signing-ca/private/signing-ca.key
We also set a simple passphrase: signkey
Issue the certificate:
Note that here we use test-ca to sign signing-ca.
# openssl ca \
    -config conf/test-ca.conf \
    -in ca/signing-ca.csr \
    -out ca/signing-ca.crt \
    -extensions signing_ca_ext
The passphrase prompted for here is no longer signkey but testcakey, the passphrase of the CA root certificate's private key from before.
OK, ca/signing-ca.crt is now our intermediate certificate.
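As an added example (not the article's own commands), the whole procedure of this chapter collapsed into one POSIX shell script: it builds a throwaway root CA and a pathlen:0 intermediate with openssl req and openssl ca in a temporary directory, then checks the result the way a practitioner would before trusting it: the intermediate must verify against the root, and it must carry CA:TRUE with pathlen:0 and the keyCertSign/cRLSign key usage. The CA names (Demo Root CA, Demo Signing CA), the file names and the single combined config are my own assumptions; the keys are left unencrypted (-nodes) and signed with sha256 rather than the article's encrypted keys and sha1, because SHA-1 certificate signatures are rejected by current OpenSSL security levels and by browsers.

```shell
#!/bin/sh
# Added example, not from the article. Builds a demo root CA and a
# pathlen:0 intermediate with "openssl ca" in a throwaway directory,
# then checks the intermediate the way a verifier would.
set -eu

# One config that serves both "openssl req" and "openssl ca".
# Layout, names and unencrypted keys are assumptions for this demo.
write_demo_conf() {
  cat > "$1" <<'EOF'
[ default ]
dir = .

[ req ]
default_md = sha256
distinguished_name = req_dn

[ req_dn ]

[ ca ]
default_ca = root_ca

[ root_ca ]
certificate   = $dir/root.crt
private_key   = $dir/root.key
new_certs_dir = $dir/newcerts
serial        = $dir/root.crt.srl
database      = $dir/root.db
default_days  = 730
default_md    = sha256
policy        = any_pol
# Never let a CSR inject extensions into a CA certificate.
copy_extensions = none

[ any_pol ]
commonName = supplied

[ root_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash

# Same extension set the article applies to the intermediate.
[ signing_ca_ext ]
keyUsage = critical,keyCertSign,cRLSign
basicConstraints = critical,CA:true,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# build_demo_pki DIR: leaves root.crt and signing-ca.crt in DIR.
build_demo_pki() (
  cd "$1"
  mkdir -p newcerts
  : > root.db                 # empty "openssl ca" index, as in the article
  echo 01 > root.crt.srl      # first serial number
  write_demo_conf ca.conf
  # Self-signed root (the article's test-ca).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Root CA" -config ca.conf -extensions root_ca_ext \
    -keyout root.key -out root.crt 2>/dev/null
  # Intermediate CSR, then sign it with the root through "openssl ca".
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Signing CA" -config ca.conf \
    -keyout signing-ca.key -out signing-ca.csr 2>/dev/null
  openssl ca -batch -notext -config ca.conf -extensions signing_ca_ext \
    -in signing-ca.csr -out signing-ca.crt 2>/dev/null
)

# check_signing_ca ROOT INTER: returns 0 only if INTER chains to ROOT
# and is a proper pathlen:0 signing CA, 1 otherwise.
check_signing_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$2" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE, pathlen:0' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
}

# Stand-alone run: build, check, report, clean up.
work=$(mktemp -d)
build_demo_pki "$work"
if check_signing_ca "$work/root.crt" "$work/signing-ca.crt"; then
  echo "intermediate OK: chains to root, CA:TRUE, pathlen:0"
else
  echo "intermediate FAILED checks"
fi
rm -rf "$work"
```

Two design points. First, pathlen:0 is what limits the damage of a compromised intermediate: it may sign end-entity certificates only, and any certificate it issued with CA:true is rejected by path validation. Second, the demo sets copy_extensions = none for the CA-signing step; the article's signing-ca.conf uses copy so that a subjectAltName requested in a CSR is carried into the leaf certificate. That is safe there only because email_ext and server_ext pin basicConstraints = CA:false and keyUsage themselves, since extensions already set in the CA config take precedence over the ones copied from the request.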
This post is fairly simple; it is just a direct continuation of the previous chapter.
In the next chapter we get to the real subject, and the one most people care about: how to issue certificates.
zhang
2014-04-18 2:20 PM
In the next chapter we get to the real subject, and the one most people care about: how to issue certificates. ———— Why did it stop here? Please finish it, master~
gocode
2014-11-04 12:35 AM
Master~ where's the rest... you can't leave it like this…