OpenSSL製作自簽名CA證書
2020-09-29 17:00:54
一、自簽名證書生成環境
生成工具: openssl(OpenSSL 1.1.1f)
生成系統:ubuntu(Ubuntu 9.3.0-10ubuntu2)
測試工具: curl(curl 7.68.0)
二、準備系統環境:
#進入使用者目錄
fhh@ubuntu:~$ cd /home/fhh/
fhh@ubuntu:~$ pwd
/home/fhh
#建立相關資料夾keys、demoCA、newcerts
fhh@ubuntu:~$ mkdir -p ./keys/demoCA/newcerts
#安裝tree元件用來檢視目錄
fhh@ubuntu:~$ sudo apt install tree
[sudo] password for fhh:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
tree
0 upgraded, 1 newly installed, 0 to remove and 251 not upgraded.
Need to get 43.0 kB of archives.
After this operation, 115 kB of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 tree amd64 1.8.0-1 [43.0 kB]
Fetched 43.0 kB in 1s (45.2 kB/s)
Selecting previously unselected package tree.
(Reading database ... 183583 files and directories currently installed.)
Preparing to unpack .../tree_1.8.0-1_amd64.deb ...
Unpacking tree (1.8.0-1) ...
Setting up tree (1.8.0-1) ...
Processing triggers for man-db (2.9.1-1) ...
#檢視建立的目錄結構
fhh@ubuntu:~$ tree
.
├── Desktop
├── Documents
├── Downloads
├── keys
│ └── demoCA
│ └── newcerts
├── Music
├── Pictures
├── Public
├── Templates
└── Videos
11 directories, 0 files
#建立index.txt、serial檔案
fhh@ubuntu:~$ touch ./keys/demoCA/index.txt ./keys/demoCA/serial
#檢視建立的檔案
fhh@ubuntu:~$ tree
.
├── Desktop
├── Documents
├── Downloads
├── keys
│ └── demoCA
│ ├── index.txt
│ ├── newcerts
│ └── serial
├── Music
├── Pictures
├── Public
├── Templates
└── Videos
11 directories, 2 files
#將00寫入到檔案serial
fhh@ubuntu:~$ echo 00 > ./keys/demoCA/serial
#檢視寫入的內容
fhh@ubuntu:~$ cat ./keys/demoCA/serial
00
#修改ssl組態檔openssl.cnf
#查詢openssl.con 不同的系統位置不一樣
fhh@ubuntu:~$ openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific
#本系統openssl.cnf的目錄是 /usr/lib/ssl
#修改openssl.cnf,把match 改為supplied
fhh@ubuntu:~$ vi /usr/lib/ssl/openssl.cnf
# For the CA policy
[ policy_match ]
countryName = supplied #match
stateOrProvinceName = supplied #match
organizationName = supplied #match
三、CA證書生成:
#進入keys目錄
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys
#生成CA私鑰,密碼設定為123456
fhh@ubuntu:~$ openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................+++++
........................................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
#簽發CA根證書,密碼123456
fhh@ubuntu:~/keys$ openssl req -sha256 -new -x509 -days 365 -key ca.key -out ca.crt \-subj "/C=CN/ST=Beijing/L=Beijing/O=Beijing CSSCA Technologies Co., Ltd./OU=Government affairs program development department/CN=CSSCA Root Certificate Authority"
Enter pass phrase for ca.key:
四、伺服器證書生成:
#進入keys目錄
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys
#伺服器私鑰生成
fhh@ubuntu:~/keys$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
......................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#伺服器生成請求證書crs生成,注意cat /usr/lib/ssl/openssl.cnf 路徑, 密碼123456
openssl req -new \
-sha256 \
-key server.key \
-subj "/C=NA/ST=WINDHOEK/L=WINDHOEK/O=MHAI/OU=MHAI/CN=acs.mhai.gov.na" \
-reqexts SAN \
-config <(cat /usr/lib/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
-out server.csr
fhh@ubuntu:~/keys$ openssl req -new \
> -sha256 \
> -key server.key \
> -subj "/C=NA/ST=WINDHOEK/L=WINDHOEK/O=MHAI/OU=MHAI/CN=acs.mhai.gov.na" \
> -reqexts SAN \
> -config <(cat /usr/lib/ssl/openssl.cnf \
> <(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
> -out server.csr
Enter pass phrase for server.key:
五、CA簽發伺服器證書
#進入keys目錄
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys
#CA簽發發伺服器證書 密碼123456
openssl ca -in server.csr \
-md sha256 \
-keyfile ca.key \
-cert ca.crt \
-extensions SAN \
-config <(cat /usr/lib/ssl/openssl.cnf \
<(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
-out server.crt
fhh@ubuntu:~/keys$ openssl ca -in server.csr \
> -md sha256 \
> -keyfile ca.key \
> -cert ca.crt \
> -extensions SAN \
> -config <(cat /usr/lib/ssl/openssl.cnf \
> <(printf "[SAN]\nsubjectAltName=DNS:*.acs.mhai.gov.na,DNS:acs.mhai.gov.na")) \
> -out server.crt
Using configuration from /dev/fd/63
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 27 06:46:21 2020 GMT
Not After : Sep 27 06:46:21 2021 GMT
Subject:
countryName = NA
stateOrProvinceName = WINDHOEK
organizationName = MHAI
organizationalUnitName = MHAI
commonName = acs.mhai.gov.na
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.acs.mhai.gov.na, DNS:acs.mhai.gov.na
Certificate is to be certified until Sep 27 06:46:21 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
六、生成應用伺服器p12證書
#進入keys目錄
fhh@ubuntu:~/keys$ cd /home/fhh/keys/
fhh@ubuntu:~/keys$ pwd
/home/fhh/keys
#生成伺服器應用p12證書,三次密碼都是123456
fhh@ubuntu:~/keys$ openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12
Enter pass phrase for server.key:
Enter Export Password:
Verifying - Enter Export Password:
七、SpringBoot設定:
1、把server.pkcs12拷貝到工程source目錄下
2、修改application.yml組態檔
server:
port: 443
session-timeout: 0 #Session 超時設定,單位分(0或者-1表示永不超時)
#HTTS相關設定
ssl:
key-store: classpath:server.pkcs12
enabled: true
key-store-type: PKCS12
key-store-password: 123456
八、curl測試
#設定hosts,增加acs.mhai.gov.na域名
fhh@ubuntu:~/keys$ sudo vim /etc/hosts
127.0.0.1 localhost
127.0.1.1 ubuntu
10.10.2.200 acs.mhai.gov.na
#測試連線,ca.crt是CA的根證書
fhh@ubuntu:~/keys$ curl -v --cacert ca.crt https://acs.mhai.gov.na
* Trying 10.10.2.200:443...
* TCP_NODELAY set
* Connected to acs.mhai.gov.na (10.10.2.200) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: ca.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=NA; ST=WINDHOEK; O=MHAI; OU=MHAI; CN=acs.mhai.gov.na
* start date: Sep 27 06:46:21 2020 GMT
* expire date: Sep 27 06:46:21 2021 GMT
* subjectAltName: host "acs.mhai.gov.na" matched cert's "acs.mhai.gov.na"
* issuer: C=CN; ST=Beijing; L=Beijing; O=Beijing CSSCA Technologies Co., Ltd.; OU=Government affairs program development department; CN=CSSCA Root Certificate Authority
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: acs.mhai.gov.na
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 92
< Date: Sun, 27 Sep 2020 06:57:25 GMT
<
* Connection #0 to host acs.mhai.gov.na left intact
<div style='margin-top:50px;font-size:50px;text-align:center'>Welcome to the mhai api!</div>fhh@ubuntu:~/keys$九、瀏覽器測試
1、雙擊ca.crt證書進入安裝證書業面
2、瀏覽器存取
