OpenSSL是什么

OpenSSL是一个开源的程序套件,这个套件由三部分组成:

本文主要介绍,使用OpenSSL自建CA、使用OpennSSL生成SSL证书、吊销证书。


基础概念

数字证书颁发过程一般为:

数字证书工作原理:

证书的内容包括:CA的信息、公钥用户的信息、公钥、CA的签字和有效期等等。证书的格式和验证方法普遍遵循X.509国际标准。

由CA吊销证书意味着,CA在证书正常到期之前撤销其使用该密钥对的有关声明。在吊销的证书到期之后,CRL中的有关条目被删除,以缩短CRL列表的大小。
在验证签名期间,应用程序可以检查CRL,以确定给定证书和密钥对是否可信。如果不可信,应用程序可以判断吊销的理由或日期对使用有疑问的证书是否有影响。如果日期早于该证书被吊销的日期,那么该证书仍被认为是有效的。
应用程序在获得CRL之后,可以缓存下来,在它到期之前将一直使用它。如果CA发布了新的CRL,那么拥有有效CRL的应用程序并不使用新的CRL,直到应用程序拥有的CRL到期为止。


使用OpenSSL自建CA

初始化环境:

$ mkdir /var/MyCA
$ cd /var/MyCA
$ mkdir certs private
$ chmod g-rwx,o-rwx private
$ echo "01" > serial
$ touch index.txt

创建完CA之后的目录结构如下:

[root@iZ23dastruaZ MyCA]# tree .
.
├── cacert.pem             # CA证书(内含公钥)
├── certs                # 该目录下保存CA颁发的所有证书的副本
├── index.txt              # 排序数据库,用来追踪已经颁发的证书
├── openssl.cnf            # openssl的配置文件
├── private              # 保存CA证书的私钥的目录
│   └── cakey.pem        # CA证书的私钥
└── serial               # 用来追踪最后一次颁发的证书的序列号

2 directories, 5 files

创建openssl的配置文件openssl.cnf,内容如下:

[ ca ]
default_ca = myca

[ myca ]
dir = /var/MyCA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial

default_crl_days = 7
default_days = 365
default_md = sha256

policy = myca_policy
x509_extensions = certificate_extensions

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName= supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints= CA:false
[ req ]
default_bits = 2048
default_keyfile = /var/MyCA/private/cakey.pem
default_md = sha256
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = My Test CA                     # 名称
stateOrProvinceName = BJ                     # 州或省的码
countryName = CN                          # 国家的码
emailAddress = test@cert.com                 # 邮箱地址
organizationName = Root Certification Authority
[ root_ca_extensions ]
basicConstraints = CA:true

把所有必要的信息都写进配置文件,而不是在命令行输入,这是唯一指定X.509v3扩展的方式,也能让我们对如何创建根证书有清晰的把握。

openssl命令指定配置文件有两种方式:

使用下面的命令:
openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365 -config /var/MyCA/openssl.cnf
OPENSSL_CONF=/var/MyCA/openssl.cnf openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365生成根证书(其中,-days 365是证书的有效期)。

下面验证一下CA证书:

[root@iZ23dastruaZ MyCA]# openssl x509 -in cacert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12778548659037981755 (0xb156864d3f00cc3b)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Test 06 29 2016, ST=BJ, C=CN/emailAddress=jordan23nbastar@yeah.net, O=Root Certification Authority
        Validity
            Not Before: Jun 29 07:08:24 2016 GMT
            Not After : Jun 29 07:08:24 2017 GMT
        Subject: CN=Test 06 29 2016, ST=BJ, C=CN/emailAddress=jordan23nbastar@yeah.net, O=Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:2c:54:34:2b:a9:30:3e:51:20:c3:ad:21:b7:
                    21:9e:5c:f8:23:7a:4a:12:0f:9b:30:a8:1b:5f:10:
                    7e:51:01:ed:64:61:04:bb:28:82:16:05:5b:5a:e8:
                    5b:b6:21:73:68:eb:d7:89:db:a0:d7:ce:8a:92:f5:
                    8f:b3:92:ea:cd:d5:05:dd:49:a1:c4:7e:fd:1e:60:
                    8d:71:a4:e9:d5:35:ad:e8:c7:1a:e8:6d:52:6d:ff:
                    30:b1:ff:80:7d:59:4c:91:ca:67:c2:56:d6:ad:5b:
                    8c:58:ea:70:b3:60:97:0e:98:d5:35:46:f3:fb:ad:
                    57:ef:a6:55:b2:b5:13:f7:47:a8:c1:31:06:86:fc:
                    8a:ae:08:2e:fd:9e:ae:fe:f7:d5:35:c7:d4:45:de:
                    79:70:d8:c6:73:bd:47:75:90:24:d0:22:f4:f8:76:
                    f2:e8:2a:ef:3f:64:16:a7:8d:40:b0:94:76:f3:56:
                    7f:61:b4:54:c0:76:5f:33:a1:61:97:33:98:21:5c:
                    ec:88:95:3e:56:f1:2f:be:d9:68:cb:90:84:42:00:
                    24:49:c0:26:19:0f:f3:09:f7:06:1d:3b:b7:29:ac:
                    b3:31:ee:23:f5:58:c9:4e:de:5f:82:02:5a:50:87:
                    fe:72:5d:6c:4c:65:bb:59:1e:42:ab:20:42:c8:6b:
                    4f:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
         af:9a:28:1b:67:44:87:d1:cc:cb:1f:e7:88:e5:74:f3:cd:d5:
         ca:cc:f6:51:f9:e6:31:c2:93:c4:37:18:0a:29:29:68:b2:41:
         d7:37:be:40:5d:87:04:d8:b2:03:4a:8e:fc:5e:b0:9a:bc:4c:
         2d:88:69:90:63:21:34:16:e2:30:7f:76:c0:b8:64:79:e3:0f:
         2e:f6:91:af:a3:fd:c2:45:40:68:5f:19:a0:e3:6e:19:d1:2a:
         21:32:76:32:15:03:79:c3:da:aa:1d:1e:97:c4:de:d8:40:4a:
         df:75:4f:a6:61:ed:d5:54:40:be:30:f4:0d:ac:86:2a:30:7d:
         c3:28:69:e9:7b:b3:c0:19:8e:86:e7:7d:f3:55:04:ee:b1:6f:
         98:f8:33:0d:16:4b:bb:d5:3d:e1:0c:31:13:1d:a6:ee:40:1f:
         5f:d8:fb:b9:bc:4c:8b:4b:b9:d9:5b:b2:0d:f9:3c:84:16:90:
         eb:25:33:af:cf:e5:94:94:dc:a5:64:8b:22:d0:ad:55:a7:50:
         fe:e6:91:9e:98:2e:3c:03:04:2d:5a:54:97:7a:a7:c6:9f:dc:
         11:86:2d:43:1d:7c:b1:48:27:c9:77:a7:3f:93:d6:ee:96:f5:
         ef:27:2c:88:fd:64:30:28:fb:72:4b:cc:be:99:d4:67:00:e4:
         c7:21:b4:4b

使用OpenSSL生成证书

使用上面自建的CA给CSR文件签名:

$cd /var/MyCA/
$openssl ca -in cert.csr -config /var/MyCA/openssl.cnf

生成的证书被放到了certs目录,并且index.txt和serial的内容也发生了变化。


使用OpenSSL吊销证书和生成CRL

[root@iZ23dastruaZ MyCA]# openssl ca -revoke certs/01.pem -config /var/MyCA/openssl.cnf 
Using configuration from /var/MyCA/openssl.cnf
Enter pass phrase for /var/MyCA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
openssl ca -gencrl -out testca.crl -config /var/MyCA/openssl.cnf #还可以添加-crldays和-crlhours参数来说明下一个吊销列表将在多少天(或多少小时候)后发布

可以用以下命令检查testca.crl的内容:

[root@iZ23dastruaZ MyCA]# openssl crl -in testca.crl -text -noout
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: /CN=Test 06 29 2016/ST=BJ/C=CN/emailAddress=jordan23nbastar@yeah.net/O=Root Certification Authority
        Last Update: Jun 29 07:45:30 2016 GMT
        Next Update: Jul  6 07:45:30 2016 GMT
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jun 29 07:34:11 2016 GMT
    Signature Algorithm: md5WithRSAEncryption
         45:ac:4e:f5:be:e2:ee:87:5f:99:d7:20:a3:14:aa:3c:18:46:
         e9:75:92:0b:86:f2:52:1a:cf:24:70:f5:da:ec:fc:77:6f:2d:
         ee:be:4f:ab:39:89:89:ff:6c:b8:89:a9:10:4a:4a:45:3c:15:
         cc:78:5b:de:b0:99:40:72:bd:5d:d2:a3:49:4a:90:94:74:4d:
         80:4e:6f:21:29:81:f8:a7:25:c7:b9:6c:e5:68:76:a9:d3:89:
         8d:a0:f3:ce:42:6e:f0:34:63:a0:47:37:2d:12:e6:16:8e:c6:
         20:4c:e8:77:6b:8a:77:ff:95:83:02:b9:3f:d7:46:3d:64:62:
         f5:a6:39:db:c8:26:e0:e0:a0:eb:97:6a:7e:2c:2c:6d:78:32:
         2d:fc:09:f4:92:96:1d:22:7b:6c:37:71:53:51:26:bb:4d:b7:
         cd:7b:51:ae:49:7e:54:06:55:c1:db:5d:e5:61:4a:c2:ac:93:
         7b:c8:c6:fc:f0:ee:68:bd:67:33:78:1e:9c:a3:dd:1c:48:2d:
         93:0c:e5:2b:ae:f1:55:07:ae:03:e3:17:f5:d5:b7:4d:b1:26:
         ce:c7:6a:78:46:a4:cb:e1:35:07:8f:60:c1:98:44:4a:f4:3d:
         1a:2f:9f:4a:2c:c8:a3:8a:2e:2a:5a:dd:d9:54:4e:54:73:c1:
         75:b0:77:cd