Building a PKI certificate hierarchy with OpenSSL

1 Create the PKI directory structure

```bash
mkdir 07_PKI
cd 07_PKI
mkdir 01_RootCA 02_SubCA 03_Client
```

2 Create the root CA

`index.txt` is the database that `openssl ca` maintains and `serial` holds the next serial number to issue (here starting at 01):

```bash
cd 01_RootCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial
```

2.1 Create the root CA key pair

2.1.1 Generate a 2048-bit RSA private key.

Note that the key is written unencrypted. For a root whose certificate will be valid for 15 years, add `-aes256` so the file is stored encrypted, and keep it offline.

```bash
cd key
openssl genrsa -out pri_key.pem 2048
```

2.1.2 Inspect the generated RSA private key.

```bash
openssl rsa -in pri_key.pem -text
```

2.1.3 Extract the RSA public key from the private key file

```bash
openssl rsa -in pri_key.pem -pubout -out pub_key.pem
```

2.2 Create the root CA certificate signing request (CSR)

2.2.1 Create the CSR

Create the root CA configuration file rootca.conf:

```bash
cd ..
touch rootca.conf
```

Contents of rootca.conf. `dir` is the absolute path on the author's Windows machine; set it to wherever you created 01_RootCA in step 1, since every other path is derived from it:

```ini
[ ca ]
default_ca  = CA_default
  
[ CA_default ]
dir         = E:/07_PKI/01_RootCA
certs       = $dir/cert
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cert/rootca_cert.crt
serial      = $dir/serial
crlnumber   = $dir/crlnumber
crl         = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE    = $dir/key/.rand
unique_subject  = no
  
x509_extensions = usr_cert
copy_extensions = copy
  
name_opt    = ca_default
cert_opt    = ca_default
  
default_days    = 5475
default_crl_days= 60
default_md  = sha256
preserve    = no
policy      = policy_ca
  
[ policy_ca ]
countryName     = supplied
stateOrProvinceName = supplied
localityName        = supplied
organizationName    = supplied
organizationalUnitName  = optional
commonName      = supplied
emailAddress    = optional
  
[ req ]
default_bits        = 2048
default_keyfile     = pri_key.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt                  = no
  
[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = GuangDong
localityName        = ShenZhen
organizationName    = TangTring
commonName          = RootCA
  
[ usr_cert ]
basicConstraints = CA:TRUE
  
[ v3_ca ]
basicConstraints = CA:TRUE
  
[ req_attributes ]
```

A few points in this file matter for security. `openssl ca` takes its extensions from the section named by `x509_extensions` (here `usr_cert`); `v3_ca` is only read by `openssl req -x509`. Because `usr_cert` says `CA:TRUE`, every certificate this root signs is itself a CA certificate. That is what section 3 needs for the sub CA, but it also means this root must never be used to sign an end-entity request.

Neither section marks basicConstraints critical or sets a key usage. A production CA profile should carry `basicConstraints = critical, CA:TRUE` and `keyUsage = critical, keyCertSign, cRLSign`, and an intermediate should add `pathlen:0` so it cannot create further CAs.

`copy_extensions = copy` copies into the certificate any extension from the CSR that the profile does not set itself, so the requester controls those fields; keep it only when the profile pins basicConstraints and keyUsage explicitly. `default_days = 5475` is 15 years, and `default_md = sha256` is the hash used for everything this CA signs. Finally, `crl_dir` and `crlnumber` refer to a directory and a file that step 2 did not create; create them before ever running `openssl ca -gencrl`.

Create the root CA certificate signing request. The signature hash is sha256, which has been OpenSSL's built-in default since 1.1.0 (older releases defaulted to sha1); if the CSR might be generated on an old build, pass `-sha256` explicitly or set `default_md = sha256` under `[ req ]`.

```bash
cd csr
openssl req -new -key ../key/pri_key.pem -out rootca_csr.pem -config ../rootca.conf
```

2.2.2 Inspect the CSR

```bash
openssl req -in rootca_csr.pem
```

Without further options the PEM encoding is printed back:

```text
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
```

To print the request in human-readable form instead of the PEM body, use `-text -noout`:

```bash
openssl req -in rootca_csr.pem -text -noout
```

Output:

```text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:
                    e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:
                    25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:
                    d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:
                    0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:
                    c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:
                    18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:
                    c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:
                    75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:
                    40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:
                    30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:
                    b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:
                    39:77:5c:4d:ad:93:69:29:33:1e:e3:a6:dd:b8:bb:
                    98:1a:4e:12:a9:e6:4f:b9:7c:93:91:52:ea:d3:45:
                    66:80:ce:cc:6b:d5:07:b9:ca:c1:99:84:3f:c9:b0:
                    c9:94:e8:e0:38:dd:6b:55:0a:97:47:47:56:4f:0c:
                    7a:e6:23:95:cc:07:fe:d2:16:23:2d:cf:7a:f9:96:
                    ab:13
                Exponent: 65537 (0x10001)
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        07:9c:56:a4:b3:7b:6e:b6:50:84:60:05:85:86:45:00:2b:8b:
        e0:cc:f3:8b:5f:57:38:fb:6b:22:19:9e:90:42:1e:98:b6:76:
        c6:ad:15:1c:40:9b:08:0a:c2:1b:ff:b3:21:3b:c7:24:d1:43:
        c9:14:cc:10:48:b6:ce:ac:86:a0:db:94:c4:65:fd:10:ce:d3:
        98:97:96:4d:54:4b:7a:c8:a1:68:49:bd:4a:ca:fb:e6:96:2c:
        74:13:61:f3:0c:08:27:44:6e:54:60:e0:83:22:d4:4d:42:15:
        64:96:9e:6b:27:a8:7b:1b:fc:94:9d:58:aa:c6:96:96:45:1d:
        a9:8b:1d:a7:d1:d0:87:13:5b:02:e2:7a:b4:37:d0:31:2f:0e:
        e2:cb:61:b5:8e:d9:52:aa:da:ed:ab:eb:d5:7c:30:38:4e:73:
        c7:a6:d4:f1:04:74:b1:99:47:e4:24:27:ec:0a:8f:5c:6d:e4:
        80:a7:d8:ab:90:7e:b4:17:93:94:1d:9e:44:76:5a:d8:bf:85:
        93:26:e2:b3:90:77:c0:35:00:f3:96:24:0a:e8:63:07:60:35:
        a9:bf:72:cc:8d:17:b6:e2:9e:91:1c:cc:24:9a:9a:c7:96:82:
        b6:a3:4c:f8:48:74:1f:88:51:f8:e4:de:16:be:76:33:f5:d2:
        2b:e8:25:8a
```

2.2.3 Verify the CSR's signature

This checks that the request was signed by the private key matching the public key it contains (proof of possession); it says nothing about who the requester is.

```bash
openssl req -verify -in rootca_csr.pem -noout
```

Output:

```text
Certificate request self-signature verify OK
```

2.3 Create the root CA's self-signed certificate

2.3.1 Generate the root CA certificate

Generate the self-signed root certificate. `-selfsign` signs the request with the `private_key` from rootca.conf, so the `certificate` entry does not need to exist yet; the serial number and validity come from the `serial` file and `default_days`:

```bash
cd ../cert
openssl ca -selfsign -in ../csr/rootca_csr.pem -out rootca_cert.crt -config ../rootca.conf
```

Output:

```text
Using configuration from ../rootca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 24 07:32:28 2024 GMT
            Not After : Sep 21 07:32:28 2039 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            localityName              = ShenZhen
            organizationName          = TangTring
            commonName                = RootCA
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 21 07:32:28 2039 GMT (5475 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
```

2.3.2 Inspect the certificate file:

View the certificate in text form:

```bash
openssl x509 -in rootca_cert.crt -text -noout
```

Output. Note that this dump is not from the `openssl ca -selfsign` run above: that run reported serial number 1 and a 5475-day validity, whereas the certificate shown has a random 20-byte serial, a 10-year validity and critical basicConstraints plus subject/authority key identifiers, which is what `openssl req -x509` produces by default on OpenSSL 3.x. Both are valid self-signed roots; just make sure the one you distribute is the one whose private key signs the sub CA.

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:31:e1:11:20:6c:0e:7b:a2:3b:fc:17:64:a4:30:a3:d7:75:b2:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
        Validity
            Not Before: Sep 24 02:52:22 2024 GMT
            Not After : Sep 22 02:52:22 2034 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:
                    e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:
                    25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:
                    d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:
                    0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:
                    c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:
                    18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:
                    c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:
                    75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:
                    40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:
                    30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:
                    b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:
                    39:77:5c:4d:ad:93:69:29:33:1e:e3:a6:dd:b8:bb:
                    98:1a:4e:12:a9:e6:4f:b9:7c:93:91:52:ea:d3:45:
                    66:80:ce:cc:6b:d5:07:b9:ca:c1:99:84:3f:c9:b0:
                    c9:94:e8:e0:38:dd:6b:55:0a:97:47:47:56:4f:0c:
                    7a:e6:23:95:cc:07:fe:d2:16:23:2d:cf:7a:f9:96:
                    ab:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6
            X509v3 Authority Key Identifier:
                D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        76:02:c3:e9:da:e5:c9:37:75:57:fd:97:62:80:9f:3b:67:a0:
        f3:32:7d:1e:3a:f4:bd:c2:e4:10:3f:b6:64:7c:2e:9a:47:e4:
        5a:56:c6:c4:fc:b9:68:2a:ef:83:d9:10:b3:e2:23:93:2c:47:
        49:4c:df:d4:3f:ea:c2:76:bb:2a:c4:a0:c6:c0:f9:2c:5a:43:
        1f:dd:84:16:89:6d:a6:b4:7c:16:58:fa:90:a9:36:0c:b1:e4:
        d8:57:30:a4:47:d9:ec:a4:df:df:57:ea:69:9a:fa:27:7c:db:
        77:5f:ad:25:84:78:8b:a5:2c:cc:22:93:01:f8:9d:65:ce:dc:
        4a:b3:a2:e7:df:b8:c4:74:ee:99:d3:27:db:1e:6a:13:e2:b1:
        d2:6d:86:05:be:f7:46:e6:4d:14:67:85:27:a2:af:6b:39:95:
        ed:b3:a3:43:3d:17:4c:5c:53:2d:42:97:47:6a:9b:bb:d2:3a:
        4e:7d:92:74:a3:51:a8:dd:d4:c7:c1:9a:e1:31:68:3c:71:ea:
        42:1b:77:09:d0:1d:29:ca:16:a7:87:28:47:f4:c9:c9:43:c1:
        1d:d6:9d:4a:27:40:c8:86:e2:39:c0:3d:a7:ad:d6:0a:ae:d2:
        f9:bf:21:aa:b8:68:23:db:83:fd:d9:72:f8:39:d4:be:1d:3f:
        f6:2c:39:e8
```

3 Create the intermediate (sub) CA certificate

The sub CA gets the same directory layout and `openssl ca` database as the root:

```bash
cd ../../02_SubCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial
```

3.1 Create the sub CA key pair

```bash
cd key
openssl genrsa -out pri_key.pem 2048
```

3.2 Create the sub CA certificate signing request

Create the sub CA configuration file:

```bash
cd ../
vim subca.conf
```

Contents of subca.conf:

```ini
[ ca ]
default_ca  = CA_default
  
[ CA_default ]
dir         = E:/07_PKI/02_SubCA
certs       = $dir/cert
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cert/subca_cert.crt
serial      = $dir/serial
crlnumber   = $dir/crlnumber
crl         = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE    = $dir/key/.rand
unique_subject  = no
  
x509_extensions = usr_cert
copy_extensions = copy
  
name_opt    = ca_default
cert_opt    = ca_default
  
default_days = 3650
default_crl_days = 30
default_md  = sha256
preserve    = no
policy      = policy_ca
  
[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName    = supplied
organizationalUnitName = optional
commonName   = supplied
emailAddress = optional
  
[ req ]
default_bits        = 2048
default_keyfile     = pri_key.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no
  
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = TangTring
commonName = SubCA
  
[ usr_cert ]
basicConstraints = CA:FALSE
  
[ v3_ca ]
basicConstraints = CA:TRUE
  
[ req_attributes ]
```

Apart from the paths, the only difference from rootca.conf is `usr_cert`, which now says `CA:FALSE`: everything the sub CA issues is an end-entity certificate. The section still sets no keyUsage or extendedKeyUsage, so the leaf certificates come out without them (see the dump in 4.4); pin them here (for a TLS server, `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth`) rather than relying on what the requester puts in the CSR.

Generate the sub CA's CSR:

```bash
cd csr
openssl req -new -key ../key/pri_key.pem -out subca_csr.pem -config ../subca.conf
```

3.3 Create the sub CA certificate

The request is signed with the root CA's configuration, so the root's `usr_cert` section (`CA:TRUE`) is applied; `-days 3650` overrides the root's `default_days`:

```bash
cd ../cert
openssl ca -in ../csr/subca_csr.pem -out subca_cert.crt -config ../../01_RootCA/rootca.conf -days 3650
```

Output:

```text
Using configuration from ../../01_RootCA/rootca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Sep 24 07:55:39 2024 GMT
            Not After : Sep 22 07:55:39 2034 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            localityName              = ShenZhen
            organizationName          = TangTring
            commonName                = SubCA
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 22 07:55:39 2034 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
```

The resulting sub CA certificate (the Authority Key Identifier equals the root's Subject Key Identifier, which is how a verifier links the two):

```text
$ openssl x509 -in subca_cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
        Validity
            Not Before: Sep 24 07:55:39 2024 GMT
            Not After : Sep 22 07:55:39 2034 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SubCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:8b:38:47:90:f9:dd:6d:79:3d:0d:1f:8e:ee:
                    e1:2b:8d:7b:ce:a9:3b:0a:03:4b:c0:d2:dc:3d:a9:
                    69:d2:49:5e:22:65:bc:96:cf:05:1d:a9:ed:a7:fb:
                    a5:03:71:30:0f:4d:7c:cb:4d:b5:bd:d0:22:5c:42:
                    83:ff:27:1f:31:c2:e3:e9:d4:b8:d1:c9:9a:3d:d1:
                    91:31:f0:56:c3:85:b9:e9:06:5b:f6:fb:82:bc:33:
                    f6:c4:e7:58:36:f3:eb:6c:ea:2d:24:b7:ca:ff:21:
                    e2:b1:00:7f:5f:d6:39:c1:16:5a:d1:c6:58:a7:db:
                    1f:cd:43:df:f3:c0:b9:ca:88:3d:f9:6d:a4:08:d2:
                    f9:58:d5:50:ea:60:e1:92:89:21:df:30:42:f6:b5:
                    ec:fe:2d:c0:03:cb:77:da:46:02:5c:ea:cf:fc:80:
                    21:1e:10:83:d0:b8:19:bc:68:77:45:ce:53:98:c9:
                    c8:89:af:3e:19:73:f1:cd:9c:92:05:34:0b:f3:4d:
                    77:2d:cc:c5:db:f0:0e:cf:c8:d9:e3:1b:da:31:d6:
                    9c:c9:3e:2c:f3:a3:90:0e:c0:a2:f5:0c:35:9e:95:
                    ed:8e:26:c8:97:2c:ec:5d:5c:93:8b:70:18:3b:a5:
                    30:c8:4c:77:3f:fe:47:10:f9:bc:1a:81:1f:13:07:
                    58:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                B6:CC:8A:AD:75:53:3A:5A:95:3D:53:20:7B:87:2E:E4:8A:90:63:F9
            X509v3 Authority Key Identifier:
                D9:C2:22:B4:CA:46:BA:AC:32:D6:AC:97:BF:81:17:09:A9:D5:04:F6
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8f:37:94:68:95:fe:91:d4:f3:ea:eb:70:10:24:02:c4:af:87:
        a6:09:60:d3:e7:5b:c4:b5:62:4b:58:d4:7a:d0:b4:15:ca:2e:
        d1:1b:32:a1:8c:7f:8b:68:43:1a:61:e4:7a:01:b1:56:30:b3:
        a5:1e:5e:d9:35:8f:cf:9a:34:80:8a:ab:7c:68:f3:54:fb:71:
        45:87:09:5f:71:0d:d2:c8:a9:36:fc:6a:5d:00:7a:d3:2a:7a:
        00:f5:d4:37:25:66:ed:0d:b2:df:3f:fd:7c:11:71:17:f0:a6:
        41:2c:d6:70:3d:76:af:ef:4d:03:ee:ba:05:8a:1b:ea:0c:5a:
        dc:ca:5e:07:b4:fc:b0:71:80:f2:bd:20:e7:5f:ca:42:51:f7:
        90:2a:cc:f5:de:be:cf:42:22:58:51:28:fa:43:af:e3:68:7b:
        11:20:35:a1:9e:0f:da:bc:e2:2a:4e:c4:9b:f7:ed:e1:65:96:
        68:4a:24:59:c2:fd:04:3d:e5:e3:4d:38:4a:0d:38:7a:0a:e3:
        fd:48:ad:88:93:f0:bb:a0:21:c3:fe:9e:ce:b5:e6:11:8b:2a:
        4b:3a:12:b0:9c:92:4c:bb:a6:1c:ba:f7:de:6f:9e:ff:6b:fa:
        d0:fa:8b:37:7b:76:be:cd:e5:e4:c6:7f:6e:43:49:ff:70:64:
        86:c0:35:e0
```

4 Issue an end-entity certificate with the sub CA

4.1 Create the end-entity configuration file

```bash
cd ../../03_Client/
mkdir key csr cert
touch client.conf
```

Contents of client.conf:

```ini
[ req ]
prompt             = no
distinguished_name = server_distinguished_name
req_extensions     = req_ext
x509_extensions = v3_req
attributes      = req_attributes
  
[ server_distinguished_name ]
countryName         = CN
stateOrProvinceName = GuangDong
localityName        = ShenZhen
organizationName    = TangTring
commonName          = SPNM04_CN
  
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  
[ req_attributes ]
  
[ req_ext ]
subjectAltName = @alternate_names
  
[ alternate_names ]
DNS.1 = SPNM04_CN.cn
DNS.2 = bbs.SPNM04_CN.cn
```

`req_extensions = req_ext` is what goes into the CSR, and `copy_extensions = copy` in subca.conf carries the subjectAltName from there into the certificate. `x509_extensions = v3_req`, on the other hand, is only used by `openssl req -x509`, so the keyUsage listed in it never reaches the CSR or the issued certificate. Two further caveats: clients match the server name against the subjectAltName entries, not the commonName, and an underscore is not a valid hostname character (RFC 1123), so a public CA would refuse these names; in a private PKI, use names your clients actually resolve.

4.2 Create the end-entity key

```bash
cd key
openssl genrsa -out pri_key.pem 2048
```

4.3 Create the end-entity certificate signing request

```bash
cd ../csr
openssl req -new -key ../key/pri_key.pem -out client_csr.pem -config ../client.conf
```

4.4 Generate the end-entity certificate

The request is signed with the sub CA's configuration, so its `usr_cert` section (`CA:FALSE`) applies and the SAN is copied from the CSR:

```bash
cd ../cert
openssl ca -in ../csr/client_csr.pem -out client_cert.crt -config ../../02_SubCA/subca.conf -days 1825
```

Output:

```text
Using configuration from ../../02_SubCA/subca.conf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 24 08:22:57 2024 GMT
            Not After : Sep 23 08:22:57 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            localityName              = ShenZhen
            organizationName          = TangTring
            commonName                = SPNM04_CN
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:SPNM04_CN.cn, DNS:bbs.SPNM04_CN.cn
Certificate is to be certified until Sep 23 08:22:57 2029 GMT (1825 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
```

The resulting end-entity certificate (issued by SubCA, with the SAN copied from the CSR and no keyUsage, as discussed above):

```text
$ openssl x509 -in client_cert.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SubCA
        Validity
            Not Before: Sep 24 08:22:57 2024 GMT
            Not After : Sep 23 08:22:57 2029 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=SPNM04_CN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:5c:fd:94:01:11:47:8e:25:6a:76:42:1d:65:
                    bc:68:dd:52:ba:1b:0e:43:98:c9:f2:27:a9:bb:13:
                    a1:e9:76:43:e3:ac:c7:7e:ab:2e:cf:fc:e6:72:0a:
                    1f:b4:0d:6c:dc:f1:c7:09:b2:09:72:d2:8f:53:6f:
                    65:bf:1a:4d:dc:80:ca:5c:c0:66:be:4c:8a:77:e5:
                    47:95:b6:96:eb:75:83:13:09:95:d6:e8:3c:ac:bf:
                    e3:96:54:b7:c6:16:ea:5c:84:15:9a:c7:9a:22:c5:
                    33:60:97:30:63:1d:37:c0:8a:6d:b4:50:1f:86:99:
                    86:1c:88:0e:bf:9e:db:c6:03:e2:85:90:32:53:2a:
                    7c:72:7c:40:1f:d7:ba:46:88:56:d8:5d:7c:c1:0c:
                    4f:95:4a:ec:53:5f:63:cf:fc:aa:43:b9:f0:23:e2:
                    f9:4c:29:30:95:4f:3b:57:af:51:ff:27:05:f9:4f:
                    15:63:2f:34:92:c6:b3:ad:fd:21:3b:9d:36:b0:c1:
                    6b:12:9c:60:d9:15:85:8f:d2:f1:ee:3c:1e:d3:c9:
                    f0:86:ee:57:36:0c:07:2a:c6:d6:85:aa:96:a2:a4:
                    7b:5c:8f:c1:22:3c:d5:4e:23:47:fa:99:87:fc:5c:
                    90:3d:5f:3d:f4:57:e6:40:c2:a9:7d:6b:47:09:87:
                    10:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:SPNM04_CN.cn, DNS:bbs.SPNM04_CN.cn
            X509v3 Subject Key Identifier:
                C1:B6:B5:FC:8A:8D:8A:21:E9:60:DE:5B:8C:C1:AB:CA:59:44:57:D4
            X509v3 Authority Key Identifier:
                B6:CC:8A:AD:75:53:3A:5A:95:3D:53:20:7B:87:2E:E4:8A:90:63:F9
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        24:2c:17:dc:80:0b:a4:61:20:18:f6:70:0b:72:26:a5:44:41:
        af:8c:76:be:d3:a9:25:e1:26:95:a2:5c:2c:5d:bd:7b:26:00:
        91:29:69:5b:20:4c:09:4a:4d:7a:b6:41:8e:d3:b7:df:7e:05:
        26:af:7f:4a:d4:97:88:10:d9:61:1b:03:1a:b4:48:db:0c:c8:
        fc:ec:58:49:dc:50:c5:8a:1c:22:7e:4a:40:a2:b3:43:b8:f9:
        f6:32:98:6e:31:46:2e:bd:2a:7e:ca:ba:07:2d:c3:9b:5f:14:
        33:2e:99:64:c0:dc:74:d3:a3:10:4c:7d:9f:26:59:5e:d5:a4:
        c7:1a:c2:08:9a:fd:eb:4d:7e:9a:23:78:94:7c:f0:1b:a5:2d:
        81:35:71:84:b1:66:dd:4e:b7:78:f6:79:ed:b6:37:e2:e8:9d:
        89:25:3e:94:76:78:00:20:d7:3f:9d:e1:71:ea:e1:5a:2d:da:
        c5:20:70:65:e5:9d:48:06:91:3a:5f:d3:92:0a:68:f2:84:de:
        a3:3f:11:10:f3:61:be:a8:eb:85:88:a1:95:f8:a5:c7:bf:d9:
        85:a7:8e:5e:38:3f:3c:dc:e3:41:0d:9d:94:c8:d5:3f:c3:33:
        59:21:da:47:03:10:49:78:12:5f:ca:55:9b:e2:54:b9:bd:75:
        92:0d:d7:79
```

5 Other commonly used openssl commands

5.1 Bundling certificates

Order matters when concatenating: the end-entity certificate comes first, followed by each intermediate on the way up, and optionally the root. A TLS server normally sends only the leaf and the intermediates, because clients must already hold the root in their trust store; `openssl verify` likewise takes the root via `-CAfile` and intermediates via `-untrusted`.

```bash
cd ../../
cat 03_Client/cert/client_cert.crt 02_SubCA/cert/subca_cert.crt 01_RootCA/cert/rootca_cert.crt | tee 03_Client/all_cert.crt
```
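The whole procedure of sections 2 to 4, plus the bundle-order point from 5.1, as one non-interactive script. This is an added example, not the post's own commands: it drives `openssl ca -batch` so the y/n prompts do not appear, uses tighter extension profiles (critical basicConstraints and keyUsage, `pathlen:0` on the sub CA, a serverAuth EKU on the leaf), has the leaf CSR deliberately request `CA:TRUE` to show that with `copy_extensions = copy` the CA's own profile wins, and finishes with `openssl verify`, including a hostname check and a check that the root alone is not enough. The organisation "Example PKI", the hostname www.example.test and the temporary directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's own commands: root CA -> sub CA -> end-entity built with
# `openssl ca -batch`, hardened extension profiles, then chain verification.
# "Example PKI" and www.example.test are made-up names for the demonstration.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
# Minimal CA config for the CA rooted at $1. Unlike the post's usr_cert/v3_ca, every
# profile pins critical basicConstraints and keyUsage; the sub CA also gets pathlen:0.
write_ca_conf() {
  cat > "$1/ca.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cert/ca_cert.crt
private_key = \$dir/key/pri_key.pem
default_md = sha256
policy = policy_any
copy_extensions = copy
[ policy_any ]
organizationName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = Example PKI
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}
# The post's layout (key/csr/cert/newcerts, index.txt, serial) plus a fresh RSA key.
init_ca_dir() {
  mkdir -p "$1/key" "$1/csr" "$1/cert" "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  openssl genrsa -out "$1/key/pri_key.pem" 2048 2>/dev/null
  write_ca_conf "$1"
}
# Build everything under $1. The leaf CSR deliberately asks for CA:TRUE: with
# copy_extensions=copy the CA's own v3_leaf profile overrides what the requester sent.
build_pki() {
  root="$1/root"; sub="$1/sub"; leaf="$1/leaf"
  init_ca_dir "$root"; init_ca_dir "$sub"; mkdir -p "$leaf"
  openssl req -new -config "$root/ca.conf" -key "$root/key/pri_key.pem" \
    -subj "/O=Example PKI/CN=Root CA" -out "$root/csr/root.csr"
  openssl ca -batch -notext -selfsign -config "$root/ca.conf" -extensions v3_root \
    -days 5475 -in "$root/csr/root.csr" -out "$root/cert/ca_cert.crt"
  openssl req -new -config "$sub/ca.conf" -key "$sub/key/pri_key.pem" \
    -subj "/O=Example PKI/CN=Sub CA" -out "$sub/csr/sub.csr"
  openssl ca -batch -notext -config "$root/ca.conf" -extensions v3_subca \
    -days 3650 -in "$sub/csr/sub.csr" -out "$sub/cert/ca_cert.crt"
  openssl genrsa -out "$leaf/pri_key.pem" 2048 2>/dev/null
  openssl req -new -config "$sub/ca.conf" -key "$leaf/pri_key.pem" \
    -subj "/O=Example PKI/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test" \
    -addext "basicConstraints=critical,CA:TRUE" -out "$leaf/leaf.csr"
  openssl ca -batch -notext -config "$sub/ca.conf" -extensions v3_leaf \
    -days 365 -in "$leaf/leaf.csr" -out "$leaf/leaf.crt"
  # Bundle in the order a TLS server sends it: entity certificate first, then the sub CA.
  cat "$leaf/leaf.crt" "$sub/cert/ca_cert.crt" > "$leaf/chain.pem"
}
# "ok" when the leaf chains to the root via the sub CA and the name matches its SAN.
verify_leaf() {
  openssl verify -CAfile "$1/root/cert/ca_cert.crt" -untrusted "$1/sub/cert/ca_cert.crt" \
    -verify_hostname www.example.test "$1/leaf/leaf.crt" >/dev/null 2>&1 && echo ok || echo fail
}
# "ok" when the root alone is NOT enough: the intermediate has to be supplied too.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root/cert/ca_cert.crt" "$1/leaf/leaf.crt" >/dev/null 2>&1 && echo unexpected || echo ok
}
# The CA flag actually issued to the leaf, despite the CSR asking for CA:TRUE.
leaf_ca_flag() {
  openssl x509 -in "$1/leaf/leaf.crt" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}
# Subject CN of the first certificate in the bundle: must be the entity certificate.
bundle_first_cn() {
  openssl x509 -in "$1/leaf/chain.pem" -noout -subject | sed 's/.*CN *= *//'
}
if [ "${1:-}" = run ]; then   # usage: sh pki_demo.sh run
  work=$(mktemp -d); build_pki "$work"
  echo "chain=$(verify_leaf "$work") root-only=$(verify_without_intermediate "$work")"
  echo "leaf=$(leaf_ca_flag "$work") bundle-first-cn=$(bundle_first_cn "$work")"
fi
```

Run it as `sh pki_demo.sh run`: the chain check prints `ok`, the root-only check prints `ok` because verification fails without the intermediate, the leaf comes out as `CA:FALSE` even though its CSR asked for `CA:TRUE`, and the first certificate in the bundle is the leaf. The single config template serves all three roles because `openssl ca -extensions` selects the profile at signing time, which keeps the issuing policy with the CA rather than with the requester.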

5.2 Converting between PEM and DER

Convert an RSA private key to DER:

```bash
openssl rsa -inform pem -in pri_key.pem -outform der -out pri_key.der
```

Re-encode a .crt certificate as .pem. The .crt files written by `openssl ca` above are already PEM, so this only changes the file name and strips the text preamble that `openssl ca` writes before the PEM block:

```bash
openssl x509 -in client_cert.crt -outform pem -out client_cert.pem
```

Convert a PEM certificate (.crt or .pem) to DER:

```bash
openssl x509 -inform pem -in client_cert.crt -outform der -out client_cert.der
openssl x509 -inform pem -in client_cert.pem -outform der -out client_cert.der
```

Convert a DER certificate back to PEM:

```bash
openssl x509 -inform der -in client_cert.der -outform pem -out client_cert.pem
```