SSL Basics (20): Signing other certificates with the x509 subcommand

news/2024/12/2 12:52:03/

The ca subcommand works from a prepared CSR file and, with the -selfsign option, can produce a self-signed certificate from the specified private key. The req subcommand can also generate self-signed certificates. In practice, self-signed certificates are mostly used to create CA certificates, so this article shows how to use the x509 subcommand together with a self-signed CA certificate to sign the certificate signing request (CSR) files of other certificates.

Preparation: create a self-signed certificate

There are several ways to generate a self-signed certificate. Here we use the simplest one and directly generate a private key and certificate file that can serve as the CA.

[root@liumiaocn x509]# openssl req -new -x509 -keyout ca.key  -nodes -out ca.crt -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a RSA private key
...........................................................................................................................................+++++
............+++++
writing new private key to 'ca.key'
-----
[root@liumiaocn x509]# ls -l
total 8
-rw-r--r--. 1 root root 1342 Dec 14 21:04 ca.crt
-rw-------. 1 root root 1708 Dec 14 21:04 ca.key
[root@liumiaocn x509]#

Checking the result

[root@liumiaocn x509]# openssl x509 -noout -in ca.crt -issuer -subject
issuer=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
[root@liumiaocn x509]# 
[root@liumiaocn x509]# openssl x509 -noout -in ca.crt -dates
notBefore=Dec 15 02:04:19 2019 GMT
notAfter=Jan 14 02:04:19 2020 GMT
[root@liumiaocn x509]#

The details are as follows:

[root@liumiaocn x509]# cat ca.key 
-----BEGIN PRIVATE KEY-----
(key material omitted)
-----END PRIVATE KEY-----
[root@liumiaocn x509]# 
[root@liumiaocn x509]# cat ca.crt 
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[root@liumiaocn x509]# 

Signing with the x509 subcommand

Step 1: generate the certificate signing request (CSR) file

Signing has a prerequisite, and the CSR file is that prerequisite. Applying for a paid certificate from a commercial CA also requires providing a CSR; it may be presented in a different format, but in the end the CA works from a CSR of essentially the same kind.

Example command: openssl req -new -out request-bj.csr -nodes -subj "/C=CN/ST=BeiJing/L=BeiJing/O=devops/OU=dev/CN=devops.com"

For example, the following CSR file is generated here:

[root@liumiaocn x509]# ls
ca.crt  ca.key
[root@liumiaocn x509]# openssl req -new -out request-bj.csr -nodes -subj "/C=CN/ST=BeiJing/L=BeiJing/O=devops/OU=dev/CN=devops.com"
Generating a RSA private key
................................+++++
...................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn x509]# ls
ca.crt  ca.key  privkey.pem  request-bj.csr
[root@liumiaocn x509]# cat request-bj.csr 
-----BEGIN CERTIFICATE REQUEST-----
(request body omitted)
-----END CERTIFICATE REQUEST-----
[root@liumiaocn x509]# cat privkey.pem 
-----BEGIN PRIVATE KEY-----
(key material omitted)
-----END PRIVATE KEY-----
[root@liumiaocn x509]# 

Step 2: sign with the x509 subcommand and the CA certificate

Use the -CA and -CAkey options to specify the CA's certificate and private key files, then sign the CSR file to obtain the signed certificate file cert-test-bj.crt.

[root@liumiaocn x509]# ls
ca.crt  ca.key  privkey.pem  request-bj.csr
[root@liumiaocn x509]# openssl x509 -req -in request-bj.csr -CA ca.crt -CAkey ca.key -out cert-test-bj.crt -CAcreateserial
Signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = dev, CN = devops.com
Getting CA Private Key
[root@liumiaocn x509]#

The result is checked as follows

[root@liumiaocn x509]# ls
ca.crt  ca.key  ca.srl  cert-test-bj.crt  privkey.pem  request-bj.csr
[root@liumiaocn x509]# 
[root@liumiaocn x509]# cat ca.srl 
7501AB7B9A89D78837CB3C6B2F38B224D0E0BF13
[root@liumiaocn x509]# cat cert-test-bj.crt 
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[root@liumiaocn x509]# openssl x509 -noout -issuer -subject -dates -in cert-test-bj.crt 
issuer=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = dev, CN = devops.com
notBefore=Dec 15 02:13:11 2019 GMT
notAfter=Jan 14 02:13:11 2020 GMT
[root@liumiaocn x509]# 

As can be seen, the certificate's issuer and subject are no longer identical as they were in the earlier self-signed example: the issuer here is supplied by the CA certificate ca.crt, and the subject shows exactly what was set in the certificate signing request.
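The whole flow above (self-signed CA, CSR, x509 -req signing), as an added example that is not part of the original post: it rebuilds the files in a scratch directory with the same subject names and then checks the result the way a relying party would, with openssl verify, plus the issuer/subject and ca.srl comparisons the article reads off by eye. The 30-day validity and rsa:2048 key size are assumptions chosen to match the dates shown above.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds ca.key/ca.crt,
# privkey.pem/request-bj.csr and cert-test-bj.crt inside a directory and
# verifies the signed certificate against the CA.
set -eu

# Build the CA, the CSR and the CA-signed certificate inside directory $1.
build_chain() {
  dir="$1"
  # self-signed CA certificate (issuer == subject); -days 30 is an assumption
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com" 2>/dev/null
  # CSR for the BeiJing entity, generated together with its own private key
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$dir/privkey.pem" -out "$dir/request-bj.csr" \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=devops/OU=dev/CN=devops.com" 2>/dev/null
  # sign the CSR with the CA; -CAcreateserial writes ca.srl on first use
  openssl x509 -req -days 30 -in "$dir/request-bj.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/cert-test-bj.crt" 2>/dev/null
}

# Return 0 only if cert-test-bj.crt in $1 chains to ca.crt, its issuer equals
# the CA's subject, it is not self-signed, and its serial is the one in ca.srl.
verify_chain() {
  dir="$1"
  # 1. cryptographic check: the signature must verify against the CA certificate
  openssl verify -CAfile "$dir/ca.crt" "$dir/cert-test-bj.crt" >/dev/null 2>&1 || return 1
  # 2. naming check: leaf issuer == CA subject, and leaf issuer != leaf subject
  ca_subject=$(openssl x509 -noout -subject -in "$dir/ca.crt" | sed 's/^subject=//')
  leaf_issuer=$(openssl x509 -noout -issuer -in "$dir/cert-test-bj.crt" | sed 's/^issuer=//')
  leaf_subject=$(openssl x509 -noout -subject -in "$dir/cert-test-bj.crt" | sed 's/^subject=//')
  [ "$ca_subject" = "$leaf_issuer" ] || return 1
  [ "$leaf_subject" != "$leaf_issuer" ] || return 1
  # 3. bookkeeping check: the serial in the certificate is the one recorded in ca.srl
  cert_serial=$(openssl x509 -noout -serial -in "$dir/cert-test-bj.crt" | sed 's/^serial=//')
  file_serial=$(tr -d '[:space:]' < "$dir/ca.srl")
  [ "$cert_serial" = "$file_serial" ] || return 1
}

# stand-alone run: ./sign-and-verify.sh --run
if [ "${1:-}" = "--run" ]; then
  work=$(mktemp -d)
  build_chain "$work" && verify_chain "$work" && echo "chain ok in $work"
fi
```

Note that x509 -req used this way copies no extensions from the CSR, so the signed certificate carries no subjectAltName or key usage; for anything a browser or TLS client must accept, pass the wanted extensions with -extfile.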
