CA OpenSSL自签名证书（服务器/客户端）

• 参考文章

https://juejin.cn/post/7092789498823573518
https://blog.csdn.net/mengting2040/article/details/120001810

使用 OpenSSL 生成证书

创建根证书

创建 Root Pair

Root Pair 即根证书的公钥和私钥，创建 Root Pair 需要在绝对安全的环境下，可以断开网络、拔掉网线和网卡，如果是在测试环境则无所谓。
首先我们创建一个 root 文件夹，用来存放根证书相关的文件：

mkdir root

创建 Root Key

可以使用 genrsa 命令创建 Root key，如下创建一个4096位的RSA私钥，并用aes256加密(密码为lettin11)，保存为root/ca.key文件

openssl genrsa -aes256 -passout pass:lettin11 -out root/ca.key 4096

创建 Root Crt

这一步就是创建根证书了，需要通过 req 子命令来创建，而且需要一个 Root CA 的 openssl.cnf 配置文件，可以复制下来自己修改（文件路径：root/openssl.cnf）

# OpenSSL root CA configuration file.
# Copy to `./root/openssl.cnf`.[ ca ]
# `man ca`
default_ca = CA_default[ CA_default ]
# Directory and file locations.
dir               = ./root
new_certs_dir     = $dir
database          = $dir/index.txt
serial            = $dir/serial# The root key and root certificate.
private_key       = $dir/ca.key
certificate       = $dir/ca.crtpolicy            = policy_strict[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

用私钥ca.key生成CA认证机构的证书ca.crt
其实就是相当于用私钥生成公钥，再把公钥包装成证书

openssl req -config root/openssl.cnf \-key root/ca.key \-passin pass:lettin11\-new \-x509 \-days 36500\-sha256 \-extensions v3_ca \-out root/ca.crt \-subj /C=CN/ST=Shanghai/L=Shanghai/O=Lettin/OU=Lettin/CN=Lettin/emailAddress=zhangyunxin@lettin.cn

创建服务器端证书

创建一个 server文件夹，用来存放服务器证书相关的文件：

mkdir server

创建服务器端key

openssl genrsa -out server/server.key 4096

ip需要换成自己服务器的外网ip地址，或者域名都可以

openssl req -subj "/CN=172.17.0.1" -sha256 -new -key server/server.key -out server/server.csr

配置白名单，多个用逗号隔开，例如： IP:172.17.0.1,IP:0.0.0.0，这里需要注意，虽然0.0.0.0可以匹配任意，但是仍然需要配置你的服务器外网ip，如果省略会造成错误，后面会讲到

echo subjectAltName = IP:172.17.0.1,IP:0.0.0.0 >> extfile.cnf

把 extendedKeyUsage = serverAuth 键值设置到extfile.cnf文件里，限制扩展只能用在服务器认证

echo extendedKeyUsage = serverAuth >> extfile.cnf

生成服务器签名的证书

openssl x509 -req -days 36500 -sha256 -passin pass:lettin11 -in server/server.csr -CA root/ca.crt -CAkey root/ca.key \-CAcreateserial -out server/server.crt -extfile extfile.cnf

创建客户端证书

创建一个 clinet文件夹，用来存放客户端证书相关的文件：

mkdir client

创建客户端key

openssl genrsa -out client/client.key 4096

生成客户端签名请求需要用到的临时文件

openssl req -subj '/CN=client' -new -key client/client.key -out client/client.csr

继续设置证书扩展属性

echo extendedKeyUsage = clientAuth >> extfile.cnf

生成客户端签名证书

openssl x509 -req -days 36500 -sha256 -passin pass:lettin11 -in client/client.csr -CA root/ca.crt -CAkey root/ca.key \-CAcreateserial -out client/client.crt -extfile extfile.cnf