实验环境:
Linux ubuntu/Centos 64
x86_64 x86_64 x86_64 GNU/Linux
1、根据官网说明安装gmssl
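# Build and install GmSSL from the unpacked source archive.
unzip GmSSL-master.zip
# Stop here if the directory is missing, so ./config and make never run in the wrong tree.
cd GmSSL-master || exit 1
# Disable the optional engine modules; no-shared builds gmssl without a shared
# library, so the resulting gmssl binary no longer depends on libssl.so.
./config no-saf no-sdf no-skf no-sof no-zuc no-shared
make
sudo make install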
2、修改/usr/local/ssl/openssl.cnf配置
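# Edit the OpenSSL-style configuration file that gmssl installs under /usr/local/ssl.
# Note the slash before openssl.cnf: the path is /usr/local/ssl/openssl.cnf.
vi /usr/local/ssl/openssl.cnf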
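[ ca ]
default_ca = CA_default   # The default ca section

[ CA_default ]
#dir = ./demoCA           # Where everything is kept
dir = /home/myapp/demoCA  # Changed here: the CA directory created in step 3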
3、初始化CA目录
1)创建根目录
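# Create the CA root directory named by "dir" in openssl.cnf and work inside it.
# The following steps use relative paths, so abort if the cd fails rather than
# scattering CA files into whatever the current directory happens to be.
mkdir -p /home/myapp/demoCA
cd /home/myapp/demoCA || exit 1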
2)创建其他目录
在此路径下要创建好 /usr/local/ssl/openssl.cnf 中 certs、crl、new_certs_dir 和 private_key 所指向的子目录；其中 new_certs_dir 和 private_key 默认分别对应 newcerts 和 private。
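# Sub-directories expected by the CA_default section of openssl.cnf
# (certs, crl, new_certs_dir -> newcerts, private_key -> private).
mkdir certs crl newcerts private
# The CA's private keys live in private/; only the CA operator should be able
# to list or read it.
chmod 700 private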
3)创建好database文件index.txt
# The CA's certificate database file; it starts out empty.
touch -- index.txt
4)创建好serial文件,并写入初始序号,如01
# Seed the serial-number file with the first serial to be issued.
printf '%s\n' 01 > serial
4、生成国密证书步骤
(1)生成根证书
1)生成私钥key
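# Generate the root CA private key on the SM2 curve sm2p256v1.
gmssl ecparam -genkey -name sm2p256v1 -text -out Root.key \
  -config /usr/local/ssl/openssl.cnf
# No encryption option is given, so Root.key holds the key in the clear;
# make sure nobody but its owner can read the file.
chmod 600 Root.key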
2)生成证书签名请求
# Certificate signing request for the root CA. The subject is passed inline
# (quoted, so the spaces in ST and OU survive) to avoid interactive prompts.
root_subj='/C=CN/ST=Guang Zhou/L=GZ/O=Root/OU=Root Sign/CN=RootCA/emailAddress=Root@gmail.com'
gmssl req -new -key Root.key -out Root.req -subj "$root_subj" \
  -config /usr/local/ssl/openssl.cnf
3)生成根证书
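# Self-sign the root CSR with SM3 for ten years, producing the root CA certificate.
gmssl x509 -req -days 3650 -sm3 -in Root.req -signkey Root.key -out RootCA.crt
# NOTE(review): step 3 changed into /home/myapp/demoCA, yet these copies target a
# relative demoCA/ directory, which implies the working directory is /home/myapp.
# Confirm the current directory before running them.
cp RootCA.crt demoCA/
cp Root.key demoCA/private/
# The copied key is the CA's signing key; keep it readable only by its owner.
chmod 600 demoCA/private/Root.key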
类似于 apache/ssl/ca.crt和apache/ssl/ca.key
(2)生成中间证书(即客户端证书)
1)生成私钥
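# Generate the intermediate/client private key on the SM2 curve sm2p256v1.
gmssl ecparam -genkey -name sm2p256v1 -text -out Medium.key \
  -config /usr/local/ssl/openssl.cnf
# Written in the clear (no encryption option); restrict it to the owner,
# as done for Root.key.
chmod 600 Medium.key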
2)生成客户证书请求
# Certificate signing request for the intermediate/client certificate.
# Quoting the subject keeps the spaces in ST and OU intact.
medium_subj='/C=CN/ST=Guang Zhou/L=GZ/O=Medium/OU=Medium Sign/CN=MediumCA/emailAddress=Medium@gmail.com'
gmssl req -new -key Medium.key -out Medium.req -subj "$medium_subj" \
  -config /usr/local/ssl/openssl.cnf
3)签发证书
# Issue the intermediate/client certificate: sign Medium.req with the root CA
# certificate and key, SM3 digest, ten-year validity.
# -CAcreateserial creates the CA serial file (RootCA.srl) if it does not exist yet.
gmssl x509 -req -sm3 -days 3650 -in Medium.req \
  -CA RootCA.crt -CAkey demoCA/private/Root.key -CAcreateserial \
  -out MediumCA.crt
4)证书验证
# Check that MediumCA.crt chains to the root CA certificate.
ca_cert=RootCA.crt
gmssl verify -CAfile "$ca_cert" MediumCA.crt
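# Store the issued certificate and its key under the CA directory.
# (As with the root copies, the relative demoCA/ target assumes the working
# directory is /home/myapp, not /home/myapp/demoCA.)
cp MediumCA.crt demoCA/
cp Medium.key demoCA/private/
# Private key copy: owner-only permissions, consistent with Root.key.
chmod 600 demoCA/private/Medium.key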
5)证书转换成浏览器认识的格式 pfx
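# Bundle the client certificate and its key into a PKCS#12 (.pfx) file for browser import.
# The original passed the password as "-passout pass:xxx": a password in argv is visible
# to every local user via ps and is recorded in shell history. Omitting -passout makes
# gmssl prompt for the export password instead; for non-interactive use prefer the
# OpenSSL-style "-passout env:NAME" form (reads it from an environment variable), if this
# build supports it. -passin is not needed: Medium.key was written unencrypted above.
gmssl pkcs12 -export -inkey Medium.key -in MediumCA.crt -out test.pfx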
6) 查看证书信息
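# Convert the PKCS#12 bundle back to PEM so its contents can be inspected.
# -nodes writes the private key into cert.pem unencrypted; if only the certificate
# is needed for inspection, use -nokeys instead so no key material is written out.
gmssl pkcs12 -in test.pfx -out cert.pem -nodes
# Print the full certificate contents.
gmssl x509 -in cert.pem -noout -text
# Print the serial number (the option is -serial, written as one word).
gmssl x509 -in cert.pem -noout -serial
# Print the subject (owner) name.
gmssl x509 -in cert.pem -noout -subject
# Print the certificate fingerprint. Which digest -fingerprint uses by default depends
# on the gmssl build (the page describes it as MD5); pass a digest flag such as -sm3
# explicitly if a specific algorithm is required.
gmssl x509 -in cert.pem -noout -fingerprint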
(3)生成服务器证书
1) 生成私钥
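# Generate the server private key on the SM2 curve sm2p256v1.
gmssl ecparam -genkey -name sm2p256v1 -text -out Server.key \
  -config /usr/local/ssl/openssl.cnf
# Written in the clear (no encryption option); owner-only permissions,
# consistent with the other keys.
chmod 600 Server.key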
2) 证书请求
# Certificate signing request for the server certificate.
# Quoting the subject keeps the spaces in ST and OU intact.
server_subj='/C=CN/ST=Guang Zhou/L=GZ/O=Server/OU=Server Sign/CN=ServerCA/emailAddress=Server@gmail.com'
gmssl req -new -key Server.key -out Server.csr -subj "$server_subj" \
  -config /usr/local/ssl/openssl.cnf
3) 签发证书
# Issue the server certificate: sign Server.csr with the root CA certificate
# and key, SM3 digest, ten-year validity. -CAcreateserial reuses RootCA.srl if
# it already exists and creates it otherwise.
gmssl x509 -req -sm3 -days 3650 -in Server.csr \
  -CA RootCA.crt -CAkey demoCA/private/Root.key -CAcreateserial \
  -out ServerCA.crt
4)证书验证
# Check that ServerCA.crt chains to the root CA certificate.
ca_cert=RootCA.crt
gmssl verify -CAfile "$ca_cert" ServerCA.crt