GmSSL: generating certificates, CRLs and certificate chains


Setting up the environment:

The configuration file defaults to demoCA, so we keep that default here:

mkdir -p demoCA/{certs,crl,newcerts,private}
touch demoCA/index.txt
echo "01" > demoCA/serial
echo "01" > demoCA/crlnumber

index.txt: the text database of issued certificates defined by OpenSSL; it is normally empty when initialized.

serial: the serial-number reference file used when signing certificates; the serial number is stored in hexadecimal, and the file must exist and contain a valid serial number.

crlnumber: the running CRL number used by -gencrl, also stored in hexadecimal.

Edit the configuration file /usr/local/gmssl/openssl.cnf: check that dir under “[ CA_default ]” points at ./demoCA, and adjust the attribute values under “[ usr_cert ]”

[ CA_default ]

dir = ./demoCA # Where everything is kept

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:

# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.

# Adjust keyUsage as needed
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# keyUsage = digitalSignature
# keyUsage = keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment = "GmSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Add a CRL distribution point

crlDistributionPoints = URI:http://127.0.0.1/test.crl

# Add OCSP
# Note: the OCSPSigning EKU marks the certificate itself as an OCSP responder
# signer; a certificate that merely has to be checked via OCSP only needs
# the authorityInfoAccess entry below.
extendedKeyUsage = critical, OCSPSigning
authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

Root certificate (in the same directory as demoCA; the same applies below)

gmssl ecparam -genkey -name sm2p256v1 -out Root.key

gmssl req -x509 -sm3 -days 3650 -key Root.key -out RootCA.crt -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyR"

Note: so as not to change the default settings in openssl.cnf, create symbolic links inside demoCA after generating the root certificate (this is mainly preparation for generating the CRL; if you will not generate a CRL, this step is unnecessary).

cd demoCA

ln -sf ../RootCA.crt cacert.pem

cd private    # relative to demoCA, which we are already inside

ln -sf ../../Root.key cakey.pem

cd ../..      # back to the directory that contains demoCA


CA certificate

gmssl ecparam -genkey -name sm2p256v1 -out ca.key

gmssl req -new -sm3 -extensions v3_req -key ca.key -out ca.csr -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyI"

gmssl ca -md sm3 -extensions v3_ca -batch -in ca.csr -out ca.crt -days 1850 -cert RootCA.crt -keyfile Root.key -notext

Next-level CA certificate

gmssl ecparam -genkey -name sm2p256v1 -out ca2.key

gmssl req -new -sm3 -extensions v3_req -key ca2.key -out ca2.csr -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hyS"

gmssl ca -md sm3 -extensions v3_ca -batch -in ca2.csr -out ca2.crt -days 1850 -cert ca.crt -keyfile ca.key -notext

Issuing a user certificate with the CA certificate

gmssl ecparam -genkey -name sm2p256v1 -text -out user.key

gmssl req -new -key user.key -out user.req -subj /C="CN"/ST="Beijing"/L="Beijing"/O="Hy"/OU="hy"/CN="hy"

gmssl ca -md sm3 -batch -in user.req -out user.crt -days 365 -cert ca.crt -keyfile ca.key -notext

Generating the certificate chain (the certificates are written from the end entity back towards the root: the client certificate first, the root certificate last)

# user.crt was issued by ca.crt, so the intermediate sits between the leaf and RootCA.crt
cat user.crt ca.crt RootCA.crt | tee chain.crt

 

Viewing certificates

# View the CSR
$ gmssl req -noout -text -in myserver.csr

# View certificate details
$ gmssl x509 -noout -text -in ca.pem

# View the certificate subject
$ gmssl x509 -in mysite.pem -noout -subject -nameopt multiline

# View the certificate issuer
$ gmssl x509 -in mysite.pem -noout -issuer -nameopt multiline

# Check the certificate purposes
$ gmssl x509 -purpose -noout -in client.cer

# View a DER-encoded certificate
$ gmssl x509 -inform der -in CERTIFICATE.cer -text -noout

# Convert a PEM certificate to DER
$ gmssl x509 -outform der -in certificate.pem -out certificate.cer

# Extract the certificate's public key
$ gmssl x509 -outform PEM -in server.crt -pubkey -out server.pubkey

# Look up an OID (1.2.156.10197.1.301 is the SM2 curve OID)
$ gmssl asn1parse -genstr OID:1.2.156.10197.1.301

# Derive the public key from the private key
$ gmssl pkey -in private.key -pubout -out pub.key


 

Converting a DER-encoded certificate to PEM

gmssl x509 -inform der -in CERTIFICATE.der -out CERTIFICATE.pem

Converting the user certificate to PFX format

gmssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt

Revoking a certificate
gmssl ca -revoke user.crt

Generating the certificate revocation list
gmssl ca -gencrl -out test.crl

Updating the CRL (the CRL must be regenerated by hand after every revocation)

gmssl ca -gencrl -crldays 7 -cert ca.crt -keyfile ca.key -out test.crl

-crldays 7 sets how many days the CRL stays valid; the default is one month (default_crl_days in openssl.cnf). The CRL must be signed by the CA that issued the revoked certificate, here ca.crt and ca.key because user.crt was issued by ca.crt; a CRL signed with an end-entity key is not accepted by relying parties.

Viewing the certificate revocation list

gmssl crl -in test.crl -noout -text
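The index.txt database described at the start of this post is what `ca -revoke` updates and `ca -gencrl` reads. The following parser is an added example (not part of the original post) that reads that tab-separated format and reports which serials will appear in the next CRL and which entries are past expiry but still marked V; the sample lines are constructed.

```python
"""Parse demoCA/index.txt (OpenSSL/GmSSL CA database) and report revocations."""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Constructed sample (not a real database): four issued certificates, serial 03 revoked.
# Fields: status (V/R/E), expiry, revocation time[,reason], serial (hex), file, subject.
SAMPLE_INDEX = (
    "V\t330725120000Z\t\t01\tunknown\t/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyI\n"
    "V\t330725120000Z\t\t02\tunknown\t/C=CN/ST=Beijing/L=Beijing/O=Hy/OU=hy/CN=hyS\n"
    "R\t260727120000Z\t250801093000Z,keyCompromise\t03\tunknown\t/C=CN/O=Hy/CN=hy\n"
    "V\t240101000000Z\t\t04\tunknown\t/C=CN/O=Hy/CN=hy2\n"
)


class Entry(NamedTuple):
    status: str                  # V valid, R revoked, E expired (E only after `ca -updatedb`)
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str                  # hex, as in demoCA/serial
    subject: str


def parse_time(s: str) -> datetime:
    """index.txt uses YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, rev, serial, _fname, subject = line.split("\t")
        revoked_at = reason = None
        if rev:                                  # "<time>" or "<time>,<reason>"
            when, _, reason = rev.partition(",")
            revoked_at, reason = parse_time(when), (reason or None)
        entries.append(Entry(status, parse_time(expiry), revoked_at, reason, serial, subject))
    return entries


def revoked_serials(entries: List[Entry]) -> List[str]:
    """Serials that `gmssl ca -gencrl` will put into the CRL."""
    return [e.serial for e in entries if e.status == "R"]


def stale_valid(entries: List[Entry], now: datetime) -> List[str]:
    """Expired but still marked V: the status column only changes on `ca -updatedb`."""
    return [e.serial for e in entries if e.status == "V" and e.not_after < now]
```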
 

Configuring certificate attributes for encryption and signing:

Modify the attribute values under “[ usr_cert ]” in openssl.cnf

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# keyUsage = digitalSignature
# keyUsage = keyEncipherment

With keyUsage set to Digital Signature, Non-Repudiation, Key Encipherment (bit string value e0), the certificate can be used for both encryption and signing.
With keyUsage set to Digital Signature only, the certificate has no encryption capability and can only sign.
With keyUsage set to keyEncipherment only, the certificate has no signing capability and can only encrypt.
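Why the three usages show up as e0: the keyUsage extension is a DER BIT STRING in which digitalSignature is bit 0, the most significant bit of the first content byte. This added example (not from the original post) encodes named usages to that BIT STRING and decodes it back, including the unused-bits octet that DER requires; bit numbers follow RFC 5280.

```python
"""KeyUsage named bits <-> DER BIT STRING (the e0 / 80 / 20 values above)."""
from typing import Iterable, List

# RFC 5280 4.2.1.3 bit numbers; bit 0 is the MSB of the first content octet.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def key_usage_bytes(names: Iterable[str]) -> bytes:
    """Content octets of the BIT STRING: the value displayed as e0, 80, 20, ..."""
    bits = 0
    for n in names:
        bits |= 1 << (15 - KEY_USAGE_BITS[n])       # two octets cover bits 0..8
    return bits.to_bytes(2, "big").rstrip(b"\x00")  # DER strips trailing zero octets


def key_usage_der(names: Iterable[str]) -> bytes:
    """Full DER value: tag 0x03, length, unused-bits octet, content."""
    content = key_usage_bytes(names)
    last = content[-1] if content else 0
    # DER also strips trailing zero *bits*; their count is the unused-bits octet:
    # 0xe0 -> 5 unused, 0x80 -> 7, 0x06 (keyCertSign, cRLSign) -> 1.
    unused = 0 if last == 0 else (last & -last).bit_length() - 1
    return bytes([0x03, len(content) + 1, unused]) + content


def decode_key_usage(der: bytes) -> List[str]:
    """Inverse: names of the bits set in a DER-encoded KeyUsage value."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING")
    unused, content = der[2], der[3:]
    usable = len(content) * 8 - unused
    return [name for name, pos in KEY_USAGE_BITS.items()
            if pos < usable and content[pos // 8] & (0x80 >> (pos % 8))]
```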

 

 

 
