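# Generate the CA private key (RSA-2048).
# The key is written unencrypted: genrsa is given no cipher option, and the
# -nodes flag on the req command below is inert because the key is supplied
# rather than generated. Anyone who can read this file can issue certificates
# that every client trusting the CA will accept, so keep ./private/ out of
# backups and repositories and restrict its permissions.
# umask 077 guarantees the file is created mode 0600 even on OpenSSL builds
# that do not already do so for private-key output; the subshell keeps the
# umask change local to this one command.
(umask 077; openssl genrsa -out ./private/cakey.pem 2048)
# Issue the self-signed CA certificate, valid for 10 years, using the [req],
# [dn] and [v3_ca] sections of openssl.cnf; -extensions v3_ca selects the
# extension section explicitly (same as x509_extensions in [req]).
openssl req -config openssl.cnf -x509 -new -nodes -key ./private/cakey.pem -days 3650 -out cacert.pem -extensions v3_ca
# Convert PEM -> DER so the certificate can be imported on Windows.
openssl x509 -in cacert.pem -outform DER -out cacert.der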
以上命令生成了一个符合EV SSL要求的CA证书。
命令不复杂,但是配置文件复杂,我把参数都配置到openssl.cnf中了,这个文件是从/etc/ssl/openssl.cnf复制过来,然后根据需要做对应的修改。下面只列出了需要修改的部分
[ new_oids ]
# Custom certificate-policy OID; the author marks it as required for an EV CA
# and notes that the value only needs to be globally unique.
# NOTE(review): 2.16.840.1.113730.1.* is the Netscape certificate-extension arc,
# so this value is not a privately assigned OID. A policy OID you publish should
# come from an arc you control (e.g. under your own private enterprise number);
# confirm before using this outside a lab. [polsect] repeats the same value
# numerically in policyIdentifier.
ev_policy = 2.16.840.1.113730.1.100
[req]
# Key size used when openssl req generates a key itself; the commands above
# pass an existing key, so this is only a fallback.
default_bits = 2048
# Section holding the subject DN fields.
distinguished_name = dn
# Do not prompt interactively for DN fields; take them from [dn] as written.
prompt = no
# Extensions added to a CSR (-new without -x509).
req_extensions = v3_req
# Extensions added to a self-signed certificate (-x509); the command above also
# passes -extensions v3_ca explicitly.
x509_extensions = v3_ca
[dn]
# Adjust this part as needed; the fields appear in the certificate subject in
# the order listed here.
C="CN"
ST="Shanghai"
L="Shanghai"
O="hetao"
OU="squid"
# NOTE(review): this address is embedded verbatim in a certificate that is
# distributed to every client trusting the CA; use a role address if exposing a
# personal one is not intended.
emailAddress="tao@hetao.me"
# For a domain (end-entity) certificate this must be the hostname; for a CA
# certificate any descriptive name will do.
CN="Squid CA"
[ v3_req ]
# Extensions to add to a certificate request
# This section is used when issuing the customer (end-entity) certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# NOTE(review): if server certificates are ever signed manually with this
# section, current browsers also expect subjectAltName (a CN alone is no longer
# matched against the hostname) and extendedKeyUsage = serverAuth; neither is
# set here. Squid generates its own leaf certificates from the CA, so this may
# be moot — confirm against how leaf certificates are actually produced.
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
# subjectKeyIdentifier, authorityKeyIdentifier, basicConstraints and keyUsage
# are needed on any CA certificate, basicConstraints and keyUsage above all.
# Author's observation: without "basicConstraints = critical, CA:true" Firefox
# does not accept the CA certificate (other browsers tolerate its absence).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
# NOTE(review): keyCertSign and cRLSign are what a CA signing key needs;
# keyEncipherment serves no purpose on a CA certificate and only widens what
# the key is permitted to do — consider dropping it unless something relies on it.
keyUsage = critical, digitalSignature, cRLSign, keyCertSign, keyEncipherment
# Not required for a root CA; needed for an intermediate CA (author's note).
# NOTE(review): some validators treat EKU on a CA certificate as a constraint on
# what it may issue, so this list effectively defines the purposes the CA can
# sign for. codeSigning and emailProtection are far broader than the serverAuth
# the Squid use case needs; least privilege would trim this list.
extendedKeyUsage = serverAuth, clientAuth, codeSigning,emailProtection
# CA/B Forum policy OIDs:
#   DV certificate: 2.23.140.1.2.1
#   IV certificate: 2.23.140.1.2.3
#   OV certificate: 2.23.140.1.2.2
#   EV certificate: 2.23.140.1.1
# These four are meant for the customer (end-entity) certificates; for an EV CA
# only the custom ev_policy OID is needed (a non-EV CA needs none of them).
# NOTE(review): these OIDs assert conformance with the CA/B Forum Baseline / EV
# requirements. Browsers grant EV treatment from root-store metadata, not from
# the OID alone, so a private CA asserting them gains nothing and misstates its
# policy — confirm they are wanted here.
certificatePolicies = 2.23.140.1.1,2.23.140.1.2.1,2.23.140.1.2.2,2.23.140.1.2.3,@polsect
# Require an explicit policy in certificates further than 3 steps down the
# path (RFC 5280 policyConstraints semantics).
policyConstraints = requireExplicitPolicy:3
# Revocation lookup (OCSP); the author marks it required for an EV CA and
# unnecessary for a non-EV CA.
# NOTE(review): OCSP responders are conventionally published over plain http://,
# because validating an https:// responder's own certificate can itself require
# an OCSP lookup. Also make sure this URL really answers OCSP requests, or
# clients that hard-fail on revocation checks will reject every certificate.
authorityInfoAccess = OCSP;URI:https://ocsp.hetao.me/
[polsect]
# Policy information for the custom OID (the same value as ev_policy in
# [new_oids], written out numerically here).
policyIdentifier=2.16.840.1.113730.1.100
# CPS pointers: URLs where the certification practice statement is published.
# NOTE(review): relying parties may fetch these; they should resolve to a real
# document describing how the CA operates.
CPS.1 = "https://cer.hetao.me"
CPS.2 = "https://ca.hetao.me"
# User notice qualifier, defined in the [notice] section.
userNotice.1 = @notice
[notice]
# Display text of the user notice; the UTF8: prefix selects the string type.
explicitText = "UTF8:squid notice"
# Organization named in the notice reference.
organization = "hetao"
# Notice numbers carried alongside the organization name.
noticeNumbers = 1, 2, 3, 4
以上生成的CA证书我是在squid里面用的,当然用这个CA手动签发域名证书也是可以的。因为squid只需要CA证书就行,关于签发域名证书方法就不赘述了。
参考:
https://vircloud.net/operations/sign-ip-crt.html
https://vircloud.net/exp/openssl-ev.html
https://blog.csdn.net/sinat_38816924/article/details/124233402