本文介绍的OpenSSL脚本
- 采用自签名CA,以方便多份证书的签发和使用
- 支持SAN(主体备用名称)
- 包含各种文件格式的导出脚本,并简述文件用法
mkdir ssl cd ssl mkdir certs private csr conf # intial directory structure # ssl/ # ├── certs/ # ├── conf/ # │ ├── ca.conf # │ └── localhost.conf # ├── csr/ # └── private/解释扩展名
Notes on file extensions *.crt - PEM-encded single certificate or multiple certificates *-cert.crt signed certificate (-----CERTIFICATE-----) *-chain.crt list of certificates from intermediates to root *.key - PEM-encoded private key *-rsa.key PKCS#1 (-----RSA PRIVATE KEY-----) *.key PKCS#8 (-----PRIVATE KEY-----) or SEC1 (-----EC PRIVATE KEY-----) *.jks - JKS kind of Java keystore (certificate + private key) *.jts - JKS-type truststore (certificates) *-cert.p12 - PKCS12-type keystore (certificate + private key) *-chain.p12 - PKCS12-type truststore (certificates) *.pfx - PKCS12-type Microsoft PFX准备配置文件conf/ca.conf以创建CA
[ req ] default_bits = 2048 default_keyfile = private/ca-encrypted.key distinguished_name = subject req_extensions = req_ext x509_extensions = v3_ca # The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description). # Its sort of a mashup. For example, RFC 4514 does not provide emailAddress. [ subject ] # Country Name (2 letter code) C=CN # State or Province Name (full name) ST=BJ # Locality Name (eg, city) L=Beijing # Organization Name (eg, company) O=WebDev Org # Organization Unit (eg, department, sub-company, job-type, regions) OU=IT Dept # Common Name (e.g. server FQDN or Authority Name) CN=WebDev CA [ req_ext ] subjectKeyIdentifier = hash basicConstraints = CA:TRUE keyUsage = digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning [ v3_ca ] basicConstraints = critical,CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always keyUsage = critical, cRLSign, digitalSignature, keyCertSign #subjectAltName = @alt_ica extendedKeyUsage = clientAuth, serverAuth, codeSigning创建CA
# # create CA # # 1. generate a rsa key for CA openssl genrsa -aes256 -out private/ca-rsa.key 2048 # 2. convert private key from PKCS#1 to PKCS#8 openssl pkcs8 -topk8 -inform PEM -in private/ca-rsa.key -outform PEM -out private/ca-encrypted.key # 3. create ca certificate openssl req -new -config conf/ca.conf -subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=WebDev CA" -x509 -sha256 -days 3650 -key private/ca-encrypted.key -out certs/ca.crt创建证书签名请求
# # create certificate signing request # # the domain name (e.g. example.com) domain=localhost # 1. create a server rsa key openssl genrsa -out private/$domain-rsa.key 2048 # 2. convert rsa key to pkcs8 key (without password protection) openssl pkcs8 -topk8 -nocrypt -inform PEM -in private/$domain-rsa.key -outform PEM -out private/$domain.key # 3. create a server certificate request openssl req -new -sha256 -subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=localhost" -key private/$domain.key -out csr/$domain.csr准备配置文件conf/localhost.conf以签发证书请求
[ x509_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer basicConstraints = CA:FALSE keyUsage = digitalSignature subjectAltName = @alternate_names extendedKeyUsage = serverAuth,clientAuth [ alternate_names ] DNS.1 = localhost DNS.2 = loopback IP.1 = 127.0.0.1 IP.2 = 127.0.1.1签发证书请求
# # sign a certificate request # # the domain name (e.g. localhost) domain=localhost # 1. sign a certificate openssl x509 -req -days 730 -in csr/$domain.csr -CA certs/ca.crt -CAkey private/ca-encrypted.key -CAserial certs/ca.srl -CAcreateserial -extfile conf/$domain.conf -extensions x509_extensions -out certs/$domain-cert.crt # # test certificate with SSLServer and SSLClient # # on one tty window openssl s_server -accept 1443 -www -key private/$domain.key -cert certs/$domain-cert.crt # on another tty window openssl s_client -showcerts -connect $domain:1443 -CAfile certs/ca.crt导出各种HTTP服务端所需格式
# # export for HTTP Servers # # create certificate chain (for Apache / Tomcat / Node.js) cp certs/ca.crt certs/$domain-chain.crt # create self_plus_intermediates_plus_root (for Nginx) cat certs/$domain-cert.crt <(echo) certs/$domain-chain.crt > certs/$domain.crt # create java keystore in PKCS12 (for Java 9+, Java 8) openssl pkcs12 -export -in certs/$domain-cert.crt -inkey private/$domain.key -name "$domain" -out certs/$domain-cert.pfx $JAVA_HOME/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore certs/$domain-cert.pfx -alias "$domain" -deststoretype PKCS12 -destkeystore certs/$domain-cert.p12 $JAVA_HOME/bin/keytool -importkeystore -srcstoretype PKCS12 -srckeystore certs/$domain-cert.pfx -alias "$domain" -deststoretype JKS -destkeystore certs/$domain-cert.jks导出各种HTTP客户端所需格式
# # export for HTTP Clients # # create PKCS12 truststore (for Windows) openssl pkcs12 -export -in certs/ca.crt -nokeys -name "WebDev CA" -out certs/ca.pfx # create PKCS12 truststore (for Java 9+, Java 8) $JAVA_HOME/bin/keytool -importcert -file certs/ca.crt -alias "WebDev CA" -storetype PKCS12 -keystore certs/$domain-chain.p12 -noprompt $JAVA_HOME/bin/keytool -importcert -file certs/ca.crt -alias "WebDev CA" -storetype JKS -keystore certs/$domain-chain.jts -noprompt # append this CA to ca bundle (for Postman) cat certs/ca.crt <(echo) >> certs/ca-certs.crt2. 已签发证书的用法(用于服务端)
配置Nginx,在nginx.conf中使用
ssl_certificate /etc/nginx/ssl/certs/localhost.crt; ssl_certificate_key /etc/nginx/ssl/private/localhost.key;
配置Tomcat 8.5+,在server.xml中使用
编写Node.js脚本,在server.js中使用
let server=https.createServer({
key: fs.readFileSync("/etc/nginx/ssl/private/localhost.key"),
cert: fs.readFileSync("/etc/nginx/ssl/certs/localhost-cert.crt"),
ca: fs.readFileSync("/etc/nginx/ssl/certs/localhost-chain.crt"),
});
配置webpack-dev-server,在webpack.config.js中使用
module.exports = {
devServer: {
https: {
key: '/etc/nginx/ssl/private/localhost.key',
cert: '/etc/nginx/ssl/certs/localhost-cert.crt',
ca: '/etc/nginx/ssl/certs/localhost-chain.crt',
},
},
};
3. 自签名CA证书的用法(用于客户端)
导入到Windows
双击CA证书certs/ca.pfx,安装证书(存储位置为"本地计算机",证书存储为"受信任的根证书颁发机构")。
导入后适用于 IE、Edge及其WebView、Chrome、基于Chromium的浏览器等等
注:如果已经将自签名CA证书certs/ca.pfx导入到Windows,那么可通过访问about:config设置security.enterprise_roots.enabled为true来共享Windows受信任的根证书而无需再Firefox单独导入
在Firefox Settings / Certificates / View Certificates / 导入ca.pfx文件到"Your Certificates
在Postman Settings / Certificates / CA Certificates指定合并的CA合辑文件/etc/nginx/ssl/certs/ca-bundle.crt
导入到Java HTTP客户端在VM arguments,添加-Djavax.net.ssl.trustStore=/etc/nginx/ssl/certs/localhost-chain.jts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS,对于Java9+也可换成-Djavax.net.ssl.trustStore=/etc/nginx/ssl/certs/localhost-chain.p12 -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=PKCS12
4. 附录 服务端证书配置文件conf/example.com.conf[ x509_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer basicConstraints = CA:FALSE keyUsage = digitalSignature subjectAltName = @alternate_names extendedKeyUsage = serverAuth, clientAuth [ alternate_names ] DNS.1 = example.com DNS.2 = *.example.comECC的申请和签发
# # create EC CA # # find curve with `openssl ecparam -list_curves` # generate a private key for a curve openssl ecparam -genkey -name prime256v1 -noout -out private/ca-ec.key # generate a encrypted edition of the private key openssl ec -aes256 -in private/ca-ec.key -out private/ca-ec-encrypted.key # create ca certificate openssl req -new -config conf/ca.conf -subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=WebDev ECC CA" -x509 -sha256 -days 3650 -key private/ca-ec-encrypted.key -out certs/ca-ec.crt # # create certificate aigning request # # the domain name (e.g. example.com) domain=foo.apps.example.com # generate a private key openssl ecparam -genkey -name prime256v1 -out private/$domain.key # create a certificate signing request openssl req -new -subj "/C=CN/ST=BJ/L=Beijing/O=Web Dev Org/OU=IT Dept/CN=$domain" -key private/$domain.key -out csr/$domain.csr # optionally, generate corresponding public key openssl ec -in private/$domain.key -pubout -out public/$domain.pub # # sign for certificate request # # the domain name (e.g. example.com) domain=example.com openssl x509 -req -sha256 -days 730 -in csr/$domain.csr -CA certs/ca-ec.crt -CAkey private/ca-ec-encrypted.key -CAserial certs/ca-ec.srl -CAcreateserial -extfile conf/$domain.conf -extensions x509_extensions -out certs/$domain-cert.crt # # export for HTTP Servers # # create certificate chain (for Apache, Tomcat, Node.js) cp certs/ca-ec.crt certs/$domain-chain.crt # for Nginx cat certs/$domain-cert.crt <(echo) certs/ca-ec.crt > certs/$domain.crt # # export for HTTP Clients # # create PKCS12 truststore (for Windows, Firefox) openssl pkcs12 -export -in certs/ca-ec.crt -nokeys -out certs/ca-ec.pfx # append this CA to ca bundle (for Postman) cat certs/ca-ec.crt <(echo) >> certs/ca-certs.crt
