OpenSSL certificate signing tutorial

Chumy | Jul 10, 2024

OpenSSL

Generate a private key

openssl genrsa -out <private key file> <key length in bits; 2048 is the usual choice>

# The key file is written unencrypted: restrict its permissions (chmod 600) or add -aes256 to protect it with a passphrase.

Result: the contents of the generated key

Generate a certificate request

openssl req -new -key <private key file> -out <request file> -addext 'subjectAltName=<Alternative Name>'

# -addext is optional (it needs OpenSSL 1.1.1 or later). The value takes the form DNS:<host name> or IP:<address>, with several entries separated by commas. Browsers match the server name against subjectAltName rather than the CN, so a request for a web server certificate should carry it.

Result

Self sign web certificate

Init environment

mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
> demoCA/index.txt      # empty certificate database
> demoCA/serial         # empty; the sign command below uses -rand_serial instead
echo 01 > demoCA/crlnumber
> demoCA/cacert.pem     # empty; with -selfsign the CA certificate file is not loaded
cp <private key> demoCA/private/cakey.pem

Modify /etc/ssl/openssl.cnf

Add copy_extensions = copy under [ CA_default ] in /etc/ssl/openssl.cnf so that extensions in the request (the subjectAltName from -addext) are carried into the certificate. Only extensions the extensions file does not already set are copied, so pin basicConstraints and keyUsage in the extensions file; otherwise a request can ask for CA:TRUE and get it.

vi /etc/ssl/openssl.cnf

Write extensions file

vi <extensions file>

# One X.509v3 extension per line (basicConstraints, keyUsage, extendedKeyUsage, ...). No section header is needed: without -extensions, openssl ca -extfile reads the file's default section.

Sign certificate

openssl ca -in <request file> -out <certificate> -days <Validity period (day)> -batch -rand_serial -extfile <extensions file> -selfsign

# -selfsign signs the certificate with the CA key (demoCA/private/cakey.pem), which must be the key the request was created with; requests signed with another key are ignored. -batch skips the interactive confirmation and -rand_serial generates a random serial number instead of reading demoCA/serial.
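As an added example (not code from the original post), the self-signed web certificate above done with `openssl req` plus `openssl x509 -req -signkey`, the form the Root CA section uses, instead of the demoCA/-selfsign flow, followed by the two checks worth running on the result: that the SAN made it into the certificate, and that verification succeeds only when the certificate itself is the trusted CA file and only for a name listed in the SAN. The host name www.example.test, the file names and the private req config are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a self-signed web server
# certificate with a subjectAltName via `req` + `x509 -req -signkey`, then the
# checks a client would make. Paths and the host name are assumptions.
set -e

# Minimal req config so nothing here depends on the system openssl.cnf
# (the -subj option supplies the DN; the section only has to exist).
write_req_cnf() {   # $1 = output file
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1"
}

# Key, request and self-signed certificate. With `x509 -req` the extensions
# come from the extfile (default section, no header needed), so the SAN goes
# there together with CA:FALSE and server key usage.
make_selfsigned_cert() {   # $1 = output directory, $2 = host name
    write_req_cnf "$1/req.cnf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 600 "$1/server.key"      # the key is unencrypted: keep it private
    openssl req -new -config "$1/req.cnf" -key "$1/server.key" \
        -subj "/CN=$2" -out "$1/server.csr"
    printf 'subjectAltName = DNS:%s\nbasicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\n' "$2" > "$1/server.ext"
    openssl x509 -req -days 365 -sha256 -extfile "$1/server.ext" \
        -signkey "$1/server.key" -in "$1/server.csr" -out "$1/server.pem" 2>/dev/null
}

# 0 when the certificate's SAN lists the host name (what browsers match on).
cert_has_san() {   # $1 = certificate, $2 = host name
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# 0 only when the certificate chains to a CA in $1 and matches the host name.
# For a self-signed certificate the trust anchor is the certificate itself,
# which is what "trusting the root CA" installs on a client in this case.
verify_as() {   # $1 = CA file, $2 = certificate, $3 = host name
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    OUT=$(mktemp -d)
    make_selfsigned_cert "$OUT" www.example.test
    cert_has_san "$OUT/server.pem" www.example.test && echo "SAN present"
    verify_as "$OUT/server.pem" "$OUT/server.pem" www.example.test && echo "trusted with itself as CA file"
    verify_as "$OUT/server.pem" "$OUT/server.pem" other.example.test || echo "rejected for a name not in the SAN"
    echo "files in $OUT"
fi
```

Without the `-CAfile` argument the same `openssl verify` call fails, which is the "Untrusted certificate" case shown further down: the client has to be given this certificate as a trust anchor before it accepts it.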

Sign a Root CA

openssl x509 -req -days <Validity period (day)> -sha256 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey <your private key> -in <request file> -out <certificate file>

# -signkey must be the same private key the request was created with. The stock v3_ca section of openssl.cnf sets basicConstraints = critical,CA:TRUE plus subject and authority key identifiers, which is what makes the result usable as a root CA.

Result

Sign a sub CA certificate

Init environment

mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
> demoCA/index.txt      # empty certificate database
> demoCA/serial         # empty; the sign command below uses -rand_serial instead
echo 01 > demoCA/crlnumber
cp <CA certificate> demoCA/cacert.pem           # the root CA certificate from the previous section
cp <CA private key> demoCA/private/cakey.pem    # and its private key

Write extensions file

vi <extensions file>

# A sub CA must carry basicConstraints = CA:TRUE (usually with a pathlen limit) and keyUsage = keyCertSign, cRLSign, or clients will not accept the certificates it issues. crlDistributionPoints is optional: it records the URL from which clients can fetch this CA's CRL (openssl verify itself does not download it).

Sign Sub CA certificate

openssl ca -in <request file> -out <sub CA certificate file> -days <Validity period (day)> -batch -rand_serial -extfile <extensions file>

Result

Sign a certificate

Init environment

mkdir demoCA            # use a fresh directory for each CA: index.txt tracks that CA's certificates
mkdir demoCA/newcerts
mkdir demoCA/private
> demoCA/index.txt      # empty certificate database
> demoCA/serial         # empty; the sign command below uses -rand_serial instead
echo 01 > demoCA/crlnumber
cp <CA certificate> demoCA/cacert.pem           # the sub CA certificate
cp <CA private key> demoCA/private/cakey.pem    # and its private key

Modify /etc/ssl/openssl.cnf

Add copy_extensions = copy under [ CA_default ] in /etc/ssl/openssl.cnf (if it is not there already from the self-signed section). This is what carries the request's subjectAltName into the issued certificate.

vi /etc/ssl/openssl.cnf

Write extensions file

vi <extensions file>

# For a server certificate set basicConstraints = CA:FALSE, keyUsage = digitalSignature, keyEncipherment and extendedKeyUsage = serverAuth; with copy_extensions = copy the subjectAltName then comes from the request, and the values pinned here cannot be overridden by it.

Sign certificate

openssl ca -in <request file> -out <certificate> -days <Validity period (day)> -batch -rand_serial -extfile <extensions file>

Result

Revoke certificate

openssl ca -revoke <certificate file>

# The certificate must have been issued by this CA: it is looked up in demoCA/index.txt and its entry is marked R. Revoking only updates that database; clients learn nothing until a new CRL is generated and distributed.

Result

Generate CRL

openssl ca -gencrl -out <crl file>

# Every time you revoke a certificate, regenerate the CRL and publish it at the crlDistributionPoints URL; clients that still hold the old CRL keep accepting the revoked certificate.

Result
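As an added example (not code from the original post), the whole procedure from the Root CA section to the CRL section in one script: a root CA signed with `x509 -req -signkey`, a sub CA and a server certificate issued with `openssl ca` (the server's subjectAltName arriving through copy_extensions), then revocation, CRL generation and an `openssl verify` that consults that CRL. It writes its own demoCA directories and private config files instead of editing /etc/ssl/openssl.cnf; the CA names, the host name www.example.test, the file layout and the crlDistributionPoints URL are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the original post: root CA -> sub CA -> server
# certificate with `openssl ca` and copy_extensions, then revocation, a CRL and
# verification against it. It uses private config files instead of editing
# /etc/ssl/openssl.cnf; all names, paths and the CRL URL are assumptions.
set -e

# Minimal req config: the -subj option supplies the DN, the section must exist.
write_req_cnf() {   # $1 = output file
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1"
}

# The tutorial's demoCA layout plus a private config for `openssl ca`.
# copy_extensions = copy carries the CSR's subjectAltName into the certificate;
# extensions set in the extfile win over anything the CSR asks for.
init_ca() {   # $1 = CA directory, $2 = CA certificate, $3 = CA private key
    mkdir -p "$1/newcerts" "$1/private"
    : > "$1/index.txt"          # empty certificate database
    echo 01 > "$1/serial"       # unused with -rand_serial, but must exist
    echo 01 > "$1/crlnumber"    # first CRL number
    cp "$2" "$1/cacert.pem"
    cp "$3" "$1/private/cakey.pem"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_any
copy_extensions = copy
[ policy_any ]
commonName = supplied
EOF
}

make_csr() {   # $1 = req config, $2 = output base name, $3 = CN, rest = extra req options
    cfg=$1; base=$2; cn=$3; shift 3
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$base.key" -subj "/CN=$cn" "$@" -out "$base.csr"
}

build_pki() {   # $1 = work directory; leaves root.pem, sub.pem, server.pem, sub.crl
    W=$1
    write_req_cnf "$W/req.cnf"
    # Root CA: self-signed with x509 -req -signkey, CA extensions from an extfile.
    make_csr "$W/req.cnf" "$W/root" "Demo Root CA"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$W/root.ext"
    openssl x509 -req -days 3650 -sha256 -extfile "$W/root.ext" \
        -signkey "$W/root.key" -in "$W/root.csr" -out "$W/root.pem" 2>/dev/null
    # Sub CA issued by the root CA directory; pathlen:0 limits it to end-entity
    # certificates, and the crlDistributionPoints URL is a placeholder.
    init_ca "$W/rootCA" "$W/root.pem" "$W/root.key"
    make_csr "$W/req.cnf" "$W/sub" "Demo Sub CA"
    printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\ncrlDistributionPoints = URI:http://crl.example.test/root.crl\n' > "$W/sub.ext"
    openssl ca -config "$W/rootCA/openssl.cnf" -batch -rand_serial -days 1825 \
        -extfile "$W/sub.ext" -in "$W/sub.csr" -out "$W/sub.pem"
    # Server certificate issued by the sub CA directory: the SAN comes from the
    # CSR through copy_extensions, CA:FALSE and key usage from the extfile.
    init_ca "$W/subCA" "$W/sub.pem" "$W/sub.key"
    make_csr "$W/req.cnf" "$W/server" www.example.test -addext subjectAltName=DNS:www.example.test
    printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n' > "$W/server.ext"
    openssl ca -config "$W/subCA/openssl.cnf" -batch -rand_serial -days 365 \
        -extfile "$W/server.ext" -in "$W/server.csr" -out "$W/server.pem"
    openssl ca -config "$W/subCA/openssl.cnf" -gencrl -out "$W/sub.crl"   # empty CRL
}

# -revoke only marks the entry in index.txt; clients see nothing until the CRL is regenerated.
revoke_server() {   # $1 = work directory
    openssl ca -config "$1/subCA/openssl.cnf" -revoke "$1/server.pem"
    openssl ca -config "$1/subCA/openssl.cnf" -gencrl -out "$1/sub.crl"
}

# 0 when server.pem chains to root.pem through sub.pem, matches the host name
# and is absent from the sub CA's CRL; non-zero otherwise.
verify_server() {   # $1 = work directory
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" -CRLfile "$1/sub.crl" \
        -crl_check -verify_hostname www.example.test "$1/server.pem" >/dev/null 2>&1
}

server_has_san() {   # $1 = work directory; 0 when the SAN from the CSR was copied
    openssl x509 -in "$1/server.pem" -noout -ext subjectAltName | grep -q 'DNS:www.example.test'
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    build_pki "$WORK"
    server_has_san "$WORK" && verify_server "$WORK" && echo "before revocation: OK"
    revoke_server "$WORK"
    verify_server "$WORK" || echo "after revocation: rejected, files in $WORK"
fi
```

The verify step uses `-crl_check` (leaf only) rather than `-crl_check_all`, which would also demand a CRL from the root CA for the sub CA certificate; either way the CRL has to be handed to the client, since openssl does not fetch it from the crlDistributionPoints URL.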

Certificate trust

Untrusted certificate (root CA not trusted)

Trusted certificate (root CA trusted)

How to trust a Root CA on Windows

  1. Open the Root CA certificate file, choose Install Certificate, and place it in the Trusted Root Certification Authorities store.

How to trust a Root CA on Linux

For OpenSSL and other programs that use the system trust store

Copy the CA certificate to /usr/local/share/ca-certificates/ (the file name must end in .crt, or update-ca-certificates ignores it) and run update-ca-certificates. This is the Debian/Ubuntu layout; RHEL-family systems use /etc/pki/ca-trust/source/anchors/ and update-ca-trust instead.

cp <Root CA certificate> /usr/local/share/ca-certificates/<name>.crt
update-ca-certificates

# to rebuild the bundle from scratch (for example after removing a CA): update-ca-certificates -f

For a browser on Linux

Firefox keeps its own trust store rather than using the system one, so the root CA has to be imported in the browser settings (Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import).

Nginx ssl setting

Point ssl_certificate at a file containing the server certificate followed by the sub CA certificate (clients need the intermediate to build the chain up to the trusted root) and ssl_certificate_key at the server's private key.