Signing an OpenSSL-generated https client certificate with a CA

15

I need to:

  • create a CA certificate
  • create an https client certificate
  • sign the https client certificate with the CA

from the command line on Linux (openSUSE). First I created the CA certificate:

 # openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
 # openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
 #

That worked. Then I created the https client certificate:

 # openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
 #
 # openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
 #

That worked too. Now, when I try to sign the https client certificate with the CA, I get these errors:

 # openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
 #

I have already tried:

but that did not work for me. I read somewhere that the attributes entered for the specific input need to be the same as the ones entered when the CA was created, but that is not the case, at least when creating certificates with the XCA tool on Windows. There I can use completely different values as long as I sign with the CA. Can anyone help me?

Update: I am only using .key and .pem because that works for me with the XCA tool on Windows... I am reading the OpenSSL Cookbook (https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html) to see whether I have made any particular mistake. The first thing that comes to mind: do I have to use a .csr to sign the certificate, or can this be done with any other format?

1 answer

29
You are using the "openssl ca" tool, which by default uses the following configuration file: /etc/ssl/openssl.cnf. In other words, you are not signing with your CA certificate at all, but with the defaults from that configuration file. You also passed the "-x509" argument to the client certificate signing request, which results in an invalid csr.
See the working generation and signing commands below.
Generate the CA key and certificate:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'

Generate the client key and certificate signing request:

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr \
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'

Generate the client certificate signed by the CA certificate:

openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem

Of course, you can set up the configuration file to use the correct CA files and use the "openssl ca" tool after that.

You can verify your certificate like this:

openssl verify -verbose -CAfile rootCA.pem client1.pem

Thanks for your reply so far, I had a meeting and could not work on this for the past few hours... I will definitely look at it tomorrow. Thank you very much for your help so far. - Yaerox
Thank you very much, sir. That worked for me... I converted it to .p12 format with openssl pkcs12 -export -out client1.p12 -inkey client1.key -in client1.pem -certfile rootCA.pem... Now I am going to implement it. I think I need to set/change some options for security reasons. - Yaerox
Could you help me once more? I would like my self-created root certificate to be trusted. Do you know how to do that? @talamaki - Yaerox
To make your self-generated CA certificate trusted, you need to provide it to the application that will validate certificates signed with it. Since you generated a client certificate, your goal is probably to have some server authenticate your client. You need to somehow import your CA certificate into the server's certificate store. For openSUSE see e.g. https://forums.opensuse.org/showthread.php/445106-How-to-import-root-CA-into-system-wide-trusted-store - talamaki
If you plan to distribute your CA certificate widely, you need to take greater care of your CA private key. You can easily find links describing how to act as your own certificate authority, e.g. http://www.area536.com/projects/be-your-own-certificate-authority-with-openssl/ and http://www.davidpashley.com/articles/becoming-a-x-509-certificate-authority. - talamaki
It helped me. Thanks :) - Naveen Kumar V
