Создание самозаверяющего SSL с полной цепочкой | Корневой и промежуточный Центр Сертификации
Следуя этому руководству, вы станете локальным центром сертификации, который подписывает сертификаты для веб-приложений.
Для этого необходимо выполнить следующие действия:
- Создать ключ rootCA и crt.
- Создать ключ и crt промежуточного CA (subCA), подписанные rootCA.
- Создать ключ приложения и crt, подписанные subCA.
В конце концов, у вас будут сертификаты root, sub и app (fullchain) и ключ, которые можно использовать в nginx или других программах.
Начало работы
Создайте папку в каталоге /etc/ssl
# All CA material (keys, certificates, the CA database) lives under
# /etc/ssl/localCA; sudo is required because /etc/ssl is owned by root.
sudo mkdir -p /etc/ssl/localCA
cd /etc/ssl/localCA
Чтобы дальнейшие команды можно было выполнять без sudo, передайте каталог своему пользователю с помощью chown. Учтите: в этом каталоге будут храниться закрытые ключи корневого и промежуточного ЦС, поэтому доступ к нему должен быть только у этого пользователя.
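# Hand the tree to the current user so the remaining steps run without sudo.
# It will hold the CA private keys and the CA database, so close it to every
# other local account (nginx should later get copies of the leaf cert and key,
# not a path into this tree).
sudo chown -R $USER:$USER /etc/ssl/localCA
chmod 700 /etc/ssl/localCA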
Создание Root CA
Создайте внутри /etc/ssl/localCA
папку с именем rootCA
# Working directory of the root CA; rootCA.cnf's `dir` setting must point here.
mkdir -p /etc/ssl/localCA/rootCA
cd /etc/ssl/localCA/rootCA
Создайте файл rootCA.key
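# 4096-bit RSA root key, encrypted with AES-256 under a passphrase that will be
# requested on every signing operation. Anyone who obtains this key can issue
# certificates trusted by every client that installs rootCA.crt, so make the
# file readable by its owner only.
openssl genrsa -aes256 -out rootCA.key 4096
chmod 400 rootCA.key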
Создайте файл конфигурации OpenSSL с именем rootCA.cnf:
# rootCA.cnf - OpenSSL configuration for the local ROOT CA.
# Read by `openssl req -config rootCA.cnf -x509 -extensions v3_ca` to
# self-sign the root, and by `openssl ca -config rootCA.cnf -extensions
# v3_intermediate_ca` to sign the intermediate CA. The [ usr_cert ],
# [ server_cert ] and [ ocsp ] sections are not used by any step of this
# guide; normally the intermediate, not the root, issues such certificates.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
# `openssl ca` refuses to run unless new_certs_dir, database and serial
# already exist; certs/, crl/ and private/ are only needed for CRL output
# and RANDFILE.
dir = /etc/ssl/localCA/rootCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
# Obsolete: modern OpenSSL (1.1.1 and later) ignores RANDFILE; older releases
# only warn when the file cannot be written.
RANDFILE = $dir/private/.rand
# The root key and root certificate.
# Whoever can read rootCA.key can mint certificates that every client trusting
# rootCA.crt accepts; keep it owner-only and ideally offline between signings.
private_key = $dir/rootCA.key
certificate = $dir/rootCA.crt
# For certificate revocation lists.
# crlnumber must exist (e.g. `echo 1000 > crlnumber`) before `openssl ca -gencrl`.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# How the subject and certificate are displayed before the sign confirmation.
name_opt = ca_default
cert_opt = ca_default
# Validity used when `openssl ca` is run without -days (this guide passes
# -days 3650 explicitly when signing the intermediate).
default_days = 3650
# Do not keep the CSR's DN attribute order; the DN is rebuilt per the policy.
preserve = no
# copy_extensions is deliberately NOT set: extensions come only from the
# section named with -extensions, never from the CSR, so a requester cannot
# smuggle CA:TRUE or extra names into a certificate signed by this CA.
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# C, ST and O in the CSR must equal the root's own subject; CN must be present.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# Not referenced by this file's CA_default; kept for use in the intermediate's config.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
# Only consulted when `req` has to generate a key itself; the guide passes
# -key rootCA.key (4096-bit), so this value has no effect here.
default_bits = 2048
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
# (The guide also passes -extensions v3_ca explicitly.)
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
# Left column: prompt text shown by `openssl req`; the *_default values below
# are accepted by pressing Enter.
countryName = Country Name 2 Letter
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
# These become the root certificate's subject; C, ST and O must later be
# reused verbatim by the intermediate because of policy_strict.
countryName_default = TR
stateOrProvinceName_default = Istanbul
localityName_default = Istanbul
0.organizationName_default = Berk
organizationalUnitName_default = Berk ROOT CA
commonName_default = Berk ROOT CA
emailAddress_default = burakberkkeskin@gmail.com
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
# NOTE(review): keep subjectKeyIdentifier listed before authorityKeyIdentifier;
# with keyid:always on a self-signed certificate the AKID is derived from the
# SKID that has already been computed.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# No pathlen: the root may sign further CAs. The intermediate below is
# limited with pathlen:0.
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# Applied by `openssl ca -extensions v3_intermediate_ca` when the root signs
# the intermediate CSR.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - the intermediate may sign end-entity certificates only,
# never another CA.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
# Not used by this guide. nsCertType/nsComment are legacy Netscape extensions
# that modern clients ignore.
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
# Not used by this guide (the leaf is signed with `openssl x509 -req` and
# exampleApp.cnf); this is the section to pass to `openssl ca -extensions`.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
# Restricts the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
# Referenced by crl_extensions above; used by `openssl ca -gencrl`.
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
# Not used by this guide.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
Внимание! ⚠️ Измените значения по умолчанию в приведённом выше файле rootCA.cnf (они попадут в субъект корневого сертификата): 1. countryName_default
2.stateOrProvinceName_default
3.localityName_default
4.0.organizationName_default
5.organizationalUnitName_default
6.commonName_default
7.emailAddress_default
Создайте файл rootCA.crt
# Self-sign the root certificate with the key created above.
# -x509: emit a certificate instead of a CSR; -days 7305 (~20 years) is usual
# for a root; -extensions v3_ca gives it CA:TRUE and keyCertSign.
# You will be prompted for the rootCA.key passphrase and for the subject
# fields (defaults come from rootCA.cnf).
openssl req -config rootCA.cnf \
-key rootCA.key \
-new -x509 -days 7305 -sha256 -extensions v3_ca \
-out rootCA.crt
Создайте каталог newcerts (в него openssl ca записывает копию каждого выданного сертификата)
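# Directories referenced by rootCA.cnf: `openssl ca` writes every issued
# certificate into newcerts/ (and refuses to run without it); crl/ receives
# generated CRLs; private/ is the RANDFILE location.
mkdir -p /etc/ssl/localCA/rootCA/newcerts \
        /etc/ssl/localCA/rootCA/certs \
        /etc/ssl/localCA/rootCA/crl \
        /etc/ssl/localCA/rootCA/private
chmod 700 /etc/ssl/localCA/rootCA/private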
Создайте файл index.txt
# The CA database: one line per issued certificate (status, expiry, serial,
# subject). `openssl ca` refuses to run without it; it must start empty.
touch /etc/ssl/localCA/rootCA/index.txt
chmod 600 /etc/ssl/localCA/rootCA/index.txt
Создайте файл serial
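# Starting serial number for certificates issued by the root; `openssl ca`
# increments it after each signing. Sequential serials are acceptable for a
# private CA (public CAs must use random ones). crlnumber is the counterpart
# for CRLs and is required by `openssl ca -gencrl`, which rootCA.cnf
# references as $dir/crlnumber.
echo "1000" > /etc/ssl/localCA/rootCA/serial
echo "1000" > /etc/ssl/localCA/rootCA/crlnumber
chmod 600 /etc/ssl/localCA/rootCA/serial /etc/ssl/localCA/rootCA/crlnumber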
Создание Intermediate CA
Создайте папку intermediateCA
# Working directory of the intermediate CA; intermediateCA.cnf's `dir`
# setting should point here.
mkdir -p /etc/ssl/localCA/intermediateCA
cd /etc/ssl/localCA/intermediateCA
Создайте файл intermediateCA.key
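# 4096-bit RSA key for the intermediate, AES-256 encrypted under a passphrase
# that is needed every time a leaf certificate is signed. This is the key that
# signs every application certificate, so restrict it to its owner.
openssl genrsa -aes256 -out intermediateCA.key 4096
chmod 400 intermediateCA.key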
Создайте файл intermediateCA.cnf
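# intermediateCA.cnf - OpenSSL configuration for the local INTERMEDIATE CA.
# [ req ], [ req_distinguished_name ] and [ v3_intermediate_ca ] are read by
# `openssl req -config intermediateCA.cnf` when creating the CSR.
# [ ca ] / [ CA_default ] are read by `openssl ca -config intermediateCA.cnf`
# if leaf certificates are later issued with `ca` instead of `x509 -req`;
# that requires newcerts/, index.txt and serial under $dir, created exactly
# as for the root CA.
[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations - the directory this guide creates for the
# intermediate, not a home directory.
dir = /etc/ssl/localCA/intermediateCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
# Obsolete; ignored by modern OpenSSL.
RANDFILE = $dir/private/.rand

# The intermediate's OWN key and certificate. `openssl ca` signs with these;
# pointing them at the root key would issue leaves directly from the root and
# defeat the purpose of having an intermediate.
private_key = $dir/intermediateCA.key
certificate = $dir/intermediateCA.crt

# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# End-entity certificates: one year unless -days overrides it (this guide
# signs the example application for 365 days).
default_days = 365
preserve = no
# copy_extensions is intentionally unset: extensions come only from the
# section named with -extensions, never from the CSR.
policy = policy_loose

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# Only used if `req` has to generate a key itself; matches the 4096-bit key
# this guide creates with genrsa so an accidental regeneration is not weaker.
default_bits = 4096
distinguished_name = req_distinguished_name
# Encode DN strings as UTF8String only.
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_intermediate_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name 2 Letter
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
# C, ST and O must be identical to the root's: rootCA.cnf signs the
# intermediate under policy_strict and rejects a CSR where they differ.
countryName_default = TR
stateOrProvinceName_default = Istanbul
localityName_default = Istanbul
0.organizationName_default = Berk
organizationalUnitName_default = Berk Intermediate CA
commonName_default = Berk Intermediate CA
emailAddress_default = burakberkkeskin@gmail.com

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 - this CA may sign end-entity certificates only, never another CA.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
# Extensions for TLS server certificates issued by this CA
# (`openssl ca -config intermediateCA.cnf -extensions server_cert`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Referenced by crl_extensions above; required by `openssl ca -gencrl`.
authorityKeyIdentifier = keyid:always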
Внимание! ⚠️ Измените значения по умолчанию в приведённом выше файле intermediateCA.cnf. Учтите, что rootCA.cnf использует policy_strict: countryName, stateOrProvinceName и organizationName промежуточного ЦС должны в точности совпадать с корневым, иначе openssl ca откажется подписать CSR:
1.countryName_default
2.stateOrProvinceName_default
3.localityName_default
4.0.organizationName_default
5.organizationalUnitName_default
6.commonName_default
7.emailAddress_default
Создайте файл intermediateCA.csr
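# Create the intermediate CSR from the 4096-bit key generated above.
# Use -key, not -keyout: with -keyout and no -key, `req -new` generates a
# fresh key of [ req ] default_bits (2048) and silently overwrites
# intermediateCA.key, discarding the key you just created.
openssl req -config intermediateCA.cnf \
  -new -sha256 -key intermediateCA.key \
  -out intermediateCA.csr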
Подпишите intermediateCA.csr ключом rootCA.key. Команда запросит пароль от rootCA.key и подтверждение выпуска; запись о сертификате попадёт в index.txt корневого ЦС.
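# Sign the intermediate CSR with the ROOT key. The root's policy_strict
# requires C/ST/O in the CSR to match rootCA.crt; the extensions come from
# rootCA.cnf's [ v3_intermediate_ca ], not from the CSR.
openssl ca -config ../rootCA/rootCA.cnf \
  -extensions v3_intermediate_ca \
  -days 3650 -notext -md sha256 \
  -in intermediateCA.csr \
  -out intermediateCA.crt
# Check the result before using it to sign anything: it must chain to the
# root and carry CA:TRUE, pathlen:0.
openssl verify -CAfile ../rootCA/rootCA.crt intermediateCA.crt
openssl x509 -noout -text -in intermediateCA.crt | grep -A1 'Basic Constraints'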
Создание SSL-сертификата для веб-приложения с доменом
Создайте каталог с именем вашего приложения
# One directory per application; it will hold the app's key, CSR, config
# and signed certificate.
mkdir -p /etc/ssl/localCA/exampleApp
cd /etc/ssl/localCA/exampleApp
Создайте файл exampleApp.key
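# Server key. Pin the size explicitly: the default of `genpkey -algorithm RSA`
# depends on the OpenSSL release. The key is written unencrypted so the web
# server can start without a passphrase, so keep it owner-only.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out exampleApp.key
chmod 600 exampleApp.key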
Создайте файл exampleApp.cnf
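# exampleApp.cnf - CSR subject and leaf-certificate extensions for one web app.
# [ req ] / [ dn ] are read by `openssl req -new -config exampleApp.cnf`;
# [ v3_ext ] / [ alt_names ] are applied at signing time via
# `openssl x509 -req -extensions v3_ext -extfile exampleApp.cnf`.
[ req ]
default_bits = 2048
# Non-interactive: the subject is taken from [ dn ] instead of prompting.
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
countryName = TR
stateOrProvinceName = Istanbul
localityName = Istanbul
organizationName = Safderun
organizationalUnitName = Safderun Webapp
commonName = example.com
emailAddress = burakberkkeskin@gmail.com

[ v3_ext ]
# A leaf must never be usable as a CA.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature, keyEncipherment
# Restrict the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
# Browsers ignore commonName and match hostnames against the SAN only, so the
# CN itself must be listed here together with every other hostname served.
DNS.1 = example.com
DNS.2 = api.example.com
DNS.3 = app.example.com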
Внимание! ⚠️ Измените значения в приведённом выше файле exampleApp.cnf (здесь prompt = no, поэтому ключи указаны без суффикса _default):
1. countryName
2. stateOrProvinceName
3. localityName
4. organizationName
5. organizationalUnitName
6. commonName
7. emailAddress
8. DNS.1, DNS.2 — все имена хостов, по которым будет доступен сервис (включая само имя из commonName: браузеры проверяют только subjectAltName)
Создайте файл exampleApp.csr
# Create the CSR for the web app. prompt = no in exampleApp.cnf takes the
# subject from [ dn ]. exampleApp.cnf defines no req_extensions, so the SAN
# entries are not carried in the CSR; they are applied at signing time via
# -extfile.
openssl req -new -key exampleApp.key \
-out exampleApp.csr \
-config exampleApp.cnf
Подпишите exampleApp.csr ключом intermediateCA.key (корневой ключ на этом шаге не используется):
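# Sign the leaf with the INTERMEDIATE key; the root key stays untouched.
# -sha256 pins the signature digest (older OpenSSL releases default
# `x509 -req` to SHA-1, which clients reject). -CAcreateserial writes
# intermediateCA.srl next to the CA certificate on first use.
openssl x509 -req -in exampleApp.csr \
  -CA ../intermediateCA/intermediateCA.crt \
  -CAkey ../intermediateCA/intermediateCA.key \
  -CAcreateserial -out exampleApp.crt \
  -days 365 -sha256 -extensions v3_ext \
  -extfile exampleApp.cnf
# Build the chain the web server must present: leaf first, then the
# intermediate. The root is NOT included - it lives in the clients' trust
# stores.
cat exampleApp.crt ../intermediateCA/intermediateCA.crt > fullchain.crt
# Verify the chain exactly as a client holding only rootCA.crt would.
openssl verify -CAfile ../rootCA/rootCA.crt \
  -untrusted ../intermediateCA/intermediateCA.crt exampleApp.crt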
Финал
У вас есть 3 папки. Корневой ЦС, промежуточный ЦС и каталог приложений. В каталоге приложений имеется 4 файла.
- exampleApp.cnf: cert conf file
- exampleApp.crt: public cert file
- exampleApp.csr: cert signing request file
- exampleApp.key: private key
Для nginx в директиве ssl_certificate укажите не один exampleApp.crt, а цепочку: файл, в котором за exampleApp.crt следует intermediateCA.crt (например, `cat exampleApp.crt ../intermediateCA/intermediateCA.crt > fullchain.crt`), иначе клиенты, доверяющие только rootCA.crt, не смогут построить цепочку. Закрытый ключ exampleApp.key передаётся в ssl_certificate_key. На клиентах в хранилище доверенных сертификатов добавляется только rootCA.crt; ключи rootCA.key и intermediateCA.key никогда не должны покидать машину ЦС.
Вы можете продолжать создавать новые сертификаты для новых веб-приложений.