I want to set up my own OCSP responder for testing purposes, which requires me to have a root certificate and some certificates generated from it.
I have successfully created a self-signed certificate using openssl and want to use it as the root certificate. The next step is to create derived certificates, but I can't seem to find any documentation on how to do this. Does anyone know where I can find this information?
Edit:
In retrospect my question has not been fully answered. To clarify, I will represent my certificate chain like this: Root > A > B > C > ...
I am currently able to create the root certificate and certificate A with the following steps, but I have not found out how to make a longer chain:
# Root certificate is created like this:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
# Certificate A is created like this:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
This command implicitly relies on the root certificate, finding the information it needs in the OpenSSL configuration file. Certificate B, however, must rely only on A, which is not registered in the configuration file, so the previous command does not work here.
What commands should I use to create certificate B and beyond?
Edit:
I found the answer in this article: certificate B (chain A -> B) can be created with these two commands, and this approach seems to work well:
# Create a certificate request
openssl req -new -keyout B.key -out B.request -days 365
# Create and sign the certificate
openssl ca -policy policy_anything -keyfile A.key -cert A.pem -out B.pem -infiles B.request
I also modified the openssl.cnf file:
[ usr_cert ]
basicConstraints=CA:TRUE # prev value was FALSE
Answer 1
You can use OpenSSL directly.
Create a certificate authority private key (this is your most important key):
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Create your CA self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
Issue a client certificate by first generating a key, then a request (or use a key provided by an external system), and then signing the certificate with the CA's private key:
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.cer
(You may need to add some options, as I use these commands together with my openssl.conf file. You may need to set up your own .conf file first.)
Answer 2
Once you have created the CA, you can use it to sign certificates:
- Create the key:
openssl genrsa -out key_A.key 1024
- Create the CSR:
openssl req -new -key key_A.key -out csr_A.csr
# You are about to be asked to enter information etc....
- Sign it:
openssl x509 -req -days 365 -in csr_A.csr -CA CA_certificate_you_created.crt \
    -CAkey CA_key_you_created.key -set_serial 01 -out crt_A.crt
And so on, replacing A with B, CA_certificate_you_created.crt with crt_A.crt, and CA_key_you_created.key with key_A.key.
Changing the following means that the certificates you issue can be used to sign other certificates:
basicConstraints=CA:TRUE # prev value was FALSE
Answer 3
Summary
A summary of the commands used to create a root CA, an intermediate CA and a leaf certificate:
openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config root_req.config
openssl ca -in root.csr -out root.pem -config root.config -selfsign -extfile ca.ext -days 1095
openssl genrsa -out intermediate.key 2048
openssl req -new -key intermediate.key -out intermediate.csr -config intermediate_req.config
openssl ca -in intermediate.csr -out intermediate.pem -config root.config -extfile ca.ext -days 730
openssl genrsa -out leaf.key 2048
openssl req -new -key leaf.key -out leaf.csr -config leaf_req.config
openssl ca -in leaf.csr -out leaf.pem -config intermediate.config -days 365
openssl verify -x509_strict -CAfile root.pem -untrusted intermediate.pem leaf.pem
These commands rely on some setup that I describe below. If you only want a few certificates in the chain, these commands are overkill and the x509 command alone will do. These commands also track your certificates in a text database and automatically increment the serial number. I recommend reading the Warnings and Bugs sections of the openssl ca man page before or after reading this answer.
Directory structure
Before starting we need the following directory structure.
ca.ext                    # the extensions required for a CA certificate for signing certs
intermediate.config       # configuration for the intermediate CA
root.config               # configuration for the root CA
leaf_req.config           # configuration for the leaf cert's csr
intermediate_req.config   # configuration for the intermediate CA's csr
root_req.config           # configuration for the root CA's csr
intermediate_ca/          # state files specific to the intermediate CA
    index                 # a text database of issued certificates
    serial                # an auto-incrementing serial number for issued certificates
root_ca/                  # state files specific to the root CA
    index                 # a text database of issued certificates
    serial                # an auto-incrementing serial number for issued certificates
If this were a more permanent CA, the following changes would be a good idea:
- Move each CA's config file, private key (generated later) and certificate file (generated later) into the CA's directory. This would require changes to the config files.
- Create a subdirectory in each CA's directory for issued certificates. This would require changes to the config files.
- Encrypt the private keys.
- Set a default number of days for issued certificates in the CA config files.
Starting directory structure file contents
The contents of the files in the directory structure are as follows:
ca.ext
[ default ]
basicConstraints = critical,CA:true # recommended to be marked critical. required for a ca
keyUsage = critical,keyCertSign # required to be marked critical. required for signing certs
intermediate.config
[ ca ]
default_ca = CA_default
[ CA_default]
dir = ./intermediate_ca # helper variable pointing to ca specific files
database = $dir/index # database of certs generated by the ca
new_certs_dir = ./ # one dir up to make the demo easier
certificate = ./intermediate.pem # one dir up to make the demo easier
serial = $dir/serial # file with incrementing hex serial number for certs
private_key = ./intermediate.key
policy = policy_any
email_in_dn = no # recommended
unique_subject = no # recommended for easier certificate rollover
copy_extensions = none # don't honor the extensions in the csr
default_md = sha256
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
root.config
[ ca ]
default_ca = CA_default
[ CA_default]
dir = ./root_ca # helper variable pointing to ca specific files
database = $dir/index # database of certs generated by the ca
new_certs_dir = ./ # one dir up to make the demo easier
certificate = ./root.pem # one dir up to make the demo easier
serial = $dir/serial # file with incrementing hex serial number for certs
private_key = ./root.key
policy = policy_any
email_in_dn = no # recommended
unique_subject = no # recommended for easier certificate rollover
copy_extensions = none # don't honor the extensions in the csr
default_md = sha256
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
leaf_req.config
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = US
commonName = Test Leaf
intermediate_req.config
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = US
commonName = Test Intermediate CA
root_req.config
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = US
commonName = Test Root CA
intermediate_ca/index (empty file). Database of issued certificates. Updated automatically.
[empty]
intermediate_ca/serial (a single 0 does not work). This file is incremented automatically.
00
root_ca/index (empty file). Database of issued certificates. Updated automatically.
[empty]
root_ca/serial (a single 0 does not work). This file is incremented automatically.
00
Detailed commands
Now we can run the commands from the start of this answer:
# create the private key for the root CA
openssl genrsa
-out root.key # output file
2048 # bitcount
# create the csr for the root CA
openssl req
-new
-key root.key # private key associated with the csr
-out root.csr # output file
-config root_req.config # contains config for generating the csr such as the distinguished name
# create the root CA cert
openssl ca
-in root.csr # csr file
-out root.pem # output certificate file
-config root.config # CA configuration file
-selfsign # create a self-signed certificate
-extfile ca.ext # extensions that must be present for CAs that sign certificates
-days 1095 # 3 years
# create the private key for the intermediate CA
openssl genrsa
-out intermediate.key # output file
2048 # bitcount
# create the csr for the intermediate CA
openssl req
-new
-key intermediate.key # private key associated with the csr
-out intermediate.csr # output file
-config intermediate_req.config # contains config for generating the csr such as the distinguished name
# create the intermediate CA cert
openssl ca
-in intermediate.csr # csr file
-out intermediate.pem # output certificate file
-config root.config # CA configuration file (note: root is still issuing)
-extfile ca.ext # extensions that must be present for CAs that sign certificates
-days 730 # 2 years
# create the private key for the leaf certificate
openssl genrsa
-out leaf.key # output file
2048 # bitcount
# create the csr for the leaf certificate
openssl req
-new
-key leaf.key # private key associated with the csr
-out leaf.csr # output file
-config leaf_req.config # contains config for generating the csr such as the distinguished name
# create the leaf certificate (note: no ca.ext. this certificate is not a CA)
openssl ca
-in leaf.csr # csr file
-out leaf.pem # output certificate file
-config intermediate.config # CA configuration file (note: intermediate is issuing)
-days 365 # 1 year
# verify the certificate chain
openssl verify
-x509_strict # strict adherence to rules
-CAfile root.pem # root certificate
-untrusted intermediate.pem # file with all intermediates
leaf.pem # leaf certificate to verify
Final thoughts
If you want to use the CA in production, read the Warnings and Bugs sections of the openssl ca man page (or the whole man page).
Answer 4
Based on the various answers to this question (and to related questions and articles), I found a set of commands that let me create a root CA, an intermediate CA and a test certificate for testing purposes using the default openssl configuration. So I want to post it for myself and for anyone else interested in a quick solution suitable for testing:
Prerequisite: OpenSSL 1.1.1
- Generate the CA
openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key -extensions v3_ca
openssl x509 -signkey ca.key -days 365 -req -in ca.csr -set_serial 01 -out ca.crt
- Generate the intermediate CA
openssl req -new -newkey rsa:2048 -nodes -out inter.csr -keyout inter.key -addext basicConstraints=CA:TRUE
openssl x509 -CA ca.crt -CAkey ca.key -days 365 -req -in inter.csr -set_serial 02 -out inter.crt
- Generate the target certificate request
openssl req -new -newkey rsa:2048 -nodes -out test.csr -keyout test.key
- Sign the target certificate request with the intermediate CA
openssl x509 -CA inter.crt -CAkey inter.key -days 365 -req -in test.csr -set_serial 03 -out test.crt
- Export the test certificate with its private key and the chain certificates to a PFX
openssl pkcs12 -export -out test.pfx -inkey test.key -in test.crt -certfile inter.crt -certfile ca.crt
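As an added example (not the code of any answer on this page), the following script builds a Root > intermediate > leaf chain with the x509 approach of answers 2 and 4 and checks it with answer 3's openssl verify -x509_strict; issuing the intermediate with end-entity extensions (the effect of leaving usr_cert at CA:FALSE) makes verification fail, which is the trap the question ran into. It assumes an openssl binary (1.1.1 or 3.x) on PATH; all file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from any answer above. Builds root > intermediate > leaf
# with "openssl x509 -req" (answers 2 and 4), then checks the chain with answer 3's
# "openssl verify -x509_strict". The intermediate is issued either with the CA
# extensions of answer 3's ca.ext or with end-entity extensions, which is what a
# usr_cert section left at CA:FALSE produces. File names are constructed for the demo.
set -e

# Sign a CSR with a CA key/cert. Note that x509 -req takes extensions only from
# -extfile; anything in the CSR itself (e.g. req -addext) is ignored.
issue() {   # $1 csr  $2 CA cert  $3 CA key  $4 serial  $5 extfile  $6 output
    openssl x509 -req -days 365 -in "$1" -CA "$2" -CAkey "$3" \
        -set_serial "$4" -extfile "$5" -out "$6" >/dev/null 2>&1
}

# Build the chain in a scratch directory; $1 = "ca" gives the intermediate
# CA:TRUE + keyCertSign, anything else gives it leaf extensions. Prints ok/fail.
build_chain() (
    dir=$(mktemp -d); cd "$dir"
    # answer 3's ca.ext plus the key identifiers that -x509_strict wants on v3 certs
    cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    for n in root inter leaf; do   # one key and CSR per level of the chain
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $n" \
            -keyout "$n.key" -out "$n.csr" >/dev/null 2>&1
    done
    openssl x509 -req -days 365 -in root.csr -signkey root.key -set_serial 01 \
        -extfile ca.ext -out root.pem >/dev/null 2>&1
    if [ "$1" = ca ]; then ext=ca.ext; else ext=leaf.ext; fi
    issue inter.csr root.pem root.key 02 "$ext" inter.pem
    issue leaf.csr inter.pem inter.key 03 leaf.ext leaf.pem
    if openssl verify -x509_strict -CAfile root.pem -untrusted inter.pem leaf.pem \
        >/dev/null 2>&1; then echo ok; else echo fail; fi
    cd / && rm -rf "$dir"
)

build_chain ca      # prints ok
build_chain nonca   # prints fail: the intermediate is not a valid CA
```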