admin';?>

首页 / 个人作品

使用配置文件及shell脚本,自动化生成CA证书, 服务器证书和客户端证书

By admin  •  2021-12-17 03:13:31  •  95次点击
永久外链: https://i.otherhill.com/static/41ced6f95ea411ecb666809b202ce664.html
openssl 指令密密麻麻, 见之让人望而生畏.具体我们之前有所记录, see more:  https://i.otherhill.com/index.php/topic/show/515
为了避免频繁输入各种无关的配置,生成我们所需的各种证书,我们可使用脚本 + 配置文件的方式来自动化处理.

/run/media/lixing/6T_20181101_1/proj/shell/create_selfsigned_cert/TLSv1.3/gencert.sh
#!/bin/sh

umask 077

export PATH=/home/lixing/unstable_libs/ssl-1.1.1k/bin:$PATH
export LD_LIBRARY_PATH=/home/lixing/unstable_libs/ssl-1.1.1k/lib:$YLX_LIBPATH

#openssl dhparam -out /opt/chroot_jail/opt/ssl/dhparam.pem 4096
#/run/media/lixing/6T_20181101_1/src/net/email/dovecot-2.3.17/doc/mkcert.sh  
#https://www.phildev.net/ssl/creating_ca.html
#https://gist.github.com/jhseodev/d17c371c95c7ab4a65c58edc0c31cbf6
#http://www.dayanmei.com/nginx-selfssl/

OPENSSL=/home/lixing/unstable_libs/ssl-1.1.1k/bin/openssl
OPENSSLCONFIG=./openssl.cnf

CERTFILE=./selfcert_tlsv1.3.crt
KEYFILE=./selfcert_tlsv1.3.key
CAFILE=./selfcert_tlsv1.3.pem

CADIR=./ca
PRIVATEDIR=./private
SERVERDIR=./server
CLIENTDIR=./client
NEWCERTSDIR=./newcerts

dirs_group=(  $CADIR $PRIVATEDIR $SERVERDIR $CLIENTDIR $NEWCERTSDIR 'demoCA/newcerts' )
for i in "${dirs_group[@]}"
do 
  	dir_item=$i
  
	if [ ! -d $dir_item ]; then
	  echo 'create path:' $dir_item
	  mkdir -p $dir_item
	fi
done
 

echo 01 > ./demoCA/serial
echo 01 > ./demoCA/crlnumber
touch ./demoCA/index.txt

EXTATTRI='/C=US/ST=Guangdong/L=Shenzhen/O=tashan/OU=tashan LTD/CN=*.otherhill.com'

#1. 创建CA根级证书
#1.1 生成CA私钥
$OPENSSL genrsa -out $CADIR/CA.key 2048  || exit 2

#1.2 生成CA证书 
$OPENSSL req -x509 -sha256 -new -nodes -key $CADIR/CA.key -days 36500 -out $CADIR/CA.cert -subj "$EXTATTRI"  -config $OPENSSLCONFIG || exit 2

#view cert: openssl x509 -in $CADIR/CA.cert -text 

#1.3 生成 csr
#$OPENSSL req -new  -key $CADIR/CA.key -out $CADIR/ca.csr -subj "$EXTATTRI"  -config $OPENSSLCONFIG || exit 2

#1.4 使用CA签发证书:
#$OPENSSL x509 -req -CA $CADIR/CA.cert -CAkey $CADIR/CA.key  -CAcreateserial -in $CADIR/ca.csr -out $CADIR/ca.crt -days 3650 -sha256 -config $OPENSSLCONFIG  || exit 2

#2. 创建server证书   http://www.dayanmei.com/nginx-selfssl/
#2.1 生成key
$OPENSSL genrsa -out $SERVERDIR/srv.key 2048   || exit 2
#2.2 生成 csr
$OPENSSL req -new -key $SERVERDIR/srv.key -out $SERVERDIR/srv.csr  -subj "$EXTATTRI" -config $OPENSSLCONFIG  || exit 2
#2.3 生成证书
$OPENSSL x509 -req -CA $CADIR/CA.cert -CAkey $CADIR/CA.key  -CAcreateserial -in $SERVERDIR/srv.csr -out $SERVERDIR/srv.crt -days 3650 -sha256 || exit 2
#$OPENSSL ca -in $SERVERDIR/srv.csr -cert $CADIR/CA.cert -keyfile $CADIR/CA.key -out $SERVERDIR/srv.crt -days 3650  || exit 2

#3. 创建client证书
#3.1 生成key
$OPENSSL genrsa -out $CLIENTDIR/client.key 2048   || exit 2
#3.2 生成 csr
$OPENSSL req -new -key $CLIENTDIR/client.key -out $CLIENTDIR/client.csr  -subj "$EXTATTRI"  -config $OPENSSLCONFIG  || exit 2
#3.3 生成证书
$OPENSSL x509 -req -CA $CADIR/CA.cert -CAkey $CADIR/CA.key  -CAcreateserial -in $CLIENTDIR/client.csr -out $CLIENTDIR/client.crt -days 3650 -sha256 || exit 2
#3.4 生成windows证书
#$OPENSSL pkcs12 -export -clcerts -in $CLIENTDIR/client.crt -inkey $CLIENTDIR/client.key -out $CLIENTDIR/client.p12 

#$OPENSSL dhparam -out ./dhparam.pem 4096

#Create the keypair (private key and CSR)  o0;6^[Q|//WFCNun|<g"s;Y$w+'?"3
#$OPENSSL req -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem -config $OPENSSLCONFIG  || exit 2

#Self-sign the CSR to make your CA CRT
#$OPENSSL ca -create_serial -out cacert.pem -days 3650 -keyfile private/cakey.pem -selfsign -extensions v3_ca_has_san -config ./openssl.cnf -infiles careq.pem  || exit 2

#$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 3650 || exit 2
#chmod 0600 $KEYFILE


配置文件openssl.cnf:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certs with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 3650			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use public key default MD
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California

localityName                    = Locality Name (eg, city)
localityName_default            = Los Angeles

# country (2 letter code)
C=FI

# State or Province Name (full name)
ST=

# Locality Name (eg. city)
L=Helsinki

# Organization (eg. company)
O=Dovecot
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = ABCDEF Corporation

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=*.otherhill.com

# E-mail contact
emailAddress=postmaster@otherhill.com


####################################################################
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert
prompt = no
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = California

localityName                    = Locality Name (eg, city)
localityName_default            = Los Angeles

# country (2 letter code)
C=FI

# State or Province Name (full name)
ST=

# Locality Name (eg. city)
L=Helsinki

# Organization (eg. company)
O=Dovecot
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = ABCDEF Corporation

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=*.otherhill.com

# E-mail contact
emailAddress=postmaster@otherhill.com

#o0\;6\^\[Q\|//WFCNun\|\<g\"s\;Y\$w\+\'\?\"3
[ req_attributes ]
challengePassword		= xKo0RdYME38u
challengePassword_min		= 4
challengePassword_max		= 30

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256			# Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)
ess_cert_id_alg		= sha1	# algorithm to compute certificate
				# identifier (optional, default: sha1)


以nginx反代为例,我们这么使用 :

客户 <---> vps服务器(反向代理) <---> 后端服务器(upstream servers)


vps 服务器:
#这个证书是从Let's encrypt申请的认证证书.
ssl_certificate     /opt/ssl/otherhill.com/fullchain.pem;
ssl_certificate_key /opt/ssl/otherhill.com/privkey.pem;

ssl_protocols SSLv3 SSLv2 TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers  'TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5';

ssl_prefer_server_ciphers on;

ssl_session_cache shared:tashan_SSL:30m;
ssl_session_timeout 4h;

proxy_ssl_certificate_key        $SERVERDIR/srv.key;
proxy_ssl_trusted_certificate   $CADIR/CA.cert;
proxy_ssl_verify        on;

proxy_ssl_verify_depth  2;
proxy_ssl_session_reuse on;


后端服务器(upstream servers):
ssl_certificate        $SERVERDIR/srv.crt;
ssl_certificate_key  $SERVERDIR/srv.key;
proxy_ssl_session_reuse on;

ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;

ssl_session_cache shared:tashan_SSL:100m;
ssl_session_timeout 4h;
ssl_prefer_server_ciphers on;


对nginx所需的证书,执行:
sudo chown root:root  ....
sudo chmod 400 .....
以保证证书安全.

会不会有人和我一样, VPS与后端服务器的通讯,明文裸奔了很多年呢.
关于 VPS与后端服务器(upstream servers)之间的流量加密,见我们之前的文章:  https://i.otherhill.com/index.php/topic/show/514

0 回复 | 直到2022-09-30 23:43添加回复

回复

最近更新

私信给我
生成图片 生成二维码 生成密码
清空