OpenSSL as a CA without touching the certs/crl/index/etc. environment

Posted 2024-12-09 17:59:50 · 869 words · 0 views · 0 comments

I think I have the right OpenSSL command to sign a certificate but I've gotten stuck and the tutorials I've found use a different argument format (I'm using OpenSSL 0.9.8o 01 Jun 2010).

openssl ca -cert cert.pem -keyfile key.pem

(Private key is not encrypted and the CSR is on stdin.)

It gives this error

Using configuration from /usr/lib/ssl/openssl.cnf
./demoCA/index.txt: No such file or directory
unable to open './demoCA/index.txt'

Looking at that configuration file:

[ ca ]
default_ca = CA_default    # The default ca section

[ CA_default ]
dir      = ./demoCA        # Where everything is kept
certs    = $dir/certs      # Where the issued certs are kept
crl_dir  = $dir/crl        # Where the issued crl are kept
database = $dir/index.txt  # database index file.

I don't have any of this set up. I don't want to set any of this up.

Is it strictly necessary, or is there a "don't bother" option?

I tried creating empty directories and files but I've got in a tangle. What I really want is for a command like the above to work, with the output on stdout, without touching anything on the filesystem.


Answers (4)

执笏见 2024-12-16 17:59:50

I don't know of any "don't bother" options, but here is how you can set up a quick demo CA:

#!/bin/bash
CAROOT=/path/to/ca
mkdir -p ${CAROOT}/ca.db.certs   # Signed certificates storage
touch ${CAROOT}/ca.db.index      # Index of signed certificates
echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number

# Configuration (the section that "openssl ca -config" reads)
cat>${CAROOT}/ca.conf<<'EOF'
[ ca ]
default_ca = ca_default

[ ca_default ]
dir = REPLACE_LATER               # filled in by the sed below
certs = $dir
new_certs_dir = $dir/ca.db.certs  # a copy of each issued cert, named <serial>.pem
database = $dir/ca.db.index       # the index ("database") file
serial = $dir/ca.db.serial        # next serial number
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt         # the CA certificate
private_key = $dir/ca.key         # the CA private key
default_days = 365                # validity of issued certificates
default_crl_days = 30
default_md = md5                  # digest used for the signature
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied             # the only DN field a CSR must carry
emailAddress = optional
EOF

sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf

cd ${CAROOT}

# Generate CA private key
openssl genrsa -out ca.key 1024

# Create Certificate Signing Request (prompts for the DN fields)
openssl req -new -key ca.key  \
                 -out ca.csr

# Create self-signed certificate
openssl x509 -req -days 10000 \
              -in ca.csr      \
              -out ca.crt     \
              -signkey ca.key

Now you can generate and sign keys:

# Create private/public key pair
openssl genrsa -out server.key 1024

# Create Certificate Signing Request
openssl req -new -key server.key \
                 -out server.csr

# Sign key
openssl ca -config ${CAROOT}/ca.conf   \
           -in server.csr              \
           -cert ${CAROOT}/ca.crt      \
           -keyfile ${CAROOT}/ca.key   \
           -out server.crt
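
The script above is a working openssl ca setup, but it uses 1024-bit RSA, MD5 signatures, and (because x509 -req is run without an -extfile) a version 1 root certificate with no extensions, none of which current TLS clients accept. The following is an added example, my own rather than the answer's script, showing the same openssl ca workflow with SHA-256, 2048-bit keys, X.509v3 extensions on both the root and the issued certificate, and a look at exactly what openssl ca writes to its database. The directory layout, config section names, DNs and function names are my choices.

```shell
#!/bin/sh
# Added example (not the answer's own script): a minimal but complete
# "openssl ca" setup with SHA-256, 2048-bit keys and v3 extensions, plus a
# look at the state openssl ca keeps (index.txt, serial, newcerts/).
# Directory layout, section names and DNs are my own choices.
set -eu

# make_ca DIR: create the CA state files and a self-signed root certificate.
make_ca() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"        # the "database": one line per issued cert
  echo 1000 > "$dir/serial"   # next serial, hex; openssl ca increments it
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $dir
new_certs_dir   = \$dir/newcerts  # a copy of every issued cert, <serial>.pem
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256          # not md5/sha1
default_days    = 365
unique_subject  = yes             # refuse a second valid cert for the same DN
copy_extensions = none            # never take extensions from the CSR as-is
policy          = demo_policy

[ demo_policy ]
commonName      = supplied

[ req ]
distinguished_name = req_dn       # required even though -subj is used below
x509_extensions    = v3_ca        # applied by "req -x509"

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Demo Root CA" -days 3650 \
      -keyout "$dir/ca.key" -out "$dir/ca.crt"
}

# issue_server_cert DIR NAME: new key + CSR for NAME, signed by the CA.
# Because copy_extensions = none, the SAN is decided here by the signer.
issue_server_cert() {
  dir=$1; name=$2
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr"
  cat > "$dir/$name.ext" <<EOF
[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$name
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  # -batch: no interactive "Sign the certificate? [y/n]" prompt
  # -notext: write only the PEM, not the human-readable dump
  openssl ca -batch -notext -config "$dir/ca.cnf" \
      -extfile "$dir/$name.ext" -extensions server_cert \
      -in "$dir/$name.csr" -out "$dir/$name.crt"
}

# ca_state DIR: show what a signing run changed on disk.
ca_state() {
  dir=$1
  echo "next serial: $(cat "$dir/serial")"
  echo "index.txt:"; cat "$dir/index.txt"   # V <expiry> <revoked> <serial> unknown <DN>
  echo "newcerts:"; ls "$dir/newcerts"      # <serial>.pem copies of issued certs
}

main() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_server_cert "$d" www.example.test
  openssl verify -CAfile "$d/ca.crt" "$d/www.example.test.crt"
  ca_state "$d"
}

main
```

After one issuance the serial file reads 1001, index.txt holds one line starting with V (valid) followed by the expiry, the serial 1000 and the subject, and newcerts/ contains 1000.pem. Those three files are the whole point of openssl ca: they let it refuse a duplicate subject (unique_subject), guarantee unique serials, and later produce a CRL with openssl ca -gencrl. If none of that is wanted, openssl x509 -req is the tool, not openssl ca.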

我一向站在原地 2024-12-16 17:59:50

Based on snow6oy's answer, here's what I did:

openssl x509 -req -CA CACert.pem -CAkey CAKey.pem -CAcreateserial -in YourCSR.csr -out YourCert.pem

A couple of optional flags that may be useful:

  • -days 1095
    (The default is 30 days)

  • -sha256
    (RHEL 7 defaults to SHA-1)

三五鸿雁 2024-12-16 17:59:50

Rather than using the ca option, try the x509 option with -req. You would add -CAfile to point to your authority. This will sign your certificate without adding entries to the index. There is more about using x509 as a "mini CA" here.

https://www.openssl.org/docs/manmaster/man1/openssl-x509.html#Micro-CA-Options
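
Both of the answers above (the -CAcreateserial command and the "mini CA" pointer) sign with openssl x509 -req and therefore need no index or serial files. The following is an added example, my own and not code from either answer, that takes the original requirement literally: the CSR comes in on stdin, the PEM certificate goes out on stdout, and the only files touched are the CA certificate and key passed as arguments. The function name, argument order, extension set and the 128-bit random serial are my choices.

```shell
#!/bin/sh
# Added example: sign a CSR with "openssl x509 -req" and no CA database.
# CSR in on stdin, PEM certificate out on stdout, nothing written to disk.
set -eu

# sign_csr_stateless CA_CERT CA_KEY SAN [DAYS]  < request.csr > cert.pem
# SAN is an OpenSSL subjectAltName value such as "DNS:www.example.test".
sign_csr_stateless() {
  ca_cert=$1; ca_key=$2; san=$3; days=${4:-365}
  # With no index.txt nobody tracks serials for us, so uniqueness has to come
  # from randomness: 128 random bits (public CAs are required to use >= 64).
  # -CAcreateserial would instead keep a counter in a <cacert>.srl file.
  serial="0x$(openssl rand -hex 16)"
  # x509 -req ignores extensions the requester put in the CSR, so the signer
  # decides them; the extension file is a here-document on fd 3, not a file.
  openssl x509 -req -sha256 -days "$days" \
      -CA "$ca_cert" -CAkey "$ca_key" -set_serial "$serial" \
      -extfile /dev/fd/3 3<<EOF
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = $san
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}
```

Typical use is sign_csr_stateless ca.crt ca.key DNS:www.example.test < server.csr > server.crt. The trade-off versus openssl ca is that nothing stops two runs from issuing overlapping certificates for the same name, and there is no record from which to build a CRL; the random serial only guarantees that the two certificates are distinguishable. Since the signer supplies the extensions rather than copying them from the request, a requester cannot smuggle in CA:TRUE or an unexpected SAN (OpenSSL 3 adds -copy_extensions to x509 for cases where copying is wanted; leave it off unless you vet the CSR).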

哽咽笑 2024-12-16 17:59:50

Depending on your case you might want to have your private keys encrypted, use different X.509 extensions, and/or possibly make other changes.

The simplest way I know of to generate certificates is as follows. First generate a root (CA) certificate (with a private key):

$ openssl req -x509 -subj /CN=root.yourdomain.com -days 3650 -noenc \
    -out root.crt -keyout root.key

Then you can create end-user certificates (signed by the root certificate):

$ openssl req -x509 -subj /CN=server.yourdomain.com -days 365 -noenc \
    -CA root.crt -CAkey root.key -extensions usr_cert \
    -out server.crt -keyout server.key

The meaning of the options:

  • -x509 - generate a certificate, not CSR
  • -subj - subject
  • -days - the number of days until it expires
  • -noenc - don't encrypt the private key
  • -CA - the root (CA) certificate
  • -CAkey - the root (CA) private key
  • -extensions - X.509 extensions to add to the certificate (the section of the config file); usr_cert adds CA:FALSE to the certificate
  • -out - output certificate
  • -keyout - output private key

Some other ways can be found here.
