There are several ways to generate a CA private key and self-signed certificate with OpenSSL, and doing the same with CFSSL is just as simple.
Prepare the key length for the CA private key and the Subject fields of the CSR. cfssl print-defaults produces a template for the csr file, which is then edited to suit.
Generating the CSR file template

[root@liumiaocn cfssl]# ls
cfssl  cfssl-certinfo  cfssljson
[root@liumiaocn cfssl]# mkdir ca
[root@liumiaocn cfssl]# cd ca
[root@liumiaocn ca]# ../cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@liumiaocn ca]#
[root@liumiaocn ca]# ../cfssl print-defaults list
Default configurations are available for:
config
csr
[root@liumiaocn ca]#
[root@liumiaocn ca]# ../cfssl print-defaults csr
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
[root@liumiaocn ca]#
[root@liumiaocn ca]# ../cfssl print-defaults csr >ca-csr.json
[root@liumiaocn ca]#
After editing, the CSR file for the CA looks like this:
[root@liumiaocn ca]# ls
ca-csr.json
[root@liumiaocn ca]# cat ca-csr.json
{
    "CN": "devops.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing",
            "O": "devops",
            "OU": "unicorn"
        }
    ]
}
[root@liumiaocn ca]#

Generating the CA private key, CSR file and CA certificate
The following command generates the CA private key, the CSR file and the CA certificate in one step.
[root@liumiaocn ca]# ../cfssl gencert -initca ca-csr.json |../cfssljson -bare ca -
2019/12/15 06:12:02 [INFO] generating a new CA key and certificate from CSR
2019/12/15 06:12:02 [INFO] generate received request
2019/12/15 06:12:02 [INFO] received CSR
2019/12/15 06:12:02 [INFO] generating key: rsa-2048
2019/12/15 06:12:03 [INFO] encoded CSR
2019/12/15 06:12:03 [INFO] signed certificate with serial number 72583730418191516028003096307996422627737938938
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@liumiaocn ca]#
The file types are as follows:
[root@liumiaocn ca]# file *
ca.csr:      PEM certificate request
ca-csr.json: ASCII text
ca-key.pem:  PEM RSA private key
ca.pem:      PEM certificate
[root@liumiaocn ca]#
The file contents are as follows:
[root@liumiaocn ca]# cat ca-key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqOeeZJI29et/dOGqljuiIDki067DUdQ/ua2Hq2gFGFrDXL6S
ULpM0Ks1pRDJD9VQCB/Es5uexYrp0ZVs7ePWE/ms25oxqXScE2iROIyUZp8gZrgj
Nc9o4ynG7kKlPNgeSnCKDZ6nPRy6BiRMDCN37LZ93dE/d4fXUuMYccs8TUeB7Uga
/5a60VAIZbMCKtZ1WCkUwzjoJbPVVUPsbjGM8pP2637Gk0khUQm9gSEfRL1ZrZ7c
UUCqxKFPcyUpl93vj9h03E3/suL3tmutQtibVoqLR+jOEIauewqv/gxv/fH6EEqF
5UWHREmdEiiLhTYzoRKeRS5GYZUOm1HT2pu2CwIDAQABAoIBAQClVSv3eCRybpXx
vF/19OOLNUKBAQXSGLhUMaemwgiSwW2QYD7q5KICdETrkdWuOPjBKw+pXEB7T7H2
5JSe/DF2liR9RZ8tJ6cLXIUiXIF7PnJB+icFKkSacC941CXYvBhSd3y7PjyoFnGF
R4xlKWbff/cO5R+CCqdcTE2GPhGF9kz6ttX1+vX9p8hMuo0bmbp20eOvFyv/EFId
qSLnp2CBcnxA9hM2DojCxixGguy6cCNVhOn1imxZLfpwb9R9tTXitPcapMjKwvn3
BNSVHAETxcsqpJv779Az77/ML9TZgPwgqvAnAKxCV4czoweQZQ3ssOymznQa3/e2
YT1poh75AoGBAM2o0v0GT6DpNfPuHW3Z0T8VYjW8iOO5FG2qcblCF97ltDdslp4M
BEtACpv5wZo9CtNxDyDUXjrz1sH5bSI4+n9RZDDP8IH7c8mbX5D4GgqII389J4XC
iYJ9LqLU1eKmCpxxbNO5zMzsozRV4B9XypdDXn2/B8Tq72d6DMVr9TotAoGBANI/
pUTOjgq8aO0U/lY7/p+M3FKT2+vdhN/0njNH5ckilTSBgOCW79uAFjZaWb2F+NLL
FpOJSSWasYyVevQDoQJBe84GOmZu7BxFkVuUMl4gcQUOhunkqYpk1z5qwoqsHiRW
TQq/wihYxrb4YVO2pGIyQDDzSdrLnkmyb3ke+uwXAoGAQ/E5OvQhzGQfOeX5fPgP
w8p5to0BoFHdqNk9Vtm57x5t6j2KiM4pgP64Qo1BY4Y1FGNufwcJ1moGEfEoF71B
LFykP+gCab67ougcq1T7rW0KZRe7/dml+iEHDi5INudp7AMg09W3DiBDTp/sOg6T
1GMiTWKV231N+B5/J52h10UCgYEAsdMO74FcdgwhGtS0wS8BDuVOu7E/QuEbL2hw
HaNj4JiVZdFatZozyI0vPE1ytW+IopEOyT5GVb3fCa6sTZJ8LbJBCmIOJvEOVmMo
rDJN33rE3KgKx+yU0O61dp9JZ4xn+gfcJYlGqGVdvQebGfjSVBN4Y26COsIZYO/A
hMsFI4UCgYEAhA8iHtljm0Q/aO078A7512Ra4xKJp4FFPG6qAokquRhXnb4AmXks
Un414h/iKCjKW2QvVDFwbOBkRhoEph2BskF9BDlcgr2/tUGZawHGoNZLOsyC7Afc
MSjwP6Ulwzv9lYe5XxEOzQ/YDVDljpXApQX+ZHfbp53q0fFbedHiypg=
-----END RSA PRIVATE KEY-----
[root@liumiaocn ca]#
[root@liumiaocn ca]# cat ca.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICrjCCAZYCAQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8w
DQYDVQQHEwZEYUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29y
bjETMBEGA1UEAxMKZGV2b3BzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKjnnmSSNvXrf3ThqpY7oiA5ItOuw1HUP7mth6toBRhaw1y+klC6TNCr
NaUQyQ/VUAgfxLObnsWK6dGVbO3j1hP5rNuaMal0nBNokTiMlGafIGa4IzXPaOMp
xu5CpTzYHkpwig2epz0cugYkTAwjd+y2fd3RP3eH11LjGHHLPE1Hge1IGv+WutFQ
CGWzAirWdVgpFMM46CWz1VVD7G4xjPKT9ut+xpNJIVEJvYEhH0S9Wa2e3FFAqsSh
T3MlKZfd74/YdNxN/7Li97ZrrULYm1aKi0fozhCGrnsKr/4Mb/3x+hBKheVFh0RJ
nRIoi4U2M6ESnkUuRmGVDptR09qbtgsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IB
AQAxHhkvw+GjxXhE3KeCcXxaXefdtfoJJvKzB3HPJGBHwJDEYWeld3LY76rEUCoA
g1RpYyXnhtzwnWxKQj1D4u9W7kAH8nLADa4+2cqI8B/WFXf5VU1GIuxUDXxWy4A1
ye48V7G6Tawqs9s1WzYTkIy/C/gPMKSVhsWv2FnXI6mawJjOhf5mWxXCh8gHY3Vq
IERe2YQ5Fspkh+Cd3V0uJrWviaNtn1bvX2logo/v9/IhO0iQg+PN/WLykq6C30iF
DASJJeVl3UAcPNw5rw0I16RkILNQWh0g9chPNodiZDjK67Uzd3zkUpscSDPXqjlb
syzeHsepu3Qenj0M54YWVuwH
-----END CERTIFICATE REQUEST-----
[root@liumiaocn ca]#
[root@liumiaocn ca]# cat ca.pem
-----BEGIN CERTIFICATE-----
MIIDxjCCAq6gAwIBAgIUDLbEXKukkhGbTQFdF4LH8EBnK/owDQYJKoZIhvcNAQEL
BQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE
YUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE
AxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMTA3MDBaFw0yNDEyMTMxMTA3MDBaMGkx
CzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu
MQ8wDQYDVQQKEwZkZXZvcHMxEDAOBgNVBAsTB3VuaWNvcm4xEzARBgNVBAMTCmRl
dm9wcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo555kkjb1
63904aqWO6IgOSLTrsNR1D+5rYeraAUYWsNcvpJQukzQqzWlEMkP1VAIH8Szm57F
iunRlWzt49YT+azbmjGpdJwTaJE4jJRmnyBmuCM1z2jjKcbuQqU82B5KcIoNnqc9
HLoGJEwMI3fstn3d0T93h9dS4xhxyzxNR4HtSBr/lrrRUAhlswIq1nVYKRTDOOgl
s9VVQ+xuMYzyk/brfsaTSSFRCb2BIR9EvVmtntxRQKrEoU9zJSmX3e+P2HTcTf+y
4ve2a61C2JtWiotH6M4Qhq57Cq/+DG/98foQSoXlRYdESZ0SKIuFNjOhEp5FLkZh
lQ6bUdPam7YLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
AQH/AgECMB0GA1UdDgQWBBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczAfBgNVHSMEGDAW
gBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczANBgkqhkiG9w0BAQsFAAOCAQEAQ56h0t1H
VSnaX9ExBDlMIivK/znevJ2GPqvPG2Fq+C1nX/Gpv+biuuA0V15NEDC3YLlUfsfb
jstYAwNRY51gFnhZh/PwJXs1SlktoQ4RuxjwGfdRt1kNSOpzwZbz5JUcTqoEmgtO
LZIIhjLMiALV5br6zbNPqSDv18cLYWqS1is7sD0ppxNRMteizdYdHjk+t3Z1em+6
Onk0cqzZzBXVfELGb19FUcrcwLdQDpccAWTUzrQ/H9d595P6Og3bWmWDSgpYyIrT
mQ0PHXkxAJAMOrY90l+k7r6SfI5f3InTVGv+zMw4HVct9BPUGIOA88tt6rvjSprJ
08uzibszD2ZBEA==
-----END CERTIFICATE-----
[root@liumiaocn ca]#

Confirming the result
The content of the CA certificate can be confirmed with the cfssl-certinfo command; the details are shown below.
[root@liumiaocn ca]# ../cfssl-certinfo -cert ca.pem
{
  "subject": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "issuer": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "serial_number": "72583730418191516028003096307996422627737938938",
  "not_before": "2019-12-15T11:07:00Z",
  "not_after": "2024-12-13T11:07:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "subject_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDxjCCAq6gAwIBAgIUDLbEXKukkhGbTQFdF4LH8EBnK/owDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE\nAxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMTA3MDBaFw0yNDEyMTMxMTA3MDBaMGkx\nCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu\nMQ8wDQYDVQQKEwZkZXZvcHMxEDAOBgNVBAsTB3VuaWNvcm4xEzARBgNVBAMTCmRl\ndm9wcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo555kkjb1\n63904aqWO6IgOSLTrsNR1D+5rYeraAUYWsNcvpJQukzQqzWlEMkP1VAIH8Szm57F\niunRlWzt49YT+azbmjGpdJwTaJE4jJRmnyBmuCM1z2jjKcbuQqU82B5KcIoNnqc9\nHLoGJEwMI3fstn3d0T93h9dS4xhxyzxNR4HtSBr/lrrRUAhlswIq1nVYKRTDOOgl\ns9VVQ+xuMYzyk/brfsaTSSFRCb2BIR9EvVmtntxRQKrEoU9zJSmX3e+P2HTcTf+y\n4ve2a61C2JtWiotH6M4Qhq57Cq/+DG/98foQSoXlRYdESZ0SKIuFNjOhEp5FLkZh\nlQ6bUdPam7YLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG\nAQH/AgECMB0GA1UdDgQWBBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczAfBgNVHSMEGDAW\ngBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczANBgkqhkiG9w0BAQsFAAOCAQEAQ56h0t1H\nVSnaX9ExBDlMIivK/znevJ2GPqvPG2Fq+C1nX/Gpv+biuuA0V15NEDC3YLlUfsfb\njstYAwNRY51gFnhZh/PwJXs1SlktoQ4RuxjwGfdRt1kNSOpzwZbz5JUcTqoEmgtO\nLZIIhjLMiALV5br6zbNPqSDv18cLYWqS1is7sD0ppxNRMteizdYdHjk+t3Z1em+6\nOnk0cqzZzBXVfELGb19FUcrcwLdQDpccAWTUzrQ/H9d595P6Og3bWmWDSgpYyIrT\nmQ0PHXkxAJAMOrY90l+k7r6SfI5f3InTVGv+zMw4HVct9BPUGIOA88tt6rvjSprJ\n08uzibszD2ZBEA==\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn ca]#
It can of course also be confirmed with the openssl x509 subcommand.
[root@liumiaocn ca]# openssl x509 -noout -text -in ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:b6:c4:5c:ab:a4:92:11:9b:4d:01:5d:17:82:c7:f0:40:67:2b:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Validity
            Not Before: Dec 15 11:07:00 2019 GMT
            Not After : Dec 13 11:07:00 2024 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a8:e7:9e:64:92:36:f5:eb:7f:74:e1:aa:96:3b:
                    a2:20:39:22:d3:ae:c3:51:d4:3f:b9:ad:87:ab:68:
                    05:18:5a:c3:5c:be:92:50:ba:4c:d0:ab:35:a5:10:
                    c9:0f:d5:50:08:1f:c4:b3:9b:9e:c5:8a:e9:d1:95:
                    6c:ed:e3:d6:13:f9:ac:db:9a:31:a9:74:9c:13:68:
                    91:38:8c:94:66:9f:20:66:b8:23:35:cf:68:e3:29:
                    c6:ee:42:a5:3c:d8:1e:4a:70:8a:0d:9e:a7:3d:1c:
                    ba:06:24:4c:0c:23:77:ec:b6:7d:dd:d1:3f:77:87:
                    d7:52:e3:18:71:cb:3c:4d:47:81:ed:48:1a:ff:96:
                    ba:d1:50:08:65:b3:02:2a:d6:75:58:29:14:c3:38:
                    e8:25:b3:d5:55:43:ec:6e:31:8c:f2:93:f6:eb:7e:
                    c6:93:49:21:51:09:bd:81:21:1f:44:bd:59:ad:9e:
                    dc:51:40:aa:c4:a1:4f:73:25:29:97:dd:ef:8f:d8:
                    74:dc:4d:ff:b2:e2:f7:b6:6b:ad:42:d8:9b:56:8a:
                    8b:47:e8:ce:10:86:ae:7b:0a:af:fe:0c:6f:fd:f1:
                    fa:10:4a:85:e5:45:87:44:49:9d:12:28:8b:85:36:
                    33:a1:12:9e:45:2e:46:61:95:0e:9b:51:d3:da:9b:
                    b6:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier:
                21:21:2E:0B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:07:AE:3D:82:73
            X509v3 Authority Key Identifier:
                keyid:21:21:2E:0B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:07:AE:3D:82:73
    Signature Algorithm: sha256WithRSAEncryption
         43:9e:a1:d2:dd:47:55:29:da:5f:d1:31:04:39:4c:22:2b:ca:
         ff:39:de:bc:9d:86:3e:ab:cf:1b:61:6a:f8:2d:67:5f:f1:a9:
         bf:e6:e2:ba:e0:34:57:5e:4d:10:30:b7:60:b9:54:7e:c7:db:
         8e:cb:58:03:03:51:63:9d:60:16:78:59:87:f3:f0:25:7b:35:
         4a:59:2d:a1:0e:11:bb:18:f0:19:f7:51:b7:59:0d:48:ea:73:
         c1:96:f3:e4:95:1c:4e:aa:04:9a:0b:4e:2d:92:08:86:32:cc:
         88:02:d5:e5:ba:fa:cd:b3:4f:a9:20:ef:d7:c7:0b:61:6a:92:
         d6:2b:3b:b0:3d:29:a7:13:51:32:d7:a2:cd:d6:1d:1e:39:3e:
         b7:76:75:7a:6f:ba:3a:79:34:72:ac:d9:cc:15:d5:7c:42:c6:
         6f:5f:45:51:ca:dc:c0:b7:50:0e:97:1c:01:64:d4:ce:b4:3f:
         1f:d7:79:f7:93:fa:3a:0d:db:5a:65:83:4a:0a:58:c8:8a:d3:
         99:0d:0f:1d:79:31:00:90:0c:3a:b6:3d:d2:5f:a4:ee:be:92:
         7c:8e:5f:dc:89:d3:54:6b:fe:cc:cc:38:1d:57:2d:f4:13:d4:
         18:83:80:f3:cb:6d:ea:bb:e3:4a:9a:c9:d3:cb:b3:89:bb:33:
         0f:66:41:10
[root@liumiaocn ca]#
As can be seen, the validity period of the certificate signed here defaults to 5 years.
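As an added example (not code from this page and not part of CFSSL), the Go program below does with the standard library what the cfssl gencert -initca step above does for the edited ca-csr.json, and then performs the checks that the cfssl-certinfo and openssl x509 output is read for: CA:TRUE with pathlen:2, Key Usage Certificate Sign plus CRL Sign, a self-signature that verifies under the certificate's own key, and the 5 x 8760 h validity that the page's Not Before/Not After dates reflect. The csrRequest type, the buildCA and checkCA functions, the random 159-bit serial and the SHA-1 key identifier are my assumptions for this example; the embedded ca-csr.json and the rsa-2048 parameters are the ones shown on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// csrRequest mirrors the fields of the page's ca-csr.json (encoding/json matches keys case-insensitively).
type csrRequest struct {
	CN    string
	Key   struct{ Algo string; Size int }
	Names []struct{ C, L, ST, O, OU string }
}

// caCSRJSON is the page's edited ca-csr.json, embedded so the program runs offline.
const caCSRJSON = `{"CN":"devops.com","key":{"algo":"rsa","size":2048},
"names":[{"C":"CN","L":"DaLian","ST":"LiaoNing","O":"devops","OU":"unicorn"}]}`

// caExpiry is the 5 x 8760 h lifetime the page's ca.pem shows for "gencert -initca".
const caExpiry = 5 * 8760 * time.Hour

func loadCSR(data []byte) (req csrRequest, err error) {
	err = json.Unmarshal(data, &req)
	return
}

// buildCA makes a self-signed CA with the profile visible in the page's ca.pem:
// RSA key, CA:TRUE pathlen:2, keyUsage certSign+crlSign, SKI == AKI, 5-year validity.
func buildCA(req csrRequest, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	if req.Key.Algo != "rsa" || req.Key.Size < 2048 || len(req.Names) == 0 {
		return nil, nil, fmt.Errorf("unsupported request %s-%d: only RSA >= 2048 with a names entry is built here", req.Key.Algo, req.Key.Size)
	}
	key, err := rsa.GenerateKey(rand.Reader, req.Key.Size)
	if err != nil {
		return nil, nil, err
	}
	n := req.Names[0]
	subj := pkix.Name{CommonName: req.CN, Country: []string{n.C}, Province: []string{n.ST},
		Locality: []string{n.L}, Organization: []string{n.O}, OrganizationalUnit: []string{n.OU}}
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	keyID := sha1.Sum(pubDER) // key identifier (assumption: SHA-1 over the encoded public key)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159)) // random, unpredictable serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subj, NotBefore: now, NotAfter: now.Add(caExpiry),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 2,
		SubjectKeyId: keyID[:], AuthorityKeyId: keyID[:],
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so callers see the encoded fields
	return cert, key, err
}

// checkCA lists what would stop a certificate from serving as a trust anchor; these are
// the fields the page reads off cfssl-certinfo and "openssl x509 -text".
func checkCA(cert *x509.Certificate, at time.Time) (problems []string) {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		problems = append(problems, "basicConstraints is not CA:TRUE")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 || cert.KeyUsage&x509.KeyUsageCRLSign == 0 {
		problems = append(problems, "keyUsage lacks Certificate Sign or CRL Sign")
	}
	if err := cert.CheckSignatureFrom(cert); err != nil { // must verify under its own key
		problems = append(problems, "self-signature check failed: "+err.Error())
	}
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		problems = append(problems, "not valid at "+at.UTC().Format(time.RFC3339))
	}
	return problems
}

func main() {
	req, err := loadCSR([]byte(caCSRJSON))
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cert, _, err := buildCA(req, now)
	if err != nil {
		panic(err)
	}
	// The certificate goes to stdout so it can be inspected exactly as the page does,
	// e.g. "go run . | openssl x509 -noout -text"; the summary goes to stderr.
	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	fmt.Fprintf(os.Stderr, "validity=%v pathlen=%d problems=%q\n",
		cert.NotAfter.Sub(cert.NotBefore), cert.MaxPathLen, checkCA(cert, now))
}
```

Piping the printed certificate into the page's openssl x509 -noout -text command (or saving it and running cfssl-certinfo -cert on it) shows the same extension set as the ca.pem above, with a different key, serial and dates. buildCA only accepts RSA of at least 2048 bits, so the unedited print-defaults template (ecdsa, 256) is refused; that restriction belongs to this example, not to cfssl, and it is the reason the page edits the key section before generating the CA.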