1.3.Generate-RSA-CA-Intermediate.md

1.3. 生成 RSA CA 中间证书

初始化工作目录

假定 RSA CA 的工作目录在 /data/ca/RSA/R1，那么执行如下脚本：

export MY_CA_WORKDIR=/data/ca

MY_CA_L2_DIR=$MY_CA_WORKDIR/RSA/R1

mkdir -p $MY_CA_L2_DIR

cd $MY_CA_L2_DIR

mkdir -p certs crl csr newcerts private
touch index.txt

MY_CA_RAND_FILE=$MY_CA_L2_DIR/.rand

openssl rand -out $MY_CA_RAND_FILE 65535
sha1sum $MY_CA_RAND_FILE | grep -Po '^\w+' > serial

openssl rand -out $MY_CA_RAND_FILE 65535
sha1sum $MY_CA_RAND_FILE | grep -Po '^\w+' > crlnumber

openssl rand -out $MY_CA_RAND_FILE 1048576

生成 CA 中间证书的 RSA 私钥

MY_CA_L2_KEY_PATH=$MY_CA_L2_DIR/key.pem

openssl genrsa -rand $MY_CA_RAND_FILE -aes-256-cfb -out $MY_CA_L2_KEY_PATH 4096

生成证书签名申请表文件（xxx.csr.pem）

首先，创建一个申请表草稿（xxx.csr.cnf），这是一个用于描述要申请的证书的详细信息的文本文件。

MY_CA_L2_REQ_PATH=$MY_CA_L2_DIR/ca.csr.cnf

cat > $MY_CA_L2_REQ_PATH << EOL
[ req ]
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha384
prompt              = no

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = CN
0.organizationName              = Demo ORG
organizationalUnitName          = www.demo.org
commonName                      = Demo CA RSA R1
EOL

然后使用 openssl req 命令，在该申请表里添加你的二级 CA 公钥，并使用你二级 CA 私钥，对该申请表进行签名，从而得到一个新的文件 xxx.csr.pem，这是一个 BASE64 编码的 DER 文件。

MY_CA_L2_CSR_PATH=$MY_CA_L2_DIR/ca.csr.pem

openssl req \
    -config $MY_CA_L2_REQ_PATH \
    -new \
    -key $MY_CA_L2_KEY_PATH \
    -out $MY_CA_L2_CSR_PATH

可以通过如下命令查看该文件的详细信息。

openssl req \
    -in $MY_CA_L2_CSR_PATH \
    -noout \
    -text

签发 CA 中间证书

限制开始使用根 CA 签发二级 CA 证书。这里使用你上面创建的 xxx.csr.pem 文件里的信息，生成一个 x509 证书文件（ca.pem），并使用 CA 的私钥对该证书进行签名。

这里签发的是一个 10 年有效期的二级 CA。

MY_CA_L2_CERT_PATH=$MY_CA_L2_DIR/ca.pem

openssl ca \
    -config $MY_CA_ROOT_DIR/ca.cnf \
    -extensions v3_intermediate_ca \
    -days 3650 \
    -notext \
    -batch \
    -in $MY_CA_L2_CSR_PATH \
    -out $MY_CA_L2_CERT_PATH

然后可以通过如下命令查看生成证书的详细信息。

openssl x509 -noout -text -in $MY_CA_L2_CERT_PATH

通过如下命令验证二级 CA 证书是否可以用根 CA 证书验证。

openssl verify -CAfile $MY_CA_ROOT_CERT_PATH $MY_CA_L2_CERT_PATH

生成证书链文件

MY_CA_L2_CERT_CHAIN_PATH=$MY_CA_L2_DIR/ca.fullchain.pem

cat > $MY_CA_L2_CERT_CHAIN_PATH << EOL
$(cat $MY_CA_L2_CERT_PATH)

$(cat $MY_CA_ROOT_CERT_PATH)
EOL

配置 CA

最后对 CA 进行配置，以用于签发其他证书。

MY_CA_L2_CONF_PATH=$MY_CA_L2_DIR/ca.cnf

cat > $MY_CA_L2_CONF_PATH << EOL
# OpenSSL intermediate CA configuration file.
# Copy to /root/ca/intermediate/openssl.cnf.

[ ca ]
# man ca
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = $MY_CA_L2_DIR
certs             = \$dir/certs
crl_dir           = \$dir/crl
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
RANDFILE          = \$dir/.rand

# The root key and root certificate.
private_key       = \$dir/key.pem
certificate       = \$dir/ca.pem

# For certificate revocation lists.
crlnumber         = \$dir/crlnumber
crl               = \$dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose
copy_extensions   = copy

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the ca man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ client_cert ]
# Extensions for client certificates (man x509v3_config).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
# authorityInfoAccess = caIssuers;URI:http://demo.org/ca.html
# certificatePolicies = 2.23.140.1.2.1,@policy_issuer_info
# authorityInfoAccess = OCSP;URI:http://ocsp.demo.org/

[ server_cert ]
# Extensions for server certificates (man x509v3_config).
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# authorityInfoAccess = caIssuers;URI:http://demo.org/ca.html
# certificatePolicies = 2.23.140.1.2.1,@policy_issuer_info
# authorityInfoAccess = OCSP;URI:http://ocsp.demo.org/

# [ policy_issuer_info ]
# policyIdentifier = 1.3.6.1.4.1.44947.1.2.3.4.5.6.7.8
# CPS.1 = "http://cps.demo.org/"
# userNotice.1 = @policy_issuer_notice

# [ policy_issuer_notice ]

# explicitText="This is a demo certificate"
# organization="Demo ORG"

EOL

注意，此时的 CA 不允许重复对同一个 commonName 签发证书，需要改成可以对同一个主体重复颁发证书：

echo 'unique_subject = no' > $MY_CA_L2_DIR/index.txt.attr