The hierarchy has four levels: root CA → level-2 CA → level-3 CA → end-entity certificate, with support for bidirectional cross-trust between the intermediates.
1. Preparing the directory structure
```bash
mkdir -p {root-ca,level2-ca,level3-ca,end-cert}/{certs,private,newcerts}
# the cross-trust steps below copy certificates into these directories
mkdir -p {level2-ca,level3-ca}/trusted-certs
touch {root-ca,level2-ca,level3-ca}/index.txt
# index.txt and serial are only consumed by "openssl ca"; a brace expansion in a
# redirection target expands to a single file, so write the serial files in a loop
for d in root-ca level2-ca level3-ca; do
    echo 01 > "$d/serial"
done
```
2. Configuration file template (openssl.cnf)
```ini
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = California
L  = Mountain View
O  = ChainCert Inc
# substituted from the environment at run time
CN = $ENV::CERT_NAME

[ v3_req ]
basicConstraints = critical,CA:$ENV::IS_CA
keyUsage         = critical,keyCertSign,cRLSign,digitalSignature
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $ENV::SITE_NAME
```

Two caveats of this single shared section: every level, including the end-entity certificate, receives the same `keyUsage` (so the server certificate also carries `keyCertSign`; compare the parameter table below, which expects `digitalSignature,keyEncipherment` for servers), and the CA requests also pick up `alt_names` with an empty `SITE_NAME`. If your OpenSSL build rejects an empty DNS entry, set `SITE_NAME` for the CA steps or give the CAs an extension section without `subjectAltName`.
3. Certificate chain generation script (Linux/macOS/UNIX)
```bash
#!/bin/bash
set -euo pipefail

# Root CA (self-signed). "-extensions v3_req" is required here: with -x509,
# openssl req does not apply req_extensions to the certificate it writes.
export CERT_NAME="ROOT-CA" IS_CA="TRUE" SITE_NAME=""
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config openssl.cnf -extensions v3_req \
    -keyout root-ca/private/ca.key -out root-ca/certs/ca.crt

# Level-2 CA, signed by the root
export CERT_NAME="LEVEL2-CA" IS_CA="TRUE" SITE_NAME=""
openssl req -newkey rsa:2048 -nodes \
    -config openssl.cnf \
    -keyout level2-ca/private/ca.key -out level2-ca/certs/ca.csr
openssl x509 -req -in level2-ca/certs/ca.csr -days 3650 \
    -extensions v3_req -extfile openssl.cnf \
    -CA root-ca/certs/ca.crt -CAkey root-ca/private/ca.key -CAcreateserial \
    -out level2-ca/certs/ca.crt

# Level-3 CA, signed by the level-2 CA
export CERT_NAME="LEVEL3-CA" IS_CA="TRUE" SITE_NAME=""
openssl req -newkey rsa:2048 -nodes \
    -config openssl.cnf \
    -keyout level3-ca/private/ca.key -out level3-ca/certs/ca.csr
openssl x509 -req -in level3-ca/certs/ca.csr -days 3650 \
    -extensions v3_req -extfile openssl.cnf \
    -CA level2-ca/certs/ca.crt -CAkey level2-ca/private/ca.key -CAcreateserial \
    -out level3-ca/certs/ca.crt

# End-entity (server) certificate, signed by the level-3 CA
export CERT_NAME="end-server.example.com" IS_CA="FALSE" SITE_NAME="end-server.example.com"
openssl req -newkey rsa:2048 -nodes \
    -config openssl.cnf \
    -keyout end-cert/private/server.key -out end-cert/certs/server.csr
openssl x509 -req -in end-cert/certs/server.csr -days 365 \
    -extensions v3_req -extfile openssl.cnf \
    -CA level3-ca/certs/ca.crt -CAkey level3-ca/private/ca.key -CAcreateserial \
    -out end-cert/certs/server.crt

# Build the chain file: leaf first, then each issuing CA up to the root
cat end-cert/certs/server.crt level3-ca/certs/ca.crt \
    level2-ca/certs/ca.crt root-ca/certs/ca.crt > full-chain.pem

# Bidirectional cross-trust support (Level2 trusts Level3)
mkdir -p level2-ca/trusted-certs
openssl x509 -in level3-ca/certs/ca.crt -out level2-ca/trusted-certs/level3.crt
```

The original used `-config <(cat openssl.cnf)` and a misspelled `-extfile <(cat openssl.cnif)`; the process substitution adds nothing, so the file is passed directly. `-CAcreateserial` lets `openssl x509 -req` create the issuer's `.srl` file on first use instead of failing because it is missing.
4. Key points of the cross-trust setup
Implementing bidirectional cross-trust

```bash
# Level2 trusts Level3: confirm that Level3's certificate chains to Level2.
# -partial_chain is needed because Level2 is not a self-signed root; without it
# openssl verify insists on reaching a self-signed trust anchor.
openssl verify -partial_chain -CAfile level2-ca/certs/ca.crt level3-ca/certs/ca.crt

# Level3 trusts Level2 (optional)
mkdir -p level3-ca/trusted-certs
openssl x509 -in level2-ca/certs/ca.crt -out level3-ca/trusted-certs/level2.crt
```

Copying a certificate into a `trusted-certs` directory makes it a trust anchor for whatever verifier loads that directory; the copies carry no new signature, so keep them in sync when the intermediates are rotated.
OCSP support extension (add to the `v3_req` section of openssl.cnf)

```ini
[ v3_req ]
authorityInfoAccess = OCSP;URI:http://ocsp.example.com
```
5. Verifying the certificate chain

```bash
# Full-chain verification. Every certificate in the -CAfile, including the
# intermediates and the leaf itself, is treated as a trust anchor, so this
# only proves the file is self-consistent.
openssl verify -CAfile full-chain.pem end-cert/certs/server.crt

# Step-wise verification (three hops): the root is the only anchor, Level2 is
# passed as an untrusted intermediate, and the certificate checked is Level3's.
openssl verify -CAfile root-ca/certs/ca.crt -untrusted level2-ca/certs/ca.crt level3-ca/certs/ca.crt
```
6. Windows PowerShell notes

Environment variables are set through `$env:`, and bash process substitution `<( )` is not available, so the config file path is passed directly; the backtick continues a line.

```powershell
$env:CERT_NAME = "ROOT-CA"; $env:IS_CA = "TRUE"; $env:SITE_NAME = ""
openssl req -newkey rsa:2048 -nodes -config openssl.cnf `
    -keyout .\root-ca\private\ca.key -out .\root-ca\certs\ca.csr
```
7. Certificate chain diagram

```mermaid
graph LR
    RootCA-->|signs| Level2CA
    Level2CA-->|cross-trust| Level3CA
    Level3CA-->|signs| EndCertificate
    RootCA-->|backup signing| EndCertificate
```
Key parameters

| Parameter | Purpose |
|---|---|
| basicConstraints | Controls the CA hierarchy; `pathlen:0` means the CA may only issue end-entity certificates |
| keyUsage | CAs must include `keyCertSign`; server certificates need `digitalSignature,keyEncipherment` |
| extendedKeyUsage | Add `serverAuth` for server certificates and `clientAuth` for client certificates |
| -extfile | Supplies the extension configuration at signing time, avoiding conflicts in the main config file |
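The verification rules behind sections 3 and 5 and the `pathlen` row above, as an added Go example that is not part of the original document: it rebuilds the same four-level hierarchy with the standard library's `crypto/x509`, then verifies the server certificate with the root as the only anchor and the two intermediates as untrusted links (the `openssl verify -CAfile root -untrusted ...` form), verifies Level3 with Level2 as anchor (the partial-chain case from section 4), and shows that a certificate issued through a fourth CA under Level3's `pathlen:0` is rejected. ECDSA P-256 keys, Level2's `pathlen:1`, and the names LEVEL4-CA and deep.example.com are assumptions of this example; the CA names and end-server.example.com follow the script.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Entity is a certificate together with the private key behind it.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// MustIssue creates one certificate, self-signed when parent is nil. isCA and pathLen map onto
// basicConstraints (pathLen < 0 omits pathlen), dns onto subjectAltName; key usages follow the table above.
func MustIssue(cn string, isCA bool, pathLen int, dns []string, parent *Entity) *Entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{Organization: []string{"ChainCert Inc"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        isCA && pathLen == 0, // encode an explicit pathlen:0
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { // CAs carry keyCertSign,cRLSign and no extendedKeyUsage
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der) // re-parse so Verify sees the encoded extensions
	check(err)
	return &Entity{Cert: cert, Key: key}
}

// BuildChain issues the page's four levels: root -> level2 (pathlen:1, one CA below it)
// -> level3 (pathlen:0, end-entity certificates only) -> end-server.example.com.
func BuildChain() (root, l2, l3, server *Entity) {
	root = MustIssue("ROOT-CA", true, -1, nil, nil)
	l2 = MustIssue("LEVEL2-CA", true, 1, nil, root)
	l3 = MustIssue("LEVEL3-CA", true, 0, nil, l2)
	server = MustIssue("end-server.example.com", false, -1, []string{"end-server.example.com"}, l3)
	return
}

// Verify mirrors "openssl verify -CAfile <anchor> -untrusted <intermediates> <leaf>": only the
// anchor is trusted, intermediates are candidate links. It returns the accepted path's length.
func Verify(leaf, anchor *Entity, host string, intermediates ...*Entity) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.Cert)
	for _, e := range intermediates {
		inter.AddCert(e.Cert)
	}
	chains, err := leaf.Cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// PathLenViolation issues a fourth CA under level3 (pathlen:0) plus a server under it and
// reports whether the root rejects that path because of the path length constraint.
func PathLenViolation(root, l2, l3 *Entity) (bool, error) {
	l4 := MustIssue("LEVEL4-CA", true, -1, nil, l3)
	srv := MustIssue("deep.example.com", false, -1, []string{"deep.example.com"}, l4)
	_, err := Verify(srv, root, "deep.example.com", l2, l3, l4)
	return err != nil && strings.Contains(err.Error(), "path length"), err
}

func main() {
	root, l2, l3, server := BuildChain()
	fmt.Println(Verify(server, root, "end-server.example.com", l2, l3)) // 4 <nil>
	fmt.Println(Verify(l3, l2, ""))                                      // 2 <nil>: partial chain, level2 as anchor
	fmt.Println(PathLenViolation(root, l2, l3))                          // true, then the rejection text
}
```

Run it with `go run .`. The `Roots` pool plays the role of `-CAfile` and `Intermediates` that of `-untrusted`; leaving Level2 out of the intermediates fails with an unknown-authority error, exactly as `openssl verify` would with a missing link, and placing Level2 in `Roots` accepts a path that ends at a non-self-signed certificate, which is what `-partial_chain` allows on the command line.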
Deployment recommendations:
- Keep the root CA offline (physically isolated)
- Rotate the Level2/Level3 intermediate certificates regularly
- Use OCSP or a CRL for real-time certificate status checking
Note
Document generated with DeepSeek