前言

之前写了一篇关于Nginx的客户端验证的文章，让大家使用XCA这个东西，没有讲用OpenSSL来建一个CA，故本文章来讲一讲。
本文章主要介绍搭建一个简单的一级CA，由根证书直接签发最终用户证书。

配置与签发

本次使用的配置文件如下：

[ ca ]
default_ca    = CA_default
[ CA_default ]
# 一些目录配置
dir        = .
certs        = $dir/certs
crl_dir        = $dir/crl
database    = $dir/index.txt
new_certs_dir    = $dir/newcerts

certificate    = $dir/cacert.crt
serial        = $dir/serial
crlnumber    = $dir/crlnumber

crl        = $dir/crl.crl 
private_key    = $dir/cakey.key

# x509证书扩展配置
x509_extensions    = usr_cert

# 证书主题选项
name_opt     = ca_default
cert_opt     = ca_default

# 有效期
default_days    = 730
# 默认crl列表更新时间
default_crl_days= 30
# 默认签名哈希算法
default_md    = default
# 保持DN顺序
preserve    = no
# 证书主题策略
policy        = policy_match
# 不复制来自证书请求文件的扩展
copy_extensions = none

[ crl_info ]
# crl分发点，这个链接必须为URI且指向crl列表
URI.0 = http://ca.coat.jp/root/ca.crl

[ policy_match ]
# 主题均为可选
countryName        = optional
stateOrProvinceName    = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = optional
emailAddress        = optional

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
# 要求填写的字段名DN
distinguished_name    = req_distinguished_name
x509_extensions    = v3_ca
string_mask = utf8only

[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = JP
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = Simokitazawa

localityName            = Locality Name (eg, city)

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = COAT Inc.

#1.organizationName        = Second Organization Name (eg, company)
#1.organizationName_default    = World Wide Web Pty Ltd

organizationalUnitName        = Organizational Unit Name (eg, section)

commonName            = Common Name (e.g. server FQDN or YOUR name)
commonName_default = COAT Email CA
commonName_max            = 64

emailAddress            = Email Address
emailAddress_max        = 64


[ usr_cert ]
# 基本约束
basicConstraints=CA:FALSE
# 扩展用户用法，这里指定了证书的用途
# 如果你看了之前那片文章并使用了XCA，在它的选项卡中有这些选项，不填写为所有应用程序策略
# https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
extendedKeyUsage = emailProtection,clientAuth
# 配置crl列表
crlDistributionPoints   = @crl_info
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer


[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# 秘钥用法
keyUsage = cRLSign, keyCertSign
extendedKeyUsage = emailProtection,clientAuth
crlDistributionPoints   = @crl_info

配置CA目录：

mkdir emailCA && cd emailCA
mkdir certs
mkdir crl
mkdir newcerts
echo "01" > serial
echo "01" > crlnumber
touch index.txt

首先生成根证书证书请求：

openssl req -new -config openssl.cnf -out ca.csr -keyout cakey.key

自签名根证书：

openssl ca -selfsign -config openssl.cnf -in ca.csr -out cacert.crt -extensions v3_ca

签发后长这样：

用户证书配置文件：

[ req ]
default_bits = 2048
encrypt_key = no
utf8 = yes
string_mask = utf8only
req_extensions = v3_req
prompt = yes
distinguished_name = distinguished_name

[distinguished_name]
emailAddress = Email Address
emailAddress_max = 64

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

生成用户证书请求：

openssl req -new -config email.cnf -out certs/email.csr -keyout certs/email.key

签发用户证书请求：

openssl ca -config openssl.cnf -in certs/email.csr -out certs/email.crt -extensions usr_cert -days 365

签发后长这样：

吊销证书：

openssl ca -config openssl.cnf -revoke certs/email.crt

生成crl列表：

openssl ca -config openssl.cnf -gencrl -out ca.crl

结尾

一级CA搭建较为简单，但并不常用，一般都是由根签发二级CA，再由二级CA签发给用户，这种方式方便不同用途的证书管理，同时防止CA被爆破导致签发的证书作废带来的影响。

在下一篇文章将讲述一个二级CA与OCSP服务器的搭建。