首页 > 代码库 > 构建自己的证书颁发服务(CA)

构建自己的证书颁发服务(CA)

本文原创自 http://blog.csdn.net/voipmaker  转载注明出处。


本系列文章分为三篇,主要介绍构建自己的证书颁发服务,生成证书请求,以及通过自己构建的CA给生成的证书请求签名并最终应用到服务。


通过构建自己的证书服务,可以给自己的应用证书签名,无需购买商业证书颁发机构的签名,但自己授权的不利之处是客户端需要导入你的root证书后才能信任证书。


下面为在centos上构建自己的CA过程


1. 构建相关目录和文件

#mkdir /home/cg/myca
#cd /home/cg/myca/
#mkdir private certs newcerts conf export csr
#echo ‘01‘ > serial
#touch index.txt


#vim /home/cg/myca/conf/caconfig.cnf


添加如下内容:
[ ca ]
default_ca = CA_default


[ CA_default ]
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha1
preserve = no
#msie_hack
policy = policy_match


[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional


[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req


[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com


[ req_attributes ]
#challengePassword = A challenege password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name


[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = ‘‘OpenSSL Generated Certificate‘‘
#nsCertType = client, email, objsign for ‘‘everything including object signing‘‘
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl = 
#nsRenewalUrl =
#nsCaPolicyUrl = 
#nsSslServerName =


[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment


[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03


[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always


2. 生成root 证书:



openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem

两个文件key.ca.cg.pem and crt.ca.cg.pem会在 $dir/private 和 $dir/certs 目录


3. 检查root证书的正确性


openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text


5. 导出root证书


导出为PKCS12格式,可直接在windows系统点击即可自动安装


openssl pkcs12 -export -out export/ca.cg.p12 -in certs/crt.ca.cg.pem -inkey private/key.ca.cg.pem


发送到windows系统,双击ca.cg.p12即可按照提示安装



构建自己的证书颁发服务(CA)