This CA certificate has a pathlen of 2, which means it can still issue an intermediate CA certificate with pathlen 1; that pathlen 1 intermediate CA can in turn issue an intermediate CA certificate with pathlen 0; and a CA certificate with pathlen 0 cannot issue any further CA certificates, only end-entity certificates.
We can verify this with the following command:
```
openssl verify --show_chain -CAfile ca.crt ca.crt
---
ca.crt: OK
Chain:
depth=0: C = CN, ST = Beijing, L = Beijing, O = LocalOrganizationName, OU = IT, CN = Homelab Root CA, emailAddress = [email protected]
```
Next, we will use it directly to issue an end-entity certificate.
Certificate issuance
Generating the private key
```
openssl genrsa -out x.com.key 2048
```
Prepare a configuration file, x.com.ini, containing the subject information:
```
[ req ]
distinguished_name = req_distinguished_name
prompt = no
```
```
openssl x509 -in x.com.crt -noout -text
---
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:3e:9f:d1:7d:8f:f2:ab:18:ba:fa:1d:d1:65:ac:4e:40:f2:e3:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Beijing, L = Beijing, O = LocalOrganizationName, OU = IT, CN = Homelab Root CA, emailAddress = [email protected]
        Validity
            Not Before: Jan 12 09:49:16 2024 GMT
            Not After : Jan  6 09:49:16 2025 GMT
        Subject: C = CN, ST = Beijing, L = Beijing, O = LocalOrganizationName, OU = IT, CN = Homelab Root CA, emailAddress = [email protected], subjectAltName = @SubjectAlternativeName
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d7:ef:3f:0f:50:b6:1a:43:2c:90:77:82:01:2a:
                    ...(omitted)
                    da:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                AC:41:8A:AD:CB:6C:D5:68:E9:B7:59:F2:4B:E5:EF:F5:DA:50:49:C4
            X509v3 Authority Key Identifier:
                keyid:51:27:75:BE:3E:24:AE:A5:93:C7:1C:DE:F8:23:FB:7F:4D:BF:53:34
                DirName:/C=CN/ST=Beijing/L=Beijing/O=LocalOrganizationName/OU=IT/CN=Homelab Root CA/[email protected]
                serial:60:9A:7A:BA:8C:98:9B:F8:1A:DE:46:C4:0C:05:0C:7F:B2:B8:C9:AB
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:*.x.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        05:8e:3f:dc:a5:a8:f8:7b:ac:74:6a:c3:c7:b3:f0:33:31:ca:
        ...(omitted)
        91:f6:40:0e
```
You can see that the certificate now carries a signature value, that its X509v3 Authority Key Identifier is exactly the CA's X509v3 Subject Key Identifier, and that its public key modulus is the same as the one in the CSR.
Verifying the certificate
```
openssl verify --show_chain -CAfile ca.crt x.com.crt
---
x.com.crt: OK
Chain:
depth=0: C = CN, ST = Beijing, L = Beijing, O = LocalOrganizationName, OU = IT, CN = Homelab Root CA, emailAddress = [email protected], subjectAltName = @SubjectAlternativeName (untrusted)
depth=1: C = CN, ST = Beijing, L = Beijing, O = LocalOrganizationName, OU = IT, CN = Homelab Root CA, emailAddress = [email protected]
```
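As an added example (this is not code from the original post), the shell script below builds the kind of chain described at the top of this page, a root CA with pathlen:2 under which two intermediate CAs (pathlen:1 and pathlen:0) and a server certificate are issued, and uses `openssl verify` to show which paths the pathlen values accept and reject. It also turns the checks made above after signing (the leaf's Authority Key Identifier equals the issuer's Subject Key Identifier, and the leaf's public key equals the one in the CSR) into shell functions. All file names, CNs and DNS names (`root`, `int1`, `*.example.test` and so on) are made up for the example. The SAN is kept in the extension file passed to `openssl x509 -extfile`; placing a `subjectAltName` line in the `req_distinguished_name` section instead is what produces the extra `subjectAltName = @SubjectAlternativeName` attribute visible inside the Subject DN of the certificate above.

```shell
#!/bin/sh
# Added example, not from the original post. Builds root (pathlen:2) ->
# int1 (pathlen:1) -> int2 (pathlen:0) -> leaf, then a CA int3 signed by int2
# and a leaf2 under int3, and checks which paths `openssl verify` accepts.
# Every file name, CN and DNS name here is constructed for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# csr NAME CN: key + minimal req config + CSR. Only the DN goes into the
# config; every extension (including the SAN) is added at signing time.
csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n' "$2" > "$1.cnf"
  openssl req -new -key "$1.key" -config "$1.cnf" -out "$1.csr" 2>/dev/null
}

# ca_ext NAME PATHLEN: extension file for a CA certificate.
ca_ext() {
  printf 'basicConstraints = critical, CA:TRUE, pathlen:%s\n' "$2" > "$1.ext"
  printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> "$1.ext"
}

# leaf_ext NAME DNSNAME: extension file for a TLS server certificate; the SAN
# lives here, as an extension, not in the subject DN.
leaf_ext() {
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\n' > "$1.ext"
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\nsubjectKeyIdentifier = hash\n' "$2" >> "$1.ext"
}

# sign ISSUER NAME: sign NAME.csr with ISSUER's key, or self-sign when ISSUER
# is "self". Issued certificates get an AKI that points at the issuer's SKI.
sign() {
  if [ "$1" = self ]; then
    openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 30 \
      -extfile "$2.ext" -out "$2.crt" 2>/dev/null
  else
    echo 'authorityKeyIdentifier = keyid' >> "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
      -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
  fi
}

build_chain() {
  [ -f leaf2.crt ] && return 0   # already built; the function is idempotent
  csr root "Example Root CA";   ca_ext root 2; sign self root
  csr int1 "Example Int CA 1";  ca_ext int1 1; sign root int1
  csr int2 "Example Int CA 2";  ca_ext int2 0; sign int1 int2
  csr leaf "*.example.test";    leaf_ext leaf "*.example.test"; sign int2 leaf
  # int2 has pathlen:0, yet nothing stops it from *signing* another CA cert;
  # the constraint is enforced when a path is validated through that CA.
  csr int3 "Example Int CA 3";  ca_ext int3 0; sign int2 int3
  csr leaf2 "bad.example.test"; leaf_ext leaf2 "bad.example.test"; sign int3 leaf2
  cat int1.crt int2.crt > intermediates.pem
  cat int1.crt int2.crt int3.crt > intermediates3.pem
}

# chain_ok CERT BUNDLE: does CERT validate against root.crt via the untrusted BUNDLE?
chain_ok() { openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1; }
chain_rejected() { if chain_ok "$1" "$2"; then return 1; else return 0; fi; }

# ski CERT / aki CERT: the key identifiers as colon-separated hex (older
# OpenSSL prints the AKI with a "keyid:" prefix, which is stripped here).
ski() { openssl x509 -in "$1" -noout -ext subjectKeyIdentifier | sed -n 2p | tr -d ' '; }
aki() { openssl x509 -in "$1" -noout -ext authorityKeyIdentifier | sed -n 2p | tr -d ' ' | sed 's/^keyid://'; }

# pubkey_fp FILE: SHA-256 of the PEM SubjectPublicKeyInfo of a .crt, .csr or .key,
# so the public key in the certificate, the CSR and the private key can be compared.
pubkey_fp() {
  case "$1" in
    *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *)     openssl pkey -in "$1" -pubout ;;
  esac | openssl dgst -sha256 | awk '{ print $NF }'
}

build_chain
echo "root(pathlen:2) -> int1(pathlen:1) -> int2(pathlen:0) -> leaf:"
openssl verify -show_chain -CAfile root.crt -untrusted intermediates.pem leaf.crt
echo "root -> int1 -> int2(pathlen:0) -> int3 -> leaf2:"
openssl verify -CAfile root.crt -untrusted intermediates3.pem leaf2.crt || true
echo "leaf AKI:    $(aki leaf.crt)"
echo "int2 SKI:    $(ski int2.crt)"
echo "leaf pubkey: $(pubkey_fp leaf.crt)"
echo "csr  pubkey: $(pubkey_fp leaf.csr)"
```

The leaf under int2 validates, while leaf2 fails with a path length error even though int2 signed int3 without complaint: signing is just a private-key operation, and pathlen is only enforced by the relying party when it builds the chain. The `aki`/`ski` pair and `pubkey_fp` are the scripted form of the manual comparison made on the `-text` output above.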