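A Certificate Authority (CA) is a third party trusted by both communicating parties and an important component of Public Key Infrastructure (PKI); its main job is to issue digital certificates. Digital certificates play an important role in network communication: they secure communication by verifying the owner of a public key. CAs are divided into root CAs and intermediate CAs; an intermediate CA is issued by a root CA. For security reasons, the intermediate CA issues digital certificates on behalf of the root CA, following a chain of trust. This article records the process of creating a private CA with OpenSSL and using that private CA to create a CRL and Online Certificate Status Protocol (OCSP) service, and to issue and revoke digital certificates. The operations in this article are based on OpenSSL Certificate Authority and OpenSSL Cookbook.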

Introduction

WikiPedia

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The most commonly encountered public-key infrastructure (PKI) schemes are those used to implement https on the world-wide web. All these are based upon the X.509 standard and feature CAs. – https://en.wikipedia.org/wiki/Certificate_authority

GlobalSign

Certificate Authorities, or Certificate Authorities / CAs, issue Digital Certificates. Digital Certificates are verifiable small data files that contain identity credentials to help websites, people, and devices represent their authentic online identity (authentic because the CA has verified the identity). CAs play a critical role in how the Internet operates and how transparent, trusted transactions can take place online. CAs issue millions of Digital Certificates each year, and these certificates are used to protect information, encrypt billions of transactions, and enable secure communication. – https://www.globalsign.com/en/ssl-information-center/what-are-certification-authorities-trust-hierarchies/

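This article first creates the root CA, then has the root CA issue the intermediate CA. Digital certificates are issued by the intermediate CA on behalf of the root CA. The storage path is defined as /tmp/ca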

Preparation

Platform information

item version details
os Debian GNU/Linux 8 (jessie)
kernel 3.16.0-4-amd64
openssl OpenSSL 1.0.1t

Creating A Root CA

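Creating a new CA requires the following steps

  1. Build the OpenSSL configuration file;
  2. Create the directory structure;
  3. Initialize the related key files;
  4. Generate the root CA private key and certificate;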

The default path of the OpenSSL configuration file is

$(openssl version -a | sed -r -n '/OPENSSLDIR/s@.*"(.*)"@\1@p')/openssl.cnf
# /usr/lib/ssl/openssl.cnf
# /etc/ssl/openssl.cnf

For its format and directives, see

man ca
# man ca | sed -r -n '/^[[:space:]]*A sample configuration/,/^ENVIRONMENT VARIABLES/p' | sed '$d'

Some directives come from

man x509v3_config
man req
man ocsp

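The default OpenSSL configuration file only defines two directories: certs (for digital certificates) and private (for private keys). For security and a cleaner directory layout, the following directories are used here

dir explanation
certs stores digital certificates, such as the root CA certificate and the intermediate CA certificate
newcerts stores newly issued digital certificates
private stores private keys
db stores files such as index.txt, serial and crlnumber
crl stores the generated CRL files

The private directory is created with permissions 700

Run the following commands to create the directories and initialize the related files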

#create root ca dir
mkdir -pv /tmp/ca
cd /tmp/ca
#create relevant dirs
mkdir -pv {certs,newcerts,db,crl}
mkdir -pv -m=700 private
#create CA text database file
touch ./db/index.txt
#create CA serial number file
openssl rand -hex 32 > ./db/serial
#create text file containing the next CRL number to use in hex
echo 1000 > ./db/crlnumber

Configuration File

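For security, the message digest (md) algorithm used here is SHA-2, i.e. sha256 (SHA-1 has been deprecated)

The root CA directory here is /tmp/ca; create the file openssl.cnf in that directory with the following content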

[ ca ]
# man ca
name = root_ca
name_opt = utf8,esc_ctrl,multiline,lname,align # man x509 --> NAME OPTIONS
default_ca = CA_default
[ CA_default ]
# Directory and file locations. Paths here can be customized
dir = /tmp/ca # main CA directory
certs = $dir/certs # certificate output file
new_certs_dir = $dir/newcerts # new certs dir
crl_dir = $dir/crl
database = $dir/db/index.txt # CA text database file
serial = $dir/db/serial # CA serial number file
RANDFILE = $dir/private/.rand # CA random seed information
private_key = $dir/private/ca.key.pem # CA private key
certificate = $dir/certs/ca.cert.pem # CA certificate
# For certificate revocation lists.
crlnumber = $dir/db/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 365 # how long before next CRL
default_md = sha256 # message digest to use
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
default_days = 3650 # how long to certify for, 10years
preserve = no
email_in_dn = no # Don't add the email into cert DN
unique_subject = no
copy_extensions = none # Don't copy extensions from request
policy = policy_strict # default policy man ca --> POLICY FORMAT
# For all root CA signatures, root CA just only sign intermediate certificates that match.
# countryName and organizationName must match
[ policy_strict ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For all intermediate CA signatures
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the ca man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For creating certificates or certificate signing requests
[ req ]
# Options for the req tool (man req).
default_bits = 4096
default_md = sha256
encrypt_key = yes
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
# See https://en.wikipedia.org/wiki/Certificate_signing_request.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults. Values here can be customized
countryName_default = CN
stateOrProvinceName_default = Shanghai
localityName_default =
0.organizationName_default = LempStacker Ltd
organizationalUnitName_default = LempStacker Ltd Certificate Authority
commonName_default = LempStacker Ltd Root CA
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Extensions for server certificates (man x509v3_config).
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Extensions for client certificates (man x509v3_config).
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# Extension for CRLs(certificate revocation list) (man x509v3_config).
[ crl_ext ]
authorityKeyIdentifier=keyid:always
# Extension for Online Certificate Status Protocol (OCSP) (man ocsp).
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
#Configuration End

Note: if the content is written with a command such as the following

sudo tee /tmp/ca/openssl.cnf <<-EOF
...
EOF

a backslash \ must be placed before $dir to escape the $ sign, i.e. write $dir as \$dir
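An alternative to escaping every $dir, shown as an added example that is not part of the original article: quoting the here-document delimiter stops the shell from expanding anything in the body. The scratch directory and the two-line config fragment are constructed for the demonstration.

```shell
# Added example. Writes the same two-line openssl.cnf fragment three ways
# into a scratch directory so the resulting "certs" value can be compared.
write_fragments() (
    out=$1
    unset dir   # $dir is an OpenSSL config variable, not a shell variable

    # 1. Unquoted delimiter, no escaping: the shell expands $dir to nothing,
    #    so the CA paths silently become /certs, /private, ...
    cat > "$out/unquoted.cnf" <<EOF
dir = /tmp/ca
certs = $dir/certs
EOF

    # 2. Unquoted delimiter with \$ (the approach described in the article).
    cat > "$out/escaped.cnf" <<EOF
dir = /tmp/ca
certs = \$dir/certs
EOF

    # 3. Quoted delimiter: the body is copied verbatim, no escaping needed.
    cat > "$out/quoted.cnf" <<'EOF'
dir = /tmp/ca
certs = $dir/certs
EOF
)

# Print the right-hand side of the "certs" key of a fragment.
certs_value() {
    sed -n 's/^certs = //p' "$1"
}

scratch=$(mktemp -d)
write_fragments "$scratch"
for f in unquoted escaped quoted; do
    printf '%-9s certs = %s\n' "$f" "$(certs_value "$scratch/$f.cnf")"
done
```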

Signing Root Certificate

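For how to create a private key and a self-signed certificate, see my blog post Try To Create X.509 Self-Signed Certificate With OpenSSL

To avoid the pass phrase prompt, the options -passout and -passin are used to specify the pass phrase explicitly; here it is set to LempStacker2017. In real use these options can be removed to keep the operation secure.

To avoid the Subject (distinguished name) prompt, the option -subj is used to specify the fields explicitly; use it or not according to your own situation.

Run the following commands to create the private key and certificate; the private key is stored in the private directory and the certificate in certs.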

cd /tmp/ca
#Create the root key, set file attributes 400 via umask 266
(umask 266; openssl genrsa -passout pass:LempStacker2017 -out ./private/ca.key.pem -aes256 4096)
#remove pass phrase in private key
# openssl rsa -passin pass:LempStacker2017 -in ./private/ca.key.pem -out ./private/ca.keyout.pem
#Create the root certificate, set file attributes 444 via umask 222
# expire days 3650 (10 years), use extensions v3_ca in configuration file
(umask 222; openssl req -new -x509 -days 3650 -extensions v3_ca -config ./openssl.cnf -passin pass:LempStacker2017 -subj "/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=LempStacker Ltd Root CA" -key ./private/ca.key.pem -out ./certs/ca.cert.pem)
#Verify the root certificate
# openssl x509 -noout -text -in ./certs/ca.cert.pem

Verify the certificate; the output is as follows

#openssl x509 -noout -text -in ./certs/ca.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
95:52:8c:e1:bd:de:dc:93
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Root CA
Validity
Not Before: Jan 26 20:33:33 2017 GMT
Not After : Jan 24 20:33:33 2027 GMT
Subject: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e1:27:4e:b1:8b:ca:c4:86:0f:7a:cd:65:49:48:
...
59:22:13:04:41:32:cc:db:f4:f4:68:0f:05:50:16:
c8:82:15
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2E:AD:C2:8E:83:94:91:AB:53:1B:03:66:2F:3F:B7:69:A3:FB:1E:40
X509v3 Authority Key Identifier:
keyid:2E:AD:C2:8E:83:94:91:AB:53:1B:03:66:2F:3F:B7:69:A3:FB:1E:40
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
d9:63:d9:d1:78:ba:85:e4:70:fa:9a:88:2e:84:1b:71:d5:5f:
...
0e:d2:6e:e2:38:77:94:a4:79:4b:3f:87:aa:c3:00:fd:b9:1d:
32:60:a0:94:4f:86:ce:1b

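Creating An Intermediate CA

Once the root CA is created, create the intermediate CA. Compared with the root CA, its directory tree has one more directory, csr, which stores the generated CSR files.

dir explanation
certs stores digital certificates, such as the root CA certificate and the intermediate CA certificate
newcerts stores newly issued digital certificates
private stores private keys
db stores files such as index.txt, serial and crlnumber
csr stores certificate signing request (CSR) files
crl stores the generated CRL files

The private directory is created with permissions 700

Run the following commands to create the directories and initialize the related files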

#create intermediate ca dir
mkdir -pv /tmp/ca/intermediate
cd /tmp/ca/intermediate
#create relevant dirs
mkdir -pv {certs,newcerts,db,csr,crl}
mkdir -pv -m=700 private
#create CA text database file
touch ./db/index.txt
#create CA serial number file
openssl rand -hex 32 > ./db/serial
#create text file containing the next CRL number to use in hex
echo 1000 > ./db/crlnumber

Configuration File

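For security, the message digest (md) algorithm used here is SHA-2, i.e. sha256 (SHA-1 has been deprecated)

The intermediate CA directory here is /tmp/ca/intermediate; create the file openssl.cnf in that directory with the following content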

[ ca ]
# man ca
name = sub_ca
name_opt = utf8,esc_ctrl,multiline,lname,align # man x509 --> NAME OPTIONS
default_ca = CA_default
[ CA_default ]
# Directory and file locations. Paths here can be customized
dir = /tmp/ca/intermediate # main CA directory
certs = $dir/certs # certificate output file
new_certs_dir = $dir/newcerts # new certs dir
crl_dir = $dir/crl
database = $dir/db/index.txt # CA text database file
serial = $dir/db/serial # CA serial number file
RANDFILE = $dir/private/.rand # CA random seed information
private_key = $dir/private/intermediate.key.pem # CA private key
certificate = $dir/certs/intermediate.cert.pem # CA certificate
# For certificate revocation lists.
crlnumber = $dir/db/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30 # how long before next CRL
default_md = sha256 # message digest to use
name_opt = ca_default # Subject name display option
cert_opt = ca_default # Certificate display option
default_days = 365 # how long to certify for, 1 year
preserve = no
email_in_dn = no # Don't add the email into cert DN
unique_subject = no
copy_extensions = none # Don't copy extensions from request
policy = policy_loose # default policy man ca --> POLICY FORMAT
# For all root CA signatures, root CA just only sign intermediate certificates that match.
# countryName and organizationName must match
[ policy_strict ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For all intermediate CA signatures
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the ca man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For creating certificates or certificate signing requests
[ req ]
# Options for the req tool (man req).
default_bits = 4096
default_md = sha256
encrypt_key = yes
utf8 = yes
string_mask = utf8only
distinguished_name = req_distinguished_name
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
# See https://en.wikipedia.org/wiki/Certificate_signing_request.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults. Values here can be customized
countryName_default = CN
stateOrProvinceName_default = Shanghai
localityName_default =
0.organizationName_default = LempStacker Ltd
organizationalUnitName_default = LempStacker Ltd Certificate Authority
commonName_default = LempStacker Ltd Intermediate CA
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (man x509v3_config).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# Extensions for server certificates (man x509v3_config).
[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
#Set the following URLs according to your environment
#authorityInfoAccess = OCSP;URI:http://ocsp.example.com
#crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
# Extensions for client certificates (man x509v3_config).
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
# Extension for CRLs(certificate revocation list) (man x509v3_config).
[ crl_ext ]
authorityKeyIdentifier=keyid:always
# Extension for Online Certificate Status Protocol (OCSP) (man ocsp).
[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
#Configuration End
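
How the two policy sections decide whether a request is accepted, as an added sketch that is not part of the original article and not OpenSSL's own code: it reimplements the match / supplied / optional rules of [ policy_strict ] and [ policy_loose ] above, written with the short attribute names that -subj uses. It assumes the `openssl ca` behaviour of dropping fields the policy does not name; the "Example Other" request DN is constructed.

```shell
# policy_check POLICY CA_DN REQ_DN
#   POLICY is "strict" or "loose"; DNs use the -subj form (/C=../O=../CN=..).
# Prints one line per finding, then ACCEPT or REJECT; exit status follows.
policy_check() {
    awk -v policy="$1" -v ca="$2" -v req="$3" '
    # Split "/K=V/K=V" into out[K] = V.
    function parse(dn, out,    n, i, part, eq) {
        n = split(dn, part, "/")
        for (i = 1; i <= n; i++) {
            eq = index(part[i], "=")
            if (eq > 1) out[substr(part[i], 1, eq - 1)] = substr(part[i], eq + 1)
        }
    }
    BEGIN {
        # Rules copied from the two policy sections of the configuration files
        # (C=countryName, ST=stateOrProvinceName, L=localityName, ...).
        rules["strict"] = "C=match ST=optional O=match OU=optional CN=supplied emailAddress=optional"
        rules["loose"] = "C=optional ST=optional L=optional O=optional OU=optional CN=supplied emailAddress=optional"
        if (!(policy in rules)) { print "REJECT unknown policy " policy; exit 2 }

        parse(ca, cadn)
        parse(req, reqdn)
        n = split(rules[policy], rule, " ")
        bad = 0
        for (i = 1; i <= n; i++) {
            split(rule[i], kv, "=")
            field = kv[1]; mode = kv[2]; listed[field] = 1
            if ((mode == "supplied" || mode == "match") && !(field in reqdn)) {
                print "FAIL " field ": missing from request (" mode ")"
                bad = 1
            } else if (mode == "match" && reqdn[field] != cadn[field]) {
                print "FAIL " field ": \"" reqdn[field] "\" does not match CA value \"" cadn[field] "\""
                bad = 1
            }
        }
        # Fields the policy does not name are not an error; they are left out
        # of the issued certificate (assumes -preserveDN is not used).
        for (field in reqdn)
            if (!(field in listed)) print "DROP " field ": not named in policy"
        print (bad ? "REJECT" : "ACCEPT")
        exit bad
    }'
}

# Subject of the root CA as used in this article.
ROOT_DN='/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=LempStacker Ltd Root CA'
# Intermediate CA request from this article: accepted under policy_strict.
policy_check strict "$ROOT_DN" '/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=LempStacker Ltd Intermediate CA' || true
# Constructed request from a different organization: rejected, and L is dropped.
policy_check strict "$ROOT_DN" '/C=CN/L=Shanghai/O=Example Other Ltd/CN=Example Other CA' || true
```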

Signing Intermediate Certificate

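To avoid the pass phrase prompt, the options -passout and -passin are used to specify the pass phrase explicitly; here it is set to LempStacker2017. In real use these options can be removed to keep the operation secure.

To avoid the Subject (distinguished name) prompt, the option -subj is used to specify the fields explicitly; use it or not according to your own situation.

Run the following commands to create the private key, the CSR file and the certificate; the private key is stored in the private directory, the CSR file in csr and the certificate in certs.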

cd /tmp/ca/intermediate
#Create the intermediate key
(umask 266; openssl genrsa -passout pass:LempStacker2017 -out ./private/intermediate.key.pem -aes256 4096)
#remove pass phrase in private key
# openssl rsa -passin pass:LempStacker2017 -in ./private/intermediate.key.pem -out ./private/intermediate.keyout.pem
#Generate CSR
openssl req -new -sha256 -config ./openssl.cnf -passin pass:LempStacker2017 -subj "/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=LempStacker Ltd Intermediate CA" -key ./private/intermediate.key.pem -out ./csr/intermediate.csr.pem
#Signing Intermediate Self-Signed Certificate Via Root Cert Conf
# expire days 365 (1 years), use extensions v3_intermediate_ca in configuration file
#must switch to the root ca directory
cd /tmp/ca
(umask 222; openssl ca -days 365 -notext -md sha256 -config ./openssl.cnf -extensions v3_intermediate_ca -passin pass:LempStacker2017 -in ./intermediate/csr/intermediate.csr.pem -out ./intermediate/certs/intermediate.cert.pem) # set file attributes 444 via umask
#Verify the intermediate certificate
# openssl x509 -noout -text -in ./intermediate/certs/intermediate.cert.pem
#Verify the intermediate certificate against the root certificate. An `OK` indicates that the chain of trust is intact.
# openssl verify -CAfile ./certs/ca.cert.pem ./intermediate/certs/intermediate.cert.pem

Verify the certificate; the output is as follows

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:3d:1d:c7:38:45:fb:52:5e:a5:0b:03:a2:c6:b5:f7:d2:76:ae:ce:38:b7:ee:c8:38:3d:ec:f4:85:7a:da:ec
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Root CA
Validity
Not Before: Jan 26 20:35:41 2017 GMT
Not After : Jan 26 20:35:41 2018 GMT
Subject: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Intermediate CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:cd:9b:38:cc:ad:73:a0:38:4b:30:ec:f0:ba:f4:
...
54:31:02:4a:7a:b8:e7:6c:36:9e:e9:90:b8:51:e2:
09:bd:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F0:84:6D:EB:DD:48:A1:9A:1B:33:F4:74:8A:2B:6B:21:F8:7C:2E:06
X509v3 Authority Key Identifier:
keyid:2E:AD:C2:8E:83:94:91:AB:53:1B:03:66:2F:3F:B7:69:A3:FB:1E:40
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
90:5a:06:9a:85:ed:1b:9f:80:4b:98:d8:e3:a4:2e:84:f5:44:
...
dc:ee:c4:bb:8a:bf:c7:36:37:af:35:d5:89:ed:ed:fd:0b:f6:
00:0e:e3:bf:83:0e:15:8c

Create Certificate Chain File

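Web browsers sometimes do not trust certificates issued by certain intermediate CAs, so the root CA certificate needs to be added to the certificate file to make sure the browser trusts the intermediate CA.

Run the following in the root CA directory to create the certificate chain file, named ca-chain here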

cd /tmp/ca
(umask 222; cat ./intermediate/certs/intermediate.cert.pem ./certs/ca.cert.pem > ./intermediate/certs/ca-chain.cert.pem) # set file attributes 444 via umask 222

In Nginx it is set with the ssl_trusted_certificate directive, as follows:

ssl_trusted_certificate /tmp/ca/intermediate/certs/ca-chain.cert.pem;

If the SSL certificate is configured with Let's Encrypt, refer to its official documentation to set up the certificate chain file

# Let's Encrypt Root and Intermediate Certificates
#Active Root Certificates (ISRG Root X1)
https://letsencrypt.org/certs/isrgrootx1.pem
#Active Intermediate Certificates
#Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

For a usage example, see the link

Run the following command to create the file

wget -q -O - https://letsencrypt.org/certs/isrgrootx1.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem | sudo tee -a /tmp/ca/intermediate/certs/letsencrypt-ca-cert.pem > /dev/null

Sign Server & Client Certificates

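Certificates are issued by the intermediate CA

  • For a server certificate (web server), the Common Name must be an FQDN, such as www.lempstacker.com;
  • For a client certificate (e-mail), the Common Name can be any unique identifier, such as an e-mail address;

usage extension Common Name
server cert server_cert FQDN, such as www.lempstacker.com
client cert usr_cert any unique identifier, such as an e-mail address

Note: the extensions in the table are defined in the intermediate CA configuration file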

/tmp/ca/intermediate/openssl.cnf

Run the following commands to issue the certificate

cd /tmp/ca/intermediate
#Generate private key
(umask 266; openssl genrsa -aes256 -passout pass:LempStacker2017 -out ./private/lempstacler.com.key.pem 4096)
#Generate CSR
openssl req -new -sha256 -config ./openssl.cnf -passin pass:LempStacker2017 -subj "/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Web Service/CN=www.lempstacker.com" -key ./private/lempstacler.com.key.pem -out ./csr/lempstacler.com.csr.pem
#Scene1: sign server cert via intermediate CA, use extension server_cert
(umask 222; openssl ca -days 365 -notext -md sha256 -config ./openssl.cnf -extensions server_cert -passin pass:LempStacker2017 -in ./csr/lempstacler.com.csr.pem -out ./newcerts/lempstacler.com.cert.pem)
#Scene2: sign client cert via intermediate CA, use extension usr_cert
# (umask 222; openssl ca -days 365 -notext -md sha256 -config ./openssl.cnf -extensions usr_cert -passin pass:LempStacker2017 -in ./csr/lempstacler.com.csr.pem -out ./newcerts/lempstacler.com.cert.pem)
#Verify the server certificate
# openssl x509 -noout -text -in ./newcerts/lempstacler.com.cert.pem
#Verify the server certificate against the CA chain. An `OK` indicates that the chain of trust is intact.
# openssl verify -CAfile ./certs/ca-chain.cert.pem ./newcerts/lempstacler.com.cert.pem

Certificate verification output

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9c:62:58:84:ae:8c:03:a7:09:55:40:a5:3c:3a:1b:ac:83:05:a4:1d:42:f1:99:46:0e:a4:ab:8e:4d:c1:52:ee
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Intermediate CA
Validity
Not Before: Jan 26 20:38:16 2017 GMT
Not After : Jan 26 20:38:16 2018 GMT
Subject: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Web Service, CN=www.lempstacker.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:cb:41:30:97:d6:f6:aa:76:ed:eb:32:88:c5:b3:
...
03:9e:85:74:cd:cf:7a:b7:3e:90:50:f0:c4:bc:49:
bd:df:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
4C:5B:14:B0:A9:F2:01:05:45:45:6A:02:CA:19:97:43:C3:E3:11:AF
X509v3 Authority Key Identifier:
keyid:F0:84:6D:EB:DD:48:A1:9A:1B:33:F4:74:8A:2B:6B:21:F8:7C:2E:06
DirName:/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=LempStacker Ltd Root CA
serial:39:3D:1D:C7:38:45:FB:52:5E:A5:0B:03:A2:C6:B5:F7:D2:76:AE:CE:38:B7:EE:C8:38:3D:EC:F4:85:7A:DA:EC
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
81:c1:f4:df:95:0f:38:7a:a8:54:2a:89:b6:e9:8b:ce:f2:c0:
...
c0:55:3f:0c:2c:8c:62:8e:5f:7e:4e:e6:1b:5c:38:63:1f:7b:
94:3c:5a:a4:0e:82:87:19

Configure the SSL certificate in Nginx with the following directives:

server {
...
ssl_certificate /tmp/ca/intermediate/newcerts/lempstacler.com.cert.pem;
ssl_certificate_key /tmp/ca/intermediate/private/lempstacler.com.key.pem;
ssl_trusted_certificate /tmp/ca/intermediate/certs/ca-chain.cert.pem;
...
}

Certificate Revocation List (CRL)

Wikipedia link

https://en.wikipedia.org/wiki/Certificate_revocation_list

RFC link

https://tools.ietf.org/html/rfc5280

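In a PKI, the CRL file stores the list of certificates that have been revoked and tells relying parties that a given certificate is no longer trusted. Several revocation reasons are available; see the -crl_reason reason part of man ca: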

  • unspecified
  • keyCompromise
  • CACompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • certificateHold
  • removeFromCRL

Generating CRL File

Working in the intermediate CA directory, add the crlDistributionPoints directive to [server_cert] in the configuration file openssl.cnf; set the URL according to your environment

crlDistributionPoints = URI:http://example.com/intermediate.crl.pem

Here crlDistributionPoints is enabled with the following commands

cd /tmp/ca/intermediate
sed -i -r '/^\[ server_cert \]/,/^\[ crl_ext \]/s@^#?(authorityInfoAccess)@#\1@' ./openssl.cnf
sed -i -r '/^\[ server_cert \]/,/^\[ crl_ext \]/s@^#?(crlDistributionPoints)@\1@' ./openssl.cnf

Run the following commands to create the CRL file

cd /tmp/ca/intermediate
openssl ca -gencrl -config ./openssl.cnf -passin pass:LempStacker2017 -out ./crl/intermediate.crl.pem
#Verify the crl file
openssl crl -noout -text -in ./crl/intermediate.crl.pem

The verification output is as follows

Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=LempStacker Ltd Intermediate CA
Last Update: Jan 26 21:02:35 2017 GMT
Next Update: Feb 25 21:02:35 2017 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:F0:84:6D:EB:DD:48:A1:9A:1B:33:F4:74:8A:2B:6B:21:F8:7C:2E:06
X509v3 CRL Number:
4096
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
2a:df:2b:af:c9:ee:b9:8b:6a:32:db:6b:ef:36:15:07:69:fc:
...
...
31:86:e0:60:20:69:84:ec:0d:ed:9c:a7:9b:2d:32:17:e5:cb:
48:57:40:b2:3e:11:e1:9f

Configure the CRL in Nginx with the ssl_crl directive

server {
...
ssl_crl /tmp/ca/intermediate/crl/intermediate.crl.pem;
...
}

Note: after every certificate revocation, the Nginx service must be reloaded so that it re-reads the CRL and the change takes effect.

sudo service nginx reload
#or
sudo systemctl reload nginx

Revoking A Certificate

Create the test certificate crl.lempstacler.com.cert.pem

Run the following commands to revoke the certificate

cd /tmp/ca/intermediate
openssl ca -config ./openssl.cnf -passin pass:LempStacker2017 -crl_reason keyCompromise -revoke ./newcerts/crl.lempstacler.com.cert.pem

Create the test certificate

cd /tmp/ca/intermediate
(umask 266; openssl genrsa -aes256 -passout pass:LempStacker2017 -out ./private/crl.lempstacler.com.key.pem 4096)
openssl req -new -sha256 -config ./openssl.cnf -passin pass:LempStacker2017 -subj "/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Web Service/CN=www.lempstacker.com" -key ./private/crl.lempstacler.com.key.pem -out ./csr/crl.lempstacler.com.csr.pem
(umask 222; openssl ca -days 365 -notext -md sha256 -config ./openssl.cnf -extensions server_cert -passin pass:LempStacker2017 -in ./csr/crl.lempstacler.com.csr.pem -out ./newcerts/crl.lempstacler.com.cert.pem)

Run the following commands to see the `crlDistributionPoints` URL set in the configuration file

cd /tmp/ca/intermediate
# find Full Name
openssl x509 -noout -text -in ./newcerts/crl.lempstacler.com.cert.pem
# openssl x509 -noout -text -in ./newcerts/crl.lempstacler.com.cert.pem | awk '$0~/Full Name/{getline;print gensub(/^[[:space:]]+(.*)/,"\\1"," ",$0)}'

The file /tmp/ca/intermediate/db/index.txt contains the following entry

#before revocation
V 180126210725Z 9C625884AE8C03A7095540A53C3A1BAC8305A41D42F199460EA4AB8E4DC152EF unknown /C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Web Service/CN=www.lempstacker.com

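The flag V means the certificate is valid and trusted. After the certificate is revoked, the flag changes from V to R, meaning revoked. After the revocation command is run, the entry becomes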

#after revocation
R 180126210725Z 170126211446Z,keyCompromise 9C625884AE8C03A7095540A53C3A1BAC8305A41D42F199460EA4AB8E4DC152EF unknown /C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Web Service/CN=www.lempstacker.com
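
An audit of db/index.txt built on the V/R flag described above, as an added example that is not part of the original article. It assumes the on-disk file is tab-separated with six fields (flag, expiry, revocation date and reason, serial, file name, subject); the first sample line is the revoked entry above with tabs restored, and the other two are constructed. It also flags serial numbers longer than the 20 octets RFC 5280 allows, which applies to the 32-byte serials that `openssl rand -hex 32` produces in this setup.

```shell
# Write a three-line sample index.txt to the path given as $1.
make_sample_index() {
    # Line 1: the revoked entry shown in the article, with real tabs.
    printf 'R\t180126210725Z\t170126211446Z,keyCompromise\t9C625884AE8C03A7095540A53C3A1BAC8305A41D42F199460EA4AB8E4DC152EF\tunknown\t/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Web Service/CN=www.lempstacker.com\n' > "$1"
    # Lines 2-3: constructed entries (serials and subjects are made up).
    printf 'V\t270101000000Z\t\t1000A1B2C3D4E5F6\tunknown\t/CN=constructed-valid.example\n' >> "$1"
    printf 'V\t160101000000Z\t\t1000A1B2C3D4E5F7\tunknown\t/CN=constructed-stale.example\n' >> "$1"
}

# index_audit FILE NOW   (NOW is UTC in the form YYYYMMDDHHMMSSZ)
# Prints per entry: state serial reason serial-octets serial-flag
#   state  : valid | revoked | expired | stale-valid | unknown
#            stale-valid = still flagged V although notAfter has passed
#   reason : the -crl_reason recorded at revocation, "none" if absent, "-" otherwise
index_audit() {
    awk -F '\t' -v now="$2" '
    # index.txt stores UTCTime (YYMMDDHHMMSSZ); widen to a 4-digit year so
    # that plain string comparison orders timestamps correctly.
    function widen(t) {
        if (length(t) == 13)
            return ((substr(t, 1, 2) + 0 < 50) ? "20" : "19") t
        return t
    }
    NF >= 6 {
        state = ($1 == "V") ? "valid" : (($1 == "R") ? "revoked" : (($1 == "E") ? "expired" : "unknown"))
        if ($1 == "V" && (widen($2) "") < (now ""))
            state = "stale-valid"

        reason = "-"
        if ($1 == "R") {
            n = split($3, rev, ",")
            reason = (n > 1) ? rev[2] : "none"
        }

        # Two hex digits per octet; RFC 5280 limits serials to 20 octets.
        octets = int((length($4) + 1) / 2)
        flag = (octets > 20) ? "serial-too-long" : "serial-ok"

        print state, $4, reason, octets, flag
    }' "$1"
}

sample=$(mktemp)
make_sample_index "$sample"
index_audit "$sample" 20170127000000Z
```

Entries reported as stale-valid are the ones `openssl ca -updatedb` would move from V to E.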

Online Certificate Status Protocol (OCSP)

Wikipedia link

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

RFC link

https://tools.ietf.org/html/rfc6960

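Generating An OCSP File

OCSP needs a key pair to sign the responses sent to the requester; this key pair must be signed by the same CA that signed the certificates being checked. Because the OCSP certificate carries no revocation information and cannot be revoked, its lifetime can be shortened appropriately, for example to 30 days.

Working in the intermediate CA directory, add the authorityInfoAccess directive to [server_cert] in the configuration file openssl.cnf; set the URL according to your environment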

authorityInfoAccess = OCSP;URI:http://ocsp.example.com

Here authorityInfoAccess is enabled with the following commands

cd /tmp/ca/intermediate
sed -i -r '/^\[ server_cert \]/,/^\[ crl_ext \]/s@^#?(authorityInfoAccess)@\1@' ./openssl.cnf
sed -i -r '/^\[ server_cert \]/,/^\[ crl_ext \]/s@^#?(crlDistributionPoints)@#\1@' ./openssl.cnf

Run the following commands to create the OCSP certificate ocsp.lempstacker.com.cert.pem

cd /tmp/ca/intermediate
(umask 266; openssl genrsa -aes256 -passout pass:LempStacker2017 -out ./private/ocsp.lempstacker.com.key.pem 4096)
#generate csr
openssl req -new -sha256 -config ./openssl.cnf -passin pass:LempStacker2017 -subj "/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Certificate Authority/CN=ocsp.lempstacker.com" -key ./private/ocsp.lempstacker.com.key.pem -out ./csr/ocsp.lempstacker.com.csr.pem
#sign OCSP cert via intermediate CA, use extension ocsp
(umask 222; openssl ca -days 30 -notext -md sha256 -config ./openssl.cnf -extensions ocsp -passin pass:LempStacker2017 -in ./csr/ocsp.lempstacker.com.csr.pem -out ./certs/ocsp.lempstacker.com.cert.pem)
#Verify the ocsp certificate
openssl x509 -noout -text -in ./certs/ocsp.lempstacker.com.cert.pem

The certificate verification output is as follows

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9c:62:58:84:ae:8c:03:a7:09:55:40:a5:3c:3a:1b:ac:83:05:a4:1d:42:f1:99:46:0e:a4:ab:8e:4d:c1:52:f3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Intermediate CA
Validity
Not Before: Jan 26 22:00:58 2017 GMT
Not After : Feb 25 22:00:58 2017 GMT
Subject: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=ocsp.lempstacker.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b4:66:39:ce:e9:2c:40:d2:ed:ff:6e:dc:0f:1e:
...
cb:b9:41:1d:c0:a6:c2:4b:7a:55:27:37:0e:bc:cb:
37:1f:23
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
5D:B4:18:71:30:50:A1:6A:D7:DE:E0:2D:6B:44:48:F2:61:1A:36:6E
X509v3 Authority Key Identifier:
keyid:F0:84:6D:EB:DD:48:A1:9A:1B:33:F4:74:8A:2B:6B:21:F8:7C:2E:06
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
OCSP Signing
Signature Algorithm: sha256WithRSAEncryption
3c:6f:a7:b8:a0:35:47:a5:7e:f7:df:31:07:a6:8b:3f:8f:7f:
...
80:f3:37:9a:13:a3:2d:7a:81:b0:9a:40:06:40:9a:85:59:da:
fc:7a:f2:9f:10:39:91:aa

Note the following

X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
OCSP Signing

Enable OCSP in Nginx with the following settings

server {
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /tmp/ca/intermediate/certs/ca-chain.cert.pem;
}

After configuration, reload the Nginx service; the following command shows whether the OCSP configuration has taken effect

openssl s_client -connect www.example.com:443 -tls1_2 -tlsextdebug -status

See also Let's Encrypt - nginx - OCSP stapling

Testing a certificate

Because this is a test, it is run on the local machine, on port 9999

Create the test certificate ocsp_test1.lempstacler.com.cert.pem

cd /tmp/ca/intermediate
(umask 266; openssl genrsa -aes256 -passout pass:LempStacker2017 -out ./private/ocsp_test1.lempstacler.com.key.pem 4096)
openssl req -new -sha256 -config ./openssl.cnf -passin pass:LempStacker2017 -subj "/C=CN/ST=Shanghai/O=LempStacker Ltd/OU=LempStacker Ltd Web [email protected]ker.com" -key ./private/ocsp_test1.lempstacler.com.key.pem -out ./csr/ocsp_test1.lempstacler.com.csr.pem
(umask 222; openssl ca -days 365 -notext -md sha256 -config ./openssl.cnf -extensions server_cert -passin pass:LempStacker2017 -in ./csr/ocsp_test1.lempstacler.com.csr.pem -out ./newcerts/ocsp_test1.lempstacler.com.cert.pem)

Open two terminals (shell sessions) at the same time; on the GNOME desktop this is gnome-terminal.

In Terminal 1, run:

cd /tmp/ca/intermediate
openssl ocsp -text -sha256 \
-index ./db/index.txt \
-CA ./certs/ca-chain.cert.pem \
-rkey ./private/ocsp.lempstacker.com.key.pem \
-rsigner ./certs/ocsp.lempstacker.com.cert.pem \
-port 127.0.0.1:9999 \
-nrequest 1

After entering the pass phrase when prompted, the following message appears:

Waiting for OCSP client connections…

In Terminal 2, run:

cd /tmp/ca/intermediate
openssl ocsp -resp_text \
-CAfile ./certs/ca-chain.cert.pem \
-issuer ./certs/intermediate.cert.pem \
-cert ./newcerts/ocsp_test1.lempstacler.com.cert.pem \
-url http://127.0.0.1:9999

The response is as follows:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = CN, ST = Shanghai, O = LempStacker Ltd, OU = LempStacker Ltd Certificate Authority, CN = ocsp.lempstacker.com
Produced At: Jan 26 22:04:03 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: A092DA95CA97A95F723C11CE054D278AA7B3E28A
Issuer Key Hash: F0846DEBDD48A19A1B33F4748A2B6B21F87C2E06
Serial Number: 9C625884AE8C03A7095540A53C3A1BAC8305A41D42F199460EA4AB8E4DC152F4
Cert Status: good
This Update: Jan 26 22:04:03 2017 GMT
Response Extensions:
OCSP Nonce:
04105B5B2A2F9F7C727A24A8FE7D353B0DE6
Signature Algorithm: sha256WithRSAEncryption
81:18:42:b5:92:a0:66:42:5c:48:f1:fd:0a:14:f5:04:4e:9c:
...
88:0e:7d:90:7b:e2:eb:eb:77:11:52:5e:02:40:90:91:e4:f8:
97:77:1f:c1:07:45:df:e8
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9c:62:58:84:ae:8c:03:a7:09:55:40:a5:3c:3a:1b:ac:83:05:a4:1d:42:f1:99:46:0e:a4:ab:8e:4d:c1:52:f3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Intermediate CA
Validity
Not Before: Jan 26 22:00:58 2017 GMT
Not After : Feb 25 22:00:58 2017 GMT
Subject: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=ocsp.lempstacker.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b4:66:39:ce:e9:2c:40:d2:ed:ff:6e:dc:0f:1e:
...
cb:b9:41:1d:c0:a6:c2:4b:7a:55:27:37:0e:bc:cb:
37:1f:23
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
5D:B4:18:71:30:50:A1:6A:D7:DE:E0:2D:6B:44:48:F2:61:1A:36:6E
X509v3 Authority Key Identifier:
keyid:F0:84:6D:EB:DD:48:A1:9A:1B:33:F4:74:8A:2B:6B:21:F8:7C:2E:06
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
OCSP Signing
Signature Algorithm: sha256WithRSAEncryption
3c:6f:a7:b8:a0:35:47:a5:7e:f7:df:31:07:a6:8b:3f:8f:7f:
...
80:f3:37:9a:13:a3:2d:7a:81:b0:9a:40:06:40:9a:85:59:da:
fc:7a:f2:9f:10:39:91:aa
-----BEGIN CERTIFICATE-----
MIIGLzCCBBegAwIBAgIhAJxiWISujAOnCVVApTw6G6yDBaQdQvGZRg6kq45NwVLz
...
001D16/LXHOMH6wLw1i6AqJd84nOqGNRVoDzN5oToy16gbCaQAZAmoVZ2vx68p8Q
OZGq
-----END CERTIFICATE-----
Response verify OK
./newcerts/ocsp_test1.lempstacler.com.cert.pem: good
This Update: Jan 26 22:04:03 2017 GMT

It contains:

# Not revoked
Cert Status: good

After revocation, the status value becomes revoked.

Revoking A Certificate

Run the following command to revoke the certificate ocsp_test1.lempstacler.com.cert.pem:

cd /tmp/ca/intermediate
openssl ca -config ./openssl.cnf -passin pass:LempStacker2017 -revoke ./newcerts/ocsp_test1.lempstacler.com.cert.pem

Once that is done, repeat the steps from Testing a certificate above:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = CN, ST = Shanghai, O = LempStacker Ltd, OU = LempStacker Ltd Certificate Authority, CN = ocsp.lempstacker.com
Produced At: Jan 26 22:11:08 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: A092DA95CA97A95F723C11CE054D278AA7B3E28A
Issuer Key Hash: F0846DEBDD48A19A1B33F4748A2B6B21F87C2E06
Serial Number: 9C625884AE8C03A7095540A53C3A1BAC8305A41D42F199460EA4AB8E4DC152F4
Cert Status: revoked
Revocation Time: Jan 26 22:09:30 2017 GMT
This Update: Jan 26 22:11:08 2017 GMT
Response Extensions:
OCSP Nonce:
04107DD00184815B914D3772DDDFD0C54532
Signature Algorithm: sha256WithRSAEncryption
96:cf:66:6d:b5:2a:95:c0:67:e7:0e:4b:ea:5f:de:5d:ff:4a:
...
80:35:ed:5b:fd:7b:41:4a:9c:8d:99:75:a3:69:25:3c:ca:4e:
cd:2b:69:1a:b2:1a:d4:86
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9c:62:58:84:ae:8c:03:a7:09:55:40:a5:3c:3a:1b:ac:83:05:a4:1d:42:f1:99:46:0e:a4:ab:8e:4d:c1:52:f3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=LempStacker Ltd Intermediate CA
Validity
Not Before: Jan 26 22:00:58 2017 GMT
Not After : Feb 25 22:00:58 2017 GMT
Subject: C=CN, ST=Shanghai, O=LempStacker Ltd, OU=LempStacker Ltd Certificate Authority, CN=ocsp.lempstacker.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b4:66:39:ce:e9:2c:40:d2:ed:ff:6e:dc:0f:1e:
...
cb:b9:41:1d:c0:a6:c2:4b:7a:55:27:37:0e:bc:cb:
37:1f:23
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
5D:B4:18:71:30:50:A1:6A:D7:DE:E0:2D:6B:44:48:F2:61:1A:36:6E
X509v3 Authority Key Identifier:
keyid:F0:84:6D:EB:DD:48:A1:9A:1B:33:F4:74:8A:2B:6B:21:F8:7C:2E:06
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
OCSP Signing
Signature Algorithm: sha256WithRSAEncryption
3c:6f:a7:b8:a0:35:47:a5:7e:f7:df:31:07:a6:8b:3f:8f:7f:
...
80:f3:37:9a:13:a3:2d:7a:81:b0:9a:40:06:40:9a:85:59:da:
fc:7a:f2:9f:10:39:91:aa
-----BEGIN CERTIFICATE-----
MIIGLzCCBBegAwIBAgIhAJxiWISujAOnCVVApTw6G6yDBaQdQvGZRg6kq45NwVLz
...
001D16/LXHOMH6wLw1i6AqJd84nOqGNRVoDzN5oToy16gbCaQAZAmoVZ2vx68p8Q
OZGq
-----END CERTIFICATE-----
Response verify OK
./newcerts/ocsp_test1.lempstacler.com.cert.pem: revoked
This Update: Jan 26 22:11:08 2017 GMT
Revocation Time: Jan 26 22:09:30 2017 GMT

It contains:

# Revoked
Cert Status: revoked
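
A script that consumes these responses should not rely on the Cert Status line alone, because openssl prints it even when the response signature fails to verify. The check below is an added example, not part of the original article: ocsp_verdict is a hypothetical helper name, and the sample responses are constructed, abbreviated from the output shown above.

```shell
#!/bin/sh
# Added example; ocsp_verdict is a hypothetical helper name, not an OpenSSL command.
# Reads the text of `openssl ocsp -resp_text ...` on stdin and prints one of
# good | revoked | unknown | unverified | no-response.
ocsp_verdict() {
    resp=$(cat)
    # 1. The responder must have answered successfully (not tryLater etc.).
    printf '%s\n' "$resp" | grep -q 'OCSP Response Status: successful' \
        || { echo no-response; return 2; }
    # 2. The response signature must have verified against the CA chain.
    #    openssl still prints the certificate status when this check fails.
    printf '%s\n' "$resp" | grep -q '^Response verify OK' \
        || { echo unverified; return 2; }
    # 3. Only now read the per-certificate status field.
    status=$(printf '%s\n' "$resp" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
    case "$status" in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 2 ;;
    esac
}

# Constructed samples, abbreviated from the two responses shown in this article.
sample_good='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
Response verify OK'
sample_revoked='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Jan 26 22:09:30 2017 GMT
Response verify OK'
# Constructed failure case: the status reads good but the signature check failed.
sample_unverified='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
Response Verify Failure'

for s in "$sample_good" "$sample_revoked" "$sample_unverified"; do
    printf '%s\n' "$s" | ocsp_verdict || true   # prints good, revoked, unverified
done

# Real use, with the Terminal 2 command from this article (stderr merged so the
# verify line is captured whichever stream openssl writes it to):
#   openssl ocsp -resp_text -CAfile ./certs/ca-chain.cert.pem \
#     -issuer ./certs/intermediate.cert.pem -cert "$cert" -url "$url" 2>&1 | ocsp_verdict
```

The exit code is 0 only for a verified good status, so the function can gate a deployment or monitoring step directly.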

Error Occurring

Error 1

problems making Certificate Request
139870547867280:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:158:maxsize=2

The cause is that the [req] section of the configuration file openssl.cnf sets:

prompt = no

Comment out or delete that line to fix it.

Change Logs

  • 2017.01.26 17:20 Thu America/Boston
    • First draft completed