
openSSL: sign an https_client certificate with a CA


I need to:

  • create a CA certificate
  • create an https_client certificate
  • sign the https_client certificate with the CA
using the command line on Linux (openSUSE). I create the CA certificate:

 # openssl genrsa -out rootCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
....................+++
e is 65537 (0x10001)
 # openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AA
State or Province Name (full name) [Some-State]:A
Locality Name (eg, city) []:A
Organization Name (eg, company) [Internet Widgits Pty Ltd]:A
Organizational Unit Name (eg, section) []:A
Common Name (e.g. server FQDN or YOUR name) []:A
Email Address []:A
 #
Fine. Then I create the https_client certificate:

 # openssl genrsa -out client1.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.............................................+++
e is 65537 (0x10001)
 #
 # openssl req -x509 -new -nodes -key client1.key -days 3650 -out client1.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BB
State or Province Name (full name) [Some-State]:B
Locality Name (eg, city) []:B
Organization Name (eg, company) [Internet Widgits Pty Ltd]:B
Organizational Unit Name (eg, section) []:B
Common Name (e.g. server FQDN or YOUR name) []:B
Email Address []:B
 #
Fine. Now, when I try to sign the https_client certificate with the CA, I get some errors here:

 # openssl ca -in client1.pem -out client11.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139667082016400:error:02001002:system library:fopen:No such file or directory:bss_file.c:404:fopen('./demoCA/private/cakey.pem','re')
139667082016400:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:406:
unable to load CA private key
 #
I have already tried:

  • using an absolute path ()
but I did not succeed. I read somewhere that the specific attributes entered need to be the same as those entered when creating the CA, but at least when creating certificates on Windows with the XCA tool this is not true. I can enter completely different things, and as long as I sign with the CA I can use it. Can anyone help me?

Update:
I am only using .key and .pem because this worked for me on Windows with the XCA tool... I am currently reading the openSSL cookbook () to see whether I am making some particular mistake. First thought: do I have to use a .csr to sign the certificate, or can I sign it in any other format as well?

You are using the "openssl ca" tool, which by default uses the following configuration file: /etc/ssl/openssl.cnf. In other words, you are not trying to sign with your CA certificate but with the defaults from that configuration file. You are also passing the -x509 parameter to the client certificate signing request, which makes the CSR invalid.

Please find working generation and signing commands below.

Generate the CA key and certificate:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.pem \
-subj '/C=AA/ST=AA/L=AA/O=AA Ltd/OU=AA/CN=AA/emailAddress=aa@aa.com'
Generate the client key and CSR:

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr \
-subj '/C=BB/ST=BB/L=BB/O=BB Ltd/OU=BB/CN=BB/emailAddress=bb@bb.com'
Generate the client certificate signed with the CA certificate:

openssl x509 -req -days 365 -CA rootCA.pem -CAkey rootCA.key \
-CAcreateserial -CAserial serial -in client1.csr -out client1.pem
Of course, you can set up the configuration file to use the correct CA files and then use the "openssl ca" tool.

You can verify your certificate with:

openssl verify -verbose -CAfile rootCA.pem client1.pem
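The following script is an added example, not code from the answerer or from the OpenSSL project. It runs the whole procedure above non-interactively and goes one step further: it signs the same CSR once with `openssl x509 -req` (the answer's method) and once with the `openssl ca` tool from the question, pointed at its own minimal config and database instead of the `./demoCA` defaults from `/etc/ssl/openssl.cnf`. It also reproduces the original mistake (`-x509` on the client request) and shows that the resulting self-signed certificate does not verify against the CA. The subjects, the working directory, the config file `demo.cnf` and the extension sections are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive mini-CA that
# creates a root CA, creates a client key plus CSR (no -x509!), signs the CSR
# with both `openssl x509 -req` and `openssl ca -config`, and verifies that the
# signed certificates chain to the CA while a self-signed one does not.
# All names, subjects and the config file below are constructed for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/demo.cnf"

write_config() {
  # One constructed config serves `openssl req`, `openssl ca` and `-extfile`.
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"          # openssl ca's certificate database
  echo 1000 > "$WORK/serial"     # next serial number used by openssl ca
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $WORK
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
certificate        = \$dir/rootCA.pem
private_key        = \$dir/rootCA.key
default_md         = sha256
default_days       = 365
policy             = policy_any
[ policy_any ]
commonName         = supplied
countryName        = optional
EOF
}

make_ca() {
  # Root CA key (kept 0600: everything below depends on it) and self-signed
  # CA certificate carrying CA:TRUE via ca_ext.
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  chmod 600 "$WORK/rootCA.key"
  openssl req -config "$CNF" -x509 -new -sha256 -days 3650 -key "$WORK/rootCA.key" \
    -subj '/C=AA/ST=AA/O=AA Ltd/CN=Demo Root CA' -out "$WORK/rootCA.pem"
}

make_client_csr() {
  # Client key and a certificate signing REQUEST. No -x509 here: that flag
  # turns the output into a self-signed certificate instead of a CSR.
  openssl genrsa -out "$WORK/client1.key" 2048 2>/dev/null
  chmod 600 "$WORK/client1.key"
  openssl req -config "$CNF" -new -key "$WORK/client1.key" \
    -subj '/C=BB/CN=client1' -out "$WORK/client1.csr"
}

sign_with_x509() {
  # Method 1 (the answer's approach). -CAcreateserial keeps rootCA.srl so that
  # every certificate this CA issues gets a distinct serial number.
  openssl x509 -req -sha256 -days 365 -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -extfile "$CNF" -extensions client_ext \
    -in "$WORK/client1.csr" -out "$WORK/client1.pem" 2>/dev/null
}

sign_with_ca_tool() {
  # Method 2: the `openssl ca` tool from the question, now told via -config
  # where the CA key, certificate and database live.
  openssl ca -batch -notext -config "$CNF" -extensions client_ext \
    -in "$WORK/client1.csr" -out "$WORK/client1-ca.pem" 2>/dev/null
}

make_self_signed_client() {
  # Reproduces the mistake in the question: -x509 on the client request.
  openssl req -config "$CNF" -x509 -new -days 365 -key "$WORK/client1.key" \
    -subj '/C=BB/CN=client1' -out "$WORK/client1-selfsigned.pem"
}

verify_cert() {
  # Prints OK when the certificate in $1 chains to rootCA.pem, FAIL otherwise.
  if openssl verify -CAfile "$WORK/rootCA.pem" "$1" >/dev/null 2>&1; then
    echo OK; else echo FAIL; fi
}

main() {
  write_config; make_ca; make_client_csr
  sign_with_x509; sign_with_ca_tool; make_self_signed_client
  echo "x509 -req signed : $(verify_cert "$WORK/client1.pem")"
  echo "openssl ca signed: $(verify_cert "$WORK/client1-ca.pem")"
  echo "self-signed      : $(verify_cert "$WORK/client1-selfsigned.pem")"
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not installed" >&2; fi
```

The first two lines of output read `OK` and the third `FAIL`: a certificate produced with `openssl req -x509` is signed by its own key, so no CA ever vouched for it, which is exactly why the `.pem` files from the question could not be "signed" after the fact. The `openssl ca` path additionally appends a `V` (valid) record to `index.txt`, which is the database the tool was looking for under `./demoCA` in the original error.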

Thanks for the reply so far, I had a meeting and could not work on this for the past few hours... I will definitely look at it tomorrow.

Thank you, much appreciated sir, this works for me... I converted to .p12 using openssl pkcs12 -export -out client1.p12 -inkey client1.key -in client1.pem -certfile rootCA.pem ... I am going to implement this now. For security reasons I think I need to set/change some options. Could you help me once more? I would like to make the rootCA I created myself trusted. Do you know how to do that? @talamaki

To make your self-generated CA certificate trusted you need to make it available to the applications that will verify certificates signed with it. Since you generated a client certificate, your goal is probably to have your client authenticate to some server. You need to somehow import the CA certificate into the server's certificate store. For openSUSE see, for example, (). The more widely you plan to distribute the CA certificate, the more careful you need to be with your CA private key. You can easily find web links describing how to act as your own certificate authority, for example () and ().