This series has three parts. It covers building your own certificate authority (CA), generating certificate signing requests, signing those requests with the CA you built, and finally deploying the signed certificates to a service.
By running your own CA you can sign certificates for your own applications without paying a commercial CA for a signature. The downside of self-signing is that clients must import your root certificate before they will trust the certificates it issues.
The following is the process for building your own CA on CentOS.
1. Create the directories and files
# mkdir /home/cg/myca
# cd /home/cg/myca/
# mkdir private certs newcerts conf export csr
# echo '01' > serial
# touch index.txt
# vim /home/cg/myca/conf/caconfig.cnf
Add the following content:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /home/cg/myca/
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/crt.ca.cg.pem # must match the -out file of the root certificate command in step 2
serial = $dir/serial
#crl = $dir/crl.pem
private_key = $dir/private/key.ca.cg.pem # must match the -keyout file of the root certificate command in step 2
#RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
#crl_extensions = crl_ext
default_days = 3650
#default_startdate = YYMMDDHHMMSSZ
#default_enddate = YYMMDDHHMMSSZ
#default_crl_days= 30
#default_crl_hours = 24
default_md = sha256 # certificates signed with sha1 are rejected by modern clients
preserve = no
#msie_hack
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 4096 # Size of keys
default_keyfile = key.pem # name of generated keys
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
#input_password
#output_password
string_mask = nombstr # permitted characters
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (city, district)
localityName_default = New York
organizationName = Organization Name (company)
organizationName_default = Code Ghar
organizationalUnitName = Organizational Unit Name (department, division)
organizationalUnitName_default = IT
commonName = Common Name (hostname, FQDN, IP, or your name)
commonName_max = 64
commonName_default = CGIT
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = codeghar@example.com

[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

[ usr_cert ]
basicConstraints= CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
#nsComment = "OpenSSL Generated Certificate"
#nsCertType = client, email, objsign for "everything including object signing"
subjectAltName=email:copy
issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl =
#nsRenewalUrl =
#nsCaPolicyUrl =
#nsSslServerName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:TRUE
#keyUsage = cRLSign, keyCertSign
#nsCertType = sslCA, emailCA
#subjectAltName=email:copy
#issuerAltName=issuer:copy
#obj=DER:02:03

[ crl_ext ]
#issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
2. Generate the root certificate:
openssl req -new -x509 -days 3650 -config conf/caconfig.cnf -keyform PEM -keyout private/key.ca.cg.pem -outform PEM -out certs/crt.ca.cg.pem
Run this from /home/cg/myca, since the paths are relative to that directory. You will be prompted for a pass phrase that encrypts the CA private key. The two files key.ca.cg.pem and crt.ca.cg.pem are written to $dir/private and $dir/certs respectively.
3. Check that the root certificate is correct
openssl x509 -in certs/crt.ca.cg.pem -inform pem -noout -text
In the output, confirm that the X509v3 extensions show CA:TRUE and that the subject and validity period are what you expect.
4. Export the root certificate
Export it in PKCS12 format, which Windows installs automatically when you double-click the file:
openssl pkcs12 -export -nokeys -in certs/crt.ca.cg.pem -out export/ca.cg.p12
Clients only need the certificate, so -nokeys keeps the CA private key out of the exported file; exporting with -inkey private/key.ca.cg.pem instead would bundle the CA key into a file that is then copied to every client machine.
Send the file to the Windows system and double-click ca.cg.p12, then follow the prompts to install it.
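The whole procedure above, as an added shell example that is not part of the original post: it builds the CA layout and root certificate in a temporary directory, checks that the root really is a CA and that its key is readable by the owner only, and then compares a client export made with -nokeys against one made with -inkey. It assumes the openssl CLI is installed; the temporary directory, the pass phrases and the subject values are constructed for the demo and stand in for /home/cg/myca and the interactive prompts.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA in a temp directory.
# Requires the openssl CLI; directory, pass phrases and subject are constructed.
set -eu

CA_DIR="$(mktemp -d)"                 # constructed stand-in for /home/cg/myca
CA_PASS='demo-ca-passphrase'          # constructed; encrypts the CA private key
EXPORT_PASS='demo-export-password'    # constructed; protects the .p12 files
trap 'rm -rf "$CA_DIR"' EXIT

# Step 1: directories, serial, index and a minimal non-interactive config.
setup_ca_dir() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/newcerts" \
             "$CA_DIR/conf" "$CA_DIR/export" "$CA_DIR/csr"
    chmod 700 "$CA_DIR/private"       # only the CA operator may enter the key dir
    echo '01' > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/conf/caconfig.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/certs/crt.ca.cg.pem
private_key = \$dir/private/key.ca.cg.pem
default_days = 3650
default_md = sha256
[ req ]
default_bits = 4096
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
C = US
ST = New York
O = Code Ghar
CN = CGIT Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}
# Step 2: self-signed root; the key is encrypted with CA_PASS and owner-only.
create_root_ca() {
    (cd "$CA_DIR" && openssl req -new -x509 -days 3650 -config conf/caconfig.cnf \
        -keyout private/key.ca.cg.pem -out certs/crt.ca.cg.pem \
        -passout "pass:$CA_PASS" 2>/dev/null)
    chmod 600 "$CA_DIR/private/key.ca.cg.pem"
}
# Step 3: the root must carry CA:TRUE and verify against itself.
check_root_ca() {
    openssl x509 -in "$CA_DIR/certs/crt.ca.cg.pem" -noout -text | grep -q 'CA:TRUE' &&
    openssl verify -CAfile "$CA_DIR/certs/crt.ca.cg.pem" \
        "$CA_DIR/certs/crt.ca.cg.pem" >/dev/null 2>&1
}
# Permission string of the CA key file, e.g. "-rw-------".
key_mode() { ls -l "$CA_DIR/private/key.ca.cg.pem" | cut -c1-10; }
# Step 4: clients need the certificate only; -nokeys keeps the CA key out.
export_root_for_clients() {
    openssl pkcs12 -export -nokeys -in "$CA_DIR/certs/crt.ca.cg.pem" \
        -out "$CA_DIR/export/ca.cg.p12" -passout "pass:$EXPORT_PASS"
    # DER alternative that Windows also installs on double-click
    openssl x509 -in "$CA_DIR/certs/crt.ca.cg.pem" -outform DER -out "$CA_DIR/export/ca.cg.cer"
}
# For contrast: exporting with -inkey bundles the CA private key into the file.
export_root_with_key() {
    openssl pkcs12 -export -in "$CA_DIR/certs/crt.ca.cg.pem" \
        -inkey "$CA_DIR/private/key.ca.cg.pem" -passin "pass:$CA_PASS" \
        -out "$CA_DIR/export/ca.cg.with-key.p12" -passout "pass:$EXPORT_PASS"
}
# Number of private keys inside a .p12; a bundle for clients must report 0.
p12_private_key_count() {
    openssl pkcs12 -in "$1" -nodes -passin "pass:$EXPORT_PASS" 2>/dev/null |
        grep -c 'BEGIN .*PRIVATE KEY' || true
}
run_demo() {
    setup_ca_dir
    create_root_ca
    check_root_ca
    export_root_for_clients
    export_root_with_key
    printf 'root is CA: yes, key mode: %s\n' "$(key_mode)"
    printf 'keys in -nokeys bundle: %s, keys in -inkey bundle: %s\n' \
        "$(p12_private_key_count "$CA_DIR/export/ca.cg.p12")" \
        "$(p12_private_key_count "$CA_DIR/export/ca.cg.with-key.p12")"
}
run_demo
```

The config uses `prompt = no` so the demo runs unattended; the post's interactive config works the same way once you answer the prompts. The contrast between the two exports is the point: the -nokeys bundle contains zero private keys, while the -inkey bundle carries the CA key, which is why only the former should ever leave the CA host.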