OpenSSL 廢止憑證方式
- 修改 openssl.cnf 參數檔
看修改 openssl.cnf 內容
:
[ca]
default_ca = CA_default # The default ca section
trysoft_ca = CA_trysoft # Trysoft Corp. ca section
:
[ CA_trysoft ]
dir = /home/jonathan/ca/trysoft
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/RootCA.crt # The CA certificate
serial = $dir/RootCA.srl # The current serial number
crlnumber = $dir/CRL.srl # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl/trysoft.crl # The current CRL
private_key = $dir/private/RootCA.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
:
:
[ req ]
default_bits = 2048
:
[ req_distinguished_name ]
:
countryName_default = TW
:
stateOrProvinceName_default = Taiwan
:
localityName_default = Taipei
:
/home/jonathan/ca/trysoft/
|-- RootCA.crt
|-- RootCA.srl
|-- certs
| |-- ClientCA.crt
|-- crl
|-- jonathan
| |-- ClientCA.crt
| |-- ClientCA.key
| |-- ClientCA.pem
| `-- ClientCA.pfx
|-- mail.ichiayi.com
| |-- ServerCA.crt
| `-- ServerCA.key
|-- newcerts
`-- private
`-- RootCA.key
- 產生設定檔內相關檔案
cd /home/jonathan/ca/trysoft/
touch index.txt
cp RootCA.srl CRL.srl
- 測試進行廢止 ClientCA
/home/jonathan/ca/trysoft/
|-- certs
|-- ClientCA.crt
cd /home/jonathan/ca/trysoft/certs
openssl ca -name CA_trysoft -revoke ClientCA.crt
看執行結果
[jonathan@pd920 certs]$ openssl ca -name CA_trysoft -revoke ClientCA.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/jonathan/ca/trysoft/private/RootCA.key: <-- 輸入 RootCA 密碼
Adding Entry with serial number E0B893FC9733381E to DB for /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./[email protected]
Revoking Certificate E0B893FC9733381E.
Data Base Updated
- 產生 CRL 檔 trysoft.crl
cd /home/jonathan/ca/trysoft/crl
openssl ca -name CA_trysoft -gencrl -out trysoft.crl
看執行結果
[jonathan@pd920 certs]$ cd /home/jonathan/ca/trysoft/crl
[jonathan@pd920 crl]$ openssl ca -name CA_trysoft -gencrl -out trysoft.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/jonathan/ca/trysoft/private/RootCA.key: <-- 輸入 RootCA 密碼
要轉成 DER 格式可執行以下命令
openssl crl -in trysoft.crl -outform DER -out trysoft.crl
- 執行後檔案目錄結果
/home/jonathan/ca/trysoft/
|-- CRL.srl
|-- CRL.srl.old
|-- RootCA.crt
|-- RootCA.srl
|-- certs
| |-- ClientCA.crt
|-- crl
| `-- trysoft.crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- jonathan
| |-- ClientCA.crt
| |-- ClientCA.key
| |-- ClientCA.pem
| `-- ClientCA.pfx
|-- mail.ichiayi.com
| |-- ServerCA.crt
| `-- ServerCA.key
|-- newcerts
`-- private
`-- RootCA.key
參考網址
