On Thu, Nov 27, 2014 at 02:58:01PM +0800, Jerry OELoo wrote:

> # Create CA
> openssl genrsa -out ca.key 4096
> openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt

Don't forget "umask 077", or use a strong passphrase (no "-nodes").
Otherwise, the key is generally world-readable, which is by far a greater
risk than someone factoring a 2048-bit key.

> # Create Intermediate
> openssl genrsa -out intermediate.key 4096
> openssl req -new -sha1 -key intermediate.key -out intermediate.csr

Various extensions should be set for intermediate CAs, and are not
in this case.

> Please kindly give me some suggestion about how to use openssl command
> to sign "test.example.com.crt" with intermediate CA. Thanks!

If you want to avoid the "stateful" CA model supported by the
openssl ca(1) command, the bash script below my signature is a
one-shot CA.  Adjust to taste.  It creates a root, two intermediates
and a leaf.  A PKCS#12 file is also generated.  The PKCS#12 passphrase
is the literal string "umask 077", i.e. the security of that file relies
exclusively on the filesystem permissions (if POSIX).  You can change
that too if you wish, as well as password-protecting the created keys
(provided you're willing to put up with all the prompts).

You may need to add more extensions, depending on where and for
what the chain will be used; this is not difficult.

-- 
        Viktor.

#! /bin/bash

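# Abort on the first failing command.  pipefail extends that to the
# "req ... | cert ..." pipelines used by the gen* functions, so a failed
# key-generation or CSR step on the left-hand side stops the run instead of
# being judged only by the pipeline's last command.
set -e -o pipefail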

# Run a command with a temporary umask.
# Arguments: $1 - umask to apply; remaining arguments - command and its args
# Returns:   exit status of the command
# The umask is changed inside a subshell, so the caller's umask is untouched;
# exec replaces that subshell with the command itself.
urun() {
    local new_umask=$1
    shift
    (
        umask "$new_umask"
        exec "$@"
    )
}

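# Create a private key in "<name>.pem" unless that file already exists.
# Arguments: $1 - key algorithm: "ecdsa" (prime256v1) or "rsa" (2048 bits)
#            $2 - output path without the ".pem" suffix
# Outputs:   diagnostics on stderr only; stdout stays clean because req()
#            calls this function while its own stdout carries the CSR
# Returns:   0 if the key exists or was created, 1 for an unsupported algorithm
key() {
    local alg=$1; shift
    local key=$1; shift

    # An existing key file is reused as-is; the algorithm is not re-checked.
    if [ ! -f "${key}.pem" ]; then
        # No cipher option is passed to genpkey, so the key is written without
        # a passphrase.  Creating it under umask 077 keeps the file readable
        # by its owner only; that file mode is the key's sole protection.
        case $alg in
        ecdsa)
            urun 077 \
                openssl genpkey \
                    -paramfile <(openssl ecparam -name prime256v1) \
                    -out "${key}.pem";;
        rsa)
            urun 077 \
                openssl genpkey \
                    -algorithm rsa -pkeyopt rsa_keygen_bits:2048 \
                    -out "${key}.pem";;
        *)
            # Report on stderr so the message cannot end up in a caller's
            # stdout pipeline.
            echo "Unsupported key algorithm $alg" >&2
            return 1;;
        esac
    fi
}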

# Emit a PKCS#10 certificate request on stdout.
# Arguments: $1 - key algorithm, passed to key()
#            $2 - key path without the ".pem" suffix (created if missing)
#            $3 - subject common name
# Outputs:   the CSR on stdout (no -out is given to openssl req)
# Note: the common name is written verbatim into a generated openssl config,
# so it is expected to be a plain single-line name such as a hostname.
req() {
    local alg=$1 key=$2 cn=$3
    local conf
    shift 3

    key "$alg" "$key"

    # Minimal non-interactive request config: UTF-8 strings only, no prompts,
    # and a subject DN consisting solely of the CN.
    printf -v conf "[req]\n%s\n%s\n%s\n[dn]\nCN=%s\n" \
        "string_mask = utf8only" "prompt = no" \
        "distinguished_name = dn" "${cn}"

    openssl req -new -sha256 -key "${key}.pem" -config <(printf '%s' "$conf")
}

# Sign a certificate request and write the certificate to "<name>.pem".
# Arguments: $1 - output path without the ".pem" suffix
#            $2 - X.509v3 extension settings, one per line
#            remaining arguments - passed unchanged to "openssl x509"
#            (signing key or CA options, serial number, validity)
# No -in option is given here, so the request comes from wherever the caller
# supplies it; the gen* functions pipe it in from req().
cert() {
    local out_base=$1
    shift
    local ext_text=$1
    shift

    local -a x509_args=(-req -sha256 -out "${out_base}.pem")

    # The extensions are handed over through a process substitution, so no
    # temporary extension file is left on disk.
    openssl x509 "${x509_args[@]}" \
        -extfile <(printf "%s\n" "$ext_text") "$@"
}

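# Create a self-signed root CA certificate.
# Arguments: $1 - subject common name
#            $2 - key algorithm (see key())
#            $3 - key path without the ".pem" suffix
#            $4 - certificate path without the ".pem" suffix
# The certificate gets serial 1 and is valid for 30 days.  Only the key
# identifiers and basicConstraints are set: basicConstraints is not marked
# critical and no keyUsage is added, so extend the list if the consumer of
# the chain requires them.
genroot() {
    local cn=$1; shift
    local alg=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local akid="authorityKeyIdentifier = keyid"
    local skid="subjectKeyIdentifier = hash"
    # Kept local so the extension text does not leak into the global scope.
    local exts

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
    # -signkey makes the certificate self-signed with the root's own key.
    req "$alg" "$key" "$cn" |
        cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days 30
}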

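# Create an intermediate CA certificate signed by an existing CA.
# Arguments: $1 - subject common name
#            $2 - key algorithm (see key())
#            $3 - key path without the ".pem" suffix
#            $4 - certificate path without the ".pem" suffix
#            $5 - issuer certificate path without the ".pem" suffix
#            $6 - issuer key path without the ".pem" suffix
#            remaining arguments - passed unchanged to "openssl x509"
# The serial number is fixed at 2, so issuing more than one certificate from
# the same issuer this way yields duplicate serials.  Validity is 30 days.
# basicConstraints is not marked critical, and no keyUsage or path-length
# constraint is set; add them if the consumer of the chain requires them.
genca() {
    local cn=$1; shift
    local alg=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local ca=$1; shift
    local cakey=$1; shift
    local akid="authorityKeyIdentifier  = keyid"
    local skid="subjectKeyIdentifier = hash"
    # Kept local so the extension text does not leak into the global scope.
    local exts

    exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
    req "$alg" "$key" "$cn" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days 30 "$@"
}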

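# Create an end-entity (leaf) server certificate signed by an existing CA.
# Arguments: $1 - subject common name, also used as the DNS subjectAltName
#            $2 - key algorithm (see key())
#            $3 - key path without the ".pem" suffix
#            $4 - certificate path without the ".pem" suffix
#            $5 - issuer certificate path without the ".pem" suffix
#            $6 - issuer key path without the ".pem" suffix
#            remaining arguments - passed unchanged to "openssl x509"
# The certificate is marked CA:false with extendedKeyUsage serverAuth, gets
# the fixed serial 2 and is valid for 30 days.  No keyUsage extension is set.
genee() {
    local cn=$1; shift
    local alg=$1; shift
    local key=$1; shift
    local cert=$1; shift
    local ca=$1; shift
    local cakey=$1; shift
    # Kept local so the extension text does not leak into the global scope.
    local exts

    # The common name is placed verbatim in the [alts] section, so it is
    # expected to be a plain single-line DNS name.
    exts=$(printf "%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \
            "subjectKeyIdentifier = hash" \
            "authorityKeyIdentifier = keyid, issuer" \
            "basicConstraints = CA:false" \
            "extendedKeyUsage = serverAuth" \
            "subjectAltName = @alts" "DNS=${cn}")
    req "$alg" "$key" "$cn" |
        cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \
            -set_serial 2 -days 30 "$@"
}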


# Build the hierarchy: root -> CA 1 -> CA 2 -> leaf named after this host.
# The CA keys are RSA; the leaf key is ECDSA.
genroot "Root CA" rsa rootkey rootcert
genca "CA 1" rsa cakey1 cacert1 rootcert rootkey
genca "CA 2" rsa cakey2 cacert2 cacert1 cakey1
genee "$(uname -n)" ecdsa eekey eecert cacert2 cakey2

# chain.pem holds the leaf followed by both intermediates; fullchain.pem is
# the same sequence with the root certificate appended.
cat eecert.pem cacert2.pem cacert1.pem > chain.pem
cat chain.pem rootcert.pem > fullchain.pem

# Bundle the leaf key and chain.pem into a PKCS#12 file.  The passphrase is a
# fixed string that appears in this script and on the openssl command line,
# so it offers no confidentiality: the file mode from umask 077 is the only
# protection.  PBE-SHA1-3DES is an older PKCS#12 encryption scheme; change
# both settings if the bundle leaves this filesystem.
p12_args=(
    -export
    -inkey eekey.pem -in chain.pem -out eekeys.p12
    -password "pass:umask 077"
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
)
urun 077 openssl pkcs12 "${p12_args[@]}"