Creating a CA and issuing certificates with easy-rsa on Ubuntu 14.04


sudo apt-get update


sudo apt-get install easy-rsa


The easy-rsa version in the Ubuntu 14.04 package repository is 2.0.


Use dpkg -L to list the files the package installed:

$ dpkg -L easy-rsa
/.
/usr
/usr/share
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/make-cadir.1.gz
/usr/share/easy-rsa
/usr/share/easy-rsa/openssl-1.0.0.cnf
/usr/share/easy-rsa/build-req-pass
/usr/share/easy-rsa/build-key
/usr/share/easy-rsa/inherit-inter
/usr/share/easy-rsa/sign-req
/usr/share/easy-rsa/build-key-pkcs12
/usr/share/easy-rsa/vars
/usr/share/easy-rsa/pkitool
/usr/share/easy-rsa/openssl-0.9.8.cnf
/usr/share/easy-rsa/build-dh
/usr/share/easy-rsa/build-key-pass
/usr/share/easy-rsa/revoke-full
/usr/share/easy-rsa/openssl-0.9.6.cnf
/usr/share/easy-rsa/build-ca
/usr/share/easy-rsa/build-key-server
/usr/share/easy-rsa/clean-all
/usr/share/easy-rsa/list-crl
/usr/share/easy-rsa/build-inter
/usr/share/easy-rsa/build-req
/usr/share/easy-rsa/whichopensslcnf
/usr/share/doc
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/README-2.0.gz
/usr/share/doc/easy-rsa/README.Debian
/usr/share/doc/easy-rsa/copyright
/usr/share/doc/easy-rsa/changelog.Debian.gz
/usr/bin
/usr/bin/make-cadir

Run make-cadir MyCA to create the CA directory.

The script creates the MyCA directory, symlinks the easy-rsa scripts into it, and copies the editable files (vars and the openssl-*.cnf files) so that your edits do not touch the shared copies under /usr/share/easy-rsa.

Main content of the script (comments added):

mkdir -p "$1"                                                # CA directory named by the argument
chmod 700 "$1"                                               # owner-only: the CA private key will live under it
ln -s /usr/share/easy-rsa/* "$1"                             # link every script and template in
rm -f "$1"/vars "$1"/*.cnf                                   # replace the links to the editable files...
cp /usr/share/easy-rsa/vars /usr/share/easy-rsa/*.cnf "$1"   # ...with private copies

Structure of the resulting MyCA directory (from ls -l; the scripts are symlinks, vars and the .cnf files are copies):

   28 Dec 13 11:32 build-ca -> /usr/share/easy-rsa/build-ca
   28 Dec 13 11:32 build-dh -> /usr/share/easy-rsa/build-dh
   31 Dec 13 11:32 build-inter -> /usr/share/easy-rsa/build-inter
   29 Dec 13 11:32 build-key -> /usr/share/easy-rsa/build-key
   34 Dec 13 11:32 build-key-pass -> /usr/share/easy-rsa/build-key-pass
   36 Dec 13 11:32 build-key-pkcs12 -> /usr/share/easy-rsa/build-key-pkcs12
   36 Dec 13 11:32 build-key-server -> /usr/share/easy-rsa/build-key-server
   29 Dec 13 11:32 build-req -> /usr/share/easy-rsa/build-req
   34 Dec 13 11:32 build-req-pass -> /usr/share/easy-rsa/build-req-pass
   29 Dec 13 11:32 clean-all -> /usr/share/easy-rsa/clean-all
   33 Dec 13 11:32 inherit-inter -> /usr/share/easy-rsa/inherit-inter
   28 Dec 13 11:32 list-crl -> /usr/share/easy-rsa/list-crl
 7859 Dec 13 11:32 openssl-0.9.6.cnf
 8416 Dec 13 11:32 openssl-0.9.8.cnf
 8313 Dec 13 11:32 openssl-1.0.0.cnf
   27 Dec 13 11:32 pkitool -> /usr/share/easy-rsa/pkitool
   31 Dec 13 11:32 revoke-full -> /usr/share/easy-rsa/revoke-full
   28 Dec 13 11:32 sign-req -> /usr/share/easy-rsa/sign-req
 2077 Dec 13 11:32 vars
   35 Dec 13 11:32 whichopensslcnf -> /usr/share/easy-rsa/whichopensslcnf

Run cd MyCA to enter the CA directory.

Edit the configuration file vars.

Change KEY_SIZE to 4096 (the RSA key size used for the CA key and for every key the build-* scripts generate).

Set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and the other KEY_* fields to suitable values; they become the defaults offered at the subject prompts.

Run source vars to load the variables into the environment. The scripts below read them from the environment, so run everything from this same shell (or source vars again in a new one).


Running env shows the variables from vars in the environment:

KEY_SIZE=4096
KEY_NAME=EasyRSA
KEY_CITY=SanFrancisco
KEY_PROVINCE=CA
KEY_ORG=Fort-Funston
......


Run the ./clean-all script.

It prepares an empty keys directory: any existing keys/ is removed (rm -rf), a fresh one is created with group/other access removed, and the OpenSSL CA database is seeded (index.txt, serial). Run it only once at setup; running it again after build-ca destroys the CA.


Run the ./build-ca script.

It creates the CA private key and self-signed CA certificate in the keys directory (keys/ca.key and keys/ca.crt).

Just press Enter at each prompt; the defaults come from vars. keys/ca.key is the trust anchor for everything signed below, so keep it on this machine only and never copy it out together with the server or client keys.


Run ./build-key-server server

This creates the SSL server certificate for the server side.

The Common Name is the script argument, server.

Press Enter to accept the defaults.

Finally answer y twice: once to sign the certificate and once to commit it to the CA database.

The results are in the keys directory: keys/server.crt (the certificate), keys/server.csr (the signing request) and keys/server.key (the private key, written unencrypted because the script passes -nodes to openssl, so protect the file accordingly).

Certificates created by build-key-server carry the Netscape Cert Type extension, which you can inspect with openssl x509 -in keys/server.crt -noout -text (excerpt):

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server

This is the extension an OpenVPN client checks when it is configured with ns-cert-type server; certificates issued with build-key do not carry it, so a client certificate cannot be presented as the server.


Run ./build-key client1

This creates a client certificate (Common Name client1, same prompts and y/y confirmation as above). The results are keys/client1.crt, keys/client1.csr and keys/client1.key.
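The whole procedure above can be run without prompts and then checked. The script below is an added example, not part of the original post or of the easy-rsa package: it assumes easy-rsa 2.0 as installed above, a directory prepared with make-cadir MyCA whose vars file has already been edited, and that it is run from inside that directory. The file name build_and_check.sh and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of the easy-rsa package:
# the CA / server / client procedure run in batch mode, then checked.
# Assumes easy-rsa 2.0, a make-cadir directory with an edited vars file,
# and that the script is run from inside that directory.
set -e

# build-ca, build-key-server and build-key are wrappers that call pkitool
# with --interact. Calling pkitool directly runs it in batch mode, so every
# subject field comes from the KEY_* variables in vars and nothing is asked.
build_batch_pki() {
    . ./vars                    # same as "source vars" in the post
    ./clean-all                 # rm -rf keys/ and reseed index.txt/serial; run once
    ./pkitool --initca          # keys/ca.key, keys/ca.crt
    ./pkitool --server server   # keys/server.{key,csr,crt} with nsCertType=server
    ./pkitool client1           # keys/client1.{key,csr,crt}, no server extension
}

# Read `openssl x509 -noout -text` output on stdin and print how easy-rsa's
# extensions mark the certificate: "ca" (CA:TRUE), "server" (Netscape Cert
# Type: SSL Server) or "client" (neither).
classify_cert_text() {
    awk '
        /CA:TRUE/            { ca = 1 }
        /Netscape Cert Type/ { getline; if ($0 ~ /SSL Server/) server = 1 }
        END {
            if (ca) print "ca"
            else if (server) print "server"
            else print "client"
        }'
}

cert_type() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Confirm that every issued certificate chains to keys/ca.crt and that each
# file carries the role it was built for. Returns 1 on the first mismatch.
# The "... : OK" line is checked explicitly because older openssl versions
# exit 0 even when verification fails.
check_issued() {
    for c in keys/server.crt keys/client1.crt; do
        openssl verify -CAfile keys/ca.crt "$c" | grep -q ': OK$' ||
            { echo "$c does not verify against keys/ca.crt" >&2; return 1; }
    done
    [ "$(cert_type keys/ca.crt)" = ca ] ||
        { echo "keys/ca.crt is not marked CA:TRUE" >&2; return 1; }
    [ "$(cert_type keys/server.crt)" = server ] ||
        { echo "keys/server.crt lacks Netscape Cert Type: SSL Server" >&2; return 1; }
    [ "$(cert_type keys/client1.crt)" = client ] ||
        { echo "keys/client1.crt must not carry the server cert type" >&2; return 1; }
    echo "CA, server and client certificates verified"
}

# Usage from inside the CA directory:  sh build_and_check.sh run
if [ "${1:-}" = run ]; then
    build_batch_pki
    check_issued
fi
```

Running pkitool directly is what makes the flow scriptable; the interactive build-* wrappers only add the prompts. The classification step reads the same extension block that the openssl x509 excerpt above shows, so it flags a certificate that was accidentally built with build-key instead of build-key-server before it is deployed.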
