Generating TLS Configuration Files with OpenSSL

Introduction

While building the communication module of an SDP project recently, I needed mutual TLS between the controller and the clients, which I implemented with keys and certificates generated by OpenSSL. This post records a simple way of using OpenSSL; by following it you can quickly generate key and certificate files that Netty can use.

Build steps

The environment used in this post is Ubuntu 22.04, which ships with OpenSSL; users on other platforms may need to install OpenSSL first. The steps are as follows:

  1. Generate the CA's private key ca.key and its self-signed certificate ca.crt, which are used to authenticate certificates in SSL/TLS communication; the self-signed certificate here is valid for 365 days, i.e. one year
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout ca.key -out ca.crt
  2. Generate the server's (i.e. the Controller's) private key server.key, certificate signing request server.csr and signed certificate server.crt
    # server.key is a 2048-bit RSA private key; the certificate is valid for 365 days
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
  3. Generate the client's (i.e. the Client's) private key client.key, certificate signing request client.csr and signed certificate client.crt
    # Same as above; the certificate is valid for 31 days
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -out client.csr
    openssl x509 -req -days 31 -in client.csr -CA ca.crt -CAkey ca.key -out client.crt
  4. Convert the keys to a format Netty can recognize
    openssl pkcs8 -topk8 -inform PEM -in server.key -outform PEM -nocrypt -out server_pkcs8.key
    openssl pkcs8 -topk8 -inform PEM -in client.key -outform PEM -nocrypt -out client_pkcs8.key
  5. *The CA can check the certificates with the following commands
    openssl verify -purpose sslserver -CAfile ca.crt server.crt
    openssl verify -purpose sslclient -CAfile ca.crt client.crt

At this point the following files are present in the current directory:

ca.key ca.crt ca.srl client.crt client.key client.csr client_pkcs8.key server.crt server.key server.csr server_pkcs8.key

The *_pkcs8.key files are the PKCS8 key format that Netty recognizes when TLS is configured.

Possible problems

  • When the CA signs a certificate, the message below appears. It means that a serial number for the generated certificate has to be provided when signing; running echo "01" > ca.srl before signing avoids the message
    $ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
    Signature ok
    subject=C = CN, ST = JiangSu, L = Nanjing, O = SEU, OU = CyberScience, CN = 6209, emailAddress = ShijieQ@outlook.com
    Getting CA Private Key
    ca.srl: No such file or directory
    139954133366592:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:crypto/evp/p_lib.c:93:
    139954133366592:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('ca.srl','r')
    139954133366592:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
  • After signing a certificate with the CA's self-signed certificate, the CA may be unable to verify it; check that the Common Name used when signing is not the same as the CA's
    $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout ca.key -out ca.crt
    Generating a RSA private key
    .++++
    ...................................................................++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:JiangSu
    Locality Name (eg, city) []:Nanjing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
    Organizational Unit Name (eg, section) []:XXXX
    Common Name (e.g. server FQDN or YOUR name) []:XXXX # this must not be the same as the controller's or the client's
    Email Address []:ShijieQ@outlook.com
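The five build steps and the two pitfalls above can be folded into one non-interactive script. The following is an added example written for this post, not the author's own script and not part of any project: it gives the CA, the controller and the client distinct Common Names via -subj (the second pitfall), lets openssl create ca.srl itself with -CAcreateserial instead of failing on the missing file (the first pitfall), and attaches explicit extensions to each leaf certificate so that openssl verify -purpose sslserver/sslclient, and later the TLS peers, have something to check. The output directory, the subject names (example-sdp-ca, controller.example.test, client.example.test) and the key sizes and validity periods mirror the post but are assumptions; the tiny req.cnf only exists so the script does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example for this post (not the author's script). Names, directory
# layout and validity periods are assumptions that follow the steps above.
set -eu

# Helper: 2048-bit RSA key, CSR and a CA-signed certificate with explicit
# extensions. $1=dir $2=file prefix $3=hostname/CN $4=EKU $5=validity days
issue_leaf() {
  dir=$1; name=$2; host=$3; eku=$4; days=$5
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  # -subj replaces the interactive DN prompts; each leaf gets its own CN.
  openssl req -new -key "$dir/$name.key" -config "$dir/req.cnf" \
    -subj "/CN=$host" -out "$dir/$name.csr"
  # Leaf extensions: not a CA, signature/encipherment only, one EKU, a SAN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
    "$eku" "$host" > "$dir/$name.ext"
  # -CAcreateserial creates ca.srl on first use, so no manual echo is needed.
  openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Steps 1-4 of the post, non-interactively, into directory $1.
gen_tls_bundle() {
  dir=$1
  mkdir -p "$dir"
  # Minimal req config: -subj supplies the DN, so the dn section stays empty.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"

  # Step 1: CA key and self-signed CA certificate, valid 365 days.
  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
    -config "$dir/req.cnf" -subj "/CN=example-sdp-ca" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Step 2: controller certificate, 365 days, usable as a TLS server.
  issue_leaf "$dir" server controller.example.test serverAuth 365
  # Step 3: client certificate, 31 days, usable as a TLS client.
  issue_leaf "$dir" client client.example.test clientAuth 31

  # Step 4: unencrypted PKCS#8 copies of both private keys for Netty.
  for name in server client; do
    openssl pkcs8 -topk8 -inform PEM -in "$dir/$name.key" \
      -outform PEM -nocrypt -out "$dir/${name}_pkcs8.key"
  done
}

# Step 5 plus one extra check: both leaves must chain to ca.crt for their
# intended purpose, and each PKCS#8 file must contain the same key as the
# PKCS#1 original (compared through the derived public key).
verify_bundle() {
  dir=$1
  openssl verify -purpose sslserver -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
  openssl verify -purpose sslclient -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null || return 1
  for name in server client; do
    [ "$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)" = \
      "$(openssl pkey -in "$dir/${name}_pkcs8.key" -pubout 2>/dev/null)" ] || return 1
  done
}

# Usage: sh gen_tls.sh <output-dir>
if [ "$#" -gt 0 ]; then
  gen_tls_bundle "$1"
  verify_bundle "$1" && echo "certificates in $1 verified against ca.crt"
fi
```

Run it as sh gen_tls.sh ./tls-out; the directory then holds the same eleven files the post lists. On the Netty side the controller uses server.crt with server_pkcs8.key as its own identity and ca.crt as its trust store (SslContextBuilder.forServer(...).trustManager(...).clientAuth(ClientAuth.REQUIRE)), and the client does the same with client.crt and client_pkcs8.key; the serverAuth/clientAuth EKUs and the SAN set here are what a strict peer checks beyond the signature, so keep the SAN equal to the hostname the client actually connects to.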

http://shijieq.github.io/2023/03/17/OpenSSL/使用OpenSSL生成TLS配置文件/
Author: ShijieQ
Posted on: March 17, 2023