easyrsa usage explained #19

zhouhaibing089 opened this issue Dec 9, 2016 · 0 comments
init-pki

$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /Users/haibzhou/Test/easyrsa/easy-rsa-master/easyrsa3/pki

This command creates a pki directory in the current location.

$ tree pki
pki
├── private
└── reqs

2 directories, 0 files

build-ca

Create the CA (Certificate Authority), that is, create a root certificate.

$ ./easyrsa --batch "--req-cn=example" build-ca nopass
Generating a 2048 bit RSA private key
................................................................................................................+++
...............+++
writing new private key to '/Users/haibzhou/Test/easyrsa/easy-rsa-master/easyrsa3/pki/private/ca.key'
-----

--batch means the whole thing is done in one go, without prompting the user interactively; all options are passed as arguments, for example the --req-cn=example we gave sets the Common Name of the root certificate. nopass means the generated private key is not encrypted.

After this step, some new files appear in the directory.

$ tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── issued
├── private
│   └── ca.key
├── reqs
└── serial

4 directories, 4 files

ca.crt is the root certificate we just created; with cfssl we can look at its details.

$ cfssl certinfo -cert pki/ca.crt
{
  "subject": {
    "common_name": "example",
    "names": [
      "example"
    ]
  },
  "issuer": {
    "common_name": "example",
    "names": [
      "example"
    ]
  },
  "serial_number": "11049474115556817455",
  "not_before": "2016-12-09T05:59:07Z",
  "not_after": "2026-12-07T05:59:07Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "9:7B:D4:29:60:20:AC:A:1A:3B:1D:1:18:CD:33:64:1F:13:1D:9C",
  "subject_key_id": "9:7B:D4:29:60:20:AC:A:1A:3B:1D:1:18:CD:33:64:1F:13:1D:9C",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDKDCCAhCgAwIBAgIJAJlXnipcozovMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV\nBAMMB2V4YW1wbGUwHhcNMTYxMjA5MDU1OTA3WhcNMjYxMjA3MDU1OTA3WjASMRAw\nDgYDVQQDDAdleGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nuaGoJSPMhfuCIG50zAwElayr8IdCpY06kSRxP739pk0m20eGbMsKExOTPEUIiZec\nJaY4gz9/PurGyuAdSb9JmmeOoRZEKQum8NvjTPDXseARUGkpeJSeH+sMBnpbh/5G\nN9aUIfhM2CIcpxTHqAI581RQKUVC0hPtBG0HbghA9LbR30Cj0jNj03E0v4E8yVY5\nxmmW8/fKKT8rr1uhR+LhyWYHh7aybUYfSXUEMqYIHnqraY7oLI0lx/t36OS3fbn1\nR55dmPG0wCSUIEw0vOqR8zFq3vZS+VptVrgCD4ZwA3kejXTQUkJeM5KiE8WonAkA\nW4coVB/CLjvKJ+/efnclqwIDAQABo4GAMH4wHQYDVR0OBBYEFAl71ClgIKwKGjsd\nARjNM2QfEx2cMEIGA1UdIwQ7MDmAFAl71ClgIKwKGjsdARjNM2QfEx2coRakFDAS\nMRAwDgYDVQQDDAdleGFtcGxlggkAmVeeKlyjOi8wDAYDVR0TBAUwAwEB/zALBgNV\nHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAEIm1oyPJKjnffV8vm0c/Lo/HvX4\neLv2jtjuK3u5rbpoWZNiLWsbdnAkQrR0i+DvgW+t3SYXCpOVVVGMmo4o8+5RqwmC\n7w050yg+yHS6Drk+0USRBUROTiJe3jr6nvDAfGns6cBA00pnB0DtV8ZqnsrKIczW\nWaFsKthoLLU58cNwFDqVOIocUT4RTMe3xQk77m+7KPNH+c6Uv0ycWuzHjNgu5bdL\n5uIKyKIJy/cJKUJrLFSE1edQvosUeiIho8OAtcpGHjzJwIiADLjnJiQsr2+Kgfyn\n/DG58BV0a0nPBnl0Po2ehhOT8XM8Zf5ZV036biYwso1Ox/pxZTE2e8AzmUo=\n-----END CERTIFICATE-----\n"
}

ca.key is the private key used when generating the root certificate; normally this file is extremely sensitive. Every certificate we issue later depends on this file.

build-server-full

Now we use the CA we just generated to issue a new certificate.

$ ./easyrsa --subject-alt-name="DNS:1.domain.com,DNS:2.domain.com,DNS:3.domain.com,IP:192.168.0.1" build-server-full domain nopass
Generating a 2048 bit RSA private key
.........+++
.........................+++
writing new private key to '/Users/haibzhou/Test/easyrsa/easy-rsa-master/easyrsa3/pki/private/domain.key'
-----
Using configuration from /Users/haibzhou/Test/easyrsa/easy-rsa-master/easyrsa3/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'domain'
Certificate is to be certified until Dec  7 06:08:28 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

The command above mainly specifies the SAN, i.e. the subject alternative name, which lists other names the certificate is valid for in addition to the CN; an entry can be a DNS name or an IP address. Now let's look at which files have been added.

$ tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── 01.pem
├── index.txt
├── index.txt.attr
├── index.txt.old
├── issued
│   └── domain.crt
├── private
│   ├── ca.key
│   └── domain.key
├── reqs
│   └── domain.req
├── serial
└── serial.old

4 directories, 11 files

As you can see, quite a few files were added; the ones we care about most are pki/issued/domain.crt and pki/private/domain.key: the first is the issued certificate, the second is the private key it uses. As before, we can use cfssl to inspect the certificate we obtained.

$ cfssl certinfo -cert pki/issued/domain.crt
{
  "subject": {
    "common_name": "domain",
    "names": [
      "domain"
    ]
  },
  "issuer": {
    "common_name": "example",
    "names": [
      "example"
    ]
  },
  "serial_number": "1",
  "sans": [
    "1.domain.com",
    "2.domain.com",
    "3.domain.com",
    "192.168.0.1"
  ],
  "not_before": "2016-12-09T06:08:28Z",
  "not_after": "2026-12-07T06:08:28Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "9:7B:D4:29:60:20:AC:A:1A:3B:1D:1:18:CD:33:64:1F:13:1D:9C",
  "subject_key_id": "4A:95:D2:5:67:B3:59:25:7D:60:D1:CE:AB:DB:54:67:38:F3:26:EB",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDbTCCAlWgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdleGFt\ncGxlMB4XDTE2MTIwOTA2MDgyOFoXDTI2MTIwNzA2MDgyOFowETEPMA0GA1UEAwwG\nZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4zt4BFBpEAyv\nFsdfKnqhjAERg8/++Ao1Eqv6JZQVkdnq9hRTWAnzlYB9q4D3YhYSEb1DmkYaNAEO\nQUSEiVvwDGerYqIloHMXbK/0/prEUBxyLniy/CalAg25bpt2vl6G2MOC+ZexLoBt\n6drAfHb2L1l601ZvcwkkSK+Yob0yZdiMn7Yj5e9MfNJ74avj0wAsPNPcMFLiszD0\nZzz4kUJLZ71PWQoPrYzIiADbOVgIN44MI6hQtyXRcq2fhRenrbV++zAQTqEuSRyC\n3t+sCDPCZWJ3Z1qo582bukcEkKbgNAiCtq2SWQUN5qlDORC2y3n30HIx1P/TuZtg\n5kQCOdQ3cwIDAQABo4HOMIHLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFEqV0gVns1kl\nfWDRzqvbVGc48ybrMEIGA1UdIwQ7MDmAFAl71ClgIKwKGjsdARjNM2QfEx2coRak\nFDASMRAwDgYDVQQDDAdleGFtcGxlggkAmVeeKlyjOi8wEwYDVR0lBAwwCgYIKwYB\nBQUHAwEwCwYDVR0PBAQDAgWgMDkGA1UdEQQyMDCCDDEuZG9tYWluLmNvbYIMMi5k\nb21haW4uY29tggwzLmRvbWFpbi5jb22HBMCoAAEwDQYJKoZIhvcNAQELBQADggEB\nAFTcxTYBFaEZzGv1Ev1KQX/CFX1wcl0nCeqZa8BqCN7frv/15uhr1KjXo7LRjp0r\nqEI6DzO7OAork9+K3UHswArr5vc/JyvK8CjKekkzzuozvxaNwOOyRTtV+PkGgGit\n9+4kq9RdkYsIBYxMTxjWt0+4d2khw7GyIl4GA2+616sxU2/+AYCstTiTi2n046zu\nVYzD2o0gxoAXBVRu/+qxWSBNX1NOG5YZEos5njAiWqrUM0FpjZyMUMHb17P/zFPX\nDiGymXklnL3yRGkYyJTRtfetkXQWH0ufZskbn7T9Yhb6TDre/F+iK9g8Q/zUPcjs\nONQu4m9VzT+wvL/UZq2eqkU=\n-----END CERTIFICATE-----\n"
}

Going through it briefly: the issuer is the common name of the CA we created earlier, the subject is the domain we specified, and the SANs include everything we specified earlier.
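The comparison the walkthrough does by eye on the two cfssl outputs (issuer CN, AKID against SKID, SANs, validity window), as an added Python example that is not part of the original post. It reads the same JSON fields cfssl certinfo prints; the sample data is copied from the output above and trimmed, and the validity check additionally shows that this leaf outlives its CA by a few minutes, because both were issued for 3650 days and the CA was created first.

```python
import json
from datetime import datetime, timezone
# Constructed samples: the `cfssl certinfo` output shown above for pki/ca.crt and
# pki/issued/domain.crt, trimmed to the fields this check reads ("names" and "pem" dropped).
CA_INFO = json.loads("""{
  "subject": {"common_name": "example"}, "issuer": {"common_name": "example"},
  "serial_number": "11049474115556817455",
  "not_before": "2016-12-09T05:59:07Z", "not_after": "2026-12-07T05:59:07Z",
  "authority_key_id": "9:7B:D4:29:60:20:AC:A:1A:3B:1D:1:18:CD:33:64:1F:13:1D:9C",
  "subject_key_id": "9:7B:D4:29:60:20:AC:A:1A:3B:1D:1:18:CD:33:64:1F:13:1D:9C"
}""")
LEAF_INFO = json.loads("""{
  "subject": {"common_name": "domain"}, "issuer": {"common_name": "example"},
  "serial_number": "1",
  "sans": ["1.domain.com", "2.domain.com", "3.domain.com", "192.168.0.1"],
  "not_before": "2016-12-09T06:08:28Z", "not_after": "2026-12-07T06:08:28Z",
  "authority_key_id": "9:7B:D4:29:60:20:AC:A:1A:3B:1D:1:18:CD:33:64:1F:13:1D:9C",
  "subject_key_id": "4A:95:D2:5:67:B3:59:25:7D:60:D1:CE:AB:DB:54:67:38:F3:26:EB"
}""")

def parse_san_option(value):
    """Split an easyrsa --subject-alt-name value ("DNS:a,IP:1.2.3.4") into the
    bare names cfssl lists under "sans"; the DNS:/IP: type prefix is dropped."""
    return [entry.split(":", 1)[1] for entry in value.split(",") if entry]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_issued_cert(ca, leaf, requested_sans):
    """Compare an issued certificate against its CA and the SANs that were requested.
    Returns a list of findings; an empty list means everything is consistent."""
    findings = []
    if leaf["issuer"]["common_name"] != ca["subject"]["common_name"]:
        findings.append("issuer CN does not match CA subject CN")
    # Path building follows AKID -> SKID, not names, so this is the check that matters.
    if leaf["authority_key_id"] != ca["subject_key_id"]:
        findings.append("leaf AKID does not match CA SKID")
    missing = sorted(set(requested_sans) - set(leaf.get("sans", [])))
    if missing:
        findings.append("requested SANs missing: " + ", ".join(missing))
    if _ts(leaf["not_before"]) < _ts(ca["not_before"]):
        findings.append("leaf valid before CA")
    if _ts(leaf["not_after"]) > _ts(ca["not_after"]):
        findings.append("leaf expires after its CA")
    return findings

REQUESTED_SANS = parse_san_option("DNS:1.domain.com,DNS:2.domain.com,DNS:3.domain.com,IP:192.168.0.1")

if __name__ == "__main__":
    print(check_issued_cert(CA_INFO, LEAF_INFO, REQUESTED_SANS))  # ['leaf expires after its CA']
```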
