自建 CA

我们可以使用 cfssl 来进行自建 CA 。

  1. 下载

  2. 编写配置文件 ca-config.json 

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
    {
    "signing": {
      "default": {
        "expiry": "8760h"
      },
      "profiles": {
        "www": {
          "expiry": "8760h",
          "usages": ["signing", "key encipherment", "server auth", "client auth"]
        }
      }
    }
}

  3. 编写请求文件 ca-csr.json 

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    {
    "CN": "HCC NSO - CA T1",
    "key": {
      "algo": "rsa",
      "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "QD",
        "L": "HCCPDC",
        "O": "HCCPDC NSO",
        "OU": "HCCPDC NSO"
      }
    ]
}

  4. 自签证书 ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca

  5. 使用自建 CA 进行签发证书

写了一个脚本来实现,本质一样是生成 CSR 然后签发证书

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import os, json
BASE_DIR = "/cert/"
domain = ["lzh","lzh"]
names = {
    "C": "CN",
    "ST": "SD",
    "L": "QD",
    "O": "qdzx",
    "OU": "IT Department"
}
os.mkdir(BASE_DIR + "cert/" + domain[0])
with open(f"/cert/cert/{domain[0]}/csr.json","w+") as fp:
    fp.write(json.dumps({
        "CN": domain[0],
        "hosts": domain,
        "key": {
          "algo": "rsa",
          "size": 2048
        },
        "names": [
            names
        ]
      }
  ))
os.system(f"/cert/cfssl gencert -ca=/cert/ca.pem -ca-key=/cert/ca-key.pem -config=/cert/ca-config.json -profile=www /cert/cert/{domain[0]}/csr.json | ./cfssljson -bare /cert/cert/{domain[0]}/{domain[0]}")