I think I have the right OpenSSL command to sign a certificate but I've gotten stuck and the tutorials I've found use a different argument format (I'm using OpenSSL 0.9.8o 01 Jun 2010).
openssl ca -cert cert.pem -keyfile key.pem
(Private key is not encrypted and CSR is on stdin.)
It gives this error
Using configuration from /usr/lib/ssl/openssl.cnf
./demoCA/index.txt: No such file or directory
unable to open './demoCA/index.txt'
Looking at that configuration file:
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
I don't have any of this set up. I don't want to set any of this up.
Is it strictly necessary, or is there a "don't bother" option?
I tried creating empty directories and files but I've got in a tangle. What I really want is for a command like the above to work, with the output on stdout, without touching anything on the filesystem.
I don't know of any "don't bother" options, but here is how you can setup a quick demo CA:
#!/bin/bash
CAROOT=/path/to/ca
mkdir -p ${CAROOT}/ca.db.certs # Signed certificates storage
touch ${CAROOT}/ca.db.index # Index of signed certificates
echo 01 > ${CAROOT}/ca.db.serial # Next (sequential) serial number
# Configuration
cat>${CAROOT}/ca.conf<<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = REPLACE_LATER
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256 # MD5 is broken for signatures; SHA-256 is supported by 0.9.8
preserve = no
policy = generic_policy
[ generic_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
sed -i "s|REPLACE_LATER|${CAROOT}|" ${CAROOT}/ca.conf
cd ${CAROOT}
# Generate CA private key
openssl genrsa -out ca.key 2048 # 1024-bit RSA is too weak for a CA key
# Create Certificate Signing Request
openssl req -new -key ca.key \
-out ca.csr
# Create self-signed certificate
openssl x509 -req -days 10000 \
-in ca.csr \
-out ca.crt \
-signkey ca.key
Now you can generate and sign keys:
# Create private/public key pair
openssl genrsa -out server.key 2048
# Create Certificate Signing Request
openssl req -new -key server.key \
-out server.csr
# Sign the CSR with the CA (updates the index and serial files)
openssl ca -config ${CAROOT}/ca.conf \
-in server.csr \
-cert ${CAROOT}/ca.crt \
-keyfile ${CAROOT}/ca.key \
-out server.crt
Rather than using the ca option, try the x509 option with -req. You would add -CAfile to point to your authority. This will sign your certificate without adding entries to the index. There is more about using x509 as a "mini CA" here.
Based on snow6oy's answer, here's what I did:
openssl x509 -req -CA CACert.pem -CAkey CAKey.pem -CAcreateserial -in YourCSR.csr -out YourCert.pem
A couple of optional flags that may be useful:
-days 1095 (the default is 30 days)
-sha256 (RHEL 7 defaults to SHA-1)
And options like -sha256 and -days 1095 are not necessary.
openssl x509 -req -in YOUR_CSR.csr -CA YOUR_CA.pem -CAkey YOUR_CA_KEY.pem -CAcreateserial -out YOUR_WANTED.crt
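To turn the x509 -req approach from the answers above into a complete, checkable run, here is an added example (my own, not code from any of the answers): it builds a throwaway CA whose certificate actually carries CA:TRUE, creates a server key and CSR, signs the CSR with openssl x509 -req, and then verifies the result the way a relying party would. It differs from the one-liners above in two deliberate ways: -set_serial replaces -CAcreateserial, so no .srl file is written next to the CA certificate (closer to the question's "without touching anything" wish than the index-file setup in the first answer), and -extfile is used because x509 -req does not copy extensions from the CSR. Every name here (Demo Test CA, server.example.test, the temp directory) is constructed for the demo; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example: sign a CSR with `openssl x509 -req` and no CA database,
# then verify the issued certificate. Not from the question or answers.
# Assumes only an `openssl` binary on PATH; all names are constructed.
set -eu

# Build a minimal CA (key + self-signed cert with CA:TRUE) in directory $1.
make_demo_ca() {
    dir=$1
    # Self-contained req config so no system openssl.cnf is required.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = Demo Test CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -days 3650 -sha256 -out "$dir/ca.crt"
}

# Create a server key and a CSR for hostname $2 in directory $1.
make_csr() {
    dir=$1; host=$2
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' \
        "$host" > "$dir/server.cnf"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/server.cnf" -key "$dir/server.key" \
        -out "$dir/server.csr"
}

# Sign $1/server.csr with the CA in $1. -set_serial replaces -CAcreateserial,
# so no .srl file is written; the 128-bit random serial keeps it unique.
# x509 -req ignores CSR extensions, so -extfile supplies the leaf extensions.
sign_csr() {
    dir=$1; host=$2
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial "0x$(openssl rand -hex 16)" \
        -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# The checks a relying party cares about: chain validates against the CA,
# the SAN is present, and the leaf is not itself a CA. Returns 0 on success.
verify_leaf() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" &&
    ! openssl x509 -in "$dir/server.crt" -noout -text | grep -q "CA:TRUE"
}

demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir"
make_csr "$demo_dir" server.example.test
sign_csr "$demo_dir" server.example.test
verify_leaf "$demo_dir" server.example.test
echo "server.crt verified against ca.crt in $demo_dir"
```

Serial uniqueness is the one job the index and .srl files were doing; with -set_serial that responsibility moves to whoever generates the serial, which is why the example draws fresh random bits per certificate instead of counting from 01. Without -extfile the issued certificate would have no subjectAltName and would still be usable for openssl verify, but current TLS clients reject certificates that match only on CN, so the verify_leaf check greps for the SAN rather than trusting the exit status alone.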
Source: https://stackoverflow.com/questions/7768593/openssl-as-a-ca-without-touching-the-certs-crl-index-etc-environment