GmSSL SM2 (Chinese national cryptographic standard) certificate generation: multi-level CA certificates, SM2 encryption certificates and SM2 signature certificates

Configure the prerequisite environment (the CA directory layout that OpenSSL's ca command expects):

mkdir demoCA
cd demoCA
mkdir certs crl newcerts private
touch index.txt
touch index.txt.attr
echo "01" > serial

index.txt: the text database, defined by OpenSSL, of the certificates this CA has issued. It is empty at initialization; gmssl ca appends a line for every certificate it signs.

serial: the serial-number file consulted when a certificate is issued. It holds the next serial number in hexadecimal (an even number of hex digits, "01" here) and is advanced after every certificate. The file must exist and contain a valid number, otherwise gmssl ca refuses to issue.

Note: if gmssl is installed under /usr/local/gmssl/ and its bin directory is not on the PATH, call it with the full path, for example:

/usr/local/gmssl/bin/gmssl version

Modify the dir value in the "[ CA_default ]" section of the configuration file /usr/local/gmssl/openssl.cnf:

[ CA_default ]

dir             = ../demoCA             # Where everything is kept  (changed from "./demoCA" to "../demoCA")

dir is resolved relative to the directory from which gmssl ca is started. The commands below are run from inside demoCA, so "../demoCA" points back at demoCA itself, where index.txt, serial and newcerts/ live.

Root certificate (self-signed; SM2 key, SM3 digest)

gmssl ecparam -genkey -name sm2p256v1 -out Root.key

gmssl req -x509 -sm3 -days 3650 -key Root.key -out RootCA.crt

Intermediate CA certificate (issued by the root)

gmssl ecparam -genkey -name sm2p256v1 -out ca.key

gmssl req  -new -sm3 -extensions v3_req -key ca.key -out ca.csr

gmssl ca -md sm3 -extensions v3_ca -in ca.csr -out ca.crt -days 1850 -cert RootCA.crt -keyfile Root.key

The -extensions option on req only affects self-signed -x509 output (request extensions come from -reqexts), and gmssl ca ignores request extensions unless copy_extensions is set in the config. The CA extensions of ca.crt (basicConstraints CA:TRUE from the v3_ca section) therefore come from -extensions v3_ca on the ca command, which is the one that matters.

Next-level CA certificate (issued by the intermediate CA ca.crt)

gmssl ecparam -genkey -name sm2p256v1 -out ca2.key

gmssl req  -new -sm3 -extensions v3_req -key ca2.key -out ca2.csr

gmssl ca -md sm3 -extensions v3_ca -in ca2.csr -out ca2.crt -days 1850 -cert ca.crt -keyfile ca.key

Use the intermediate CA certificate to issue a user (end-entity) certificate

gmssl ecparam -genkey -name sm2p256v1 -text -out user.key

gmssl req -new -key user.key -out user.req 

gmssl ca -md sm3  -in user.req -out user.crt -days 365 -cert ca.crt -keyfile ca.key

Two details: -text on ecparam also writes a human-readable dump of the curve parameters into user.key next to the PEM block (parsers skip it, but drop -text for a clean key file), and this req has no -sm3, so the request is self-signed with the config's default_md; pass -sm3 as in the CA requests if that default is not sm3. The issued certificate is signed with SM3 either way because of -md sm3 on the ca command.

Convert the user certificate to PFX (PKCS#12) format

gmssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt

pkcs12 -export prompts for an export password that protects the private key in the bundle; add -certfile with the issuing CA certificates if the PFX should carry the chain as well.

Configuring the encryption and signing certificate properties:

Modify the keyUsage value in the "[ usr_cert ]" section of the configuration file openssl.cnf. Only one of the three lines is active at a time; the other two stay commented out:

# This is typical in keyUsage for a client certificate.
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# keyUsage = digitalSignature
# keyUsage = keyEncipherment

keyUsage = nonRepudiation, digitalSignature, keyEncipherment: the extension carries digitalSignature, nonRepudiation and keyEncipherment (key-usage bit string 0xE0, bits 0, 1 and 2 set). The certificate can be used both for encryption and for signing.
keyUsage = digitalSignature: the extension carries only digitalSignature; the certificate has no encryption function and can only be used for signing.
keyUsage = keyEncipherment: the extension carries only keyEncipherment; the certificate has no signing function and can only be used for encryption.

In the SM2 dual-certificate scheme a subject holds a signing certificate and an encryption certificate issued for two different key pairs, so generate a fresh key and request before issuing the encryption certificate rather than reusing user.key for both.
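The whole procedure above (root CA, two CA levels, user certificates, PFX export) together with the keyUsage split into separate signing and encryption certificates, as one added example script; it is not code from the original post. It assumes GmSSL 2.x (gmssl on the PATH or named in $GMSSL) and writes its own minimal config into demoCA instead of editing /usr/local/gmssl/openssl.cnf; all file names, subjects, the demo PFX password and the gmca.cnf name are assumptions. It differs from the post in that the user certificates are issued by the second-level CA (ca2), that CA gets pathlen:0 so it cannot issue further CAs, the signing and encryption certificates use two key pairs and two extension sections selected with -extensions, and each certificate is verified against the chain at the end. The keyusage_byte helper is pure shell and reproduces the 0xE0 value quoted above from the usage names.

```shell
#!/bin/sh
# Added example (not from the original post): root -> ca -> ca2 -> user chain
# with separate SM2 signing and encryption certificates. GmSSL 2.x is assumed.
set -eu
GMSSL="${GMSSL:-gmssl}"                 # assumption: GmSSL 2.x binary
export CA_DIR="${CA_DIR:-./demoCA}"     # the config reads it via $ENV::CA_DIR
CNF="$CA_DIR/gmca.cnf"                  # assumed name of the generated config
# First byte of the DER KeyUsage BIT STRING for a comma-separated list of usage
# names (RFC 5280 bit order: digitalSignature = bit 0 = 0x80). Needs no gmssl.
keyusage_byte() {
    v=0
    for u in $(printf '%s' "$1" | tr ',' ' '); do
        case "$u" in
            digitalSignature) v=$((v|128));; nonRepudiation)   v=$((v|64));;
            keyEncipherment)  v=$((v|32));;  dataEncipherment) v=$((v|16));;
            keyAgreement)     v=$((v|8));;   keyCertSign)      v=$((v|4));;
            cRLSign)          v=$((v|2));;   encipherOnly)     v=$((v|1));;
            *) echo "unknown keyUsage name: $u" >&2; return 1;;
        esac
    done
    printf '%02X\n' "$v"
}
# Initialise the CA directory (same layout as the post) and write a minimal config.
write_config() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    [ -f "$CA_DIR/serial" ] || { : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; }
    cat > "$CNF" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ENV::CA_DIR
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
unique_subject  = no
default_md      = sm3
policy          = policy_loose
[ policy_loose ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_sub_ca ]
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ sm2_sign_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
[ sm2_enc_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, keyEncipherment, dataEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}
genkey() { "$GMSSL" ecparam -genkey -name sm2p256v1 -noout -out "$1"; }
csr()    { "$GMSSL" req -config "$CNF" -new -sm3 -key "$1" -subj "$2" -out "$3"; }
# issue CSR EXT_SECTION DAYS SIGNER OUT   (signer = path prefix of SIGNER.key / SIGNER.crt)
issue()  { "$GMSSL" ca -config "$CNF" -batch -notext -md sm3 -extensions "$2" -days "$3" \
               -cert "$4.crt" -keyfile "$4.key" -in "$1" -out "$5"; }
build_chain() {
    write_config
    D="$CA_DIR"
    genkey "$D/root.key"
    "$GMSSL" req -config "$CNF" -x509 -sm3 -days 3650 -extensions v3_ca \
        -key "$D/root.key" -subj "/C=CN/O=Demo/CN=Demo SM2 Root CA" -out "$D/root.crt"
    genkey "$D/ca.key";  csr "$D/ca.key"  "/C=CN/O=Demo/CN=Demo SM2 CA"     "$D/ca.csr"
    issue "$D/ca.csr"  v3_ca     1850 "$D/root" "$D/ca.crt"
    genkey "$D/ca2.key"; csr "$D/ca2.key" "/C=CN/O=Demo/CN=Demo SM2 Sub CA" "$D/ca2.csr"
    issue "$D/ca2.csr" v3_sub_ca 1850 "$D/ca"   "$D/ca2.crt"
    # SM2 dual certificates: one key pair per certificate, never shared.
    genkey "$D/user_sign.key"; csr "$D/user_sign.key" "/C=CN/O=Demo/CN=alice" "$D/user_sign.csr"
    issue "$D/user_sign.csr" sm2_sign_cert 365 "$D/ca2" "$D/user_sign.crt"
    genkey "$D/user_enc.key";  csr "$D/user_enc.key"  "/C=CN/O=Demo/CN=alice" "$D/user_enc.csr"
    issue "$D/user_enc.csr"  sm2_enc_cert  365 "$D/ca2" "$D/user_enc.crt"
    # Verify each end-entity certificate up to the root and show its key usage.
    cat "$D/ca.crt" "$D/ca2.crt" > "$D/chain.pem"
    for c in user_sign user_enc; do
        "$GMSSL" verify -CAfile "$D/root.crt" -untrusted "$D/chain.pem" "$D/$c.crt"
        "$GMSSL" x509 -in "$D/$c.crt" -noout -text | grep -A1 'X509v3 Key Usage'
    done
    "$GMSSL" pkcs12 -export -in "$D/user_sign.crt" -inkey "$D/user_sign.key" -certfile "$D/chain.pem" \
        -passout "pass:${PFX_PASS:-changeit}" -out "$D/user_sign.pfx"   # demo password, an assumption
}
if [ "${1:-}" = run ]; then build_chain; fi
```

Run it as `sh build_sm2_chain.sh run`; without the argument only the helpers are defined, so the script can be sourced or checked on a machine without gmssl. As in the post, all three CAs share one index.txt and serial inside demoCA, which keeps serial numbers unique across the chain but mixes the issuers' records; a production deployment keeps a separate database per CA.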

Tags: Linux OpenSSL Database Attribute

Posted on Wed, 29 Apr 2020 08:19:08 -0700 by Thatsmej