国密双证书双向认证实践
生成证书
Generate CA Certificate
# Issue the root CA certificate.
# In this listing a '##' line names a step and the '###' lines under it are the commands for that step.
## prepare: create the CA working tree and seed the CRL-number and serial files with 00
## (the {a,b} brace lists need a shell with brace expansion, e.g. bash)
### mkdir -p certs/ca
### mkdir certs/ca/{newcerts,db,private,crl}
### touch certs/ca/crl/crlnumber
### echo 00 > certs/ca/crl/crlnumber
### touch certs/ca/db/{index,serial}
### echo 00 > certs/ca/db/serial
## ca.cnf file (contents elided here; the full file is listed under "ca.cnf file"):
### ... ...
## Generate the SM2 private key
## NOTE(review): no cipher option is given, so the root key is written without a passphrase, and it lands in
## certs/ca/ rather than the private/ directory created above - confirm the file is readable only by the CA operator.
### tongsuo genpkey -algorithm ec -out certs/ca/sm2.key -pkeyopt ec_paramgen_curve:sm2
## Generate the CSR from that key, using the SM3 digest (-sm3)
### tongsuo req -batch -config certs/ca/ca.cnf -key certs/ca/sm2.key -new -nodes -out certs/ca/sm2.csr -sm3 -subj "/C=AB/ST=CD/L=EF/O=GH/OU=IJ/CN=CA SM2"
## Self-sign the CA certificate: v3_ca extensions, SM3 digest, 365-day validity
### tongsuo ca -batch -config certs/ca/ca.cnf -days 365 -extensions v3_ca -in certs/ca/sm2.csr -keyfile certs/ca/sm2.key -md sm3 -notext -out certs/ca/sm2.crt -selfsign
ca.cnf file
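# ca.cnf - OpenSSL-format configuration passed with -config to `tongsuo req` and
# `tongsuo ca` when the self-signed root CA of this walkthrough is created.
# Every section header and every comment sits on its own line.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir = ./certs/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/db/index
unique_subject = no
serial = $dir/db/serial
RANDFILE = $dir/private/random

# The root key and root certificate.
# NOTE(review): the walkthrough writes the root key and certificate to
# $dir/sm2.key and $dir/sm2.crt and names the key with -keyfile, so these two
# defaults do not point at the files it creates - confirm or align them.
private_key = $dir/ca.key
certificate = $dir/ca.crt

# For certificate revocation lists.
crlnumber = $dir/crl/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
# The walkthrough passes -md sm3 on the `ca` command line, which takes
# precedence over this default; without that flag the digest would be SHA-256
# rather than SM3.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# default_bits only matters when `req` generates a key itself; the walkthrough
# supplies an existing SM2 key with -key.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
# The walkthrough overrides this with -sm3 on the `req` command line.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca

req_extensions = v3_req

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = optional
stateOrProvinceName = optional
localityName = optional
0.organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

# Optionally, specify some defaults.
countryName_default =
stateOrProvinceName_default =
localityName_default =
0.organizationName_default =
#organizationalUnitName_default =
#emailAddress_default =

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# pathlen:0 means a CA holding this certificate can issue end-entity
# certificates but no further CA certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always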
Generate SubCA Certificate
# Issue the intermediate (sub-CA) certificate.
# In this listing a '##' line names a step and the '###' lines under it are the commands for that step.
## prepare: create the sub-CA working tree and seed the CRL-number and serial files with 00
### mkdir -p certs/subca
### mkdir certs/subca/{newcerts,db,private,crl}
### touch certs/subca/crl/crlnumber
### echo 00 > certs/subca/crl/crlnumber
### touch certs/subca/db/{index,serial}
### echo 00 > certs/subca/db/serial
## ca.cnf file (contents elided here; the commands below read certs/subca/subca.cnf, listed under "subca.cnf file"):
### ... ...
## Generate the SM2 private key
## NOTE(review): no cipher option is given, so the sub-CA key is written without a passphrase - confirm the file
## is readable only by the CA operator.
### tongsuo genpkey -algorithm "ec" -out certs/subca/sm2.key -pkeyopt ec_paramgen_curve:sm2
## Generate the CSR from that key, using the SM3 digest (-sm3)
### tongsuo req -batch -config certs/subca/subca.cnf -key certs/subca/sm2.key -new -nodes -out certs/subca/sm2.csr -sm3 -subj "/C=AB/ST=CD/L=EF/O=GH/OU=IJ/CN=SUBCA SM2"
## Sign the intermediate CA certificate with the root CA (-cert/-keyfile name the root's certificate and key)
## NOTE(review): -config points at subca.cnf, whose dir is ./certs/subca, so this root-CA issuance is recorded in
## certs/subca/db/index and takes its serial from certs/subca/db/serial instead of the root's own database.
## Both serial files are seeded with 00, so the root certificate and this sub-CA certificate presumably end up
## with the same serial number under the same issuer - verify, and consider keeping root issuance in certs/ca.
### tongsuo ca -batch -cert certs/ca/sm2.crt -config certs/subca/subca.cnf -days 365 -extensions "v3_intermediate_ca" -in certs/subca/sm2.csr -keyfile certs/ca/sm2.key -md sm3 -notext -out certs/subca/sm2.crt
subca.cnf file
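# subca.cnf - OpenSSL-format configuration passed with -config to `tongsuo req`
# and `tongsuo ca` for the intermediate CA and for the server signing and
# encryption certificates it issues in this walkthrough.
# Every section header and every comment sits on its own line.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir = ./certs/subca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/db/index
unique_subject = no
serial = $dir/db/serial
RANDFILE = $dir/private/random

# The signing key and certificate used when -keyfile / -cert are not given.
# NOTE(review): the walkthrough writes the sub-CA key and certificate to
# $dir/sm2.key and $dir/sm2.crt and always passes -keyfile and -cert, so these
# two defaults do not point at the files it creates - confirm or align them.
private_key = $dir/ca.key
certificate = $dir/ca.crt

# For certificate revocation lists.
crlnumber = $dir/crl/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30

# SHA-1 is deprecated, so use SHA-2 instead.
# The walkthrough passes -md sm3 on every `ca` command line, which takes
# precedence over this default; without that flag the digest would be SHA-256
# rather than SM3.
default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Options for the `req` tool (`man req`).
# default_bits only matters when `req` generates a key itself; the walkthrough
# supplies an existing SM2 key with -key.
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
# The walkthrough overrides this with -sm3 on the `req` command line.
default_md = sha256

# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
req_extensions = v3_req

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = optional
stateOrProvinceName = optional
localityName = optional
0.organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

# Optionally, specify some defaults.
countryName_default =
stateOrProvinceName_default =
localityName_default =
0.organizationName_default =
#organizationalUnitName_default =
#emailAddress_default =

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# Names placed in the subjectAltName of every section that uses @alt_names.
DNS.1 = localhost
DNS.2 = localhost.localdomain
# 127.0.0.1 is an IP address, so it is listed as an iPAddress entry (IP.n);
# clients that verify an IP literal do not match it against dNSName entries.
IP.1 = 127.0.0.1

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# pathlen:0 means a CA holding this certificate can issue end-entity
# certificates but no further CA certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ client_cert ]
# Extensions for client certificates (`man x509v3_config`).
# nsCertType and nsComment are legacy Netscape extensions; certificate usage is
# governed by keyUsage and extendedKeyUsage.
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Tongsuo Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ server_sign_req ]
# Extensions for the server's SM2 signing certificate; selected at issuance
# with `tongsuo ca -extensions server_sign_req`. Signature usages only.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Tongsuo Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ server_enc_req ]
# Extensions for the server's SM2 encryption certificate; selected at issuance
# with `tongsuo ca -extensions server_enc_req`. Key-exchange and encryption
# usages only.
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "Tongsuo Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = keyAgreement, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier = keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning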
End-Entity Certificate
# Issue the server's dual certificates (one SM2 signing certificate, one SM2 encryption certificate).
# In this listing a '##' line names a step and the '###' lines under it are the commands for that step.
## prepare
### mkdir certs/server
## ca.cnf file (contents elided here; the commands below read certs/subca/subca.cnf):
### ... ...
## Issue the SM2 signing certificate:
## Generate the SM2 private key
## NOTE(review): no cipher option is given, so both server keys in this listing are written without a
## passphrase - confirm the files are readable only by the account that runs the server.
### tongsuo genpkey -algorithm ec -out certs/server/sm2_sign.key -pkeyopt "ec_paramgen_curve:sm2"
## Generate the CSR, using the SM3 digest (-sm3)
### tongsuo req -batch -config certs/subca/subca.cnf -key certs/server/sm2_sign.key -new -nodes -out certs/server/sm2_sign.csr -sm3 -subj "/C=AB/ST=CD/L=EF/O=GH/OU=IJ/CN=SERVER Sign SM2"
## Sign the signing certificate with the intermediate CA; -extensions server_sign_req applies that section of subca.cnf
### tongsuo ca -batch -cert certs/subca/sm2.crt -config certs/subca/subca.cnf -days 365 -extensions server_sign_req -in certs/server/sm2_sign.csr -keyfile certs/subca/sm2.key -md sm3 -notext -out certs/server/sm2_sign.crt
## Issue the SM2 encryption certificate:
## Generate the SM2 private key (a separate key from the signing key)
### tongsuo genpkey -algorithm ec -out certs/server/sm2_enc.key -pkeyopt "ec_paramgen_curve:sm2"
## Generate the CSR, using the SM3 digest (-sm3)
### tongsuo req -batch -config certs/subca/subca.cnf -key certs/server/sm2_enc.key -new -nodes -out certs/server/sm2_enc.csr -sm3 -subj "/C=AB/ST=CD/L=EF/O=GH/OU=IJ/CN=SERVER Enc SM2"
## Sign the encryption certificate with the intermediate CA; -extensions server_enc_req applies that section of subca.cnf
### tongsuo ca -batch -cert certs/subca/sm2.crt -config certs/subca/subca.cnf -days 365 -extensions "server_enc_req" -in certs/server/sm2_enc.csr -keyfile certs/subca/sm2.key -md sm3 -notext -out certs/server/sm2_enc.crt
Install gm dual certificate in Tengine server
Case 1
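# Case 1: build Tongsuo 8.3.3 as static libraries with NTLS enabled, then build
# Tengine 3.1.0 against that source tree.
$ cd Tongsuo-8.3.3/
$ ./config enable-ntls no-shared
$ make -j
# Collect the static libraries in lib/ inside the Tongsuo tree.
$ mkdir lib
$ cp libssl.a libcrypto.a lib
# The two source trees are siblings (configure below uses --with-openssl=../Tongsuo-8.3.3),
# so leave the Tongsuo directory before entering Tengine's.
$ cd ../tengine-3.1.0/
# Edit auto/lib/openssl/conf: replace every $OPENSSL/.openssl with $OPENSSL/
# (presumably so the build uses the Tongsuo tree prepared above - confirm).
$ ./configure --prefix=/usr/local/tengine --add-module=modules/ngx_tongsuo_ntls --with-openssl=../Tongsuo-8.3.3 --with-openssl-opt="enable-ntls" --with-http_ssl_module --with-stream --with-stream_ssl_module --with-stream_sni
$ make -j
$ sudo make install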
Case 2
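# Case 2: BabaSSL 8.2.1 with Tengine 2.4.1, both fetched as release tarballs.
# Neither download is checked before it is unpacked and built. Compare each
# archive's digest (for example the output of `sha256sum <archive>`) with a
# value published by the project through a separate trusted channel first.
$ wget -c https://github.com/BabaSSL/BabaSSL/archive/refs/tags/8.2.1.tar.gz
$ tar -zxvf 8.2.1.tar.gz
$ wget -c https://tengine.taobao.org/download/tengine-2.4.1.tar.gz
$ tar -zxvf tengine-2.4.1.tar.gz
$ cd tengine-2.4.1/
# NOTE(review): --with-openssl must name the directory the first tarball
# unpacked to; confirm that it really is ../Tongsuo-8.2.1.
$ ./configure --prefix=/usr/local/tengine --add-module=modules/ngx_tongsuo_ntls --with-openssl=../Tongsuo-8.2.1 --with-openssl-opt="enable-ntls" --with-http_ssl_module --with-stream --with-stream_ssl_module --with-stream_sni
$ make -j
$ make install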
Edit /usr/local/tengine/conf/nginx.conf and add a server block:
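# HTTPS virtual server offering NTLS (SM2 signing + encryption certificates)
# next to an optional international-algorithm certificate.
server {
    listen 443 ssl;
    # Change to the site's own domain name.
    server_name localhost;

    # Enable NTLS. Tengine has been adapted to the NTLS feature of BabaSSL;
    # this article uses BabaSSL as Tengine's underlying crypto library for
    # transport encryption.
    enable_ntls on;

    # SM2 signing certificate and private key (change to the real file paths).
    ssl_sign_certificate cert/server_sign.pem;
    ssl_sign_certificate_key cert/server_sign.key;

    # SM2 encryption certificate and private key (change to the real file paths).
    ssl_enc_certificate cert/server_enc.pem;
    ssl_enc_certificate_key cert/server_enc.key;

    # (Optional) international-algorithm certificate and private key
    # (change to the real file paths).
    ssl_certificate cert/server_rsa.pem;
    ssl_certificate_key cert/server_rsa.key;

    # NOTE(review): nothing in this block asks the client for a certificate, so
    # any certificate a client presents is not verified by this server. For
    # mutual authentication, enable client verification against the issuing CA
    # chain (the path below is a placeholder):
    # ssl_verify_client on;
    # ssl_client_certificate cert/<client-ca-chain>.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Cipher suites. The four SM2/SM4/SM3 suites come first; !PSK excludes
    # pre-shared-key suites.
    # NOTE(review): the international half of the list still offers static-RSA
    # and CBC/SHA-1 suites - trim it if no legacy client needs them.
    # ssl_ciphers HIGH: !aNULL: !MD5;
    ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK;

    # NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). Drop them once
    # it is confirmed that NTLS clients still connect without them - TODO confirm.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        root html;
        index index.html index.htm;
    }
}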
Start Nginx
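$ cd /usr/local/tengine/sbin
# Check the edited configuration for syntax errors before applying it.
$ ./nginx -t
# Reload the configuration file. This signals a master process that is already
# running; if none is running yet, start one with ./nginx instead.
$ ./nginx -s reload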
Client access the server
# Point the dynamic loader at the libraries of the Tongsuo build.
$ export LD_LIBRARY_PATH=/absolutely/path/Tongsuo-8.3.3/out/lib/
# NTLS handshake against the local server with one SM2 suite, presenting the
# client's signing and encryption certificates and verifying the server
# against ca-cert.pem.
# s_client carries on after a failed certificate check unless
# -verify_return_error is given, so read the "Verify return code" line of the
# output rather than relying on the connection succeeding.
# NOTE(review): the client-*.pem and ca-cert.pem files are not produced by the
# commands shown earlier on this page - confirm where they come from.
$ ./Tongsuo-8.3.3/out/bin/openssl s_client \
    -connect 127.0.0.1:443 \
    -cipher ECC-SM2-SM4-GCM-SM3 \
    -enable_ntls -ntls \
    -sign_cert ./client-sign-cert.pem \
    -sign_key ./client-sign-key.pem \
    -enc_cert ./client-enc-cert.pem \
    -enc_key ./client-enc-key.pem \
    -verifyCAfile ./ca-cert.pem
Check
...
0060 - e0 3e 14 e1 2b cd 86 3c-cb 2c 0c bd 9b 1e 4f 4e .>..+..<.,....ON
0070 - 33 14 62 31 c1 9b 5f 11-3e 9d e6 d4 3e 4e 94 c6 3.b1.._.>...>N..
0080 - 3e 56 7c 57 98 11 d1 3a-5b c7 de 2c 76 2e bc 1a >V|W...:[..,v...
0090 - 86 8e 37 0d 9e 67 77 d7-b4 ae fa cd 9b b4 c8 e9 ..7..gw.........
00a0 - 47 18 f4 64 3e 2b 22 e1-bf 45 20 ad 5a c6 5a 78 G..d>+"..E .Z.Zx
Start Time: 1755853851
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
QUIC: no
---
Ref:
在Tengine服务器使用Tongsuo配置国密SSL证书_数字证书管理服务(原SSL证书)(SSL Certificate)-阿里云帮助中心