龙之介大人

Creating a Private CA Certificate on an Internal Network
09
2019/12


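About setting up a private CA certificate

  • OpenSSL has three components: openssl, a multi-purpose command-line tool; libcrypto, the encryption/decryption library; libssl, the implementation of the SSL protocol.
# PKI: Public Key Infrastructure
#     CA (certificate authority)
#     RA (registration authority)
#     CRL (certificate revocation list)
#     Certificate repository

# Ways to build a private CA:
#     OpenCA
#     openssl

# Certificate request and signing steps:
#     1. Generate the certificate request;
#     2. RA verification;
#     3. CA signing;
#     4. Obtain the certificate;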

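Steps to create a private CA

The openssl configuration file: /etc/pki/tls/openssl.cnf
  • Issuance workflow:
#1. Create the required files
#    touch index.txt
#    echo 01 > serial
#2. Self-sign the CA certificate
#    (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
#    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
#        -new: generate a new certificate signing request;
#        -x509: used by the CA to produce a self-signed certificate;
#        -key: the private key file used when generating the request;
#        -days n: validity period of the certificate;
#        -out /PATH/TO/SOMECERTFILE: path where the certificate is saved;
#3. Issue a certificate
#    (a) The host that needs the certificate generates a certificate request;
#        (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
#        openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
#        (-days only takes effect together with -x509; the CA sets the validity when it signs)

#    (b) Transfer the request file to the CA;

#    (c) The CA signs the certificate and returns it to the requester;
#        openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

#        View the information in a certificate:
#        openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-subject|-serial
#4. Revoke a certificate
#    (a) On the client, get the serial of the certificate to be revoked
#        openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

#    (b) On the CA
#        First check that the serial and subject submitted by the client match the entry in index.txt;
#        Revoke the certificate:
#        openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

#    (c) Generate the CRL number (only the first time a certificate is revoked)
#        echo 01 > /etc/pki/CA/crlnumber

#    (d) Update the certificate revocation list
#        openssl ca -gencrl -out thisca.crl

#        View the CRL file:
#           openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text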
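
Step 4(b) is described only in words, so here is one way to script that comparison; this is an added example, not code from the original post. The helper names `check_revocation_request` and `sample_index` are hypothetical, the second database row is constructed, and the subject is assumed to be in the slash-separated form that index.txt stores.

```sh
# Added example: the step 4(b) comparison against index.txt before revoking.
# check_revocation_request is a hypothetical helper, not an openssl command.
# index.txt is tab-separated:
#   status (V/R/E), expiry, revocation date, serial, file name, subject
# Usage: check_revocation_request INDEX SERIAL SUBJECT
# Prints a verdict and returns 0 only when revocation may proceed.
check_revocation_request() {
    # Values go in through the environment so awk does not interpret
    # backslashes in the subject, as it would with -v assignments.
    WANT_SERIAL="$2" WANT_SUBJECT="$3" awk -F'\t' '
        toupper($4) == toupper(ENVIRON["WANT_SERIAL"]) {
            found = 1
            if ($6 != ENVIRON["WANT_SUBJECT"]) { print "subject-mismatch"; exit 3 }
            if ($1 == "R") { print "already-revoked"; exit 4 }
            if ($1 == "E") { print "expired"; exit 5 }
            print "ok"; exit 0
        }
        END { if (!found) { print "unknown-serial"; exit 2 } }
    ' "$1"
}

# Constructed sample database: the entry from the walkthrough plus a revoked one.
sample_index() {
    printf 'V\t201127035257Z\t\t01\tunknown\t%s\n' \
        "/C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=www.itab.com/emailAddress=webadmin.itab.com"
    printf 'R\t201127040000Z\t191201000000Z\t02\tunknown\t%s\n' \
        "/C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=old.itab.com"
}

idx=$(mktemp); sample_index > "$idx"
check_revocation_request "$idx" 01 \
    "/C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=www.itab.com/emailAddress=webadmin.itab.com"
check_revocation_request "$idx" 01 "/C=CN/ST=GuangZhou/O=itab/CN=www.itab.com" || true
```

Only an `ok` verdict should be followed by `openssl ca -revoke`; a subject mismatch means the request names a serial that belongs to a different certificate.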





Certificate issuance and revocation test

# Generate the CA
[root@master CA]# touch index.txt
[root@master CA]# echo 01 > serial
[root@master CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
..........................................................+++
e is 65537 (0x10001)
[root@master CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country code
State or Province Name (full name) []:GuangZhou  # province name
Locality Name (eg, city) [Default City]:TianHe  # locality name
Organization Name (eg, company) [Default Company Ltd]:itab  # company name
Organizational Unit Name (eg, section) []:jkl  # unit name
Common Name (eg, your name or your server's hostname) []:ca.itab.com # host name
Email Address []:caadmin@itab.com # email address
[root@master CA]# ll
total 8
-rw-r--r--  1 root root 1407 Nov 28 11:06 cacert.pem
drwxr-xr-x. 2 root root    6 Aug  9 09:38 certs
drwxr-xr-x. 2 root root    6 Aug  9 09:38 crl
-rw-r--r--  1 root root    0 Nov 28 07:58 index.txt
drwxr-xr-x. 2 root root    6 Aug  9 09:38 newcerts
drwx------. 2 root root   22 Nov 28 07:59 private
-rw-r--r--  1 root root    3 Nov 28 07:58 serial


# The host generates a certificate request and sends it to the CA server for signing
[root@slave httpd]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@slave httpd]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangZhou
Locality Name (eg, city) [Default City]:TianHe
Organization Name (eg, company) [Default Company Ltd]:itab
Organizational Unit Name (eg, section) []:jkl 
Common Name (eg, your name or your server's hostname) []:www.itab.com
Email Address []:webadmin.itab.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
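# Note: the information the host enters when generating the request must match the CA's

# Upload the certificate request to the CA server for signing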
[root@slave httpd]# scp httpd.csr root@10.10.1.109:/tmp/
httpd.csr                                                                         100% 1050     1.0KB/s   00:00 

[root@master CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 28 03:52:57 2019 GMT
            Not After : Nov 27 03:52:57 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangZhou
            organizationName          = itab
            organizationalUnitName    = jkl
            commonName                = www.itab.com
            emailAddress              = webadmin.itab.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                28:98:E1:2E:E2:20:B2:F9:A7:ED:72:37:BE:87:C4:E4:45:2A:6A:5B
            X509v3 Authority Key Identifier: 
                keyid:D6:30:CC:B0:D7:5E:A1:8E:C7:8F:D1:8A:9A:A1:27:03:8C:C7:ED:B6

Certificate is to be certified until Nov 27 03:52:57 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@master CA]# cat index.txt # signed certificates are recorded in index.txt
V       201127035257Z           01      unknown /C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=www.itab.com/emailAddress=webadmin.itab.com

[root@master CA]# cp newcerts/01.pem certs/ # copy the signed certificate into the certs directory


# Send the certificate back to the host that requested it
[root@master CA]# scp /tmp/httpd.crt root@10.10.1.216:/etc/httpd/ssl/httpd.crt
httpd.crt                                                                         100% 4600     5.8MB/s   00:00  
[root@slave ssl]# ll -h
total 8.0K
-rw-r--r-- 1 root root 4.5K Nov 28 11:57 httpd.crt
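
The transcript above stops after issuance. The following added example (not from the original post) runs the same steps non-interactively in a temporary directory, then revokes the certificate and checks it against the regenerated CRL. The minimal `ca.cnf`, the `./ca` layout and the names `ca_demo` and `check` are constructed for the demo; it needs the `openssl` command-line tool.

```sh
# Added example: issue, revoke and re-verify with a throwaway CA (constructed config).
ca_demo() (
    set -e; cd "$(mktemp -d)"
    mkdir -p ca/private ca/newcerts
    touch ca/index.txt; echo 01 > ca/serial; echo 01 > ca/crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    ca="openssl ca -config ca.cnf -batch"; dn="/C=CN/ST=GuangZhou/O=itab"
    check() {   # verify the leaf against the CA and the current CRL
        out=$(openssl verify -crl_check -CAfile ca/cacert.pem -CRLfile ca.crl httpd.crt 2>&1) || true
        case $out in *revoked*) echo revoked ;; *": OK"*) echo valid ;; *) echo error ;; esac
    }
    {
        (umask 077; openssl genrsa -out ca/private/cakey.pem 2048)
        openssl req -config ca.cnf -new -x509 -extensions v3_ca -days 7300 \
            -key ca/private/cakey.pem -subj "$dn/CN=ca.itab.com" -out ca/cacert.pem
        (umask 077; openssl genrsa -out httpd.key 2048)
        openssl req -config ca.cnf -new -key httpd.key -subj "$dn/CN=www.itab.com" -out httpd.csr
        $ca -days 365 -in httpd.csr -out httpd.crt
        $ca -gencrl -crldays 30 -out ca.crl; before=$(check)
        $ca -revoke ca/newcerts/01.pem
        $ca -gencrl -crldays 30 -out ca.crl; after=$(check)
    } > demo.log 2>&1
    echo "$before $after"
)
ca_demo
```

Revocation only takes effect for clients that fetch the regenerated CRL and enable CRL checking, which is why the verification here passes `-crl_check` and `-CRLfile`.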
Last modified: January 21, 2020, 04:37 PM
