Leif160519的blog

CA(Certificate Authority)是数字证书认证中心的简称，是指发放、管理、废除数字证书的机构。CA的作用是检查证书持有者身份的合法性，并签发证书（在证书上签字），以防证书被伪造或篡改，以及对证书和密钥进行管理。使用OpenSSL可以创建CA，签证和吊销证书

一 OpenSSL配置文件为/etc/pki/tls/openssl.cnf，下面是此文件中关于CA的部分摘要

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept     <==默认工作目录，变量形式
certs           = $dir/certs            # Where the issued certs are kept   <==签发证书位置
crl_dir         = $dir/crl              # Where the issued crl are kept    <==吊销证书位置
database        = $dir/index.txt        # database index file.     <==颁发过的证书索引文件
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.  <==新的证书位置

certificate     = $dir/cacert.pem       # The CA certificate     <==CA的自签证书
serial          = $dir/serial           # The current serial number    <==当前证书序列号，第一次要指定
crlnumber       = $dir/crlnumber        # the current crl number  <==吊销证书序列号，第一次吊销要指定
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL     <==证书吊销列表文件
private_key     = $dir/private/cakey.pem# The private key     <==CA自己的私钥
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for     <==证书的默认有效期
default_crl_days= 30                    # how long before next CRL    <==默认声明有效期
default_md      = sha256                # use SHA-256 by default    <==默认的生成算法
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy     <==CA策略相关属性
[ policy_match ]
countryName             = match     <==country name（国家名）必须匹配CA证书
stateOrProvinceName     = match     <==stateOrProvinceName（州或省名）必须匹配CA证书
organizationName        = match     <==organizationName（组织机构名称，例如公司名）必须匹配CA证书
organizationalUnitName  = optional     <==organizationalUnitName（组织单位，例如公司部门）可选
commonName              = supplied    <==commonName（通用名字，例如域名）必须提供
emailAddress            = optional    <==emailAddress（邮件地址）可选

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional     <==localityName（地区名，例如城市） 可选
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
​

二 创建私有证书签发机构

1.创建CA所需要的文件和目录

[root@server ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@server ~]# touch /etc/pki/CA/{serial,index.txt}
[root@server ~]# echo 01 > /etc/pki/CA/serial     <==将序列号写入此文件
​

根据openssl.cnf文件中定义的按需创建

2.CA生成私钥

[root@server ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................................++
...........................................++
e is 65537 (0x10001)
​

3.CA自签证书

[root@server ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
​

其中选项含义如下：
-new: 生成新证书签署请求；
-x509: 生成请生成自签格式，专用于CA生成自签证书
-key: 证书求时用到的私钥文件
-days ：证书的有效期限，单位是天
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     <==两个字符表示的国家代码，CN为中国
State or Province Name (full name) []:GuangDong    <==省或洲的完整名称
Locality Name (eg, city) [Default City]:ShenZhen    <==所在位置的名称(默认为城市)
Organization Name (eg, company) [Default Company Ltd]:example  <==组织机构名称(默认为公司）
Organizational Unit Name (eg, section) []:Ops    <==组织机构单元名称(eg.部门)
Common Name (eg, your name or your server's hostname) []:ca.example.com    <==CA持有者名或者所在服务器主机名(即域名)
Email Address []:caadmin@example.com    <==CA管理员邮件地址，可以省略
​

三 颁发证书

在需要使用证书的主机上生成证书请求，以 httpd 服务（yum安装）为例，其中CA签署机构放置于172.16.8.10主机上，httpd服务器放置于172.16.8.11主机上

1.用到证书的服务器生成私钥

[root@localhost ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
.........................................................++
.................++
e is 65537 (0x10001)
​

2.用到证书的主机生成证书请求，要保证和签署机构CA签署机构信息一致

[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.example.com  <==httpd所在服务器主机名(即域名)
Email Address []:admin@example.com   <==httpd管理员邮件地址，可以省略

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

​

3.将证书请求通过可靠方式发给CA主机

[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr root@172.16.8.10:/tmp/
​

4.在CA主机上签署证书

[root@server ~]# openssl ca -in /tmp/httpd.csr -days 365 -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 18 15:06:39 2017 GMT
            Not After : Nov 18 15:06:39 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = example
            organizationalUnitName    = Ops
            commonName                = www.example.com
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0C:C9:67:94:91:F3:17:6C:67:50:35:96:DB:B6:08:3B:11:01:06:98
            X509v3 Authority Key Identifier: 
                keyid:AB:A2:16:C4:E9:A9:A4:BB:33:59:7E:29:25:14:B8:1D:AF:4F:76:D9

Certificate is to be certified until Nov 18 15:06:39 2018 GMT (365 days)
Sign the certificate? [y/n]:y     <==是否要签署证书


1 out of 1 certificate requests certified, commit? [y/n]y  <==是否确认
Write out database with 1 new entries
Data Base Updated

​

在生成证书/etc/pki/CA/crets/*.crt后，会生成以对应证书命名的文件/etc/pki/CA/newcrets/SERIAL.pem（此处为httpd.crt和01.pem）

5.CA主机将证书httpd.crt发送给httpd主机

[root@server ~]# scp  /etc/pki/CA/certs/httpd.crt  root@172.16.8.11:/etc/httpd/ssl
​

查看所签署的证书主机信息

[root@localhost ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -subject   <==CA主机和httpd主机均可查看
subject= /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com
​

或者

[root@server ~]# cat /etc/pki/CA/index.txt      <==仅CA主机能查看
V   181118150639Z       01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com
​

其中V表示已经签署的证书，01表示证书序列号

6.删除CA主机和httpd主机上的httpd.csr文件，确保安全

[root@server ~]# rm -rf /tmp/httpd.csr              <==CA主机
[root@localhost ~]# rm -rf /etc/httpd/ssl/httpd.csr    <==httpd主机
​

四 吊销证书

1.客户端获取要吊销的证书的serial和subject信息（httpd主机）

[root@localhost ~]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com
​

2.CA主机吊销证书

根据客户端提交的serial与subject信息，对比检验是否与index.txt文件中的信息一致

[root@server ~]# cat /etc/pki/CA/index.txt
V   181118150639Z       01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com
​

一致的话则可以进行证书吊销

吊销证书：

[root@server ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

​

吊销之后再查看index.txt文件

[root@server ~]# cat /etc/pki/CA/index.txt
R   181118150639Z   171118155958Z   01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com
​

其中R表示证书已失效

3.生成吊销证书的编号(第一次吊销证书时执行)

[root@server ~]# echo  01  > /etc/pki/CA/crlnumber
​

4.更新证书吊销列表

[root@server ~]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
​

查看crl文件

[root@server ~]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
​