Leif160519's blog


OpenSSL: creating a private CA, signing and revoking certificates

A CA (Certificate Authority) is the entity that issues, manages and revokes digital certificates. Its job is to check that the identity of a certificate's holder is legitimate and then issue the certificate (sign it), so that certificates cannot be forged or tampered with, and to manage certificates and keys. With OpenSSL you can run your own CA, sign certificates with it and revoke them.

一 The OpenSSL configuration file is /etc/pki/tls/openssl.cnf (the path on RHEL/CentOS; Debian-based systems use /etc/ssl/openssl.cnf). Below is the CA-related part of that file, with the settings that matter annotated.

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept     <== default working directory, referenced below as $dir
certs           = $dir/certs            # Where the issued certs are kept   <== issued certificates
crl_dir         = $dir/crl              # Where the issued crl are kept    <== issued CRLs
database        = $dir/index.txt        # database index file.     <== index of every certificate ever issued
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.  <== the CA's own copy of each new certificate, named <serial>.pem

certificate     = $dir/cacert.pem       # The CA certificate     <== the CA's self-signed certificate
serial          = $dir/serial           # The current serial number    <== next serial number to issue; must be seeded by hand before the first signing
crlnumber       = $dir/crlnumber        # the current crl number  <== next CRL number; must be seeded by hand before the first CRL is generated
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL     <== the certificate revocation list
private_key     = $dir/private/cakey.pem# The private key     <== the CA's own private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for     <== default certificate validity (days)
default_crl_days= 30                    # how long before next CRL    <== CRL validity; a fresh CRL must be issued before this runs out
default_md      = sha256                # use SHA-256 by default    <== default signature digest
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy     <== which request fields must agree with the CA certificate
[ policy_match ]
countryName             = match     <== countryName must match the CA certificate
stateOrProvinceName     = match     <== stateOrProvinceName must match the CA certificate
organizationName        = match     <== organizationName (company) must match the CA certificate
organizationalUnitName  = optional     <== organizationalUnitName (department) is optional
commonName              = supplied    <== commonName (e.g. the server's domain name) must be present
emailAddress            = optional    <== emailAddress is optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional     <== localityName (e.g. city) is optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################

二 Creating a private certificate authority

1. Create the files and directories the CA needs
[root@server ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@server ~]# touch /etc/pki/CA/{serial,index.txt}
[root@server ~]# echo 01 > /etc/pki/CA/serial     <== seed the serial number file

These are exactly the paths defined under CA_default in openssl.cnf; if you change the config, create the matching paths instead.

2. Generate the CA private key
[root@server ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................................++
...........................................++
e is 65537 (0x10001)

The umask in the subshell makes the key file mode 0600 without changing the shell's own umask. This key signs every certificate and CRL the CA issues, so it must never be readable by anyone else.

3. Create the CA's self-signed certificate
[root@server ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

The options mean:
-new: generate a new certificate request
-x509: output a self-signed certificate instead of a request; this is how a CA produces its own root certificate
-key: the private key to use for the request (the certificate's public key is derived from it)
-days: validity period of the certificate, in days (3650 here, about ten years)
-out /PATH/TO/SOMECERTFILE: where to save the certificate

With the stock openssl.cnf the [ req ] section sets x509_extensions = v3_ca, so this self-signed certificate carries basicConstraints CA:TRUE and can be used to sign other certificates; you can confirm that by inspecting its extensions after creating it.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     <== two-letter country code, CN for China
State or Province Name (full name) []:GuangDong    <== full name of the state or province
Locality Name (eg, city) [Default City]:ShenZhen    <== locality (usually the city)
Organization Name (eg, company) [Default Company Ltd]:example  <== organization name (usually the company)
Organizational Unit Name (eg, section) []:Ops    <== organizational unit (e.g. the department)
Common Name (eg, your name or your server's hostname) []:ca.example.com    <== a name for the CA; it does not have to be a resolvable hostname
Email Address []:caadmin@example.com    <== CA administrator's e-mail address, may be left blank

The Country, State and Organization entered here are the values that policy_match will compare every future request against, so choose them deliberately.

三 Issuing certificates

Generate the certificate request on the host that needs the certificate. The example uses the httpd service (installed with yum); the CA lives on host 172.16.8.10 and the httpd server on host 172.16.8.11.

1. Generate the private key on the server that will use the certificate
[root@localhost ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
.........................................................++
.................++
e is 65537 (0x10001)
2. Generate the certificate request on that host. The countryName, stateOrProvinceName and organizationName you enter must be identical to the CA certificate's, or openssl ca will reject the request under policy_match.
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr

(Passing -days to this command has no effect: without -x509 it produces a request, not a certificate, and the validity period is chosen by the CA when it signs in step 4.)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.example.com  <== the hostname clients will connect to (the domain name)
Email Address []:admin@example.com   <== httpd administrator's e-mail address, may be left blank

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     <== leave blank; openssl ca does not use it
An optional company name []:

3. Send the certificate request to the CA host over a trusted channel. The CSR contains only public data, but the CA must be sure it is signing the request the server actually made, so use an authenticated channel and check the subject before signing.
[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr root@172.16.8.10:/tmp/
4. Sign the certificate on the CA host
[root@server ~]# openssl ca -in /tmp/httpd.csr -days 365 -out /etc/pki/CA/certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 18 15:06:39 2017 GMT
            Not After : Nov 18 15:06:39 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = example
            organizationalUnitName    = Ops
            commonName                = www.example.com
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0C:C9:67:94:91:F3:17:6C:67:50:35:96:DB:B6:08:3B:11:01:06:98
            X509v3 Authority Key Identifier: 
                keyid:AB:A2:16:C4:E9:A9:A4:BB:33:59:7E:29:25:14:B8:1D:AF:4F:76:D9

Certificate is to be certified until Nov 18 15:06:39 2018 GMT (365 days)
Sign the certificate? [y/n]:y     <== confirm signing


1 out of 1 certificate requests certified, commit? [y/n]y  <== confirm writing the result to index.txt and serial
Write out database with 1 new entries
Data Base Updated

After the certificate /etc/pki/CA/certs/httpd.crt is written, the CA also keeps its own copy in /etc/pki/CA/newcerts/ named after the serial number (here 01.pem), and index.txt and serial are updated. By default the .crt contains a text dump of the certificate before the PEM block; pass -notext to openssl ca if you want only the PEM.

5. Send httpd.crt from the CA host to the httpd host
[root@server ~]# scp  /etc/pki/CA/certs/httpd.crt  root@172.16.8.11:/etc/httpd/ssl

To inspect the subject of the signed certificate:

[root@localhost ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -subject   <== works on both the CA host and the httpd host
subject= /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com

or

[root@server ~]# cat /etc/pki/CA/index.txt      <== only on the CA host
V   181118150639Z       01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com

The columns are tab separated: V means the certificate is valid (issued and not revoked), 181118150639Z is its expiry time (YYMMDDHHMMSSZ), the empty field after it is the revocation time, 01 is the serial number, unknown is the unused file-name column, and the last column is the subject.

6. Remove the httpd.csr files on the CA host and the httpd host. This is housekeeping rather than a security measure: a CSR holds only the public key and the subject. The file that actually needs protecting is the private key httpd.key.
[root@server ~]# rm -f /tmp/httpd.csr              <== CA host
[root@localhost ~]# rm -f /etc/httpd/ssl/httpd.csr    <== httpd host

四 Revoking certificates

1. On the httpd host, get the serial and subject of the certificate to be revoked
[root@localhost ~]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com
2. Revoke the certificate on the CA host

Compare the serial and subject submitted by the client against the entry in index.txt:

[root@server ~]# cat /etc/pki/CA/index.txt
V   181118150639Z       01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com

If they agree, revoke the certificate using the CA's own copy under newcerts/ (the serial number selects the file):

[root@server ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

Check index.txt again after the revocation:

[root@server ~]# cat /etc/pki/CA/index.txt
R   181118150639Z   171118155958Z   01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com

R means revoked; the third column (171118155958Z) is the time of revocation. Only the CA's database has changed so far: clients that validate the certificate will not learn of the revocation until a new CRL is generated and published (steps 3 and 4).

3. Seed the CRL number (only once, before the first CRL is generated)
[root@server ~]# echo  01  > /etc/pki/CA/crlnumber
4. Generate (or regenerate) the certificate revocation list
[root@server ~]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

Rerun this after every revocation and, because the CRL's nextUpdate is default_crl_days (30) days out, at least that often even when nothing has changed. Then distribute ca.crl to the relying parties, for example by publishing it at a URL that issued certificates name as their crlDistributionPoints, or by installing it in each verifier's CRL store. A revocation that never reaches the clients has no effect.

Inspect the CRL:

[root@server ~]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

The Revoked Certificates section lists serial 01 with its revocation date.
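The whole procedure from sections 二, 三 and 四 (the directory layout and settings from section 一, CA key and self-signed certificate, CSR signing under policy_match, revocation, CRL generation and a CRL-aware verification) as one non-interactive script. This is an added example, not code from the original post: it assumes the openssl command-line tool is installed, uses a temporary directory in place of /etc/pki/CA, and writes its own trimmed openssl.cnf (shown inline) instead of editing /etc/pki/tls/openssl.cnf. The DN values and hostnames are the article's; 2048-bit keys are used only to keep the run fast.

```shell
# Added example, not code from the original post: the article's workflow (sections
# 二 to 四) run end to end without prompts. Assumptions: the openssl CLI is on PATH;
# $CA_DIR (a temp dir) stands in for /etc/pki/CA and the self-contained config
# written below stands in for /etc/pki/tls/openssl.cnf.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_CNF="$CA_DIR/openssl.cnf"
CA_SUBJ="/C=CN/ST=GuangDong/O=example/OU=Ops/CN=ca.example.com"

# Trimmed copy of the CA_default and policy_match sections from the article, plus the
# extension sections a CA certificate (v3_ca) and a server certificate (usr_cert) need.
write_ca_config() {
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match
x509_extensions  = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
# Section 二: directory layout, serial files, CA key (mode 0600) and self-signed CA cert.
init_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    write_ca_config
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_CNF" -extensions v3_ca -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -subj "$CA_SUBJ" -out "$CA_DIR/cacert.pem"
}
# Section 三: key and CSR on the server side, then the CA signs it. -batch answers the
# two y/n prompts, -notext keeps the text dump out of the .crt (PEM block only).
issue_cert() {   # issue_cert NAME SUBJECT
    (umask 077; openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_CNF" -key "$CA_DIR/$1.key" -subj "$2" -out "$CA_DIR/$1.csr"
    openssl ca -config "$CA_CNF" -batch -notext -in "$CA_DIR/$1.csr" -out "$CA_DIR/certs/$1.crt"
}
cert_serial() { openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -serial | cut -d= -f2; }
# index.txt columns (tab separated): status, expiry, revocation time, serial, file, subject.
index_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_DIR/index.txt"; }
# Section 四: revoke via the CA's own copy under newcerts/<serial>.pem, then publish a CRL.
revoke_cert() { openssl ca -config "$CA_CNF" -revoke "$CA_DIR/newcerts/$(cert_serial "$1").pem"; }
publish_crl() { openssl ca -config "$CA_CNF" -gencrl -out "$CA_DIR/crl/ca.crl"; }
# What a relying party sees: plain chain check, then the same check with the CRL applied.
cert_status() {
    crt="$CA_DIR/certs/$1.crt"
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$crt" >/dev/null 2>&1 || { echo invalid; return 0; }
    out=$(openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/crl/ca.crl" "$crt" 2>&1) \
        && { echo valid; return 0; }
    case "$out" in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
}
# policy_match refuses a CSR whose C/ST/O differ from the CA certificate (here C=US).
policy_rejects_mismatch() {
    ! issue_cert mismatch "/C=US/ST=GuangDong/O=example/CN=bad.example.com" >/dev/null 2>&1
}

init_ca
issue_cert httpd "/C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com" 2>/dev/null
publish_crl 2>/dev/null                      # first CRL: nothing revoked yet
echo "issued:    $(cert_status httpd), index=$(index_status "$(cert_serial httpd)")"
revoke_cert httpd 2>/dev/null
echo "revoked:   $(cert_status httpd)   (clients still see the old CRL)"
publish_crl 2>/dev/null
echo "new CRL:   $(cert_status httpd), index=$(index_status "$(cert_serial httpd)")"
policy_rejects_mismatch && echo "policy:    C=US request refused by policy_match"
```

Run it with sh. The three status lines make explicit what section 四 only implies: after openssl ca -revoke the certificate still verifies against the previously published CRL, and only the regenerated CRL makes a CRL-checking client reject it. The last line shows policy_match refusing a request whose countryName differs from the CA certificate's, which is why step 2 of section 三 insists on matching fields.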


Title: OpenSSL: creating a private CA, signing and revoking certificates
Author: Leif160519
Source: https://github.icu/articles/2019/08/22/1566473487903.html
About the author: based in Nanjing, server operations engineer and desktop support engineer; questions and discussion are welcome in the comments below.