Linux下私有CA搭建

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux下私有CA搭建相关的知识,希望对你有一定的参考价值。

        数字证书为实现双方安全通信提供了电子认证。在因特网、公司内部网或外部网中,使用数字证书实现身份识别和电子信息加密。数字证书中含有密钥对(公钥私钥所有者的识别信息,通过验证识别信息的真伪实现对证书持有者身份的认证。

    

    证书申请及签署步骤;

1、生成申请请求;

2、RA核验;

3、CA签署;

4、获取证书;

    创建私有CA

         1、在/etc/pki/CA 下面创建所需的文件

             [[email protected] CA]# touch index.txt      

             [[email protected] CA]# echo 01 > serial

             [[email protected] CA]#  ls

             certs  crl  index.txt  newcerts  private  serial

           2、生成CA自签证书;

              [[email protected] CA]# (umask 077; openssl genrsa -out /etc/pki/CA/cakey.pem 4096)

                Generating RSA private key, 4096 bit long modulus

                ..............................++

                ...............................................................................++

                e is 65537 (0x10001)   

            [[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days                 365 -out cacert.pem

            You are about to be asked to enter information that will be incorporated

            into your certificate request.

            What you are about to enter is what is called a Distinguished Name or a DN.

            There are quite a few fields but you can leave some blank

            For some fields there will be a default value,

            If you enter ‘.‘, the field will be left blank.

            -----

            Country Name (2 letter code) [XX]:CN

            State or Province Name (full name) []:Beijing

            Locality Name (eg, city) [Default City]:Beijing

            Organization Name (eg, company) [Default Company Ltd]:Dk     

            Organizational Unit Name (eg, section) []:Ops

            Common Name (eg, your name or your server‘s hostname) []:ca.xiong.cn

            Email Address []:[email protected]

            一些选项的作用:

                -new: 生成新证书签署请求

-x509: 专用于CA生成自签证书;

-key: 生成请求时用到的私钥文件;

-days n: 证书的有效期限;

-out /PATH/TO/SOMECEFTFILE: 证书的保存路径;

            

            查看刚生成的cakey.pem、cacert.pem两个文件 

            [[email protected] CA]# ls -l

            总用量 28

            -rw-r--r--  1 root root 1399 6月  14 19:51 cacert.pem

            -rw-------  1 root root 3247 6月  14 19:06 cakey.pem

            drwxr-xr-x. 2 root root 4096 6月  14 18:50 certs

            drwxr-xr-x. 2 root root 4096 2月  20 23:49 crl

            -rw-r--r--  1 root root    0 6月  14 19:03 index.txt

            drwxr-xr-x. 2 root root 4096 6月  14 18:48 newcerts

            drwx------. 2 root root 4096 6月  14 18:17 private

            -rw-r--r--  1 root root    3 6月  14 19:03 serial

            

            在客户端上主机生成证书请求     

            [[email protected] ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)

            Generating RSA private key, 4096 bit long modulus

            ..................................................................................++

            ............................................................................................................++

            e is 65537 (0x10001)

        [[email protected] ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 369 -out                              /etc/httpd/ssl/httpd.csr

        You are about to be asked to enter information that will be incorporated

        into your certificate request.

        What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

        For some fields there will be a default value,

        If you enter ‘.‘, the field will be left blank.

        -----

        Country Name (2 letter code) [XX]:CN

        State or Province Name (full name) []:Beijing

        Locality Name (eg, city) [Default City]:Beijing

        Organization Name (eg, company) [Default Company Ltd]:Dk

        Organizational Unit Name (eg, section) []:Ops

        Common Name (eg, your name or your server‘s hostname) []:www.xiong.cn

        Email Address []:[email protected]  

        Please enter the following ‘extra‘ attributes

        to be sent with your certificate request

        A challenge password []:123456

        An optional company name []:centos

        

        查看客户端生成的两个文件              

        [[email protected] ssl]# ls

        httpd.csr  httpd.key

       把httpd.csr这个文件传给CA,然后CA进行授权。实验的话 就上传到CA下的/tmp目录下,按照规范的话 都是传到相对应的文件夹里头去,这里为了方便就放到了/tmp下

[[email protected] ssl]# scp httpd.csr [email protected]:/tmp/

The authenticity of host ‘192.168.2.30 (192.168.2.32)‘ can‘t be established.

ECDSA key fingerprint is 62:d9:92:9a:3a:be:c1:82:6a:96:36:da:b7:9d:e3:a9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.2.32‘ (ECDSA) to the list of known hosts.

[email protected]‘s password: 

httpd.csr                                                                                               100% 1801     1.8KB/s   00:00    

[[email protected] ssl]# 

然后在CA上进行授权并同意

[[email protected] CA]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Jun 14 15:20:46 2017 GMT

            Not After : Jun 14 15:20:46 2018 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = Dk

            organizationalUnitName    = Ops

            commonName                = www.xiong.cn

            emailAddress              = [email protected]

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                37:6B:FF:B5:74:93:4F:ED:36:BC:23:2F:77:66:4D:31:48:BF:23:A6

            X509v3 Authority Key Identifier: 

                keyid:8C:D9:52:FD:D6:EC:86:99:DE:14:D4:A8:D9:C5:01:CF:69:DA:E2:D1


Certificate is to be certified until Jun 14 15:20:46 2018 GMT (365 days)

这块的话它是问你确定要给它授权吗,咱输入y同意即可

Sign the certificate? [y/n]:   y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

查看授权证书里头的信息,有点长就复制一丢丢过来了

[[email protected] CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt  -noout -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1 (0x1)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=Beijing, L=Beijing, O=Dk, OU=Ops, CN=ca.xiong.cn/[email protected]

        Validity

            Not Before: Jun 14 15:20:46 2017 GMT

            Not After : Jun 14 15:20:46 2018 GMT

        Subject: C=CN, ST=Beijing, O=Dk, OU=Ops, CN=www.xiong.cn/[email protected]

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (4096 bit)

                Modulus:

再次从CA服务器上把已授权的证书发放到客户端的指定目录下即可

[[email protected] CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/

Address 192.168.2.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

[email protected]‘s password: 

httpd.crt                                                                                               100% 6051     5.9KB/s   00:00    

在客户端指定文件夹查看证书

[[email protected] ~]# ls /etc/httpd/ssl/

httpd.crt  httpd.csr  httpd.key


小白第一次写博客 里头肯定有很多问题,文章里头有什么问题大神们可以帮忙指出来!!十分感谢。

以上是关于Linux下私有CA搭建的主要内容,如果未能解决你的问题,请参考以下文章

Linux系统搭建私有CA证书服务器

Linux 加密安全和私有CA的搭建方法

私有CA搭建

私有CA搭建

私有CA搭建

搭建私有CA服务器