Building a Private CA and Requesting Certificates
A CA must be created in a prescribed layout; the details are in /etc/pki/tls/openssl.cnf, which holds the CA-related configuration.
The two most important related settings are:
1. This section defines the CA's directory structure
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
2. This section sets the rules for signing certificates. Fields marked match must be identical between the client's certificate signing request and the CA's own certificate; if they are allowed to differ, change the policy.
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match # change this to policy_anything and the CA will still sign a request whose countryName, stateOrProvinceName and organizationName differ from the CA's
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
I. Create the private CA
1. Create the certificate index database file
[[email protected] CA]# touch index.txt
2. Set the starting serial number for issued certificates
[[email protected] CA]# echo 01 > serial
3. Generate the private key
The private key must be stored under /etc/pki/CA/private and named cakey.pem
[[email protected] CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096) # generate the private key with a 4096-bit modulus
Generating RSA private key, 4096 bit long modulus
.........................................++
.....................++
e is 65537 (0x10001)
4. Generate the self-signed certificate
The location and name of the self-signed certificate are also prescribed: it must be stored in /etc/pki/CA/ and named cacert.pem
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 # generate the self-signed certificate, valid for 3650 days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
II. Request a certificate from the client
1. Generate the private key file on the client
The client's private key is normally generated in the directory of the application that needs it
[[email protected] data]# (umask 066;openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................................................................++++++
.....++++++
e is 65537 (0x10001)
2. Generate the certificate signing request from the private key
In the request, Country Name, State or Province Name and Organization Name must match the CA's.
[[email protected] data]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Send the certificate signing request to the CA
[[email protected] data]# scp test.csr 192.168.73.132:/tmp
The authenticity of host '192.168.73.132 (192.168.73.132)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.132' (ECDSA) to the list of known hosts.
[email protected]'s password:
test.csr 100% 660 220.9KB/s 00:00
III. Sign the certificate on the CA server
When the CA server signs the certificate, the validity period must be specified
[[email protected] CA]# openssl ca -in /tmp/test.csr -out certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 15 22:42:33 2019 GMT
Not After : Apr 14 22:42:33 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = ops
commonName = www.mylinuxops.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
X509v3 Authority Key Identifier:
keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD
Certificate is to be certified until Apr 14 22:42:33 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
IV. Other
1. View the information in a certificate:
[[email protected] CA]# openssl x509 -in certs/test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=ops, CN=ca.magedu.com
Validity
Not Before: Apr 15 22:42:33 2019 GMT
Not After : Apr 14 22:42:33 2020 GMT
Subject: C=CN, ST=beijing, O=magedu, OU=ops, CN=www.mylinuxops.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
X509v3 Authority Key Identifier:
keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD
Signature Algorithm: sha256WithRSAEncryption
2. Check the status of a certificate by serial number
[[email protected] CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
Revoking a CA-issued certificate
I. On the client, look up the serial and subject of the certificate to be revoked
[[email protected] certs]# openssl x509 -in test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com
II. On the CA server, compare the information submitted by the client against the entries in index.txt
[[email protected] CA]# cat index.txt
V 200414224233Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com
III. Revoke the certificate
[[email protected] CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
IV. Set the number of the first CRL (only needed the first time a revocation is performed)
[[email protected] CA]# echo 01 > /etc/pki/CA/crlnumber
V. Generate the certificate revocation list
[[email protected] CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
VI. View the certificate revocation list
[[email protected] CA]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=ca.magedu.com
Last Update: Apr 16 08:41:46 2019 GMT
Next Update: May 16 08:41:46 2019 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Apr 16 08:38:37 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
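The steps above issue, revoke and list, but never show the consumer side: whether a relying party that has the CRL actually rejects the revoked certificate. The following is an added example, not code from the original post; it assumes the openssl command line is installed, uses a temporary directory and a minimal configuration file in place of /etc/pki/CA and /etc/pki/tls/openssl.cnf, and constructs its own subject names.

```shell
#!/bin/bash
# Added example, not code from the original post: a throwaway CA in a temp
# dir with a minimal openssl.cnf issues two certs, revokes serial 01, publishes
# a CRL, then "openssl verify -crl_check" plays relying party against the CRL.
set -e
CADIR=$(mktemp -d)
mkdir -p "$CADIR/private" "$CADIR/newcerts"; touch "$CADIR/index.txt"
echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"   # first serial / CRL number
cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed CA (constructed subject), then two server keys, CSRs and certs
openssl req -x509 -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" -days 3650 \
  -subj "/CN=ca.example.test" -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" 2>/dev/null
for n in srv1 srv2; do
  openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" \
    -subj "/CN=$n.example.test" -keyout "$CADIR/$n.key" -out "$CADIR/$n.csr" 2>/dev/null
  openssl ca -batch -config "$CADIR/ca.cnf" -in "$CADIR/$n.csr" -out "$CADIR/$n.crt" 2>/dev/null
done
# Revoke srv1 via its copy in newcerts (serial 01), then publish the CRL
openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/newcerts/01.pem" 2>/dev/null
openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" 2>/dev/null
cat "$CADIR/cacert.pem" "$CADIR/crl.pem" > "$CADIR/bundle.pem"   # trust anchor + CRL
ca_status() {   # CA-side view: prints Valid or Revoked for a serial (ca writes it to stderr)
  openssl ca -config "$CADIR/ca.cnf" -status "$1" 2>&1 | grep -o -e Valid -e Revoked; }
verify_cert() { # relying-party view: prints ok or rejected for $CADIR/<name>.crt
  openssl verify -crl_check -CAfile "$CADIR/bundle.pem" "$CADIR/$1.crt" >/dev/null 2>&1 && echo ok || echo rejected; }
echo "srv1: $(ca_status 01) / $(verify_cert srv1); srv2: $(ca_status 02) / $(verify_cert srv2)"
```

The CA-side status comes only from index.txt; on the relying-party side the CRL has to be in the trust store handed to openssl verify (or fetched from a distribution point), otherwise the revoked certificate still verifies as OK.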
Creating a private CA with a script
#!/bin/bash
# Menu-driven helper covering the three roles described above:
# build the CA, generate a client key and CSR, and sign a CSR on the CA.
PS3="please choose a number: "
select menu in 创建CA 申请证书 签发证书 退出;do
case $menu in
创建CA)
cd /etc/pki/CA || break
touch index.txt                  # empty certificate index database
echo 01 > serial                 # first certificate serial number
(umask 066;openssl genrsa -out private/cakey.pem 4096)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
;;
申请证书)
read -p "please input the directory for the new certificate: " APPDIR
read -p "please input the application (certificate) name: " NAME
read -p "please input the CA server ip: " IP
cd "$APPDIR" || continue
(umask 066;openssl genrsa -out "${NAME}.key" 2048)   # key readable by its owner only
openssl req -new -key "${NAME}.key" -out "${NAME}.csr"
scp "${NAME}.csr" "${IP}:/tmp"
unset IP
;;
签发证书)
read -p "please input the client ip: " IP
NAME=$(basename /tmp/*.csr .csr)   # assumes exactly one pending CSR in /tmp; strips the .csr suffix
openssl ca -in "/tmp/${NAME}.csr" -out "/etc/pki/CA/certs/${NAME}.crt" -days 365
rm -f /tmp/*.csr
scp "/etc/pki/CA/certs/${NAME}.crt" "${IP}:/tmp"
unset IP
;;
退出)
break
;;
esac
done