搭建CA认证中心
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了搭建CA认证中心相关的知识,希望对你有一定的参考价值。
前言
CA英文全称CertificationAuthority,即数字证书认机构。A是负责发放和管理数字证书的权威机构,并作为用户数字认证中受信任的第三方,承担公钥体系(PKI)中公钥的合法性检验的责任,在互联网上,实现用户与用户、用户与企业之间的数字身份认证。
本文通过使用openssl进行搭建私有CA认证体系,从而简单地了解CA的认证过程。搭建私有CA,可以实现企业内部认证加密。
图示CA流程
一、搭建CA认证中心
1、修改配置文件
#vim /etc/pki/tls/openssl.cnf
将basicConstraints=CA:FALSE改为 TRUE #让自己成为CA认证中心
2、配置认证中心生成根证、私钥
1、创建所需文件
touch /etc/pki/CA/index.txt
echo 01 >/etc/pki/CA/serial
2、生成私钥
[[email protected]_1 ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) Generating RSAprivate key, 2048 bit long modulus ....................+++ ............................................................................................................................................+++ e is 65537(0x10001) # 私钥生成完毕。
3、生成自签名证书(根证)
[[email protected]_1 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 \ -out /ect/pki/CA/cacert.pem #命令 You are about tobe asked to enter information that will be incorporated into yourcertificate request. What you areabout to enter is what is called a Distinguished Name or a DN. There are quite afew fields but you can leave some blank For some fieldsthere will be a default value, If you enter ‘.‘,the field will be left blank. ----- Country Name (2letter code) [XX]:CN #国家 State or ProvinceName (full name) []:beijing #省 Locality Name(eg, city) [Default City]:beijing #市 Organization Name(eg, company) [Default Company Ltd]:linuxinfo 组织机构 OrganizationalUnit Name (eg, section) []:IT 组织部门 Common Name (eg,your name or your server‘s hostname) []:linuxinfo.com #服务器主机名 Email Address[]:[email protected] #邮箱
查看证书中的信息
[[email protected]_1CA]# openssl x509 -in cacert.pem -noout -text #命令 Certificate: Data: Version: 3 (0x2) Serial Number: 10031721591501306818(0x8b37d5a31b0d3bc2) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=beijing, L=beijing,O=mage, OU=IT, CN=linuxinfo.com/email [email protected] Validity Not Before: Dec 1 04:26:18 2016 GMT Not After : Nov 29 04:26:18 2026GMT Subject: C=CN, ST=beijing, L=beijing,O=linuxinfo, OU=IT, CN=linuxinfo.com/ [email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:a9:7f:48:b3:bf:ae:51:72:e3:01:e4:82:fd: 9f:54:f6:cc:8f:76:df:7a:7f:05:9f:81:c4:45:68: 80:31:14:86:46:2c:58:f2:80:52:05:11:b1:5c:28: 09:68:00:f6:a8:7f:02:85:6f:ce:57:82:2d:74:7a: aa:49:ba:41:d0:5f:2f:bc:dd:3b:3f:af:df:73:8c: 32:d6:17:46:01:0f:1e:0d:bc:5a:f8:b4:3e:2f:97: 4f:71:39:07:1f:a5:fa:e9:a2:3b:86:9e:03:34:be: 8c:b9:02:cf:10:28:74:c0:51:ae:fc:9e:d0:a5:18: 9d:5d:15:09:2c:08:e9:89:07:56:d5:3a:c1:cd:6e: fa:10:59:c7:6a:96:53:1f:1a:a9:37:8d:9b:fd:e8: cb:61:81:f1:21:2d:65:8a:8b:5f:9b:e9:c8:12:14: 15:b5:8c:a0:4f:0f:4e:f4:4a:bd:27:09:66:b2:1f: 58:c1:e0:06:31:7f:5e:5b:a8:25:77:de:c1:7e:d4: 77:a1:cc:d7:1e:65:cf:6d:b9:8c:f7:a3:41:2d:68: 72:43:20:68:78:ec:7d:0d:6c:37:0a:d9:36:e9:3c: 4a:fb:a3:06:08:da:9b:31:3c:53:eb:92:cd:46:db: df:8d:32:25:5c:31:2a:6f:52:ef:ab:e7:c2:81:7e: 58:e5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: A4:AD:22:00:6C:19:8D:AC:29:A6:E4:E4:13:01:B4:00:C9:C2:1A:15 X509v3 Authority Key Identifier: keyid:A4:AD:22:00:6C:19:8D:AC:29:A6:E4:E4:13:01:B4:00:C9:C2:1A:15 X509v3 Basic Constraints: CA:TRUE Signature Algorithm:sha256WithRSAEncryption 9e:e9:ed:76:47:46:de:bd:02:1c:04:66:26:c9:1c:cc:76:f9: 7e:7c:51:df:97:35:ca:15:52:a3:6f:c3:c5:d4:da:a3:e1:13: a9:aa:f0:2c:15:19:a2:1b:cc:56:11:dc:98:e5:a8:59:cd:b8: 14:45:cb:37:80:c9:a3:68:a8:10:e2:b6:62:6e:ce:24:42:52: 64:d2:84:7f:13:2b:d3:da:2b:63:4b:fb:f0:4b:08:63:60:e2: 71:65:fd:60:2a:ad:96:c7:d9:16:9b:8b:f0:cd:d8:c3:19:12: bc:cf:c8:62:77:04:c8:11:7b:1b:e0:70:10:5c:da:2a:58:59: f8:41:dd:13:f9:89:d6:74:92:62:35:35:28:19:e8:22:0a:7b: f7:d3:cb:dc:50:54:96:c6:dd:01:f3:e2:ff:94:80:aa:f5:29: 34:aa:a1:be:2a:ce:44:d5:ed:f2:d7:aa:c5:59:64:d5:dc:73: 88:11:8c:d2:5b:ab:d9:f6:a5:1c:bb:8f:d7:cb:f0:fb:dd:1c: ad:2c:03:2d:da:69:ad:5d:27:20:7c:1e:f4:99:ac:46:ca:86: b7:12:aa:05:2b:8c:68:d5:c0:ba:eb:5a:ce:98:0e:b5:fe:10: 97:ad:b1:7d:7c:e0:b6:95:34:6a:bc:a3:74:e7:8a:fe:f7:dd: 50:bc:80:c0
二、颁发证书
1、 在需要使用证书的主机上生成私钥以及证书请求文件
给web服务器生成私钥
[[email protected]_1 ~]# (umask 066; openssl genrsa -out/etc/httpd/ssl/httpd.key 2048) Generating RSA private key, 2048 bit long modulus .............................................................................................................................+++ ............+++ e is 65537 (0x10001)
生成请求文件
[[email protected]_1 ~]# openssl req -new -key/etc/httpd/ssl/httpd.key -days 3650 -out /etc/httpd/ssl/httpd.scr 请求文件 You are about to be asked to enter information that will beincorporated into your certificate request. What you are about to enter is what is called a Distinguished Nameor a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:linuxinfo Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server‘s hostname)[]:linuxinfo.top #真实存在的域名哦 Email Address []:[email protected] 注意:默认国家,省 ,公司名称必须和CA一致 Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: #直接回车即可 An optional company name []: #同上
将请求文件发送给CA服务器
scp /etc/httpd/ssl/httpd.scr [email protected]:/
CA服务器签署正式,并将证书颁发给请求者
[[email protected]_1 /]# openssl ca -in /httpd.scr -out httpd.crt -days 3650 Using configuration from/etc/pki/tls/openssl.cnf Check that the requestmatches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Dec 1 04:40:07 2016 GMT Not After : Nov 29 04:40:07 2026GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = linuxinfo organizationalUnitName = IT commonName = linuxinfo.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:TRUE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 02:7C:2E:19:F6:03:D2:CD:3D:F3:A6:A8:25:21:DB:80:2C:8C:5E:AC X509v3 Authority Key Identifier: keyid:A4:AD:22:00:6C:19:8D:AC:29:A6:E4:E4:13:01:B4:00:C9:C2:1A:15 Certificate is to be certified until Nov 2904:40:07 2026 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified,commit? [y/n]y Write out database with 1 new entries Data Base Updated
将颁发的证书发送给web服务器。
这里就不介绍怎么应用到web服务器了,下面的在写web应用时候一块写到博客了。
openssl 命令详解 http://man.linuxde.net/openssl
本文出自 “秋季” 博客,请务必保留此出处http://lxlxlx.blog.51cto.com/3363989/1879191
以上是关于搭建CA认证中心的主要内容,如果未能解决你的问题,请参考以下文章