创建私有CA过程

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了创建私有CA过程相关的知识,希望对你有一定的参考价值。

openssl命令:配置文件:/etc/pki/tls/openssl.cnf

构建私有CA:

在确定配置为CA的服务上生成一个自签证书,并为CA提供所需要的目录及文件即可

步骤:

(1) 生成私钥;

[[email protected] ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

(2) 生成自签证书;

[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

    /*-new:生成新证书签署请求;

    -x509:生成自签格式证书,专用于创建私有CA时;

     -key:生成请求时用到的私有文件路径;

     -out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;

     -days:证书的有效时长,单位是day;*/

You are about to be asked to enter information that will be incorporatedinto your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Beijing

Locality Name (eg, city) [Default City]:Beijing

Organization Name (eg, company) [Default Company Ltd]:ME

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server‘s hostname) []:ca.me.com

Email Address []:[email protected]

  

(3) 为CA提供所需的目录及文件;

[[email protected] /]# mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}

[[email protected] /]# touch /etc/pki/CA/{serial,index.txt}

[[email protected] /]# echo 01 > /etc/pki/CA/serial 

要用到证书进行安全通信的服务器,需要向CA请求签署证书:

步骤:(以httpd为例) 

(1) 用到证书的主机生成私钥;

[[email protected] httpd]# mkdir /etc/httpd/ssl

[[email protected] httpd]# cd  /etc/httpd/ssl

[[email protected] ssl]#  (umask  077; openssl  genrsa -out  /etc/httpd/ssl/httpd.key  2048)

Generating RSA private key, 2048 bit long modulus

........+++

..+++

e is 65537 (0x10001)

(2) 生成证书签署请求

[[email protected] ssl]#  openssl  req  -new  -key  /etc/httpd/ssl/httpd.key  -out /etc/httpd/ssl/httpd.csr  -days  365

You are about to be asked to enter information that will be incorporatedinto your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Beijing

Locality Name (eg, city) [Default City]:Beijing

Organization Name (eg, company) [Default Company Ltd]:ME

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server‘s hostname) []:www.me.com

Email Address []:[email protected]

Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


(3) 将请求通过可靠方式发送给CA主机;

测试使用scp命令将请求发送至CA主机

[[email protected] ssl]# scp http.csr [email protected]:/tmp/

The authenticity of host ‘192.168.0.104 (192.168.0.104)‘ can‘t be established.

ECDSA key fingerprint is f6:80:c9:d6:5a:68:10:a0:95:49:a5:1c:48:f8:65:68.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.0.104‘ (ECDSA) to the list of known hosts.

[email protected]‘s password: 

http.csr                                                100% 1041     1.0KB/s   00:00 

(4) 在CA主机上签署证书;

[[email protected] /]# openssl ca -in /tmp/http.csr -out /etc/pki/CA/certs/httpd.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jun  3 14:05:39 2017 GMT

Not After : Jun  3 14:05:39 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = ME

organizationalUnitName    = Ops

commonName                = www.me.com

emailAddress              = [email protected]

X509v3 extensions:

X509v3 Basic Constraints: 

CA:FALSE

Netscape Comment: 

OpenSSL Generated Certificate

X509v3 Subject Key Identifier: 

5A:FA:98:3F:D1:96:7B:F0:FF:83:BC:F5:2A:41:85:3E:DF:20:81:3E

X509v3 Authority Key Identifier: 

keyid:74:46:21:24:27:6E:85:46:7E:37:6F:44:E9:97:76:3C:65:EB:6C:F8


Certificate is to be certified until Jun  3 14:05:39 2018 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

查看证书序列号:

[[email protected] CA]# cat /etc/pki/CA/index.txt

V180603140539Z01unknown/C=CN/ST=Beijing/O=ME/OU=Ops/CN=www.me.com

/[email protected]

将证书发给请求者:

[[email protected] CA]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/

The authenticity of host ‘192.168.0.150 (192.168.0.150)‘ can‘t be established.

ECDSA key fingerprint is 3b:89:4b:0b:f3:88:e8:9f:ab:8b:d0:d8:7a:83:6c:f2.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.0.150‘ (ECDSA) to the list of known hosts.

[email protected]‘s password: 

httpd.crt   

                                           100% 5819     5.7KB/s   00:00  

查看证书中的信息:

[[email protected] CA]# openssl  x509  -in /etc/pki/CA/certs/httpd.crt  -noout  -serial  -subjectserial=01

subject= /C=CN/ST=Beijing/O=ME/OU=Ops/CN=www.me.com/[email protected]

或者:在客户机查看

[[email protected] ssl]# openssl  x509  -in /etc/httpd/ssl/httpd.crt  -noout  -serial  -subjectserial=01

subject= /C=CN/ST=Beijing/O=ME/OU=Ops/CN=www.me.com/[email protected]



吊销证书:

步骤:

(1) 客户端获取要吊销的证书的serial(在使用证书的主机执行):

~]# openssl  x509  -in /etc/pki/CA/certs/httpd.crt  -noout  -serial  -subject

(2) CA主机吊销证书

先根据客户提交的serial和subject信息,对比其与本机数据库index.txt中存储的是否一致;

    吊销:

# openssl  ca  -revoke  /etc/pki/CA/newcerts/SERIAL.pem

其中的SERIAL要换成证书真正的序列号;

(3) 生成吊销证书的吊销编号(第一次吊销证书时执行)

# echo  01  > /etc/pki/CA/crlnumber

(4) 更新证书吊销列表

# openssl  ca  -gencrl  -out  thisca.crl 

查看crl文件:

        # openssl  crl  -in  /PATH/FROM/CRL_FILE.crl  -noout  -text


本文出自 “11290766” 博客,请务必保留此出处http://rylan.blog.51cto.com/11290766/1932035

以上是关于创建私有CA过程的主要内容,如果未能解决你的问题,请参考以下文章

创建私有CA并进行证书申请

OpenSSL(私有CA)

使用 OpenSSL 创建私有 CA:3 用户证书

自建私有CA

Linux学习笔记—— 基于CentOS创建私有CA及应用

创建私有CA