Steps and process for creating a private CA with openssl

The openssl command-line tool: a single command whose many subcommands implement the various cryptographic functions.

    The standard commands include:
        enc, dgst, ca, req, genrsa, rand, rsa, x509, passwd, ...

        1. Symmetric encryption command: enc
            Provides symmetric ciphers for manually encrypting data or files.

            Format: openssl enc -ciphername [-in filename] [-out filename] [-e] [-d] [-a/-base64] [-salt]
                -ciphername: name of the cipher
                -in filename: path of the file openssl reads
                -out filename: path of the file that receives the result of the encryption or decryption
                -e: encrypt
                -d: decrypt
                -a/-base64: base64-encode the ciphertext so it is stored as plain text
                -salt: use a random salt

                Examples:
                    Encrypt a file (-e, with -in naming the file and -out where the ciphertext is stored):
                        ~]# openssl enc -e -des3 -in anaconda-ks.cfg -a -out anaconda-ks.cfg.encryptfile
                    Decrypt a file (-d, with -in naming the ciphertext and -out where the decrypted file is stored):
                        ~]# openssl enc -d -des3 -out anaconda-ks.cfg -a -in anaconda-ks.cfg.encryptfile
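The enc round trip above, as an added example that is not part of the original post: the post's legacy 3DES invocation beside a hardened AES-256-CBC/PBKDF2 form, plus a check that enc itself never authenticates the ciphertext. The constructed input file, the demo passphrase and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): 'openssl enc' round trips, legacy
# 3DES form beside a hardened AES/PBKDF2 form. Input, passphrase and helper names
# are assumptions of this demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf 'constructed sample text\n' > "$WORK/plain.txt"   # constructed input file
PASS="pass:demo-passphrase"   # demo only; prefer -pass file:/path or -kfile in real use
# As on the page: 3DES, single-iteration legacy key derivation, base64 output (-a)
legacy_roundtrip() {
  openssl enc -e -des3 -a -salt -pass "$PASS" -in "$WORK/plain.txt" -out "$WORK/legacy.enc" 2>/dev/null
  openssl enc -d -des3 -a -pass "$PASS" -in "$WORK/legacy.enc" -out "$WORK/legacy.dec" 2>/dev/null
  cmp -s "$WORK/plain.txt" "$WORK/legacy.dec"
}
# Hardened: AES-256-CBC with PBKDF2 and an explicit iteration count on both sides
modern_roundtrip() {
  openssl enc -e -aes-256-cbc -pbkdf2 -iter 100000 -a -salt -pass "$PASS" \
    -in "$WORK/plain.txt" -out "$WORK/modern.enc"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a -pass "$PASS" \
    -in "$WORK/modern.enc" -out "$WORK/modern.dec"
  cmp -s "$WORK/plain.txt" "$WORK/modern.dec"
}
# enc adds no integrity check: a wrong passphrase is usually caught only by the
# CBC padding test, so the output is untrusted unless it compares equal
wrong_pass_differs() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -a -pass pass:wrong \
    -in "$WORK/modern.enc" -out "$WORK/wrong.dec" 2>/dev/null || true
  ! cmp -s "$WORK/plain.txt" "$WORK/wrong.dec"
}
legacy_roundtrip && modern_roundtrip && wrong_pass_differs && echo "all checks passed"
```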

        2. One-way hashing (message digest) command: dgst
            Example:
                Compute the SHA-1 digest of the fstab file
                ~]# openssl dgst -sha1 fstab

        3. Random number generation command: rand
            openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num
            Example:
                ~]# openssl rand -base64 8

        4. Generate a salted password hash: passwd
            openssl passwd -1 -salt SALT_STRING    (-1 selects the MD5-based crypt format)
            Example:
                ~]# openssl passwd -1 -salt 01234567

        5. Public-key algorithm: genrsa
                Generates a private key for the RSA algorithm.
                openssl genrsa [-out filename] [-des] [-des3] [-idea] [-f4] [-3] [numbits]

            Set a restrictive umask while generating the private key so the file is created with mode 0600:
                ~]# (umask 077 ; openssl genrsa -out /tmp/my.key 4096)
                ~]# (umask 077 ; openssl genrsa > /tmp/my.key 4096)

            Extract the public key from an already generated private key file: rsa
                openssl rsa [-in filename] [-out filename] [-pubout]
                    -pubout: output the public key
                    -in filename: path of the private key file
                    -out filename: path of the public key file

                Example:
                    ~]# openssl rsa -in my.key -out mykey.pub -pubout

Building a private CA with openssl:
    1. Create the private key file on the CA host;
    2. Generate a self-signed certificate;
    3. Provide the directories and text files the CA requires;
        Directories:
            /etc/pki/CA/certs
            /etc/pki/CA/crl
            /etc/pki/CA/newcerts
        Text files:
            /etc/pki/CA/serial: holds the serial number of the next certificate to be issued; it is normally initialized to 01;
            /etc/pki/CA/index.txt: certificate index (the CA database);
            /etc/pki/tls/openssl.cnf: configuration file;

Steps to create the private CA:
    1. Create the CA's private key file:
    [[email protected] CA]# ls
    certs  crl  newcerts  private
    [[email protected] CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/clcakey.pem 2048) 
    Generating RSA private key, 2048 bit long modulus
    ....+++
    ....................................................................................................................................+++
    e is 65537 (0x10001)
    [[email protected] CA]# ll private/
    总用量 4
    -rw-------. 1 root root 1675 4月  11 09:01 clcakey.pem

    2. Generate the self-signed certificate:
    [[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/clcakey.pem -out /etc/pki/CA/clcacert.pem -days 10000
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Hebei                                             
    Locality Name (eg, city) [Default City]:Handan
    Organization Name (eg, company) [Default Company Ltd]:cl              
    Organizational Unit Name (eg, section) []:Tech
    Common Name (eg, your name or your server's hostname) []:clca.handan.com
    Email Address []:mail.clhandan.com

[[email protected] CA]# ls
certs  clcacert.pem  crl  newcerts  private

    3. Complete the directory and text-file structure:

[[email protected] CA]# touch /etc/pki/CA/index.txt
[[email protected] CA]# ls
certs clcacert.pem crl index.txt newcerts private
[[email protected] CA]# echo 01 > /etc/pki/CA/serial
[[email protected] CA]# ls
certs clcacert.pem crl index.txt newcerts private serial

Viewing the certificate on the CA:
    View the serial number:
        [[email protected] CA]# openssl x509 -in clcacert.pem  -noout -serial
        serial=F0FD9E8DA617E97D
    View the subject:
        [[email protected] CA]# openssl x509 -in clcacert.pem  -noout -subject
        subject= /C=CN/ST=hebei\x08:Hebei/L=Handan/O=cl/OU=Tech/CN=clca.handan.com/emailAddress=mail.clhandan.com

Revoking a certificate: this must be done on the CA;
    1. Get the serial number of the client certificate:
        openssl x509 -in /etc/pki/CA/certificate -noout -serial

    2. Revoke the certificate:
        openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

        Note: replace "SERIAL" in the command above with the serial number of the certificate being revoked;

    3. Create the CRL number file; this is only needed the first time a certificate is revoked. It holds the number of the next CRL (initially 01, incremented by openssl ca on every CRL it generates), and its path must match the crlnumber setting in openssl.cnf:
        echo 01 > /etc/pki/CA/crl/crlnumber

    4. Update the certificate revocation list:
        openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

    5. View the CRL:
        openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
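The CA creation steps and the revocation procedure above, run end to end as an added example that is not part of the original post: a throw-away CA is built in a temporary directory following the same three steps, one server certificate is signed with openssl ca, then revoked, and a CRL is generated and enforced with openssl verify -crl_check. The temporary paths, the subject names and the minimal openssl.cnf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): throw-away private CA built per the
# post's steps, then sign, revoke and CRL-check one server cert. Paths, names and
# the minimal openssl.cnf below are assumptions of this demo.
set -eu
CA=$(mktemp -d); trap 'rm -rf "$CA"' EXIT
mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"   # directory-level files
touch "$CA/index.txt"      # certificate database; 'openssl ca' records every cert here
echo 01 > "$CA/serial"     # serial of the next certificate to be issued
echo 01 > "$CA/crlnumber"  # number of the next CRL; incremented by each -gencrl
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
export OPENSSL_CONF="$CA/openssl.cnf"
# Steps 1 and 2: CA private key (mode 0600 via umask) and self-signed CA certificate
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -sha256 -days 3650 -key "$CA/private/cakey.pem" \
  -out "$CA/cacert.pem" -subj "/CN=demo-ca"
# A server generates its own key and CSR; the CA signs the CSR with 'openssl ca'
(umask 077; openssl genrsa -out "$CA/server.key" 2048 2>/dev/null)
openssl req -new -key "$CA/server.key" -out "$CA/server.csr" -subj "/CN=www.example.test"
openssl ca -batch -in "$CA/server.csr" -out "$CA/certs/server.crt" 2>/dev/null
verify_no_crl() { openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/server.crt" >/dev/null 2>&1; }
verify_with_crl() {   # CA cert and CRL in one -CAfile; -crl_check enforces the CRL
  cat "$CA/cacert.pem" "$CA/crl/ca.crl" > "$CA/ca-and-crl.pem"
  openssl verify -crl_check -CAfile "$CA/ca-and-crl.pem" "$CA/certs/server.crt" >/dev/null 2>&1
}
verify_no_crl && echo "before revocation: chain valid"
openssl ca -revoke "$CA/certs/server.crt" 2>/dev/null   # marks the entry R in index.txt
openssl ca -gencrl -out "$CA/crl/ca.crl" 2>/dev/null    # note the spelling: -gencrl
verify_with_crl || echo "after revocation: rejected by CRL check"
```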
