CA

2017-08-11  姜饼人_9e7b

The openssl configuration file is /etc/pki/tls/openssl.cnf; it contains most of the settings that govern a CA.

[root@CentOS7 ~]#vim /etc/pki/tls/openssl.cnf 

... (part omitted)

####################################################################
[ ca ]
default_ca      = CA_default            # the default CA section

####################################################################
[ CA_default ]                          # default CA settings

dir             = /etc/pki/CA           # top-level directory of all CA files
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where issued CRLs are kept
database        = $dir/index.txt        # certificate index database
#unique_subject = no                    # whether several certificates may share one subject
                                       
new_certs_dir   = $dir/newcerts         # directory for newly issued certificates

certificate     = $dir/cacert.pem       # the CA's own (self-signed) certificate
serial          = $dir/serial           # serial number of the next certificate
crlnumber       = $dir/crlnumber        # number of the next CRL
crl             = $dir/crl.pem          # the current CRL (list of revoked certificates)
private_key     = $dir/private/cakey.pem  # the CA's private key
RANDFILE        = $dir/private/.rand    # random seed file

x509_extensions = usr_cert              # extensions added to issued certificates
...
default_days    = 365                   # default certificate validity
default_crl_days= 30                    # how long a CRL is valid before a new one must be issued
default_md      = sha256                # hash algorithm used for signing
preserve        = no                    # keep passed DN ordering
...
policy          = policy_match          # the CA policy in use

# For the CA policy
[ policy_match ]                        # definition of the policy_match policy
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]                    # definition of the policy_anything policy
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied

1. Create the private CA's private key
According to the configuration file above, the CA private key is stored at /etc/pki/CA/private/cakey.pem.

[root@CentOS7 ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............................................................+++
e is 65537 (0x10001)
[root@CentOS7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 1 file

In the command above, the parentheses run the commands in a subshell, so the umask is only changed temporarily there; the private key file therefore gets mode 600 at the moment it is created.

2. Generate the self-signed certificate
Use the CA private key from the previous step to generate the self-signed certificate /etc/pki/CA/cacert.pem, valid for ten years.
The -x509 option makes openssl req output a self-signed certificate instead of a certificate request.

[root@CentOS7 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:Magedu.com        
Organizational Unit Name (eg, section) []:M24
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

[root@CentOS7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files


The following command displays the contents of the signed certificate:

[root@CentOS7 ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

3. Create the certificate index database, the serial file and a directory for incoming requests

[root@CentOS7 ~]#touch /etc/pki/CA/index.txt
# create the certificate index database file
[root@CentOS7 ~]#echo 01 >  /etc/pki/CA/serial
# set the serial number of the first certificate to be issued
[root@CentOS7 ~]#mkdir /etc/pki/CA/csr/

Client side:

1. Generate a private key
Unlike on the CA server, where the configuration file fixes the key location, the client's private key can be stored at any path.

[root@CentOS6 ~]#(umask 066;openssl genrsa -out /app/service.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
..................+++
e is 65537 (0x10001)
[root@CentOS6 ~]#ll /app
total 4
-rw-------. 1 root root 1675 Jul 15 09:16 service.key

2. Generate a certificate signing request on the host that needs the certificate

[root@CentOS6 ~]#openssl req -new -key /app/service.key -out /app/service.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:Magedu.com
Organizational Unit Name (eg, section) []:beiguoxia
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Copy the request file to the CA server

[root@CentOS6 ~]#scp /app/service.csr 192.168.5.133:/etc/pki/CA/csr
root@192.168.5.133's password: 
service.csr                                        100% 1025     1.0KB/s   00:00    

Issue the certificate on the CA server:

[root@CentOS7 CA]#openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.cer -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 17 12:43:54 2017 GMT
            Not After : Oct 25 12:43:54 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GUANGDONG
            organizationName          = Magedu.com
            organizationalUnitName    = beiguoxia
            commonName                = www.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AA:35:D0:2E:EF:8C:91:59:98:FD:7A:96:6A:75:36:4E:97:1D:3A:30
            X509v3 Authority Key Identifier: 
                keyid:91:B1:F6:B0:EA:2A:3F:A2:F8:93:A7:11:75:44:D4:2C:67:2E:2E:31

Certificate is to be certified until Oct 25 12:43:54 2017 GMT (100 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The output shows that the certificate was issued and the database updated. Let's take a look:

[root@CentOS7 CA]#tree `/etc/pki/CA`
-bash: /etc/pki/CA: Is a directory
.
├── cacert.pem
├── certs
│   └── service.cer
├── crl
├── csr
│   └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
[root@CentOS7 CA]#cat serial
02

As you can see, the next serial number in the serial file has changed from 01 to 02.
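The whole procedure above, the CA-side setup (steps 1 to 3), the client key and request, and issuance with openssl ca, as one non-interactive script, together with a check of what the policy_match section in the configuration file actually enforces. This is an added example and not code from the original post: it builds a scratch CA under a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf with the same CA_default and policy_match settings, and passes the subjects with -subj instead of answering prompts. The function names (write_config, ca_bootstrap, make_csr, ca_issue, demo), the directory layout under the temporary directory and the second "other" request are this example's own choices; the subjects reuse the values from the post. Besides repeating the post's steps, it shows the failure mode the post does not exercise: a request whose stateOrProvinceName differs from the CA's is refused by policy_match, and the serial file is left untouched.

```shell
#!/bin/sh
# Added example, not from the original post: a scratch private CA with the
# /etc/pki/CA layout and the CA_default / policy_match settings shown above,
# driven without prompts. Everything lives under a directory the caller picks.

CA_SUBJECT="/C=CN/ST=GUANGDONG/O=Magedu.com/OU=M24/CN=ca.magedu.com"

# Minimal openssl.cnf for this CA; $dir is expanded by the shell while writing.
# v3_ca marks the self-signed root as a CA, usr_cert marks issued certs as not.
write_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
x509_extensions = usr_cert
default_days    = 365
default_md      = sha256
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer
EOF
}

# CA side, steps 1-3 of the post: layout, 0600 CA key via a subshell umask,
# ten-year self-signed CA certificate, empty index.txt and serial = 01.
ca_bootstrap() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private" "$dir/csr"
    chmod 700 "$dir/private"
    write_config "$dir"
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" -days 3650 -subj "$CA_SUBJECT"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
}

# Client side: 0600 private key and a CSR carrying the given subject. A tiny
# req-only config stands in for the client host's own /etc/pki/tls/openssl.cnf.
make_csr() {
    key=$1; csr=$2
    (umask 066; openssl genrsa -out "$key" 2048 2>/dev/null)
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$csr.cnf"
    openssl req -new -config "$csr.cnf" -key "$key" -out "$csr" -subj "$3"
}

# CA side: sign a CSR. -batch answers the two y/n prompts. openssl ca exits
# non-zero when the CSR breaks policy_match, and then consumes no serial.
ca_issue() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" -days "$4"
}

demo() {
    work=$(mktemp -d); ca="$work/CA"
    ca_bootstrap "$ca"
    make_csr "$work/service.key" "$ca/csr/service.csr" \
        "/C=CN/ST=GUANGDONG/O=Magedu.com/OU=beiguoxia/CN=www.magedu.com"
    ca_issue "$ca" "$ca/csr/service.csr" "$ca/certs/service.cer" 100 >/dev/null 2>&1
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/service.cer"
    echo "next serial after issuing: $(cat "$ca/serial")"
    # Same C and O but a different ST: policy_match refuses to sign.
    make_csr "$work/other.key" "$ca/csr/other.csr" \
        "/C=CN/ST=BEIJING/O=Magedu.com/CN=other.magedu.com"
    if ca_issue "$ca" "$ca/csr/other.csr" "$ca/certs/other.cer" 100 >/dev/null 2>&1; then
        echo "unexpected: policy_match did not reject the request"
    else
        echo "rejected by policy_match; next serial still $(cat "$ca/serial")"
    fi
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh ca_demo.sh demo`. The two things worth noticing are the mode of the key files (the subshell umask yields 600 just as in the post) and that the refused request leaves serial at 02, because openssl ca aborts before it touches the database.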
