OpenSSL (creating a CA and requesting certificates)
2017-09-10
不知岁月惜
OpenSSL's configuration file is /etc/pki/tls/openssl.cnf. Some of its important settings are shown below; several of the directories and files it refers to have to be created by hand.
name_opt = ca_default # subject name options; the default is ca_default
cert_opt = ca_default # certificate field options; the default is ca_default
[ CA_default ] # default CA settings
dir = /etc/pki/CA # base directory of the CA, defined here as the variable $dir
certs = $dir/certs # where issued certificates are kept
crl_dir = $dir/crl # where issued CRLs (lists of revoked certificates) are kept
database = $dir/index.txt # index file (database) of every certificate issued
#unique_subject = no # whether several certificates may carry the same subject; commented out by default
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default directory for newly issued certificates
certificate = $dir/cacert.pem # file name and location of the CA's self-signed certificate
serial = $dir/serial # current certificate serial number; only has to be set once, before the first issuance
crlnumber = $dir/crlnumber # the current crl number
# serial number for CRLs; set once, before the first CRL is generated
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # file name and fixed location of the CA's private key
RANDFILE = $dir/private/.rand # pseudo-random number seed file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # default validity period of an issued certificate, in days
default_crl_days= 30 # default validity period of a CRL, in days
default_md = sha256 # default message digest used for signatures
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match # which policy section (below) governs the subject fields of requests
# For the CA policy
[ policy_match ]
countryName = match # country given in the request; match means it must be the same as the CA's
stateOrProvinceName = match # state or province given by the requester; must be the same as the CA's
organizationName = match # organization name; must be the same as the CA's
organizationalUnitName = optional # department; optional means it may differ from the CA's
commonName = supplied # common name; supplied means it must be present
emailAddress = optional # e-mail address
# For the 'anything' policy # a second, much looser policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional # requests from other countries or regions are accepted
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ] # settings used when generating a certificate signing request
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
Creating the self-signed CA certificate
Create the CA private key
[root@centos7 /etc/pki/CA]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 1024)
Generating RSA private key, 1024 bit long modulus # 1024-bit key by default; the size can also be given as the last argument of the command
.............++++++
.................................+++
........................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem: # set a passphrase
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem: # repeat the passphrase
[root@CentOS7.3 /etc/pki/CA/private]#cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B63B4943DA7D30F0 # DES-EDE3 shows that the key is stored encrypted
[root@CentOS7.3 ~]#touch /etc/pki/CA/index.txt # create the certificate index file
[root@CentOS7.3 ~]#echo 01 > /etc/pki/CA/serial # set the serial number of the first certificate, a two-digit hexadecimal number
[root@CentOS7.3 ~]#echo 01 > /etc/pki/CA/crlnumber # set the number of the first CRL
[root@CentOS7.3 ~]#touch /etc/pki/CA/private/.rand # create the pseudo-random number file
[root@CentOS7.3 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
# create the self-signed certificate. -new: generate a new certificate signing request; -x509: output a self-signed certificate instead of a request, used when creating a private CA;
# -key: path to the private key used for the request; -out: output file, which for a self-signed request is the signed certificate itself;
# -days: validity period of the certificate, in days;
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- # 1. country, state/province and department fields
Country Name (2 letter code) [XX]:CN # country of the CA, as a two-letter country code
State or Province Name (full name) []:xxxxxx # state or province
Locality Name (eg, city) [Default City]:xxxxxx # city
Organization Name (eg, company) [Default Company Ltd]:CentOS # organization name
Organizational Unit Name (eg, section) []:CA # department name
Common Name (eg, your name or your server's hostname) []: # common name, the server's host name
Email Address []: # e-mail address
[root@CentOS7.3 ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text # inspect the generated certificate (output abbreviated)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11088094993200996766 (0x99e0d3a62988619e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com # the issuing CA
Validity
Not Before: Jul 17 14:50:30 2017 GMT
Not After : Jul 12 14:50:30 2037 GMT
Subject: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com # the requester (the same as the issuer here, because the certificate is self-signed)
Issuing a certificate to a client
Generate a private key. Put it with the application (web, ftp, ...) that will use it, in that application's own directory; keys do not have to live in one place and the path is up to you.
cd /etc/pki/tls: private keys go under private, certificates under certs; the application later refers to them from its own configuration (for example as openssl.crt).
[root@CentOS6.9 ~]#(umask 077;openssl genrsa -out /etc/pki/tls/private/test.key 1024)
# generate the private key on the client
Generating RSA private key, 1024 bit long modulus
..............................++++++
.......++++++
e is 65537 (0x10001)
[root@CentOS6.9 ~]#openssl req -new -key /etc/pki/tls/private/test.key -out /etc/pki/tls/test.pem # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country; must be the same as the CA's
State or Province Name (full name) []:HeNan # state or province; must be the same as the CA's
Locality Name (eg, city) [Default City]:zz # city; free choice
Organization Name (eg, company) [Default Company Ltd]:CAServer # organization name; must be the same as the CA's
Organizational Unit Name (eg, section) []:test # department name; free choice
Common Name (eg, your name or your server's hostname) []:test.com # server name
Email Address []: # e-mail address; may be left blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:admin # challenge password, an extra attribute carried in the request
An optional company name []:admin
[root@CentOS6.9 ~]#scp /etc/pki/tls/test.pem root@172.18.xx.xxx:/etc/pki/CA
# send the request to the CA server
Issuing the certificate to the requester (centos6)
[root@CentOS7.3 CA]#openssl ca -in test.pem -out certs/test.crt -days 365
# request file test.pem, output certs/test.crt, valid for one year
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1) # 1 in decimal, (0x1) in hexadecimal
Validity
Not Before: Jul 17 16:14:46 2017 GMT
Not After : Jul 17 16:14:46 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = CAServer
organizationalUnitName = test
commonName = test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3B:F1:1B:6B:88:C2:17:35:19:2E:35:90:C6:22:6E:69:10:FF:B4:02
X509v3 Authority Key Identifier:
keyid:60:3C:95:CB:A1:63:DC:0C:FC:1B:85:22:B3:4D:FD:FB:3B:5E:A4:B8
Certificate is to be certified until Jul 17 16:14:46 2018 GMT (365 days) # valid for one year
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries # one new record added
Data Base Updated
[root@CentOS7.3 CA]#cat serial
02 # serial number of the next certificate
[root@CentOS7.3 CA]#cat index.txt
V 180717161446Z 01 unknown /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com # V: valid certificate
[root@CentOS7.3 CA]#scp certs/test.crt root@172.18.xx.xxx:/etc/pki/tls/certs/
# copy it back to the client and it is ready to use
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-issuer|-subject|-serial|-dates # inspect a certificate: -text full dump, -issuer who issued it, -subject whom it was issued to, -serial, -dates the validity period
[root@CentOS6.9 certs]#openssl x509 -in test.crt -noout -text # dump it as text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com
Validity
Not Before: Jul 17 16:14:46 2017 GMT
Not After : Jul 17 16:14:46 2018 GMT # valid for one year
Subject: C=CN, ST=HeNan, O=CAServer, OU=test, CN=test.com
Subject Public Key Info:
Requesting another certificate for a second application
No new private key is needed; just request another certificate with the existing key.
[root@CentOS6.9 ~]#openssl req -new -key /etc/pki/tls/private/test.key -out /etc/pki/tls/test2.pem # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country; must be the same as the CA's
State or Province Name (full name) []:HeNan # state or province; must be the same as the CA's
Locality Name (eg, city) [Default City]:zz # city; free choice
Organization Name (eg, company) [Default Company Ltd]:CAServer # organization name; must be the same as the CA's
Organizational Unit Name (eg, section) []:test # department name; free choice
Common Name (eg, your name or your server's hostname) []:test2.com # server name
Email Address []: # e-mail address; may be left blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:admin # challenge password, an extra attribute carried in the request
An optional company name []:admin
[root@CentOS6.9 ~]#scp /etc/pki/tls/test2.pem root@172.18.xx.xxx:/etc/pki/CA
# send the request to the CA server
[root@CentOS7.3 CA]#openssl ca -in test2.pem -out certs/test2.crt -days 365
# request file test2.pem, output certs/test2.crt, valid for one year. The session output the post shows for this step is identical to the first issuance (serial 01, CN=test.com); a second signing uses the next serial, 02, and shows CN=test2.com
[root@CentOS7.3 CA]#scp certs/test2.crt root@172.18.xx.xxx:/etc/pki/tls/certs/ # copy it to the client and it is ready to use
Handy details
In /etc/pki/CA, index.txt.old and serial.old hold the previous contents of index.txt and serial, effectively a backup.
Issuing several certificates for the same subject is refused by default; to allow it, edit index.txt.attr (vim index.txt.attr) and change
unique_subject = yes # yes to no
Installing the CA certificate on a desktop machine (no path is involved)
[root@centos7 /etc/pki/CA]#sz cacert.pem # transfer cacert.pem to the desktop
rename it to cacert.crt
double-click it to install the certificate: Next, Browse, choose the Trusted Root Certification Authorities store, Next, Install
[root@centos7 /etc/pki/CA]#openssl ca -status 01 # check whether certificate number 01 is still valid
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V) # valid
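The `openssl ca -status 01` query above and the index.txt lines shown earlier (V for a valid certificate, R plus a revocation date for a revoked one) can be reproduced with a plain-shell reader of the CA database. The following is an added example, not part of the original post: the three index entries it writes are constructed from the line format the post shows, and the E status it also handles is the one `openssl ca -updatedb` assigns to expired entries.

```shell
#!/bin/sh
# Added example, not from the original post: read the CA database (index.txt) directly and
# answer the same question as `openssl ca -status <serial>`.
# index.txt is tab separated:
#   status  expiry (YYMMDDHHMMSSZ)  revocation date (empty unless R)  serial  file  subject DN
# openssl ca writes V (valid), R (revoked) and, after `openssl ca -updatedb`, E (expired).

row() { printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }   # one index.txt line from its six fields

write_sample_index() {  # $1 = file to create; the entries are constructed, not from a real CA
  {
    row V 180717161446Z '' 01 unknown /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com
    row R 180717161446Z 170717162332Z 02 unknown /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test2.com
    row V 170101000000Z '' 03 unknown /C=CN/ST=HeNan/O=CAServer/OU=web/CN=old.test.com
  } > "$1"
}

# cert_status <index.txt> <serial> [now as YYMMDDHHMMSSZ]
# Prints Valid, Revoked, Expired (status E, or expiry earlier than "now") or Unknown.
cert_status() {
  awk -F'\t' -v want="$2" -v now="${3:-}" '
    $4 == want {
      found = 1
      if ($1 == "R") { print "Revoked"; exit }
      # fixed-width UTC stamps compare correctly as strings
      if ($1 == "E" || (now != "" && $2 < now)) { print "Expired"; exit }
      print "Valid"; exit
    }
    END { if (!found) print "Unknown" }' "$1"
}

# revoked_serials <index.txt>: one "serial revocation-date" line per R entry
revoked_serials() { awk -F'\t' '$1 == "R" { print $4, $3 }' "$1"; }

IDX=$(mktemp)
write_sample_index "$IDX"
for s in 01 02 03 09; do
  echo "$s=$(cert_status "$IDX" "$s" 170717000000Z)"   # 01=Valid 02=Revoked 03=Expired 09=Unknown
done
revoked_serials "$IDX"                                 # 02 170717162332Z
rm -f "$IDX"
```

Without the third argument `cert_status` trusts the status column alone, which is what `openssl ca -status` does; passing the current time catches entries that have expired but have not yet been relabelled E by `-updatedb`.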
Making the client centos6.9 a sub-CA
[root@CentOS6.9 ~]#touch /etc/pki/CA/index.txt # create the certificate index file
[root@CentOS6.9 ~]#echo 01 > /etc/pki/CA/serial # set the first serial number; it must be a two-digit hexadecimal number
[root@centos6 /etc/pki/CA]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 1024)
Generating RSA private key, 1024 bit long modulus # 1024-bit key by default; the size can also be given as the last argument of the command
.............++++++
.................................+++
........................+++
e is 65537 (0x10001)
[root@CentOS6.9 CA]#openssl req -new -key private/cakey.pem -out subca.csr
# generate the certificate signing request for the sub-CA
[root@CentOS6.9 CA]#scp subca.csr 172.18.xx.xxx:/etc/pki/CA/ # send it to the root CA server
[root@CentOS7.3 CA]#openssl ca -in subca.csr -out certs/subca.crt -days 3650 # the root CA signs the sub-CA's request (with the default usr_cert extensions the certificate carries CA:FALSE; a sub-CA certificate needs CA:TRUE, for example by signing with -extensions v3_ca)
[root@CentOS7.3 CA]#scp certs/subca.crt 172.18.xx.xxx:/etc/pki/CA/cacert.pem # send the signed certificate back to the sub-CA (centos6.9), where it becomes that CA's cacert.pem
[root@centos6 ~]#openssl genrsa -out centos60.key 1024 # generate the client's private key on centos6
Generating RSA private key, 1024 bit long modulus
.....++++++
....................++++++
e is 65537 (0x10001)
[root@centos6 ~]#ll centos60.key
-rw-r--r--. 1 root root 887 Sep 8 11:38 centos60.key
[root@centos6 ~]#openssl req -new -key centos60.key -out centos60.csr # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country; must be the same as the sub-CA's
State or Province Name (full name) []:HeNan # state or province; must be the same as the sub-CA's
Locality Name (eg, city) [Default City]:zz # city; free choice
Organization Name (eg, company) [Default Company Ltd]:CAServer # organization name; must be the same as the sub-CA's
# the remaining fields are free choice
[root@centos6 ~]#scp centos60.csr 172.18.xx.xxx:/etc/pki/CA # copy the request to the sub-CA
The sub-CA centos6.9 issues the certificate to centos6
[root@CentOS6.9 CA]#openssl ca -in centos60.csr -out certs/centos60.crt -days 365 # issue the certificate
[root@CentOS6.9 CA]#cat index.txt # the first certificate issued is recorded here
[root@CentOS6.9 CA]#sz certs/centos60.crt
[root@CentOS6.9 CA]#sz cacert.pem
Upload both to the desktop: the certificates of the root CA (centos7), the sub-CA (centos6.9) and the client (centos6) are all installed on the desktop.
Revoking a certificate
[root@CentOS6.9 certs]#openssl x509 -in /etc/pki/tls/certs/test.crt -noout -serial -subject
# on the client, look up the certificate's serial number and subject and give them to the CA
serial=01
subject= /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com
[root@CentOS7.3 CA]#cat index.txt # the CA checks its index file to confirm the entry (this listing was taken after the revocation below, hence the R status and the revocation date)
R 180717161446Z 170717162332Z 01 unknown /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com
[root@CentOS7.3 CA]#ll /etc/pki/CA/newcerts/01.pem
-rw-r--r--. 1 root root 3077 Jul 18 00:14 /etc/pki/CA/newcerts/01.pem
# after signing, a <serial>.pem copy of the certificate is written to newcerts
[root@CentOS7.3 CA]#cat /etc/pki/CA/newcerts/01.pem # contains the certificate details and the requester's public key
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com
Validity
Not Before: Jul 17 16:14:46 2017 GMT
Not After : Jul 17 16:14:46 2018 GMT
Subject: C=CN, ST=HeNan, O=CAServer, OU=test, CN=test.com
[root@CentOS7.3 CA]#openssl -revoke /etc/pki/CA/newcerts/01.pem # wrong: -revoke is an option of the ca subcommand, not a command of its own
openssl:Error: '-revoke' is an invalid command.
[root@CentOS7.3 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem # revoke the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@CentOS7.3 CA]#openssl ca -gencrl -out crl/test.crl # regenerate the certificate revocation list
Using configuration from /etc/pki/tls/openssl.cnf
[root@CentOS7.3 CA]#openssl crl -in crl/test.crl -noout -text # inspect the certificate revocation list
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=HeNan/L=ZhengZhou/O=CAServer/OU=CA/CN=www.CAServer.com # the CA's details
Last Update: Jul 17 16:24:37 2017 GMT
Next Update: Aug 16 16:24:37 2017 GMT
CRL extensions:
X509v3 CRL Number:
2
Revoked Certificates:
Serial Number: 01 # serial number of the revoked certificate
Revocation Date: Jul 17 16:23:32 2017 GMT
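The complete flow the post walks through (creating a self-signed CA, issuing a client certificate, setting up a sub-CA, then revoking a certificate and publishing a CRL), as an added, self-contained shell example that is not part of the original post. It runs in a temporary directory with its own minimal openssl.cnf modelled on the sections explained at the top; the subjects, host names and file names are constructed. It goes one step beyond the post in two places: the sub-CA request is signed with `-extensions v3_ca` so the resulting certificate carries CA:TRUE, and the revocation is checked by running `openssl verify -crl_check` against the fresh CRL.

```shell
#!/bin/sh
# Added example, not from the original post: the private-CA lifecycle in a throw-away
# directory. Subjects, host names and file names are constructed.
set -eu

write_cnf() {  # $1 = CA directory; a minimal openssl.cnf with the sections the post explains
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

init_ca() {  # $1 = CA directory: the layout the post creates by hand under /etc/pki/CA
  mkdir -p "$1/newcerts" "$1/crl" "$1/private" && chmod 700 "$1/private"
  : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  write_cnf "$1"
  openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
}

sign() {  # sign <CA directory> <csr> <output cert> [extra openssl ca options]
  d=$1; csr=$2; out=$3; shift 3
  openssl ca -batch -notext -config "$d/openssl.cnf" -in "$csr" -out "$out" "$@" 2>/dev/null
}

run_ca_demo() {  # every command must succeed (set -e); sets DEMO_RESULT=ok at the end
  W=$(mktemp -d); ROOT=$W/root; SUB=$W/sub
  BASE="/C=CN/ST=HeNan/O=CAServer"   # the fields policy_match requires to equal the CA's
  # 1. root CA: key, then a self-signed certificate with the v3_ca extensions
  init_ca "$ROOT"
  openssl req -new -x509 -batch -config "$ROOT/openssl.cnf" -key "$ROOT/private/cakey.pem" \
    -subj "$BASE/OU=CA/CN=www.CAServer.com" -days 7300 -out "$ROOT/cacert.pem"
  # 2. client: its own key and a CSR, signed by the root with the usr_cert extensions
  openssl genrsa -out "$W/test.key" 2048 2>/dev/null
  openssl req -new -batch -config "$ROOT/openssl.cnf" -key "$W/test.key" \
    -subj "$BASE/OU=test/CN=test.com" -out "$W/test.csr"
  sign "$ROOT" "$W/test.csr" "$W/test.crt" -days 365
  openssl verify -CAfile "$ROOT/cacert.pem" "$W/test.crt" >/dev/null
  # 3. sub-CA: own key, certificate issued by the root with -extensions v3_ca (CA:TRUE)
  init_ca "$SUB"
  openssl req -new -batch -config "$SUB/openssl.cnf" -key "$SUB/private/cakey.pem" \
    -subj "$BASE/OU=SubCA/CN=subca.CAServer.com" -out "$W/subca.csr"
  sign "$ROOT" "$W/subca.csr" "$SUB/cacert.pem" -days 3650 -extensions v3_ca
  openssl x509 -in "$SUB/cacert.pem" -noout -text | grep -q 'CA:TRUE'
  # 4. a second client certificate, issued by the sub-CA; verify the chain up to the root
  openssl req -new -batch -config "$SUB/openssl.cnf" -key "$W/test.key" \
    -subj "$BASE/OU=test/CN=test2.com" -out "$W/test2.csr"
  sign "$SUB" "$W/test2.csr" "$W/test2.crt" -days 365
  openssl verify -CAfile "$ROOT/cacert.pem" -untrusted "$SUB/cacert.pem" "$W/test2.crt" >/dev/null
  # 5. revoke the first client certificate, publish a CRL, and check that verification now fails
  openssl ca -batch -config "$ROOT/openssl.cnf" -revoke "$W/test.crt" 2>/dev/null
  openssl ca -batch -config "$ROOT/openssl.cnf" -gencrl -out "$ROOT/crl/crl.pem" 2>/dev/null
  grep -q '^R' "$ROOT/index.txt"   # the index.txt line for serial 01 now starts with R
  cat "$ROOT/cacert.pem" "$ROOT/crl/crl.pem" > "$W/root_with_crl.pem"
  if openssl verify -crl_check -CAfile "$W/root_with_crl.pem" "$W/test.crt" >/dev/null 2>&1; then
    echo "revoked certificate still verifies" >&2; return 1
  fi
  rm -rf "$W"
  DEMO_RESULT=ok
}

if command -v openssl >/dev/null 2>&1; then
  run_ca_demo
  echo "root CA, sub-CA, leaf issuance and revocation all behaved as expected"
fi
```

The keys are generated without a passphrase so the script runs unattended; a production CA key is encrypted as in the post (`-des3`) and unlocked interactively. The `-notext` flag keeps the text dump out of the issued files, which is optional because PEM readers skip anything before the BEGIN line anyway.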