数字证书系列-CA以及用CA 签发用户证书

上一篇了解了证书请求文件(.CSR) https://www.jianshu.com/p/49b5626c8cd5的创建，那么我们如何由证书请求文件获得证书呢？
我们的证书请求文件一般发送给相应（取决于CSR文件创建向导中填写的X.509信息）的可信任“证书签发”机构，他们会给我们生成对应的证书文件(签发证书是收费的哦)；对于我们的个人小站，还需要去付费买“签名数字证书”，这个可怎么办？还好，我们可以自己创建CA证书，然后用CA证书来为自己CSR签发数字证书，只是这个证书不是“可信任”机构签发的，而是我们自己签发的；
废话不多说，我们还是用openssl来创建CA证书：

创建CA证书所需要的私钥：

[root@localhost cert_test]# openssl genrsa -out CA_Key.key  2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................+++
..............................+++
e is 65537 (0x10001)
[root@localhost cert_test]# ls
CA_Key.key  my_cert.csr  myprivate.key  #CA_Key.key 便是新生成的私钥；我们会用该私钥来创建CA证书；

CA证书虽然特殊，但是也是证书，和“证书请求文件（.CSR）”创建的命令几乎一样，唯一不同的是：CA证书是自签证书，为了表示这个证书是自签证书，需要指定证书的格式为 X.509, 只有CA证书采用这种格式：

[root@localhost cert_test]# openssl req -new -x509 -key CA_Key.key  -out CA_Cert.pem  -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuanagZhou
Organization Name (eg, company) [Default Company Ltd]:mycompany
Organizational Unit Name (eg, section) []:Tech_depart
Common Name (eg, your name or your server's hostname) []:www.my.com
Email Address []:
[root@localhost cert_test]# ls
CA_Cert.pem  CA_Key.key  my_cert.csr  myprivate.key  #CA_Cert.pem 就是我们的CA证书了；
[root@localhost cert_test]#

注意在创建CA证书guide中提供的信息，这些信息是我们 创建 CSR所必须的哦；至此我们的CA证书就创建完成了；那么让我们查看刚刚创建的CA证书把：

[root@localhost cert_test]# openssl x509 -in ./CA_Cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c8:bd:28:89:97:82:a7:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=GuanagZhou, O=mycompany, OU=Tech_depart, CN=www.my.com
        Validity
            Not Before: Aug 18 13:31:12 2019 GMT
            Not After : Aug 17 13:31:12 2020 GMT
        Subject: C=CN, ST=GuangDong, L=GuanagZhou, O=mycompany, OU=Tech_depart, CN=www.my.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:85:d4:13:07:0b:f2:5a:6f:f1:7b:ff:14:46:
                    d8:cc:ae:c1:43:8c:79:d6:b4:71:c1:bf:37:84:b5:
                    ab:f0:36:5a:b3:3a:57:38:82:a3:90:e4:b1:6f:b8:
                    90:be:ba:f1:77:2f:ef:72:02:0e:c3:22:5c:04:2d:
                    a8:bd:aa:e4:b6:06:b2:eb:7c:b1:da:d5:f7:12:47:
                    91:46:e2:91:fe:29:e0:e1:71:47:05:44:c0:7c:66:
                    cd:f3:d8:6f:db:6e:66:c5:11:5a:fb:64:5d:a2:1b:
                    9f:97:96:e3:ba:a3:d7:a7:b1:cd:d7:1c:50:52:fa:
                    ad:09:68:1e:a0:b3:47:42:2e:71:e4:62:e5:26:21:
                    51:38:a8:08:67:6a:d4:78:b1:77:01:5c:3e:8d:fc:
                    72:27:79:4c:02:8a:d7:3d:4d:fe:fb:d8:ff:23:ee:
                    4c:1e:7b:5e:40:45:11:29:2e:73:37:c3:a2:a6:f9:
                    6f:8a:d0:36:91:0e:ab:2b:f5:d6:6e:24:fa:68:f2:
                    77:96:55:b7:d0:d2:da:de:c8:f9:5b:b2:fd:90:4f:
                    bb:fc:51:b6:da:f1:16:db:ee:12:2d:69:25:ba:79:
                    8e:27:d3:96:ef:72:61:65:e5:f2:8f:30:d2:23:b0:
                    d8:db:13:0b:22:2d:57:af:a3:4c:f6:6b:36:59:2e:
                    40:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                49:F6:DD:70:70:0E:AA:87:A5:7A:C1:A7:C1:A8:A3:40:DF:91:8C:89
            X509v3 Authority Key Identifier:
                keyid:49:F6:DD:70:70:0E:AA:87:A5:7A:C1:A7:C1:A8:A3:40:DF:91:8C:89

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         a2:22:fe:09:e9:5d:21:e0:d5:eb:fd:a3:4e:5b:97:8c:5d:0f:
         de:8f:23:16:a2:13:b2:d6:a1:0e:1a:21:8d:a9:18:b0:dc:ab:
         3f:43:32:56:91:07:aa:ae:8d:a6:11:59:77:38:9a:f5:63:b0:
         d1:6a:e2:ad:65:63:c1:86:22:bb:91:8a:d2:f3:91:73:8f:0f:
         3a:e2:8f:6d:46:fb:72:ad:a7:1f:01:e8:9d:72:1b:ea:b5:0b:
         1e:5c:cd:fe:8c:9c:88:97:21:b0:a0:b5:48:83:72:83:25:b9:
         73:af:5d:d7:06:c2:2b:66:4e:a4:3c:b1:7c:a3:86:14:e6:91:
         d3:1f:30:be:51:04:b6:28:66:61:9b:f7:05:17:47:11:91:dc:
         cb:9c:73:70:1b:94:9e:89:ce:5a:95:6b:a2:db:fd:f0:b2:ee:
         2a:e8:54:51:2c:be:3d:5b:67:79:1e:e1:85:59:2b:20:1b:58:
         dc:86:e6:29:a9:eb:bf:74:72:2c:f4:fe:55:b4:07:b8:9c:80:
         4c:1e:ac:73:55:44:28:40:c2:3a:29:0f:30:2f:d6:41:fa:d4:
         db:4c:e0:80:bc:3e:94:20:71:0b:1d:ef:4b:dd:87:3e:f0:e8:
         1e:50:5c:8c:48:6a:bb:44:01:bd:9a:5c:d1:f8:db:77:e4:71:
         89:ef:97:9b
[root@localhost cert_test]# 

到这里我们要明白：
如果我们创建证书的时候请求的是X.509 格式的证书，那么就是CA证书，否则就是证书请求文件(CSR).

CA证书创建完成了，我们创建CA的目的是用来给用户证书签名的，下面看怎么进行签名了，所谓的签名：
在检查确认CSR文件的内容没有被篡改/破坏后(因为CSR里面含有公钥，所以用公钥解密那个被私钥加密的hash值，得到一个解密后的hash1，然后对CSR中明文的概要做hash，得到hash2 ，如果hash1,hash2相同就表示内容没有被篡改或者破坏)，就开始对CSR文件进行签名，首先会摘取概要信息，然后对概要进行hash, 获得hash值，然后用CA自己的私钥把hash进行加密，加密完成后，和概要等一起写入新的文件，完成签名；在这个过程中涉及到如下的4个文件：
被签名的CSR文件（含有证书的公钥） , 签名者的证书文件(这里是CA证书，含有签名者的公钥)，签名使用的私钥(签名者的私钥，这里是CA证书的私钥)；签名完成后输出的文件）

[root@localhost cert_test]# ls
CA_Cert.pem  CA_Key.key  my_cert.csr   myprivate.key
#下面是证书签名的命令，需要指定四个文件的路径，如果没有指定CA证书以及CA的key, 那么会默认读取openssl的配置；另外两个文件参数是必须指定的
[root@localhost cert_test]# openssl ca -in ./my_cert.csr  -out ./my.crt -days 365 -cert ./CA_Cert.pem  -keyfile ./CA_Key.key
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140233124767648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
140233124767648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
#据网上搜索，这个错误的原因是格式不对，用下面的命令解决：
[root@localhost cert_test]# echo 01 > /etc/pki/CA/serial  
#重新执行签名
[root@localhost cert_test]# openssl ca -in ./my_cert.csr  -out ./my.crt -days 365 -cert ./CA_Cert.pem  -keyfile ./CA_Key.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 18 13:50:52 2019 GMT
            Not After : Aug 17 13:50:52 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = mycompany
            organizationalUnitName    = Tech_depart
            commonName                = www.my.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B8:21:FC:86:07:E3:80:24:31:FD:0C:5C:B5:26:6B:5A:ED:CA:F3:FF
            X509v3 Authority Key Identifier:
                keyid:49:F6:DD:70:70:0E:AA:87:A5:7A:C1:A7:C1:A8:A3:40:DF:91:8C:89

Certificate is to be certified until Aug 17 13:50:52 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost cert_test]#
[root@localhost cert_test]# ls -l
total 24
-rw-------. 1 root root 1359 Aug 18 21:31 CA_Cert.pem
-rw-------. 1 root root 1675 Aug 18 21:20 CA_Key.key
-rw-r--r--. 1 root root 1021 Aug 18 17:23 my_cert.csr
-rw-------. 1 root root 4509 Aug 18 22:12 my.crt   #该文件就是签名之后的证书文件
-rw-r--r--. 1 root root 1679 Aug 18 17:18 myprivate.key

至此，成功完成了用自己的CA对CSR的签名操作；
你get到了吗？^_
本文原创，转载请注明出处