    Setting up a private CA server

    1 What is a CA

    A CA (Certificate Authority) is responsible for issuing, managing, archiving and revoking certificates. A certificate contains the holder's name, address, e-mail address and public key, the certificate's validity period, the issuing CA and the CA's digital signature, among other information. Certificates serve three main purposes: encryption, signing and authentication.

    2 Setting up the CA server

    2.1 Reviewing the configuration file

    The relevant sections of /etc/pki/tls/openssl.cnf, annotated:

    default_ca      = CA_default            # The default ca section                  # which section the ca command uses
    
    ####################################################################
    [ CA_default ]
    
    dir             = /etc/pki/CA           # Where everything is kept                # the CA's home directory
    certs           = $dir/certs            # Where the issued certs are kept         # where issued certificates are stored
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.                    # certificate index file
    #unique_subject = no                    # Set to 'no' to allow creation of        # whether to allow requests with an identical subject
                                            # several ctificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.            # where newly issued certificates are placed
    
    certificate     = $dir/cacert.pem       # The CA certificate                      # the CA's own self-signed certificate
    serial          = $dir/serial           # The current serial number               # current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL                         # current certificate revocation list
    private_key     = $dir/private/cakey.pem# The private key                         # location of the CA's own private key
    RANDFILE        = $dir/private/.rand    # private random number file
    
    x509_extensions = usr_cert              # The extentions to add to the cert
    
    default_days    = 365                   # how long to certify for                 # default validity of issued certificates
    
    policy          = policy_match                                                    # certificate issuing policy; the section is defined below
    
    # For the CA policy
    [ policy_match ]
    countryName             = match         # match: the field must be identical in the CA's certificate and in the request; the other fields matter little
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    countryName_default             = XX    # default country, a 2-letter code; further defaults follow (province, city, company, and so on)

    2.2 Generating the CA private key

    [root@localhost CA]# cd /etc/pki/CA/               # change to the CA directory
    [root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)  # generate the private key with the openssl genrsa subcommand
    Generating RSA private key, 2048 bit long modulus
    ..+++
    ...................................................................................................................................................................................................................+++
    e is 65537 (0x10001)

    Note: the parentheses run the commands in a subshell of the current shell, so settings made inside them apply only within that subshell; the commands inside are separated by ";". umask sets the file-creation mask (077 removes group and other permissions from the key file). -out sets where the generated private key is written; without it the key is printed to the terminal. 2048 is the key length in bits; the default is 1024.

    2.3 Generating the self-signed CA certificate

    [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN
    State or Province Name (full name) [Berkshire]:HENAN
    Locality Name (eg, city) [Newbury]:ZHENGZHOU
    Organization Name (eg, company) [My Company Ltd]:ZKYT
    Organizational Unit Name (eg, section) []:TECH
    Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.com
    Email Address []:caadmin@linuxpanda.com
    • req: generate a certificate signing request
    • -x509: output a self-signed certificate instead of a request
    • -days n: validity of the certificate in days
    • -new: new request
    • -key /path/to/keyfile: private key file to use
    • -out /path/to/somefile: where to write the certificate

    2.4 Viewing the CA certificate

    [root@localhost CA]# openssl x509 -in cacert.pem  -noout -text

    2.5 Initializing the working environment

    [root@localhost CA]# touch index.txt serial   # create the index.txt and serial files
    [root@localhost CA]# echo 01 >serial          # write the initial serial number

    [root@localhost CA]# mkdir csr crl newcerts   # create the csr, crl and newcerts directories
    • index.txt: index (database) file, used to look up certificates by serial number
    • serial: serial-number file; it is only assigned a value by hand before the first certificate is issued
    • csr: directory for certificate requests
    • crl: directory for revocation lists
    • newcerts: directory for issued certificates

    3 The node requests a certificate

    3.1 Generating the key pair

    [root@localhost CA]# cd /etc/httpd/ssl                       # enter httpd's ssl configuration subdirectory
    -bash: cd: /etc/httpd/ssl: No such file or directory
    [root@localhost CA]# ls
    cacert.pem  index.txt  private  serial
    [root@localhost CA]# cd /etc/httpd/               # look at the directory
    [root@localhost httpd]# ls
    conf  conf.d  logs  modules  run  
    [root@localhost httpd]# mkdir ssl                  # create the ssl directory to hold the key
    [root@localhost httpd]# (umask 077; openssl genrsa -out ssl/httpd.key 2048) # generate the private key
    Generating RSA private key, 2048 bit long modulus
    .+++
    ............................+++
    e is 65537 (0x10001)

    3.2 Generating the certificate request

    [root@localhost httpd]# openssl req -new -key ssl/httpd.key  -out ssl/httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN
    State or Province Name (full name) [Berkshire]:HENAN 
    Locality Name (eg, city) [Newbury]:ZHENGZHOU 
    Organization Name (eg, company) [My Company Ltd]:ZKYT
    Organizational Unit Name (eg, section) []:TECH
    Common Name (eg, your name or your server's hostname) []:tech1.linuxpanda.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    3.3 Sending the request file to the CA server

    [root@localhost httpd]# scp ssl/httpd.csr 192.168.137.100:/etc/pki/CA/csr/httpd.csr
    root@192.168.137.100's password: 
    httpd.csr                                                                                                                                                         100% 1013     1.0KB/s   00:00    
    [root@localhost httpd]# ls /etc/pki/CA/csr
    httpd.csr

    4 The CA server signs the certificate

    4.1 Signing the certificate on the CA server

    [root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Error opening CA private key ../../CA/private/cakey.pem
    12948:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
    12948:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    unable to load CA private key
    [root@localhost CA]# vim /etc/pki/tls/
    cert.pem     certs/       misc/        openssl.cnf  private/     
    [root@localhost CA]# vim /etc/pki/tls/openssl.cnf      # edit the config file and change ../../CA to /etc/pki/CA
    [root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    I am unable to access the /etc/pki/CA/newcerts directory          # the newcerts directory has not been created yet
    /etc/pki/CA/newcerts: No such file or directory
    [root@localhost CA]# mkdir newcerts                               # create the newcerts directory
    [root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 25 02:15:21 2017 GMT
                Not After : Mar 25 02:15:21 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HENAN
                organizationName          = ZKYT
                organizationalUnitName    = TECH
                commonName                = tech1.linuxpanda.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    B3:E9:86:1A:74:99:85:F1:A2:79:B4:53:C6:FD:5A:AF:8E:56:CB:C3
                X509v3 Authority Key Identifier: 
                    keyid:00:0F:4A:D3:69:3F:20:D7:FA:10:3C:0A:36:9B:6F:6A:97:42:68:29
    
    Certificate is to be certified until Mar 25 02:15:21 2018 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries

    4.2 Sending the certificate back to the requester

    [root@localhost CA]# scp httpd.crt  192.168.137.100:/etc/httpd/ssl
    root@192.168.137.100's password: 
    httpd.crt      

    5 Revoking a certificate

    5.1 The node requests revocation

    [root@localhost CA]# openssl x509 -in httpd.crt  -noout -serial -subject
    serial=01
    subject= /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com
    • x509: operate on a certificate
    • -in: the certificate to be revoked
    • -noout: do not print the encoded certificate
    • -serial: print the serial number
    • -subject: print the subject

    5.2 Check that the serial and subject submitted by the node match the entry in index.txt

    [root@localhost CA]# cat index.txt
    V    180325021521Z        01    unknown    /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com

    5.3 Revoking the certificate

    [root@localhost CA]# openssl ca -revoke newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated

    5.4 Creating the CRL number file (only before the first revocation)

    [root@localhost CA]# echo 00 > crlnumber

    5.5 Updating the certificate revocation list

    Although the certificate has been revoked above, nobody else can know that yet. Only a CRL lets relying parties learn which certificates have been revoked.

    [root@localhost CA]# openssl ca -gencrl -out crl/ca.crl
    Using configuration from /etc/pki/tls/openssl.cnf

    5.6 Viewing the CRL

    [root@localhost CA]# openssl crl -in crl/ca.crl -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=CN/ST=HENAN/L=ZHENGZHOU/O=ZKYT/OU=TECH/CN=ca.linuxpanda.com/emailAddress=caadmin@linuxpanda.com
            Last Update: Mar 25 02:30:21 2017 GMT
            Next Update: Apr 24 02:30:21 2017 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    0
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Mar 25 02:26:19 2017 GMT
        Signature Algorithm: sha1WithRSAEncryption
            63:20:78:c1:0e:9d:f5:57:b9:b5:ae:2b:be:ce:50:28:8d:e7:
            7a:17:eb:e0:29:5b:bd:47:aa:76:e5:dd:a6:99:f4:4c:e0:e5:
            c2:71:2d:54:ff:2e:44:ad:15:9d:02:75:0f:6d:dc:0f:a7:fc:
            e8:95:0e:6f:f2:cf:a8:ed:19:ea:ff:57:bb:4b:62:c7:a1:62:
            39:b0:75:67:0c:cc:db:5b:f9:b3:99:49:e5:fd:bd:f7:39:a2:
            4a:27:d9:b9:ad:7d:a7:55:59:11:c2:bb:82:54:dd:c3:63:25:
            93:b2:f9:dc:7f:4c:d7:09:48:06:ad:bd:04:56:e6:8d:1c:9d:
            e1:d8:ab:63:49:a8:49:c7:a1:35:2a:b4:fb:dd:c4:b9:38:38:
            47:2c:e5:77:7f:53:33:1d:e5:28:a7:87:53:d7:a8:8b:a5:5f:
            da:51:4e:7c:f8:87:59:a7:5e:2a:33:c1:b2:37:c8:c1:71:df:
            24:fa:2d:ba:40:e4:b8:70:46:d0:fb:e3:9e:c9:3b:85:6b:ae:
            8a:a5:b6:6e:9e:08:ed:5d:74:ab:6f:a9:83:6d:b2:86:5d:23:
            ce:0f:05:3e:f6:e6:f5:e8:a5:ef:d2:d1:d7:eb:bc:e7:44:1b:
            fc:61:6b:85:b2:14:c2:94:8a:e3:46:59:f9:34:a5:6e:a1:4d:
            2d:93:e2:70
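    The whole procedure from sections 2 to 5 as one added end-to-end script; it is not from the original post and runs without root in a temporary directory with its own minimal openssl.cnf standing in for /etc/pki/tls/openssl.cnf. It assumes only the openssl CLI; the directory layout, the config and the names ca.example.test and tech1.example.test are constructed. It also demonstrates the point of 5.5: after -revoke, the certificate still verifies until the relying party actually checks the CRL.

```shell
# Added example (not from the original post): the page's CA lifecycle (sections 2-5) run
# end to end in a throwaway directory with its own minimal openssl.cnf, so no root and no
# edit of /etc/pki/tls/openssl.cnf is needed. Assumes the openssl CLI; names are made up.
set -eu
ca_lifecycle() {
  dir=$(mktemp -d); cfg="$dir/openssl.cnf"                    # stand-in for /etc/pki/CA
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/crl" "$dir/csr"            # 2.5 init
  touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 00 > "$dir/crlnumber"
  cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # 2.2-2.3: CA key (umask 077 gives it mode 0600) and self-signed CA certificate
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$cfg" -key "$dir/private/cakey.pem" -days 365 \
    -addext "basicConstraints=critical,CA:TRUE" -out "$dir/cacert.pem" \
    -subj "/C=CN/ST=HENAN/O=ZKYT/CN=ca.example.test"
  # 3.1-3.2: node key and CSR; C, ST and O must equal the CA's under policy_match
  (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$cfg" -key "$dir/httpd.key" -out "$dir/csr/httpd.csr" \
    -subj "/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.example.test"
  # 4.1: sign (-batch answers both y/n prompts); the CA's copy lands in newcerts/01.pem
  openssl ca -batch -notext -config "$cfg" -days 365 -in "$dir/csr/httpd.csr" -out "$dir/httpd.crt" 2>/dev/null
  openssl verify -CAfile "$dir/cacert.pem" "$dir/httpd.crt" >/dev/null
  # 5.3-5.5: revoke, then publish the CRL; a verifier that skips the CRL still accepts the cert
  openssl ca -config "$cfg" -revoke "$dir/newcerts/01.pem" 2>/dev/null && grep -q '^R' "$dir/index.txt"
  openssl ca -config "$cfg" -gencrl -crldays 30 -out "$dir/crl/ca.crl" 2>/dev/null
  if openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl/ca.crl" \
       "$dir/httpd.crt" >/dev/null 2>&1; then return 1; fi    # must fail: 01 is on the CRL
  rm -rf "$dir"; echo revoked
}
```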
    Original article: https://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_011_ca.html