How to build a private CA
Tools for building a private CA: OpenCA, OpenSSL.

Certificate request and signing steps:
1. Generate the signing request (CSR);
2. The RA verifies the applicant;
3. The CA signs the request;
4. The applicant retrieves the certificate.

Creating the private CA:

The CA's default configuration file:

    [root@localhost CA]# cat /etc/pki/tls/openssl.cnf

The CA's working directory:

    [root@localhost CA]# pwd
    /etc/pki/CA
    drwxr-xr-x. 2 root root 4096 May  9 20:32 certs
    drwxr-xr-x. 2 root root 4096 May  9 20:32 crl
    drwxr-xr-x. 2 root root 4096 May  9 20:32 newcerts
    drwx------. 2 root root 4096 May  9 20:32 private

First create the files that the configuration file refers to but that do not exist yet:

1) Create the required files

    touch index.txt
    echo 01 > serial

    [root@localhost CA]# touch index.txt
    [root@localhost CA]# echo 01 > serial
    [root@localhost CA]# ls
    certs  crl  index.txt  newcerts  private  serial

2) The CA's self-signed certificate

    [root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ..........................................................................................+++
    .....+++
    e is 65537 (0x10001)
    [root@localhost CA]# ls private/
    cakey.pem

This creates the CA's private key. The key file must be named cakey.pem, because that is the name the default configuration file expects.

Then generate the self-signed CA certificate (which carries the public key) from that private key:

    openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem

    -new: generate a new certificate signing request;
    -x509: used only by the CA, to produce a self-signed certificate instead of a request;
    -key: the private key used when generating the request;
    -days n: validity period of the certificate, in days;
    -out XXX: path where the certificate is saved.

    [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:ca.magedu.com   --> the Common Name must be a hostname that resolves in DNS
    Email Address []:caadmin$magedu.com
    [root@localhost CA]# ll
    total 24
    -rw-r--r--  1 root root 1424 Sep  5 23:39 cacert.pem
    drwxr-xr-x. 2 root root 4096 May  9 20:32 certs
    drwxr-xr-x. 2 root root 4096 May  9 20:32 crl
    -rw-r--r--  1 root root    0 Sep  5 23:27 index.txt
    drwxr-xr-x. 2 root root 4096 May  9 20:32 newcerts
    drwx------. 2 root root 4096 Sep  5 23:31 private
    -rw-r--r--  1 root root    3 Sep  5 23:27 serial

3) Issuing certificates

a) The host that needs the certificate generates a certificate request:

    [root@localhost CA]# rpm -q httpd
    httpd-2.2.15-54.el6.centos.x86_64
    [root@localhost CA]# cd /etc/httpd/
    [root@localhost httpd]# mkdir ssl
    [root@localhost httpd]# ll
    total 12
    drwxr-xr-x. 2 root root 4096 Sep  3 02:23 conf
    drwxr-xr-x. 2 root root 4096 Sep  3 02:23 conf.d
    lrwxrwxrwx. 1 root root   19 Sep  3 02:23 logs -> ../../var/log/httpd
    lrwxrwxrwx. 1 root root   29 Sep  3 02:23 modules -> ../../usr/lib64/httpd/modules
    lrwxrwxrwx. 1 root root   19 Sep  3 02:23 run -> ../../var/run/httpd
    drwxr-xr-x  2 root root 4096 Sep 16 23:32 ssl
    [root@localhost httpd]# (umask 077; openssl genrsa -out httpd.key 2048)   --> generate the private key file
    [root@localhost httpd]# openssl req -new -key httpd.key -days 365 -out httpd.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:MageEdu
    Organizational Unit Name (eg, section) []:Ops
    Common Name (eg, your name or your server's hostname) []:www.magedu.com
    Email Address []:webadmin@magedu.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

(The -days option has no effect on a request; the validity period is set by the CA when it signs.)

Send the generated request to the CA:

    [root@localhost httpd]# scp httpd.csr root@172.16.0.124:/tmp/
    [root@localhost CA]# ls /tmp/
    httpd.csr        orbit-gdm   pulse-bMNLizBbCagk  virtual-root.Bhm2B0  yum.log
    keyring-JyWsRM   orbit-root  pulse-egdmbk3LeK05  virtual-root.gGyvcV

Sign the certificate:

    [root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Sep  5 15:57:22 2016 GMT
                Not After : Sep  5 15:57:22 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = MageEdu
                organizationalUnitName    = Ops
                commonName                = www.magedu.com
                emailAddress              = webadmin@magedu.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    BE:04:D4:72:AD:83:DF:1A:CE:AE:ED:0D:0E:C1:32:9B:C2:AD:F5:7E
                X509v3 Authority Key Identifier:
                    keyid:D7:32:EF:C1:93:55:AE:EF:21:38:D3:3F:90:FB:60:DC:77:11:43:74
    Certificate is to be certified until Sep  5 15:57:22 2017 GMT (365 days)

The signing record:

    [root@localhost CA]# cat index.txt
    V	170905155722Z		01	unknown	/C=CN/ST=Beijing/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=webadmin@magedu.com

The issued certificate must be placed in the certificate store, which is the certs directory under the CA directory: copy the file from newcerts into certs.

Transfer the issued certificate to the client:

    [root@localhost CA]# scp /tmp/httpd.crt 172.16.0.2:/etc/httpd/ssl/
    The authenticity of host '172.16.0.2 (172.16.0.2)' can't be established.
    RSA key fingerprint is 01:03:19:c3:af:54:f4:37:f1:57:f5:7c:09:88:1c:bc.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.16.0.2' (RSA) to the list of known hosts.
    root@172.16.0.2's password:
    httpd.crt                                     100% 4623     4.5KB/s   00:00

Note: the certificate file's extension is .crt.

View the information in the certificate:

    [root@localhost ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -text

4) Revoking a certificate

a) On the client, obtain the serial number of the certificate to be revoked:

    openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial

b) First compare the serial and subject submitted by the client against the entry in index.txt to confirm they match, then revoke the certificate:

    openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

c) Generate the CRL number (needed the first time a CRL is produced):

    echo 01 > /etc/pki/CA/crlnumber

d) Update the certificate revocation list:

    openssl ca -gencrl -out thisca.crl

View the CRL file:

    openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
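The whole procedure above (CA setup, issuing, revocation, CRL) as one runnable script, added here as an example and not part of the original article. It works in a temporary directory with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, and adds an `openssl verify -crl_check` step so you can confirm that a revoked certificate is actually rejected; hostnames and paths are constructed placeholders.

```shell
# Added example, not the article's own commands: a throwaway private CA in a temp dir driven by a
# minimal openssl.cnf (not /etc/pki/tls/openssl.cnf); needs the openssl CLI; names/paths are constructed.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"; CNF="$CA_DIR/openssl.cnf"
setup_ca() {   # same layout the article prepares by hand: newcerts/, private/, index.txt, serial, crlnumber
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"; chmod 700 "$CA_DIR/private"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -key "$CA_DIR/private/cakey.pem" -days 7300 -subj "/CN=ca.example.test" -out "$CA_DIR/cacert.pem"
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null   # start with an empty CRL
}
issue_cert() {   # $1 = hostname; writes $1.key, $1.csr and $1.crt under $CA_DIR
    (umask 077; openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$CA_DIR/$1.key" -subj "/CN=$1" -out "$CA_DIR/$1.csr"
    openssl ca -batch -config "$CNF" -days 365 -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}
revoke_cert() {  # read the serial from the cert, revoke the archived copy in newcerts/, reissue the CRL
    serial=$(openssl x509 -in "$CA_DIR/$1.crt" -noout -serial | cut -d= -f2)
    openssl ca -config "$CNF" -revoke "$CA_DIR/newcerts/$serial.pem" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}
verify_cert() {  # exit 0 if $1.crt chains to the CA and is not on the CRL, non-zero otherwise
    openssl verify -CAfile "$CA_DIR/cacert.pem" -crl_check -CRLfile "$CA_DIR/ca.crl" "$CA_DIR/$1.crt" >/dev/null 2>&1
}
```

Run `setup_ca; issue_cert www.example.test; verify_cert www.example.test` to see a valid chain, then `revoke_cert www.example.test; verify_cert www.example.test` to see the CRL check fail; `$CA_DIR/index.txt` flips the entry from V to R.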
Original article by wostop; if you reproduce it, please credit the source: http://www.178linux.com/47658