– Creating a private CA
The openssl configuration file, /etc/pki/tls/openssl.cnf (the CA section):
```ini
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
```
1. Create the required files
```
[root@Shining /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:pirate.com
Email Address []:pirate@163.com
```
-new: generate a new certificate signing request
-x509: used by a CA to generate a self-signed certificate
-key: the private key file used to generate the request
-days n: validity period of the certificate (only meaningful together with -x509; for a plain request the validity is set when the CA signs it with openssl ca -days)
-out /PATH/TO/SOMECERTFILE: path where the certificate is saved
3. Issue a certificate
(a) Generate a certificate request on the host that needs the certificate
```
[root@Shining /etc/pki/CA]# (umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 1024 bit long modulus
....++++++
................++++++
e is 65537 (0x10001)
```
Generate the certificate request file:
```
[root@Shining /etc/pki/CA]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:pirate.com
Email Address []:pirate@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
(b) Transfer the certificate request file to the CA
(c) The CA signs the certificate and issues it to the requester:
```
[root@Shining /etc/pki/CA]# openssl ca -in /etc/httpd/ssl/httpd.csr -out certs/http.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  1 06:34:52 2016 GMT
            Not After : Dec  1 06:34:52 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = magedu
            organizationalUnitName    = IT
            commonName                = pirate.com
            emailAddress              = pirate@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:6E:F0:97:27:94:8D:6B:27:55:6A:2D:4E:1D:54:D8:C3:EA:9B:FA
            X509v3 Authority Key Identifier:
                keyid:3E:DF:08:62:77:CF:10:3E:5D:A4:E6:61:85:8A:7A:86:DE:AE:F3:2C

Certificate is to be certified until Dec  1 06:34:52 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Note: by default, the Country, State/Province and Organization Name in the request must match those of the CA.
(d) View the information in the certificate:
```
[root@Shining /etc/pki/CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14592393701163322702 (0xca8298c1e47ccd4e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=IT, CN=pirate.com/emailAddress=pirate@163.com
        Validity
            Not Before: Dec  1 06:25:39 2016 GMT
            Not After : Nov 26 06:25:39 2036 GMT
        Subject: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=IT, CN=pirate.com/emailAddress=pirate@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a8:7a:aa:73:d1:67:5d:5d:1f:7b:9b:4b:d6:91:
                    bf:e2:2a:38:0e:cc:91:8d:a7:6c:9f:4d:30:8f:4a:
                    d5:68:98:ac:c2:0e:28:d5:a0:61:81:90:0b:b2:69:
                    2e:bb:9d:8a:79:3e:34:e3:24:6c:bf:4b:95:36:8e:
                    c9:69:b6:9c:65:d7:fa:4f:78:b9:01:72:93:ec:56:
                    3c:3d:50:34:a0:43:3f:5d:04:aa:e2:a7:4a:d3:04:
                    fc:32:1a:e5:a8:91:75:84:06:4d:72:61:c5:ef:bb:
                    23:68:ba:5a:d6:4d:af:a4:ae:b0:81:b9:b4:1d:68:
                    ed:2d:f6:36:5c:40:89:92:6d:05:7a:34:70:77:0d:
                    4c:26:c0:a1:14:d6:41:96:e9:59:dd:e1:31:07:7a:
                    d5:36:c2:2e:26:0c:e0:9b:39:49:18:dc:85:30:17:
                    7c:b6:c3:6d:ba:90:0a:11:e9:04:c0:1f:2e:4f:fd:
                    85:31:3b:67:35:a0:e1:d3:f8:c2:15:fe:96:95:1d:
                    a1:9a:9a:41:cf:26:cc:65:3f:dd:6b:98:86:38:76:
                    c1:3e:54:e6:09:57:b4:c0:36:2e:f5:1a:70:8e:0e:
                    81:93:42:2d:0a:1a:4c:96:f9:90:aa:10:af:e3:06:
                    b0:27:57:ba:4a:27:5e:98:14:7d:28:fd:c5:89:4a:
                    75:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3E:DF:08:62:77:CF:10:3E:5D:A4:E6:61:85:8A:7A:86:DE:AE:F3:2C
            X509v3 Authority Key Identifier:
                keyid:3E:DF:08:62:77:CF:10:3E:5D:A4:E6:61:85:8A:7A:86:DE:AE:F3:2C

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         6b:b2:40:62:2b:a9:0e:f4:fc:46:ed:88:69:8e:8b:72:05:c4:
         ff:db:66:87:16:7b:7b:6f:98:3c:fa:94:87:93:07:d8:8d:9e:
         50:76:21:ae:11:b3:59:43:c5:ac:82:dd:75:aa:37:33:88:43:
         bc:e6:de:67:fb:0a:e9:ce:8f:ef:70:93:19:32:5b:68:10:55:
         cf:7c:87:2a:91:d4:b6:d0:f2:39:02:84:29:7d:4b:12:6c:c1:
         9d:6d:fd:d0:01:07:ce:f1:34:6c:64:85:98:c9:56:3f:7d:92:
         e4:65:e3:d9:83:32:40:a8:f9:48:a4:6a:68:a4:09:82:8f:ec:
         86:96:25:1f:64:4c:6e:63:98:0a:fb:95:44:58:71:81:2d:84:
         41:a3:44:31:b0:47:26:79:fb:3a:9d:b5:b3:6b:c6:a9:d2:36:
         e6:27:6f:de:ef:1f:6c:df:2a:38:2f:e0:85:c2:4f:62:23:c3:
         c0:dd:a8:df:e3:0b:94:d1:87:9f:ce:d2:13:6c:82:9e:28:35:
         52:fc:50:9c:23:92:ae:4a:83:a0:76:d1:f3:59:22:c2:02:54:
         77:96:d8:2c:06:a5:71:25:98:bb:10:84:db:87:06:e0:d5:56:
         44:0d:8d:bf:a1:cb:74:33:f5:6a:b8:fb:7b:d7:af:26:c0:bc:
         44:e8:2b:18
```
(4) Revoke a certificate
(a) On the client, obtain the serial of the certificate to be revoked
```
[root@Shining /etc/pki/CA]# openssl x509 -in cacert.pem -noout -serial -subject
serial=CA8298C1E47CCD4E
subject= /C=CN/ST=Beijing/L=Beijing/O=magedu/OU=IT/CN=pirate.com/emailAddress=pirate@163.com
```
(b) On the CA, check that the serial and subject submitted by the client match the corresponding entry in index.txt
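The comparison in step (b), and the note under 3(c) that the Country, State/Province and Organization must match the CA, can both be scripted instead of eyeballed. The following Python is an added example, not code from the original article: it parses the one-line DN form printed by `openssl x509 -subject`, applies the default policy_match rules of openssl.cnf (which is also why the Locality Name entered in the request is absent from the issued certificate in the signing output above), and looks up a submitted serial and subject in the CA database index.txt before anything is revoked. The serial to check is that of the issued certificate (01 in the signing output, i.e. newcerts/01.pem). All DNs, the index.txt lines and the second (already revoked) entry are constructed for the example.

```python
# Added example, not from the original article: checks a CA operator can script
# around `openssl ca`. All DNs and index.txt lines below are constructed.
from dataclasses import dataclass

# Default policy_match section of openssl.cnf: fields the request must share
# with the CA ('match'), must carry ('supplied') or may omit ('optional').
# Fields not listed here (e.g. L) are dropped from the issued certificate.
POLICY_MATCH = {
    "C": "match", "ST": "match", "O": "match",
    "OU": "optional", "CN": "supplied", "emailAddress": "optional",
}

def parse_dn(dn: str) -> dict:
    """Parse the legacy one-line DN printed by `openssl x509 -subject`
    ('subject= /C=CN/ST=Beijing/...'). Values containing '/' are ambiguous
    in this form; use `-nameopt RFC2253` output for those."""
    dn = dn.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):].strip()
    fields = {}
    for part in dn.strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields

def check_policy(ca_subject: dict, req_subject: dict, policy=POLICY_MATCH) -> list:
    """Return policy violations; an empty list means the request is acceptable."""
    problems = []
    for field, rule in policy.items():
        if rule == "match" and req_subject.get(field) != ca_subject.get(field):
            problems.append(f"{field}: request has {req_subject.get(field)!r}, "
                            f"CA has {ca_subject.get(field)!r}")
        elif rule == "supplied" and not req_subject.get(field):
            problems.append(f"{field}: required but not supplied")
    return problems

def issued_subject(req_subject: dict, policy=POLICY_MATCH) -> dict:
    """Subject as `openssl ca` writes it: only policy fields, in policy order."""
    return {f: req_subject[f] for f in policy if f in req_subject}

@dataclass
class IndexEntry:
    """One line of the CA database (index.txt): six tab-separated columns."""
    status: str    # 'V' valid, 'R' revoked, 'E' expired
    expires: str   # YYMMDDHHMMSSZ
    revoked: str   # '' until revoked, then YYMMDDHHMMSSZ[,reason]
    serial: str    # hex as written by `openssl ca` (also newcerts/<serial>.pem)
    filename: str  # 'unknown' in practice
    subject: str   # one-line DN

def parse_index(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"bad index.txt line: {line!r}")
        entries.append(IndexEntry(*cols))
    return entries

def normalize_serial(s: str) -> str:
    """'serial=01', '0x1', '1' and '01' all denote the same serial."""
    s = s.strip()
    for prefix in ("serial=", "0x", "0X"):
        if s.startswith(prefix):
            s = s[len(prefix):]
    return s.upper().lstrip("0") or "0"

def find_revocation_target(index: list, serial: str, subject: str) -> IndexEntry:
    """Locate the certificate a client asks to revoke; raise LookupError when the
    request should be refused (unknown serial, subject mismatch, already revoked)."""
    want = normalize_serial(serial)
    hits = [e for e in index if normalize_serial(e.serial) == want]
    if not hits:
        raise LookupError(f"serial {want} was not issued by this CA")
    entry = hits[0]
    if parse_dn(entry.subject) != parse_dn(subject):
        raise LookupError(f"subject for serial {want} does not match index.txt")
    if entry.status == "R":
        raise LookupError(f"serial {want} is already revoked ({entry.revoked})")
    return entry

# Constructed sample data; the serial-01 line mirrors the article's issuance.
CA_SUBJECT = parse_dn(
    "/C=CN/ST=Beijing/L=Beijing/O=magedu/OU=IT/CN=pirate.com/emailAddress=pirate@163.com")
INDEX_TXT = (
    "V\t171201063452Z\t\t01\tunknown\t"
    "/C=CN/ST=Beijing/O=magedu/OU=IT/CN=pirate.com/emailAddress=pirate@163.com\n"
    "R\t171201063452Z\t161130120000Z\t02\tunknown\t"
    "/C=CN/ST=Beijing/O=magedu/OU=IT/CN=old.pirate.com\n"
)

if __name__ == "__main__":
    req = parse_dn("/C=CN/ST=Beijing/L=Beijing/O=magedu/OU=IT/CN=www.pirate.com")
    print("policy problems:", check_policy(CA_SUBJECT, req))
    print("issued subject:", issued_subject(req))  # no L, as in the signing output
    print("revoke:", find_revocation_target(parse_index(INDEX_TXT), "serial=01",
          "/C=CN/ST=Beijing/O=magedu/OU=IT/CN=pirate.com/emailAddress=pirate@163.com"))
```

Serials are normalised before comparison because the same certificate is named `1 (0x1)` by `openssl ca`, `01` in index.txt and newcerts/, and `serial=01` by `openssl x509 -serial`; refusing a request whose serial is unknown or whose subject disagrees with the database prevents revoking the wrong certificate on the strength of a client's claim alone.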
Revoke the certificate:
```
[root@Shining /etc/pki/CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
```
(c) Generate the CRL number file (only needed the first time a certificate is revoked)
```
[root@Shining /etc/pki/CA]# echo 01 > crlnumber
```
(d) Update the certificate revocation list
```
[root@Shining /etc/pki/CA]# openssl ca -gencrl -out crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
```
View the CRL file:
```
[root@Shining /etc/pki/CA]# openssl crl -in crl/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=Beijing/L=Beijing/O=magedu/OU=IT/CN=pirate.com/emailAddress=pirate@163.com
        Last Update: Dec  1 08:02:47 2016 GMT
        Next Update: Dec 31 08:02:47 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Dec  1 07:50:35 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
         5a:02:42:b5:08:3e:e6:16:1a:9f:40:bb:dd:9e:7d:15:8d:d9:
         9f:06:e2:c7:9d:1b:46:8f:f0:7e:b0:25:82:fc:b1:ca:b0:cb:
         c1:4b:3d:a9:b7:2d:06:ba:c1:81:ca:e0:3c:c5:67:f9:0a:cd:
         30:88:ff:84:38:ab:64:19:3d:15:91:69:44:29:83:63:e3:e9:
         e5:b4:1c:a5:35:e1:40:b1:2d:ef:a6:91:c6:56:12:d2:87:4f:
         47:28:5b:0f:b4:8f:fa:e1:9a:04:25:26:1b:8c:d5:df:72:71:
         d8:30:de:38:44:53:a7:f3:57:0a:22:63:9e:7d:79:86:06:b4:
         65:e7:f5:54:b4:de:41:90:5a:f4:41:3c:50:ee:6e:f3:bf:fa:
         0b:c5:aa:51:ae:f9:92:76:d9:68:75:5b:d9:1c:2b:e6:47:1c:
         7b:93:06:41:0c:87:2b:31:4a:d1:0f:c1:1b:27:9a:07:33:0d:
         a9:32:c3:c8:b6:99:4e:cc:b7:08:7d:61:04:ae:71:fd:fa:63:
         20:6a:af:9c:7f:84:07:31:67:f3:3a:be:34:01:16:30:68:a0:
         f2:00:56:1e:98:17:21:fb:7e:b4:5f:5b:ba:ce:eb:bc:bd:ee:
         8b:d4:2f:72:30:a6:d5:eb:f3:0c:bb:f5:c5:f0:89:5e:1a:1e:
         fa:33:af:c2
```
Original article by wangshuai. If you reproduce it, please credit the source: http://www.178linux.com/61837