使用OpenSSL自建CA及颁发证书、吊销证书

一、实验说明

       OpenSSL 是一个安全套接字层密码库,囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议,并提供丰富的应用程序供测试或其它目的使用。
       OpenSSL是一个开源程序的套件、这个套件有三个部分组成:一是libcryto,这是一个具有通用功能的加密库,里面实现了众多的加密库;二是libssl,这个是实现ssl机制的,它是用于实现TLS/SSL的功能;三是openssl,是个多功能命令行工具,它可以实现加密解密,甚至还可以当CA来用,可以让你创建证书、吊销证书。

二、实验环境

    Centos 6.9 x86_64位(申请签名机器)、Centos 7.3 x86_64位(自建CA的机器)、VMware workstaton 12.

三、实验正文

1、查看自建CA的主机是否安装OpenSSL

[root@centos7 ~]# rpm -qa openssl  # 查看openssl是否安装
openssl-1.0.1e-60.el7.x86_64
[root@centos7 ~]# rpm -ql openssl  # 列出openssl安装包下有哪些文件,等下会用到下面的一些目录
/etc/pki/CA
/etc/pki/CA/certs 
/etc/pki/CA/crl    # 吊销的证书存放目录
/etc/pki/CA/newcerts # 存放CA签署(颁发)过的数字证书(证书备份目录)
/etc/pki/CA/private  # 用于存放CA的私钥
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
...(以下省略)...
[root@centos7 ~]# yum install openssl -y  # 若没有安装使用此条命令安装

2、创建私有CA服务器

a、创建所需要的文件,只有第一次使用CA时才需要

[root@centos7 ~]# touch /etc/pki/CA/index.txt   # 生成证书索引数据库
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial  # 指定第一个颁发证书的序列号

b、CA生成私钥

[root@centos7 ~]# cd /etc/pki/CA/  # 切换至此目录
[root@centos7 CA]# (umask 006; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)  # 生成私钥
Generating RSA private key, 2048 bit long modulus  
.........+++
......................................+++
e is 65537 (0x10001)
[root@centos7 CA]# ls -l private/cakey.pem 
-rw-rw----. 1 root root 1675 Jul 17 17:22 cakey.pem

c、CA生成自签名证书

[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days \3650 -out /etc/pki/CA/cacert.pem   # CA生成自签名
...(中间省略)...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.hengxia.top
Email Address []:[email protected]
[root@centos7 CA]# ls -l
total 12
-rw-r--r--. 1 root root 1403 Jul 17 17:59 cacert.pem
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--. 1 root root    0 Jul 17 16:47 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root   23 Jul 17 17:22 private
-rw-rw----. 1 root root 1675 Jul 17 17:18 privatecakey.pem
-rw-r--r--. 1 root root    3 Jul 17 16:48 serial

3、颁发证书

a、在需要使用证书的主机上给web服务器生成私钥

[root@centos6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/ private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
................................................+++
e is 65537 (0x10001)

b、在需要使用证书的主机上给web服务器生成证书请求

[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key   -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # 默认国家要与CA一致
State or Province Name (full name) []:Beijing  # 默认省要与CA一致
Locality Name (eg, city) [Default City]:Beijing 
Organization Name (eg, company) [Default Company Ltd]:Hxt # 公司名称默认要与CA一致
Organizational Unit Name (eg, section) []:Ops 
Common Name (eg, your name or your server's hostname) []:*.testweb.com
Email Address []:[email protected]              

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

c、将证书文件传输给CA

[root@centos6 ~]# scp /etc/pki/tls/test.csr 172.16.251.124:/tmp
The authenticity of host '172.16.251.124 (172.16.251.124)' can't be established.
RSA key fingerprint is 8e:d7:ac:fd:71:70:22:e7:ff:98:ed:61:96:85:5f:b7.
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '172.16.251.124' (RSA) to the list of known hosts.
[email protected]'s password: 
test.csr                                          100% 1050     1.0KB/s   00:00 

d、CA签署证书,并将证书颁发给请求者

[root@centos7 ~]# openssl ca -in  /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 17 11:57:46 2017 GMT
            Not After : Jul 17 11:57:46 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Hxt
            organizationalUnitName    = Ops 
            commonName                = *.testweb.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
            X509v3 Authority Key Identifier: 
                keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
Certificate is to be certified until Jul 17 11:57:46 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

e、查看证书中的信息

[root@centos7 ~]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=Hxt, OU=Ops, CN=www.hengxia.top/[email protected]
        Validity
            Not Before: Jul 17 11:57:46 2017 GMT
            Not After : Jul 17 11:57:46 2018 GMT
        Subject: C=CN, ST=Beijing, O=Hxt, OU=Ops , 
CN=*.testweb.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:84:72:59:14:c2:00:91:6c:d0:b4:f1:b4:6b:
                    72:bb:a4:05:6c:ae:00:bf:b0:4b:e1:b0:1f:9a:a7:
                    05:68:b7:73:60:ca:f5:95:59:90:cd:a3:ef:da:29:
                    fd:83:5d:fc:bc:53:9d:4b:cb:87:c6:d9:00:1f:36:
                    06:26:a4:15:ac:7f:01:67:4b:60:ee:af:40:30:5c:
                    60:1c:fb:7c:33:8e:aa:45:f7:5b:55:e8:57:07:40:
                    05:ab:4a:9e:25:ec:2c:ce:f3:6d:fb:e9:a2:eb:c0:
                    59:49:84:5f:f7:68:98:16:c2:4e:db:ab:43:50:80:
                    f0:71:f6:d4:9d:57:1b:a4:4d:89:e3:2f:fa:fe:48:
                    5e:da:84:d6:64:64:36:fd:2d:03:38:0e:fe:0d:65:
                    9a:0e:37:66:52:d3:60:ea:5d:dc:5b:36:2c:d1:25:
                    ef:0b:e6:50:5a:81:78:00:b4:f4:c7:68:ca:d1:d0:
                    21:d1:37:49:7a:99:1d:2d:2d:3d:7f:9e:4a:5b:87:
                    83:d6:96:8d:84:d9:88:b7:c0:c9:63:43:4c:06:d9:
                    19:d7:b9:5a:99:8a:7c:1b:52:04:d7:a1:e0:bb:87:
                    bc:bd:77:1c:c9:ea:19:2e:97:f2:86:2c:fe:37:95:
                    1a:df:e1:bb:4a:9e:26:c7:d1:1e:21:d8:1b:cd:ae:
                    8d:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
            X509v3 Authority Key Identifier: 
                keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8

    Signature Algorithm: sha256WithRSAEncryption
         26:21:51:45:0d:8c:f4:75:25:3e:e2:13:fa:d4:7a:60:ea:ba:
         78:b7:aa:61:57:a5:80:9d:09:95:0a:e8:09:1d:69:20:43:1c:
         ee:54:b2:65:cb:0c:13:5a:e1:59:61:2d:95:ee:c6:09:f3:7d:
         cf:e0:dc:7c:5e:11:22:bc:7b:cc:aa:e5:3e:4a:ed:56:5a:9d:
         8b:8f:9b:6d:34:85:b1:f6:9e:87:07:c4:b0:5a:61:92:ca:30:
         66:29:fb:ea:7d:68:90:ca:30:a9:85:64:8b:90:99:01:7c:27:
         d6:62:c7:de:e0:f8:9d:00:6b:7b:39:d3:01:eb:32:9e:71:89:
         f6:17:d4:7b:08:8f:9d:48:11:e1:c5:91:91:73:fd:f5:19:b6:
         35:a1:15:ad:6c:78:fc:ba:e9:ea:d1:9a:8f:13:8a:bb:ec:cc:
         79:c8:c9:f4:0d:a1:a7:c5:f5:90:e8:3b:46:d2:9f:55:85:41:
         e6:36:8e:fe:3f:59:33:77:37:95:51:2e:68:cd:93:79:fd:11:
         db:71:d0:e7:2c:61:34:bc:db:ef:89:68:f5:ae:42:5f:df:79:
         ed:f7:e5:2f:9a:a7:ef:a9:8b:81:d7:32:21:13:59:91:06:4b:
         8f:65:82:1a:b6:7c:e6:dc:9c:98:b5:dd:79:c7:9e:49:39:1d:
         20:b6:d8:e6
[root@centos7 ~]# openssl ca -status 01 # 查看指定编号的证书状态
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

f、CA将已签名证书传输给申请者

[root@centos7 ~]# scp /etc/pki/CA/certs/test.crt 172.16.250.164:/tmp
The authenticity of host '172.16.250.164 (172.16.250.164)' can't be established.
RSA key fingerprint is 46:78:bc:dd:e2:7d:a8:b6:b7:f0:60:53:c4:72:30:f7.
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '172.16.250.164' (RSA) to the list of known hosts.
[email protected]'s password: 
test.crt                                          100% 4592     4.5KB/s   00:00 

g、CA删除申请者证书申请文件

[root@centos7 ~]# rm  -f /tmp/test.csr 

4、吊销证书

a、在客户端获取要吊销的证书的serial

[root@centos6 ~]# openssl x509 -in /tmp/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Hxt/OU=Ops /CN=www.testweb.com/emailAddress=*.testweb.com

b、在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,一致吊销证书

[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

c、CA指定第一个吊销证书的编号,注意:第一次更新吊销证书列表前,才需要执行

[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber

d、CA更新证书吊销列表

[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text # 查看crl文件
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=www.hengxia.top/[email protected]
        Last Update: Jul 17 12:23:07 2017 GMT
        Next Update: Aug 16 12:23:07 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jul 17 12:21:16 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         90:a6:22:84:bf:eb:98:d7:58:bd:22:8d:5c:41:e1:1e:2f:70:
         6c:e2:40:68:ce:c4:06:e1:2d:70:59:98:d9:27:6f:24:d4:63:
         4c:d6:81:25:ab:ac:70:1b:89:65:4c:cc:2e:20:12:66:78:bc:
         3e:60:4f:6d:28:72:53:7f:e0:65:92:c3:86:b2:7c:1f:dc:46:
         2b:f6:ba:c1:2e:73:36:4b:60:08:8f:e1:bb:0d:f9:fe:11:bb:
         8a:4c:92:1f:aa:a8:9f:ec:f6:45:b9:a4:1e:60:ab:70:4e:f9:
         09:23:83:6e:12:ed:42:bd:dd:33:99:e9:ee:a6:44:2b:89:7c:
         60:70:0a:1f:0f:ca:0a:62:5a:b9:5c:f9:ea:46:30:f3:1d:2e:
         a0:89:c1:85:a8:0f:de:3a:3a:0a:1a:c3:76:99:0b:9f:55:d5:
         57:52:65:bc:2e:ff:ee:a6:d0:71:24:02:56:6d:a7:fa:5a:f1:
         88:92:53:35:66:46:ab:59:fa:cf:09:6b:37:b6:39:7a:9d:ba:
         b2:8d:d5:dc:a0:38:39:76:81:85:16:72:22:39:1d:ae:fd:22:
         21:61:00:e9:f2:7e:71:43:e9:a3:f9:44:5b:44:83:a2:1a:82:
         82:8f:e1:0f:f6:57:d5:b4:62:3a:c1:5e:35:21:6f:2f:ff:11:
         fb:98:95:23

四、备注

1、CA生成自签名命令解析: openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days \3650 -out /etc/pki/CA/cacert.pem

     -new: 生成新证书签署请求
     -x509: 专用于CA生成自签证书
     -key: 生成请求时用到的私钥文件
     -days n: 证书的有效期限
     -out /PATH/TO/SOMECRIPTFILE: 证书的保存路径

2、CA的配置文件在/etc/pki/tls/opnenssl.cof,例如CA的三种策略:匹配、支持和可选即在此文件配置;匹配指要求申请填写的信息跟CA设置信息必须一致,支持指必须填写这项申请信息,可选指可有可无。

你可能感兴趣的:(网络安全)