openssl的配置文件: /etc/pki/tls/openssl.cnf,这个文件包含了很多关于CA的配置。
[root@CentOS7 ~]#vim /etc/pki/tls/openssl.cnf
...部分略
####################################################################
[ ca ]
default_ca = CA_default # 默认的CA
####################################################################
[ CA_default ] # CA默认的配置
dir = /etc/pki/CA # 定义CA文件总目录
certs = $dir/certs # 保存发布的证书的目录
crl_dir = $dir/crl # 保存证书吊销列表的目录
database = $dir/index.txt # 证书索引数据库
#unique_subject = no # 是否允许多个证书使用一个subject
new_certs_dir = $dir/newcerts # 新证书目录
certificate = $dir/cacert.pem # CA自己本身的证书(自签名的证书)
serial = $dir/serial # 下一个证书的序列号
crlnumber = $dir/crlnumber # 下一个吊销证书的序列号
crl = $dir/crl.pem # 已吊销的证书的目录
private_key = $dir/private/cakey.pem# CA的私钥
RANDFILE = $dir/private/.rand # 私钥随机数文件
x509_extensions = usr_cert # 数字证书扩展
...
default_days = 365 # 证书有效期
default_crl_days= 30 # 证书吊销列表发布更新时间
default_md = sha256 # 使用的hash算法
preserve = no # keep passed DN ordering
...
policy = policy_match #使用的CA策略
# For the CA policy
[ policy_match ] #CA策略policy_match的定义
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ] #CA策略policy_anything的定义
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
1、创建私有CA的私钥
按照配置上述的配置文件的定义,CA私钥保存在/etc/pki/CA/private/cakey.pem
[root@CentOS7 ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............................................................+++
e is 65537 (0x10001)
[root@CentOS7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
上面的命令,()是打开一个子进程,临时设置umask。这样我们创建的私钥文件权限也同时设定成600了。
2、生成自签名证书
用上一步CA的私钥,生成自签名证书:/etc/pki/CA/cacert.pem
有效期为十年。-x509选项用于生成自签名证书。
[root@CentOS7 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:Magedu.com
Organizational Unit Name (eg, section) []:M24
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@CentOS7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
用以下命令可以查看签名证书的信息
[root@CentOS7 ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
3、
[root@CentOS7 ~]#touch /etc/pki/CA/index.txt
#生成证书索引数据库文件
[root@CentOS7 ~]#echo 01 > /etc/pki/CA/serial
#指定颁发证书的第一个序列号
[root@CentOS7 ~]#mkdir /etc/pki/CA/csr/
客户端:
1、生成私钥
与CA服务端不同,CA客户端的私钥路径可以自定义。
[root@CentOS6 ~]#(umask 066;openssl genrsa -out /app/service.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
..................+++
e is 65537 (0x10001)
[root@CentOS6 ~]#ll /app
total 4
-rw-------. 1 root root 1675 Jul 15 09:16 service.key
2、在需要使用证书的主机生成证书请求文件
[root@CentOS6 ~]#openssl req -new -key /app/service.key -out /app/service.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:Magedu.com
Organizational Unit Name (eg, section) []:beiguoxia
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3、
[root@CentOS6 ~]#scp /app/service.csr 192.168.5.133:/etc/pki/CA/csr
[email protected]'s password:
service.csr 100% 1025 1.0KB/s 00:00
在CA服务端颁发证书:
[root@CentOS7 CA]#openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.cer -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 17 12:43:54 2017 GMT
Not After : Oct 25 12:43:54 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = GUANGDONG
organizationName = Magedu.com
organizationalUnitName = beiguoxia
commonName = www.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AA:35:D0:2E:EF:8C:91:59:98:FD:7A:96:6A:75:36:4E:97:1D:3A:30
X509v3 Authority Key Identifier:
keyid:91:B1:F6:B0:EA:2A:3F:A2:F8:93:A7:11:75:44:D4:2C:67:2E:2E:31
Certificate is to be certified until Oct 25 12:43:54 2017 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
系统提示已生成证书,并更新了数据库。我们可以看一下
[root@CentOS7 CA]#tree `/etc/pki/CA`
-bash: /etc/pki/CA: Is a directory
.
├── cacert.pem
├── certs
│ └── service.cer
├── crl
├── csr
│ └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
[root@CentOS7 CA]#cat serial
02
可以看到,serial文件的下一个证书序列号从01,变成02了。