Linux Operating System Security: A Hands-on Guide to a Private LAN CA (Certificate Authority) Certificate Server
Author: Yin Zhengjie
Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.
一. Lab architecture
node101.yinzhengjie.org.cn:
CA server
node108.yinzhengjie.org.cn:
CA client
[[email protected] ~]# uname -r
3.10.0-957.el7.x86_64
[[email protected] ~]# uname -m
x86_64
[[email protected] ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[[email protected] ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           7.6G        132M        7.2G        8.6M        299M        7.3G
Swap:          7.9G          0B        7.9G
[[email protected] ~]# hostname -i
172.30.1.101
[[email protected] ~]# cat /etc/hostname
node101.yinzhengjie.org.cn
[[email protected] ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn
[[email protected] ~]#

[[email protected] ~]# uname -r
3.10.0-957.el7.x86_64
[[email protected] ~]# uname -m
x86_64
[[email protected] ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           3.7G         98M        3.5G        8.5M        148M        3.4G
Swap:          3.9G          0B        3.9G
[[email protected] ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[[email protected] ~]# hostname -i
172.30.1.108
[[email protected] ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn
[[email protected] ~]#
二. Generating the self-signed CA certificate
1>. Viewing the openssl configuration file
openssl configuration file: /etc/pki/tls/openssl.cnf
The CA policy section uses three values: match, optional and supplied.
match: the value given in the certificate request must be identical to the value in the CA's own certificate
optional: the field may be present or absent, and need not match the CA's value
supplied: the request must supply this field
[[email protected] ~]# egrep -v "^ *#|^$" /etc/pki/tls/openssl.cnf
HOME            = .
RANDFILE        = $ENV::HOME/.rnd
oid_section     = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca      = CA_default            # name of the default CA section; that section defines the CA server parameters
[ CA_default ]                          # the section named on the line above is defined here
dir             = /etc/pki/CA           # directory holding the CA
certs           = $dir/certs            # directory holding issued certificates
crl_dir         = $dir/crl              # directory holding certificate revocation list data
database        = $dir/index.txt        # text database of issued certificates; does not exist by default and must be created by hand
new_certs_dir   = $dir/newcerts         # default location for newly issued certificates
certificate     = $dir/cacert.pem       # the CA certificate, i.e. the CA's self-signed certificate
serial          = $dir/serial           # serial number of the next certificate to issue; does not exist by default and must be created by hand
crlnumber       = $dir/crlnumber        # number of the next CRL
crl             = $dir/crl.pem          # file name of the current CRL
private_key     = $dir/private/cakey.pem # file name of the CA private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
default_days    = 365                   # default certificate validity
default_crl_days= 30                    # how often a CRL (revocation information) is published
default_md      = sha256                # default digest algorithm for signing
preserve        = no                    # keep passed DN ordering
policy          = policy_match          # name of the policy to apply; defined in the next section
[ policy_match ]                        # policy used by the CA
countryName             = match         # match: the request value must equal the CA's value; the country must be the same
stateOrProvinceName     = match         # as above, the province must be the same
organizationName        = match         # as above; for a self-built CA the country, province and organization are normally the same
organizationalUnitName  = optional      # optional: may be given or omitted and need not match the CA's value
commonName              = supplied      # supplied: the request must provide this field, i.e. the domain name being requested
emailAddress            = optional      # optional: the e-mail address may be given or omitted
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca         # The extentions to add to the self signed cert
string_mask             = utf8only
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = XX
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
localityName_default            = Default City
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Default Company Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1       # the default TSA section
[ tsa_config1 ]
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests         = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
[[email protected] ~]#
2>. Generating the CA private key
[[email protected] ~]# yum -y install tree
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.bit.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz                            | 165 kB  00:00:00
(2/4): extras/7/x86_64/primary_db                        | 153 kB  00:00:00
(3/4): base/7/x86_64/primary_db                          | 6.0 MB  00:00:01
(4/4): updates/7/x86_64/primary_db                       | 5.8 MB  00:00:01
Resolving Dependencies
--> Running transaction check
---> Package tree.x86_64 0:1.6.0-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch            Version                  Repository       Size
================================================================================
Installing:
 tree           x86_64          1.6.0-10.el7             base             46 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 46 k
Installed size: 87 k
Downloading packages:
tree-1.6.0-10.el7.x86_64.rpm                             |  46 kB  00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : tree-1.6.0-10.el7.x86_64                                    1/1
  Verifying  : tree-1.6.0-10.el7.x86_64                                    1/1

Installed:
  tree.x86_64 0:1.6.0-10.el7

Complete!
[[email protected] ~]#

[[email protected] ~]# cd /etc/pki/CA/
[[email protected] /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[[email protected] /etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
........+++
e is 65537 (0x10001)
[[email protected] /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 1 file
[[email protected] /etc/pki/CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 21 13:02 cakey.pem
[[email protected] /etc/pki/CA]#
3>. Generating the self-signed CA certificate
[[email protected] /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 1 file
[[email protected] /etc/pki/CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 21 13:02 cakey.pem
[[email protected] /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:ankang
Organization Name (eg, company) [Default Company Ltd]:yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.yinzhengjie.org.cn
Email Address []:
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem        # the newly generated certificate; it can be downloaded to Windows and viewed as in the figure below (on Windows the extension must be changed to .crt before it opens)
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files
[[email protected] /etc/pki/CA]#
三. The CA client requests a certificate
1>. Generating the client private key
[[email protected] ~]# mkdir /data/ssl -pv
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/ssl’
[[email protected] ~]# cd /data/ssl/
[[email protected] /data/ssl]# (umask 066;openssl genrsa -out myapp.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
.....................................++++++
e is 65537 (0x10001)
[[email protected] /data/ssl]# ll
total 4
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[[email protected] /data/ssl]#
2>. Generating a certificate request from the private key and sending it to the CA server
[[email protected] /data/ssl]# ll
total 4
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[[email protected] /data/ssl]# openssl req -new -key myapp.key -out myapp.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:ankang
Organization Name (eg, company) [Default Company Ltd]:yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:*.yinzhengjie.org.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] /data/ssl]# ll
total 8
-rw-r--r-- 1 root root 668 Dec 21 13:53 myapp.csr
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[[email protected] /data/ssl]# scp myapp.csr node101.yinzhengjie.org.cn:/etc/pki/CA/
The authenticity of host 'node101.yinzhengjie.org.cn (172.30.1.101)' can't be established.
ECDSA key fingerprint is SHA256:KEchoZnVBkijeoWfG2nvx2ptthsXv7IjkxIJYule57g.
ECDSA key fingerprint is MD5:52:c8:f5:6e:5f:cf:44:ec:c4:11:60:d2:d0:31:3c:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn,172.30.1.101' (ECDSA) to the list of known hosts.
[email protected]'s password:
myapp.csr                                     100%  668   900.0KB/s   00:00
[[email protected] /data/ssl]#
四. Issuing the certificate
1>. Issuance procedure and troubleshooting
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── myapp.csr
├── newcerts
└── private
    └── cakey.pem

4 directories, 3 files
[[email protected] /etc/pki/CA]# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139995437246352:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139995437246352:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[[email protected] /etc/pki/CA]# touch index.txt        # the error above says index.txt is missing, so we create it by hand
[[email protected] /etc/pki/CA]# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139709222610832:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139709222610832:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[[email protected] /etc/pki/CA]# echo 0F > serial       # the error again points at a missing file, so we create that one by hand too
[[email protected] /etc/pki/CA]# cat serial
0F
[[email protected] /etc/pki/CA]# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000        # issue the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Dec 21 06:27:58 2019 GMT
            Not After : Sep 16 06:27:58 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanxi
            organizationName          = yinzhengjie
            organizationalUnitName    = devops
            commonName                = *.yinzhengjie.org.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
            X509v3 Authority Key Identifier:
                keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13

Certificate is to be certified until Sep 16 06:27:58 2022 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] /etc/pki/CA]# ll certs/myapp.crt newcerts/0F.pem        # the two newly generated files have the same size
-rw-r--r-- 1 root root 3771 Dec 21 14:30 certs/myapp.crt
-rw-r--r-- 1 root root 3771 Dec 21 14:30 newcerts/0F.pem
[[email protected] /etc/pki/CA]# diff certs/myapp.crt newcerts/0F.pem        # and, as diff shows, their contents are identical
[[email protected] /etc/pki/CA]#
2>. Viewing the certificate
[[email protected] /etc/pki/CA]# cat newcerts/0F.pem        # view the certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanxi, L=ankang, O=yinzhengjie, OU=devops, CN=ca.yinzhengjie.org.cn
        Validity
            Not Before: Dec 21 06:27:58 2019 GMT
            Not After : Sep 16 06:27:58 2022 GMT
        Subject: C=CN, ST=shanxi, O=yinzhengjie, OU=devops, CN=*.yinzhengjie.org.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b7:a1:2e:0c:f3:a4:e8:bc:41:0b:9b:40:3b:26:
                    80:ed:8d:03:5a:e2:15:4d:05:98:cc:f5:1d:ef:bb:
                    26:32:d3:3e:a6:47:f8:6d:24:23:35:23:fd:09:cc:
                    5b:6d:25:23:96:34:90:92:ab:5f:ea:ae:21:07:67:
                    2c:51:10:e4:34:5f:08:ff:eb:0a:ea:2a:fa:6f:47:
                    71:88:fb:d1:b4:7e:65:a9:52:ba:87:2e:1c:0f:f6:
                    55:56:42:e6:c5:ca:35:64:8c:96:76:c7:5d:e0:b6:
                    d7:99:e5:17:b8:95:ff:fb:22:ca:99:cc:d3:7c:6c:
                    70:c4:b0:f7:f3:87:32:a2:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
            X509v3 Authority Key Identifier:
                keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13

    Signature Algorithm: sha256WithRSAEncryption
         29:48:7f:38:fe:e5:c2:ad:fd:dc:c2:bc:0b:38:88:fb:99:a8:
         2e:dc:69:8c:f6:a9:24:2d:2a:c1:27:bb:50:5c:16:70:25:1f:
         4a:a8:c3:a5:21:1a:79:30:ac:0e:88:82:04:dd:f8:14:22:56:
         bd:fc:cf:86:8a:cf:7e:88:7a:34:be:a7:3f:58:05:cc:33:95:
         71:6f:53:39:5c:c7:0b:fa:c5:66:d2:2f:dc:d3:f4:86:01:53:
         f2:63:1b:0c:fc:3c:c1:92:c2:c8:24:ed:2a:76:3b:37:20:93:
         e1:47:71:26:5d:3f:bf:d5:03:62:c2:49:d8:84:dd:fe:1c:83:
         60:43:88:77:b7:c8:f2:3e:95:63:d1:57:6c:f6:05:3d:b7:fc:
         d9:80:be:ad:39:a2:f1:7f:b8:46:59:b2:2e:21:a7:86:53:e1:
         7a:43:95:9b:1c:33:7d:84:03:5d:98:ce:c8:6f:eb:01:7e:d5:
         82:91:c9:ea:a0:b1:67:39:3b:21:f7:c2:50:8f:8d:b2:a0:92:
         c6:dd:f3:76:85:de:3a:77:03:26:3e:c2:b0:27:ca:b1:44:2f:
         fd:e2:75:96:9c:dc:f3:e5:d6:24:62:65:44:3a:42:2c:08:4c:
         18:87:41:b7:09:4e:68:bf:9c:1c:0c:f0:ce:50:af:be:33:a7:
         ea:98:bf:af
-----BEGIN CERTIFICATE-----
MIIDTDCCAjSgAwIBAgIBDzANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJDTjEP
MA0GA1UECAwGc2hhbnhpMQ8wDQYDVQQHDAZhbmthbmcxFDASBgNVBAoMC3lpbnpo
ZW5namllMQ8wDQYDVQQLDAZkZXZvcHMxHjAcBgNVBAMMFWNhLnlpbnpoZW5namll
Lm9yZy5jbjAeFw0xOTEyMjEwNjI3NThaFw0yMjA5MTYwNjI3NThaMGQxCzAJBgNV
BAYTAkNOMQ8wDQYDVQQIDAZzaGFueGkxFDASBgNVBAoMC3lpbnpoZW5namllMQ8w
DQYDVQQLDAZkZXZvcHMxHTAbBgNVBAMMFCoueWluemhlbmdqaWUub3JnLmNuMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3oS4M86TovEELm0A7JoDtjQNa4hVN
BZjM9R3vuyYy0z6mR/htJCM1I/0JzFttJSOWNJCSq1/qriEHZyxREOQ0Xwj/6wrq
KvpvR3GI+9G0fmWpUrqHLhwP9lVWQubFyjVkjJZ2x13gtteZ5Re4lf/7IsqZzNN8
bHDEsPfzhzKiRQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU0PJNDjLl/w2s
UbKzfCMS8qsxwXQwHwYDVR0jBBgwFoAUYT5G8Oq+f9qLpHr2iTXwmmW8BRMwDQYJ
KoZIhvcNAQELBQADggEBAClIfzj+5cKt/dzCvAs4iPuZqC7caYz2qSQtKsEnu1Bc
FnAlH0qow6UhGnkwrA6IggTd+BQiVr38z4aKz36IejS+pz9YBcwzlXFvUzlcxwv6
xWbSL9zT9IYBU/JjGwz8PMGSwsgk7Sp2Ozcgk+FHcSZdP7/VA2LCSdiE3f4cg2BD
iHe3yPI+lWPRV2z2BT23/NmAvq05ovF/uEZZsi4hp4ZT4XpDlZscM32EA12Yzshv
6wF+1YKRyeqgsWc5OyH3wlCPjbKgksbd83aF3jp3AyY+wrAnyrFEL/3idZac3PPl
1iRiZUQ6QiwITBiHQbcJTmi/nBwM8M5Qr74zp+qYv68=
-----END CERTIFICATE-----
[[email protected] /etc/pki/CA]#
3>. Downloading the certificate to Windows for viewing
[[email protected] /etc/pki/CA]# sz certs/myapp.crt        # download the file as shown below; pick the one ending in .crt (0F.pem would also do, since the contents are identical, but Windows recognises the .crt extension and opens it directly)
[[email protected] /etc/pki/CA]#
4>. File changes after the certificate is issued
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] /etc/pki/CA]# cat index.txt        # this file records the issued certificates; a leading "V" means the certificate is valid, and a revoked certificate would show "R" instead
V       220916062758Z           0F      unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
[[email protected] /etc/pki/CA]# cat serial
10
[[email protected] /etc/pki/CA]# cat index.txt.old        # holds the previous version of index.txt
[[email protected] /etc/pki/CA]# cat serial.old        # holds the previous version of serial
0F
[[email protected] /etc/pki/CA]# cat index.txt.attr        # "unique_subject = yes" means what you would guess: certificate subjects must be unique, so the same request cannot be issued a certificate more than once
unique_subject = yes
[[email protected] /etc/pki/CA]#
五. Importing our self-signed CA certificate on Windows
1>. As the figure shows, the operating system reports "The issuer of this certificate could not be found.", so we download the certificate of the issuer of "*.yinzhengjie.org.cn" as well and import and install it
2>. Download the CA server's certificate to the local machine and rename it with a ".crt" or ".cer" extension, as shown below (then install the certificate)
3>. As shown below, clicking "Install Certificate" opens the dialog on the right; click "Next"
4>. As shown below, place our certificate in "Trusted Root Certification Authorities"
5>. Once that is set, click "Next"
6>. Click "Finish"
7>. A dialog like the one shown below then asks you to confirm the installation; click "Yes"
8>. Click "OK"; the certificate has been imported
9>. After the installation, open the certificate again and check its details, as shown below
六. Viewing certificate information with the openssl command
1>. Copying the certificate file to the client
[[email protected] /etc/pki/CA]# ll
total 24
-rw-r--r--  1 root root 1363 Dec 21 13:07 cacert.pem
drwxr-xr-x. 2 root root   23 Dec 21 14:26 certs
drwxr-xr-x. 2 root root    6 Oct 31  2018 crl
-rw-r--r--  1 root root   92 Dec 21 14:30 index.txt
-rw-r--r--  1 root root   21 Dec 21 14:30 index.txt.attr
-rw-r--r--  1 root root    0 Dec 21 14:26 index.txt.old
-rw-r--r--  1 root root  668 Dec 21 13:58 myapp.csr
drwxr-xr-x. 2 root root   20 Dec 21 14:30 newcerts
drwx------. 2 root root   23 Dec 21 13:02 private
-rw-r--r--  1 root root    3 Dec 21 14:30 serial
-rw-r--r--  1 root root    3 Dec 21 14:27 serial.old
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] /etc/pki/CA]# scp certs/myapp.crt [email protected]:/data/ssl
myapp.crt                                     100% 3771     5.1MB/s   00:00
[[email protected] /etc/pki/CA]#
2>. Viewing the certificate on the client
[[email protected] ~]# ll /data/ssl/
total 12
-rw-r--r-- 1 root root 3771 Dec 21 15:01 myapp.crt
-rw-r--r-- 1 root root  668 Dec 21 13:53 myapp.csr
-rw------- 1 root root  887 Dec 21 13:20 myapp.key
[[email protected] ~]# openssl x509 -in /data/ssl/myapp.crt -noout -text        # print the certificate in text form on the client
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanxi, L=ankang, O=yinzhengjie, OU=devops, CN=ca.yinzhengjie.org.cn
        Validity
            Not Before: Dec 21 06:27:58 2019 GMT
            Not After : Sep 16 06:27:58 2022 GMT
        Subject: C=CN, ST=shanxi, O=yinzhengjie, OU=devops, CN=*.yinzhengjie.org.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b7:a1:2e:0c:f3:a4:e8:bc:41:0b:9b:40:3b:26:
                    80:ed:8d:03:5a:e2:15:4d:05:98:cc:f5:1d:ef:bb:
                    26:32:d3:3e:a6:47:f8:6d:24:23:35:23:fd:09:cc:
                    5b:6d:25:23:96:34:90:92:ab:5f:ea:ae:21:07:67:
                    2c:51:10:e4:34:5f:08:ff:eb:0a:ea:2a:fa:6f:47:
                    71:88:fb:d1:b4:7e:65:a9:52:ba:87:2e:1c:0f:f6:
                    55:56:42:e6:c5:ca:35:64:8c:96:76:c7:5d:e0:b6:
                    d7:99:e5:17:b8:95:ff:fb:22:ca:99:cc:d3:7c:6c:
                    70:c4:b0:f7:f3:87:32:a2:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
            X509v3 Authority Key Identifier:
                keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13

    Signature Algorithm: sha256WithRSAEncryption
         29:48:7f:38:fe:e5:c2:ad:fd:dc:c2:bc:0b:38:88:fb:99:a8:
         2e:dc:69:8c:f6:a9:24:2d:2a:c1:27:bb:50:5c:16:70:25:1f:
         4a:a8:c3:a5:21:1a:79:30:ac:0e:88:82:04:dd:f8:14:22:56:
         bd:fc:cf:86:8a:cf:7e:88:7a:34:be:a7:3f:58:05:cc:33:95:
         71:6f:53:39:5c:c7:0b:fa:c5:66:d2:2f:dc:d3:f4:86:01:53:
         f2:63:1b:0c:fc:3c:c1:92:c2:c8:24:ed:2a:76:3b:37:20:93:
         e1:47:71:26:5d:3f:bf:d5:03:62:c2:49:d8:84:dd:fe:1c:83:
         60:43:88:77:b7:c8:f2:3e:95:63:d1:57:6c:f6:05:3d:b7:fc:
         d9:80:be:ad:39:a2:f1:7f:b8:46:59:b2:2e:21:a7:86:53:e1:
         7a:43:95:9b:1c:33:7d:84:03:5d:98:ce:c8:6f:eb:01:7e:d5:
         82:91:c9:ea:a0:b1:67:39:3b:21:f7:c2:50:8f:8d:b2:a0:92:
         c6:dd:f3:76:85:de:3a:77:03:26:3e:c2:b0:27:ca:b1:44:2f:
         fd:e2:75:96:9c:dc:f3:e5:d6:24:62:65:44:3a:42:2c:08:4c:
         18:87:41:b7:09:4e:68:bf:9c:1c:0c:f0:ce:50:af:be:33:a7:
         ea:98:bf:af
[[email protected] ~]#
七. Revoking a certificate
1>. Revoking the certificate
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] /etc/pki/CA]# cat index.txt        # note the first letter is "V": the certificate is in normal use
V       220916062758Z           0F      unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
[[email protected] /etc/pki/CA]# openssl ca -revoke certs/myapp.crt        # revoke the specified certificate
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[[email protected] /etc/pki/CA]# cat index.txt        # note the first letter is now "R": the certificate has been revoked
R       220916062758Z   191221071820Z   0F      unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
[[email protected] /etc/pki/CA]#
2>. Generating the certificate revocation list (CRL)
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 11 files
[[email protected] /etc/pki/CA]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140432981714832:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140432981714832:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[[email protected] /etc/pki/CA]# echo FF > crlnumber        # the error shows that the CRL number file is missing
[[email protected] /etc/pki/CA]# openssl ca -gencrl -out crl.pem        # generate the certificate revocation list
Using configuration from /etc/pki/tls/openssl.cnf
[[email protected] /etc/pki/CA]# cat crlnumber
0100
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
[[email protected] /etc/pki/CA]#
3>. Viewing the list of revoked certificates
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
[[email protected] /etc/pki/CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=shanxi/L=ankang/O=yinzhengjie/OU=devops/CN=ca.yinzhengjie.org.cn
        Last Update: Dec 21 07:22:48 2019 GMT
        Next Update: Jan 20 07:22:48 2020 GMT
        CRL extensions:
            X509v3 CRL Number:
                255
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Dec 21 07:18:20 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         b5:05:5a:ee:3d:e2:7c:d8:11:12:36:a3:01:43:b8:a7:c4:65:
         da:a7:87:9f:ff:17:c0:46:45:5e:ca:6e:46:f6:30:ed:e0:58:
         db:74:36:92:c0:52:95:a7:17:c8:f6:f5:ea:73:ec:35:1b:18:
         38:3e:b6:24:69:f5:12:8c:05:06:af:61:aa:76:2e:6c:ac:6c:
         8b:72:12:9d:1a:c1:8e:65:b0:cb:07:97:2f:00:15:99:61:76:
         cd:80:ba:1b:12:db:e5:c1:8f:ea:cd:ce:53:24:e7:ad:4c:2b:
         81:43:89:ab:fa:7e:e9:1e:f1:49:b4:87:20:31:a9:c6:24:ef:
         91:31:c5:05:1b:05:70:28:ce:5e:4d:ef:83:62:ff:ea:f6:2e:
         30:ee:cd:4f:ed:0a:a5:06:c4:83:47:75:61:d7:41:8f:b0:11:
         40:5b:0d:8c:20:c4:1f:22:1d:5e:a9:c2:a2:ba:84:6d:e8:5e:
         19:77:79:0a:fe:70:f2:8f:29:94:fa:f6:36:d0:b4:a2:d8:69:
         6f:ab:25:ae:28:43:5c:ef:ec:8d:28:51:b1:f7:d5:42:01:4e:
         02:c8:55:65:3c:c4:2c:a9:65:1e:65:86:94:5a:22:b9:2a:b1:
         f7:26:3f:4b:1f:3b:06:5c:48:96:ba:8c:5c:8f:80:86:f6:5e:
         c7:1d:61:e4
[[email protected] /etc/pki/CA]#
4>. Copying the revocation list to Windows
[[email protected] /etc/pki/CA]# sz crl.pem        # after downloading it to Windows, the OS does not recognise the file, so rename its extension as shown below
[[email protected] /etc/pki/CA]#
As the figure shows, we can now view the list of revoked certificates.
八. Verifying certificate validity
1>. Verifying a certificate signed by our own CA
[[email protected] /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
[[email protected] /etc/pki/CA]# openssl verify -CAfile cacert.pem certs/myapp.crt        # the certificate signed by our own CA is clearly valid: the output is "OK"
certs/myapp.crt: OK
[[email protected] /etc/pki/CA]#
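The whole lifecycle from sections 二 to 八 (build the CA, issue, revoke, publish a CRL, verify) as one added shell example that is not part of the article: it creates index.txt, serial and crlnumber before the first `openssl ca` call, so the errors of section 四 and 七.2 never occur, and it checks the CRL with `openssl verify -crl_check`, which the plain `openssl verify` above does not (a revoked certificate still reports OK there). The temp directory, the minimal config file and the 2048-bit client key are assumptions for the example, not the article's setup.

```shell
#!/bin/sh
# Added example (not the article's own commands): a throwaway CA in a temp dir
# that creates index.txt, serial and crlnumber up front instead of after each
# error, issues a cert, revokes it, republishes the CRL and re-verifies.
set -e

# CA layout plus a minimal openssl.cnf modelled on the article's CA_default and
# policy_match sections; then the self-signed CA cert and an initial (empty) CRL.
init_ca() {
  ca="$1"
  mkdir -p "$ca/newcerts" "$ca/certs" "$ca/private"
  chmod 700 "$ca/private"          # same effect as the article's umask 077
  : > "$ca/index.txt"              # certificate database: must exist, may be empty
  echo 0F > "$ca/serial"           # next serial number (article used 0F)
  echo FF > "$ca/crlnumber"        # next CRL number (article used FF)
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 1000
default_crl_days = 30
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ v3_ca ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 36500 \
    -config "$ca/openssl.cnf" -extensions v3_ca \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
    -subj "/C=CN/ST=shanxi/L=ankang/O=yinzhengjie/OU=devops/CN=ca.yinzhengjie.org.cn"
  openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl.pem"
}

# Client key + CSR, then issuance. The CSR carries L=ankang but policy_match
# lists no localityName, so `openssl ca` drops it from the issued subject, as
# seen in the article's output. -batch replaces the two interactive "y" answers.
issue_cert() {
  ca="$1" name="$2" cn="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ca/openssl.cnf" \
    -keyout "$ca/$name.key" -out "$ca/$name.csr" \
    -subj "/C=CN/ST=shanxi/L=ankang/O=yinzhengjie/OU=devops/CN=$cn"
  openssl ca -batch -notext -config "$ca/openssl.cnf" -days 1000 \
    -in "$ca/$name.csr" -out "$ca/certs/$name.crt"
}

# Revoke one certificate (index.txt row flips V -> R) and publish a fresh CRL.
revoke_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$2"
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}

# Chain check with the CRL enforced: CA cert and CRL are concatenated into one
# PEM trust file (works on OpenSSL 1.0.2 too, which lacks -CRLfile).
check_cert() {
  cat "$1/cacert.pem" "$1/crl.pem" > "$1/trust.pem"
  openssl verify -crl_check -CAfile "$1/trust.pem" "$2"
}

ca_dir=$(mktemp -d)
init_ca "$ca_dir"
issue_cert "$ca_dir" myapp '*.yinzhengjie.org.cn'
check_cert "$ca_dir" "$ca_dir/certs/myapp.crt"            # ...: OK
revoke_cert "$ca_dir" "$ca_dir/certs/myapp.crt"
check_cert "$ca_dir" "$ca_dir/certs/myapp.crt" || true    # certificate revoked
cut -f1 "$ca_dir/index.txt"                               # R
```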
2>. Verifying the "*cnblogs.com" certificate
[[email protected] /etc/pki/CA]# ll cnblog.crt.cer
-rw-r--r-- 1 root root 1424 Dec 21 15:40 cnblog.crt.cer
[[email protected] /etc/pki/CA]# openssl verify -CAfile cacert.pem cnblog.crt.cer
unable to load certificate
140288852195216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
[[email protected] /etc/pki/CA]#
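The error above is a parsing failure, not a verification verdict: a .cer file exported from Windows with the default "DER encoded binary X.509" option is binary DER, and `openssl verify` reads PEM only. This added shell example (not from the article) reproduces the error with a constructed DER file, converts it with `openssl x509 -inform der`, and shows that the converted file then verifies against its real issuer but fails against an unrelated private CA with "unable to get local issuer certificate", which is the result a foreign certificate like the cnblogs one would give here; every certificate and name in it is constructed.

```shell
#!/bin/sh
# Added example, not from the article: reproduce the "no start line ... Expecting:
# TRUSTED CERTIFICATE" error with a constructed DER file, convert it to PEM, and
# show the result you then get against an unrelated private CA.
set -e

# Sniff the encoding: PEM starts with "-----BEGIN", DER with the ASN.1 SEQUENCE
# tag 0x30. Windows' "DER encoded binary X.509 (.CER)" export is DER.
cert_format() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM
  elif [ "$(od -An -N1 -tx1 "$1" | tr -d ' ')" = 30 ]; then echo DER
  else echo unknown; fi
}

# openssl verify reads PEM only; a DER file has to be converted first.
to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# 0 when openssl verify prints "<file>: OK" for cert $2 against CA file $1.
verify_ok() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# Constructed fixtures in $1: two self-signed CAs ("public" stands in for the
# cnblogs issuer, "private" for the article's CA), a site cert issued by the
# public one, and a DER copy of it as Windows would export it.
make_fixtures() {
  printf '[ req ]\ndistinguished_name = dn\nx509_extensions = ca\n[ dn ]\n[ ca ]\nbasicConstraints = critical,CA:true\n' > "$1/req.cnf"
  for n in public private; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/req.cnf" \
      -keyout "$1/$n.key" -out "$1/$n.pem" -subj "/CN=$n-ca.example.test" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
    -keyout "$1/site.key" -out "$1/site.csr" -subj "/CN=site.example.test" 2>/dev/null
  openssl x509 -req -in "$1/site.csr" -CA "$1/public.pem" -CAkey "$1/public.key" \
    -set_serial 1 -days 30 -sha256 -out "$1/site.pem" 2>/dev/null
  openssl x509 -in "$1/site.pem" -outform der -out "$1/site.cer"
}

work=$(mktemp -d)
make_fixtures "$work"
cert_format "$work/site.cer"                                         # DER
openssl verify -CAfile "$work/private.pem" "$work/site.cer" || true  # fails to parse (the article's error)
to_pem "$work/site.cer" "$work/site.crt"
cert_format "$work/site.crt"                                         # PEM
openssl verify -CAfile "$work/private.pem" "$work/site.crt" || true  # unable to get local issuer certificate
openssl verify -CAfile "$work/public.pem" "$work/site.crt"           # OK
```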