OpenSSL(创建CA和申请证书)

OpenSSL的配置文件etc/pki/tls/openssl.cnf，下面有一些重要的配置，里面的一下目录和文件需要手动创建

name_opt        = ca_default            #  主题名称选项默认ca_default               
cert_opt        = ca_default            # 证书字段选项默认ca_default 
[ CA_default ]                          #默认配置

dir             = /etc/pki/CA           # 默认文件存放的目录，定义的一个dir变量
certs           = $dir/certs            # 签发的证书存放位置
crl_dir         = $dir/crl              #吊销的证书存放文件
database        = $dir/index.txt        #颁发过的证书索引文件
#unique_subject = no                    #能不能设置相同的证书，默认被注释
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         #新证书默认存放的目录

certificate     = $dir/cacert.pem       #CA的自签证书的名字和存放目录
serial          = $dir/serial           #指明证书序列号，只第一次需要指定  
crlnumber       = $dir/crlnumber        # the current crl number
                                        #吊销证书的序列号，第一次需要指定
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem #CA私钥的文件名和存放文件固定路径
RANDFILE        = $dir/private/.rand    #伪随机数文件

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   #证书的默认有效期
default_crl_days= 30                    # 吊销证书默认声明有效期
default_md      = sha256                #默认的生成算法
preserve        = no                    # keep passed DN ordering   

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match           #指定默认的CA属性

# For the CA policy  
[ policy_match ]
countryName             = match     #证书申请时填写的国家,参数match必须CA同一个国家
stateOrProvinceName     = match     #客户机申请时填写省份
organizationName        = match     #机构名称
organizationalUnitName  = optional  #部门，参数optional可以和CA不同
commonName              = supplied  #通用名称
emailAddress            = optional  #邮箱

# For the 'anything' policy                           #另外一套CA属性，规则比较宽松
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]                     
countryName             = optional                    #允许跨国家、地区申请证书
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]                                               #向CA证书签署发起注册请求相关属性
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

创建自签证书

创建私钥

[root@centos7 /etc/pki/CA]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 1024)   
Generating RSA private key, 1024 bit long modulus    #密钥默认是1024位加密，也可以在命令尾部指定
.............++++++
.................................+++
........................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:         设置密码
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:    设置密码
[[email protected]  /etc/pki/CA/private]#cat cakey.pem 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B63B4943DA7D30F0      DES-EDE3     显示加密
[[email protected] ~]#touch /etc/pki/CA/index.txt       #创建证书索引文件
[[email protected] ~]#echo 01 > /etc/pki/CA/serial      #指定证书颁发的两位16进制数
[[email protected] ~]#echo 01 > /etc/pki/CA/crlnumber   #指定证书吊销的序号
[[email protected] ~]#touch /etc/pki/CA/private/.rand   #创建伪随机数文件
[[email protected] ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem
 -out /etc/pki/CA/cacert.pem -days 7300     
#创建自签证书 -new：生成新证书签署请求；-x509：生成自签格式证书，专用于创建私有CA时；
#-key：生成请求时用到的私有文件路径；-out：生成的请求文件路径；如果自签操作将直接生成签署过的证书；
#-days：证书的有效时长，单位是day；
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----                                                           #1国家、省州、部门 
Country Name (2 letter code) [XX]:CN                         #填写CA所在的国家，格式为国家代码
State or Province Name (full name) []:xxxxxx                 #填写所在的州或省
Locality Name (eg, city) [Default City]:xxxxxx               #填写所在的城市
Organization Name (eg, company) [Default Company Ltd]:CentOS #机构名称
Organizational Unit Name (eg, section) []:CA                 #部门名称
Common Name (eg, your name or your server's hostname) []:    #通用名称，服务器的主机名
Email Address []:                                            #邮箱地址

[[email protected] ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text     #查看生成的证书，信息有省略
Certificate:  
    Data: 
        Version: 3 (0x2)
        Serial Number: 11088094993200996766 (0x99e0d3a62988619e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com    #颁发机构的信息
        Validity
            Not Before: Jul 17 14:50:30 2017 GMT
            Not After : Jul 12 14:50:30 2037 GMT
        Subject: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com   #申请者的信息

给客户端颁发证书

生成私钥路径 根据应用web或 ftp放在各自配置文件夹 ，不需要放一起，自定义路径

cd /etc/pki/tls 私钥文件放在private 证书放在certs 后期应用放在openssl.crt里面

[[email protected] ~]#(umask 077;openssl genrsa -out /etc/pki/tls/private/test.key 1024)  
                                                                #在客户端生成私钥
Generating RSA private key, 1024 bit long modulus
..............................++++++
.......++++++
e is 65537 (0x10001)
[[email protected] ~]#openssl req -new -key /etc/pki/tls/private/test.key -out
 /etc/pki/tls/test.pem                                           #生成证书申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                            #国家，必须和CA相同
State or Province Name (full name) []:HeNan                     #州或者省份，必须和CA相同
Locality Name (eg, city) [Default City]:zz                      #城市，可以自定义
Organization Name (eg, company) [Default Company Ltd]:CAServer  #机构名必须和CA相同
Organizational Unit Name (eg, section) []:test                  #部门名称，可以自定义
Common Name (eg, your name or your server's hostname) []:test.com     #服务器名称
Email Address []:                                                  #邮箱地址可以忽略
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:admin                                   #设置密码加密
An optional company name []:admin
[[email protected] ~]#scp /etc/pki/tls/test.pem [email protected]:/etc/pki/CA 
                                                                #把他发送到CA服务器上

将证书颁发给请求者centos6

[[email protected] CA]#openssl ca -in test.pem -out certs/test.crt -days 365   
  #请求文件test.pem    生成文件certs/test.crt    时间1年
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)   #1是十进制，（0x1）是16进制
        Validity
            Not Before: Jul 17 16:14:46 2017 GMT
            Not After : Jul 17 16:14:46 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HeNan
            organizationName          = CAServer
            organizationalUnitName    = test
            commonName                = test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3B:F1:1B:6B:88:C2:17:35:19:2E:35:90:C6:22:6E:69:10:FF:B4:02
            X509v3 Authority Key Identifier: 
                keyid:60:3C:95:CB:A1:63:DC:0C:FC:1B:85:22:B3:4D:FD:FB:3B:5E:A4:B8

Certificate is to be certified until Jul 17 16:14:46 2018 GMT (365 days)#有效期1年
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries    #增加一条新纪录
Data Base Updated
[[email protected] CA]#cat serial      
02                                                   #下一个证书的编号
[[email protected] CA]#cat index.txt    
V    180717161446Z        01    unknown    /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com   #V证书
[[email protected] CA]#scp certs/test.crt [email protected]:/etc/pki/tls/certs/     
                                                 #   复制给用户就可以使用了

openssl x509 -in /PATH/FROM/CERT_FILE -noout -text 文本|issuer颁发者是谁|subject主题给谁发|serial|dates有效期 #查看证书信息后面可以添加选项

[[email protected] certs]#openssl x509 -in test.crt -noout -text 以文本方式显示一遍
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com
        Validity
            Not Before: Jul 17 16:14:46 2017 GMT   
            Not After : Jul 17 16:14:46 2018 GMT    #有效期一年
        Subject: C=CN, ST=HeNan, O=CAServer, OU=test, CN=test.com
        Subject Public Key Info:

再次申请证书给另一个程序使用

私钥不需要生成，需要在申请一个证书

[[email protected] ~]#openssl req -new -key /etc/pki/tls/private/test.key 
 -out /etc/pki/tls/test2.pem            #生成证书申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                            #国家，必须和CA相同
State or Province Name (full name) []:HeNan                     #州或者省份，必须和CA相同
Locality Name (eg, city) [Default City]:zz                      #城市，可以自定义
Organization Name (eg, company) [Default Company Ltd]:CAServer  #机构名必须和CA相同
Organizational Unit Name (eg, section) []:test                  #部门名称，可以自定义
Common Name (eg, your name or your server's hostname) []:test2.com     #服务器名称
Email Address []:                                                  #邮箱地址可以忽略
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:admin                                   #设置密码加密
An optional company name []:admin
[[email protected] ~]#scp /etc/pki/tls/test2.pem [email protected]:/etc/pki/CA  
                                                     #把他发送到CA服务器上

[[email protected] CA]#openssl ca -in test.pem -out certs/test2.crt -days 365   
  #请求文件test.pem    生成文件certs/test.crt    时间1年
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)   #1是十进制，（0x1）是16进制
        Validity
            Not Before: Jul 17 16:14:46 2017 GMT
            Not After : Jul 17 16:14:46 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HeNan
            organizationName          = CAServer
            organizationalUnitName    = test
            commonName                = test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3B:F1:1B:6B:88:C2:17:35:19:2E:35:90:C6:22:6E:69:10:FF:B4:02
            X509v3 Authority Key Identifier: 
                keyid:60:3C:95:CB:A1:63:DC:0C:FC:1B:85:22:B3:4D:FD:FB:3B:5E:A4:B8

Certificate is to be certified until Jul 17 16:14:46 2018 GMT (365 days)#有效期1年
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries    #增加一条新纪录
Data Base Updated
[[email protected] CA]#cat serial      
02                                                   #下一个证书的编号
[[email protected] CA]#cat index.txt    
V    180717161446Z        01    unknown /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com   #V证书
[[email protected] CA]#scp certs/test2.crt [email protected]:/etc/pki/tls/certs/       复制给用户就可以使用了

小工具

[root@centos7 /etc/pki/CA]# index.txt.old    serial.old 文件里都是上一次的文件相当于备份
同一个申请发多个证书默认是不允许的，可以修改vim index.txtt.attr
unique_subject = yes  #yes改为no

桌面证书没有路径
[root@centos7 /etc/pki/CA]#  cacert.pem  #sz cacert.pem 传输到桌面
后缀修改成cacert.crt
双击安装证书、下一步，浏览、收信人颁发机构、下一步安装

[root@centos7 /etc/pki/CA]#openssl ca -status 01          #查看证书变数是否有效
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)        #有效

客户端centos6.9做子CA办法

[[email protected] ~]#touch /etc/pki/CA/index.txt       #创建证书索引文件
[[email protected] ~]#echo 01 > /etc/pki/CA/serial      #指定证书颁发的序号，序号必须是两位16进制数
[root@centos6 /etc/pki/CA]#(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 1024)   
Generating RSA private key, 1024 bit long modulus    #密钥默认是1024位加密，也可以在命令尾部指定
.............++++++
.................................+++
........................+++
e is 65537 (0x10001)
[[email protected] AC]#openssl req -new -key private/cakey.pem -out subca.csr 
  #生成证书申请文件
[[email protected] AC]#scp subca.csr 172.18.xx.xxx:/etc/pki/CA/   #把他发送到CA服务器上
[[email protected] CA]#openssl ca -in subca.csr -out certs/subca.crt -days 3650 
[[email protected] CA]#scp certs/subca.csr 
 172.18.xx.xxx:/etc/pki/CA/cacert.pem   #把他发送到CA客户端centos60上

[root@centos6 ~]#openssl genrsa -out centos60.key 1024    #生成私钥
Generating RSA private key, 1024 bit long modulus
.....++++++
....................++++++
e is 65537 (0x10001)
[root@centos6 ~]#ll centos60.key 
-rw-r--r--. 1 root root 887 Sep  8 11:38 centos60.key
[root@centos6 ~]#openssl req -new -key centos60.key -out centos60.csr 
#生成证书申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                            #国家，必须和子CA相同
State or Province Name (full name) []:HeNan                     #州或者省份，必须和子CA相同
Locality Name (eg, city) [Default City]:zz                      #城市，可以自定义
Organization Name (eg, company) [Default Company Ltd]:CAServer  #机构名必须和子CA相同
#其他自定义
[root@centos6 ~]#scp centos60.csr 172.18.xx.xxx:/etc/pki/CA    证书复制到子CA

子CAcentos6.9颁发证书给centos6

[[email protected] CA]#openssl ca -in centos60.csr -out certs/centos60.csr -days 365   #颁发证书
[email protected] CA]#cat index.txt    颁发的第一个证书存放位置
[email protected] CA]#sz certs/centos60.crt
[email protected] CA]#sz cacert.pem

上传到桌面 CAcentos7 ,子CAcentos6.9 ,客户端centos6的证书都在桌面进行安装

吊销证书

[[email protected] certs]#openssl x509 -in /etc/pki/tls/certs/test.crt -noout -serial -subject     
#在客户主机上面查询证书的编号和信息，提供给CA
serial=01
subject= /C=CN/ST=HeNan/O=CAServer/OU=test/CN=test.com

[[email protected] CA]#cat index.txt                           #CA查看索引文件确认
R    180717161446Z    170717162332Z    01    unknown    /C=CN/ST=HeNan/O=CASe
rver/OU=test/CN=test.com
[[email protected] CA]#ll /etc/pki/CA/newcerts/01.pem                      #
-rw-r--r--. 1 root root 3077 Jul 18 00:14 /etc/pki/CA/newcerts/01.pem    
 #在签发证书之后会在/newcerts生成一个证书编号.pem文件
[[email protected] CA]#cat /etc/pki/CA/newcerts/01.pem    #里面是证书的信息和申请者的公钥
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HeNan, L=ZhengZhou, O=CAServer, OU=CA, CN=www.CAServer.com
        Validity
            Not Before: Jul 17 16:14:46 2017 GMT
            Not After : Jul 17 16:14:46 2018 GMT
        Subject: C=CN, ST=HeNan, O=CAServer, OU=test, CN=test.com
[[email protected] CA]#openssl -revoke /etc/pki/CA/newcerts/01.pem 
openssl:Error: '-revoke' is an invalid command.

[[email protected] CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem     #吊销证书
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[[email protected] CA]#openssl ca -gencrl -out crl/test.crl        #更新证书吊销列表
Using configuration from /etc/pki/tls/openssl.cnf
[[email protected] CA]#openssl crl -in crl/test.crl -noout -text     #查看证书吊销列表
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=HeNan/L=ZhengZhou/O=CAServer/OU=CA/CN=w
ww.CAServer.com   #CA的信息
        Last Update: Jul 17 16:24:37 2017 GMT
        Next Update: Aug 16 16:24:37 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                2                                                         
Revoked Certificates:
    Serial Number: 01                                                 #证书编号
        Revocation Date: Jul 17 16:23:32 2017 GMT