构建私有的 CA 机构

1、CA 介绍

   CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。

为什么要构建私有CA?
因为公共 CA (比如排名前几的这几家:Comodo, Symantec, GlobalSign, DigiCert, StartCom)颁发证书要收费,而且价格很贵。当然现在也有了像 Letsencrypt 这样的免费 CA。 我们的应用是企业内网,域名使用私有域名,没有办法使用互联网的 CA 办法的证书。

         环境:server:192.168.11.12    node1:192.168.11.13

2、构建私有 CA

1)、检查安装 openssl
rpm -qa openssl

如果未安装,则安装 openssl

yum install openssl openssl-devel
2)、查看配置文件

openssl 配置/etc/pki/tls/openssl.cnf有关CA的配置。如果服务器为证书签署者的身份那么就会用到此配置文件,此配置文件对于证书申请者是无作用的。

####################################################################
[ ca ]
default_ca      = CA_default            # 默认的CA配置;CA_default指向下面配置块

####################################################################
[ CA_default ]

dir             = /etc/pki/CA                 # CA的默认工作目录
certs           = $dir/certs                 # 认证证书的目录
crl_dir         = $dir/crl                     # 证书吊销列表的路径
database        = $dir/index.txt       # 数据库的索引文件

new_certs_dir   = $dir/newcerts         # 新颁发证书的默认路径

certificate     = $dir/cacert.pem          # 此服务认证证书,如果此服务器为根CA那么这里为自颁发证书 
serial          = $dir/serial                     # 下一个证书的证书编号
crlnumber       = $dir/crlnumber         # 下一个吊销的证书编号

crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# CA的私钥
RANDFILE        = $dir/private/.rand    # 随机数文件

x509_extensions = usr_cert              # The extentions to add to the cert

name_opt        = ca_default            # 命名方式,以ca_default定义为准
cert_opt        = ca_default            # 证书参数,以ca_default定义为准

default_days    = 365                   # 证书默认有效期
default_crl_days= 30                    # CRl的有效期
default_md      = sha256                # 加密算法
preserve        = no                    # keep passed DN ordering

policy          = policy_match          #policy_match策略生效

# For the CA policy
[ policy_match ]
countryName             = match         #国家;match表示申请者的申请信息必须与此一致
stateOrProvinceName     = match         #州、省
organizationName        = match         #组织名、公司名
organizationalUnitName  = optional      #部门名称;optional表示申请者可以的信息与此可以不一致
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]                     #由于定义了policy_match策略生效,所以此策略暂未生效
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
3)、根证书服务器目录

根CA服务器:因为只有 CA 服务器的角色,所以用到的目录只有/etc/pki/CA

网站服务器:只是证书申请者的角色,所以用到的目录只有/etc/pki/tls

4)、创建所需要的文件
[root@server ~]# cd /etc/pki/CA/
[root@server CA]# ls
certs  crl  newcerts  private
[root@server CA]# touch index.txt        #生成证书索引数据库文件
[root@server CA]# ls
certs  crl  index.txt  newcerts  private
[root@server CA]# echo 01 > serial       #指定第一个颁发证书的序列号
[root@server CA]# ls
certs  crl  index.txt  newcerts  private  serial
5)、创建密钥

在根CA服务器上创建密钥,密钥的位置必须为/etc/pki/CA/private/cakey.pem,这个是openssl.cnf中中指定的路径,只要与配置文件中指定的匹配即可。

[root@server CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................+++
.........................+++
e is 65537 (0x10001)
6)、生成自签名证书

根CA自签名证书,根CA是最顶级的认证机构,没有人能够认证他,所以只能自己认证自己生成自签名证书。

[root@server CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300 

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   
State or Province Name (full name) []:BEIJING      
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:ca.qf.com
Email Address []:

[root@server CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
-new:   生成新证书签署请求
-x509:  专用于CA生成自签证书
-key:   生成请求时用到的私钥文件
-days n:    证书的有效期限
-out /PATH/TO/SOMECERTFILE:     证书的保存路径
7)、下载安装证书

/etc/pki/CA/cacert.pem就是生成的自签名证书文件,使用 SZ/xftp工具将他导出到窗口机器中。然后双击安装此证书到受信任的根证书颁发机构

或:将/etc/pki/CA/cacert.pem 传到Windows上,看一下 sz /etc/pki/CA/cacert.pem
在Windows上接收并更改后缀名为 .cer

构建私有的 CA_第1张图片

3、CA 证书申请及签名

1)、检查安装 openssl
rpm -qa openssl

如果未安装,则安装 openssl

yum install openssl openssl-devel
2)、客户端生成私钥文件
[root@node1 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/www.qf.com.key 2048)
Generating RSA private key, 2048 bit long modulus
......................+++
....................................................................................+++
e is 65537 (0x10001)
[root@node1 ~]# cd /etc/pki/tls/private
[root@node1 private]# ls
www.qf.com.key
3)、客户端用私钥加密生成证书请求
[root@node1 private]# ls ../
cert.pem  certs  misc  openssl.cnf  private  
[root@node1 private]# openssl req -new -key /etc/pki/tls/private/www.qf.com.key -days 365 -out /etc/pki/tls/www.qf.com.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:QF
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.qf.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 private]# cd ../
[root@node1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private  www.qf.com.csr

CSR(Certificate Signing Request)包含了公钥和名字信息。通常以.csr为后缀,是网站向CA发起认证请求的文件,是中间文件。

在这一命令执行的过程中,系统会要求填写如下信息:

要求添写的内容
Country Name (2 letter code) 使用国际标准组织(ISO)国码格式,填写2个字母的国家代号。中国请填写CN
State or Province Name (full name) 省份,比如填写BeiJing
Locality Name (eg, city) 城市,比如填写BeiJing
Organization Name (eg, company) 组织单位,比如填写公司名称的拼音
Organizational Unit Name (eg, section) 比如填写IT Dept
Common Name (eg, your websites domain name) 城市,比如填写BeiJing
Email Address 邮件地址,可以不填
A challenge password 可以不填
An optional company name 可以不填

最后把生成的请求文件(/etc/pki/tls/www.qf.com.csr)传输给CA ,这里我使用scp命令,通过ssh协议,将该文件传输到CA下的/etc/pki/CA/private/目录

root@node1 tls]# scp www.qf.com.csr 192.168.11.13:/etc/pki/CA/private/  
[email protected]'s password: 
www.qf.com.csr                          100%  997   777.2KB/s   00:00    
4、CA 签署证书
[root@server ~]# openssl ca -in /etc/pki/CA/private/www.qf.com.csr -out 
/etc/pki/CA/certs/www.qf.com.ctr -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 14 13:45:02 2019 GMT
            Not After : Mar 13 13:45:02 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = QF
            organizationalUnitName    = OPT
            commonName                = www.qf.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                08:65:70:98:2B:0B:15:D0:74:FE:69:58:05:B8:02:BC:45:D8:23:9B
            X509v3 Authority Key Identifier: 
                keyid:60:6B:BC:F1:A1:01:BF:72:FD:7D:02:A8:BD:15:BE:9C:3B:3E:03:30

Certificate is to be certified until Mar 13 13:45:02 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

证书通常以.crt为后缀,表示证书文件

1、可能遇到的问题
[root@server ~]# openssl openssl ca -in /etc/pki/CA/private/www.qf.com.csr -out /etc/pki/CA/certs/www.qf.com.ctr -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (CA) and the request (QF)

因为默认使用/etc/pki/tls/openssl.cnf,里面要求其一致,修改organizationName=supplied

修改 /etc/pki/tls/openssl.cnf

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
2、查看生成的证书的信息
[root@server ~]# openssl x509 -in /etc/pki/CA/certs/www.qf.com.ctr -noout -subject

subject= /C=CN/ST=BEIJING/O=QF/OU=OPT/CN=www.qf.com
3、将生成的证书发放给请求客户端
[root@server ~]# scp www.qf.com.ctr [email protected]:/etc/pki/CA/certs/ 

[email protected]'s password: 
www.qf.com.ctr                            100% 4422     1.3MB/s   00:00  

4、CA吊销证书

1)、知道客户端吊销的证书的serial
[root@server ~]#openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
2)、吊销证书

先根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致;然后

[root@server ~]#openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
3)、生成吊销证书的编号

第一次吊销一个证书时才需要执行

[root@server ~]#echo 01 > /etc/pki/CA/crlnumber
4)、更新证书吊销列表
[root@server ~]#openssl ca -gencrl -out thisca.crl
5)、查看证书吊销列表
[root@server ~]#openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text