很多时候,我们希望在使用互联网的时候,我们的通信是受到保护的,而在互联网上活动时使用最多的莫过于使用网站了,所以我们就需要考虑如何加密使用网站的过程中所传送的消息,htts加密协议的出现解决了我们的困扰,而htts协议是基于证书的方式实现的,那如何用证书来保护我们在网站上所传送的消息了,要想使用证书,要么向互联上的专业证书机构去申请证书,要么自己搭建证书服务器(CA)来给自己的网络设备颁发证书,以保证相互之间的通信是通过加密协议传输的。当然如果去向专业的证书机构申请证书是需要花费较大代价的,所以很多企业想使用证书加密通信,但又不想花太大的代价去申请证书,所以就在自己公司的服务器上的搭建属于自己的证书管理服务器(CA),所以做为一名运维人员,就很有必要来探讨一下这个话题了。


一、CA的搭建和管理的相关知识

    openssl的配置文件:/etc/pki/tls/openssl.cnf

    (1) 创建所需要的文件

        touch /etc/pki/CA/index.txt

        echo 01 > /etc/pki/CA/serial

    (2) CA自签证书

        生成私钥

        cd /etc/pki/CA/

        (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)


        生成自签名证书

        openssl req -new -x509 –key /etc/pki/CA/private/cakey.pem -days 7300 

        -out /etc/pki/CA/cacert.pem

        -new: 生成新证书签署请求

        -x509: 专用于CA生成自签证书

        -key: 生成请求时用到的私钥文件

        -days n:证书的有效期限

        -out /PATH/TO/SOMECERTFILE: 证书的保存路径


    (3) 颁发证书

        (a) 在需要使用证书的主机生成证书请求;

            给web服务器生成私钥

            (umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

            生成证书申请文件

            openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

        (b) 将证书请求文件传输给CA

        (c) CA签署证书,并将证书颁发给请求者;

            openssl ca -in /tmp/httpd.csr –out /etc/pki/CA/certs/httpd.crt -days 365

            注意:默认国家,省 ,公司名称必须和CA一致

        (d) 查看证书中的信息:

            openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|subject|serial|dates

    (4) 吊销证书

        (a) 在客户端获取要吊销的证书的serial

            openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

        (b) 在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致

            吊销证书:openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

        (c) 生成吊销证书的编号(第一次吊销一个证书时才需要执行)

            echo 01 > /etc/pki/CA/crlnumber

        (d) 更新证书吊销列表

            openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

            查看crl文件:

            openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text


二、搭建CA

1、CA环境展示:

    [root@Centos630G ~]# hostname

    Centos630G

    [root@Centos630G ~]# ip addr show eth0

    2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000

        link/ether 00:0c:29:e1:ee:04 brd ff:ff:ff:ff:ff:ff

        inet 10.1.42.61/16 brd 10.1.255.255 scope global eth0

        inet6 fe80::20c:29ff:fee1:ee04/64 scope link 

           valid_lft forever preferred_lft forever

    [root@Centos630G ~]# cd /etc/pki/CA

    [root@Centos630G CA]# tree

    .

    ├── certs

    ├── crl

    ├── newcerts

    └── private


    4 directories, 0 files

    [root@Centos630G CA]# 


2、创建CA需要的文件:

    [root@Centos630G CA]# touch index.txt

    [root@Centos630G CA]# echo 01 > serial

    [root@Centos630G CA]# ll

    total 20

    drwxr-xr-x. 2 root root 4096 May  9 10:56 certs

    drwxr-xr-x. 2 root root 4096 May  9 10:56 crl

    -rw-r--r--. 1 root root    0 Sep 22 12:27 index.txt

    drwxr-xr-x. 2 root root 4096 May  9 10:56 newcerts

    drwx------. 2 root root 4096 May  9 10:56 private

    -rw-r--r--. 1 root root    3 Sep 22 12:27 serial

    [root@Centos630G CA]# 


3、给CA创建私钥:

    [root@Centos630G CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)

    Generating RSA private key, 2048 bit long modulus

    .................+++

    .............+++

    e is 65537 (0x10001)

    [root@Centos630G CA]# tree

    .

    ├── certs

    ├── crl

    ├── index.txt

    ├── newcerts

    ├── private

    │   └── cakey.pem

    └── serial


    4 directories, 3 files

    [root@Centos630G CA]# 


4、给CA生成自签名证书:

    [root@Centos630G CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [XX]:cn

    State or Province Name (full name) []:beijing

    Locality Name (eg, city) [Default City]:haidian

    Organization Name (eg, company) [Default Company Ltd]:companyA

    Organizational Unit Name (eg, section) []:IT  

    Common Name (eg, your name or your server's hostname) []:centos630g

    Email Address []:[email protected]

    [root@Centos630G CA]# ls

    cacert.pem  certs  crl  index.txt  newcerts  private  serial

    [root@Centos630G CA]# 



三、使用CA给客户颁发证书

1、申请证书的客户机环境展示:

    [root@centos730g ~]# hostname

    centos730g

    [root@centos730g ~]# ip addr show eno16777736 

    2: eno16777736: mtu 1500 qdisc pfifo_fast state UP qlen 1000

        link/ether 00:0c:29:4c:4a:32 brd ff:ff:ff:ff:ff:ff

        inet 10.1.42.71/16 brd 10.1.255.255 scope global eno16777736

           valid_lft forever preferred_lft forever

        inet6 fe80::20c:29ff:fe4c:4a32/64 scope link 

           valid_lft forever preferred_lft forever

    [root@centos730g ~]# 


2、给客户机生成私钥:

    [root@centos730g ~]# (umask 066;openssl genrsa -out centos730g.prikey 2048)

    Generating RSA private key, 2048 bit long modulus

    ...............................+++

    .............................................................................+++

    e is 65537 (0x10001)

    [root@centos730g ~]# ls

    centos730g.prikey

    [root@centos730g ~]# 


3、给客户机生成证书申请文件:

    [root@centos730g ~]# openssl req -new -key centos730g.prikey -days 365 -out centos730g.csr

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [XX]:cn

    State or Province Name (full name) []:beijing

    Locality Name (eg, city) [Default City]:haidian

    Organization Name (eg, company) [Default Company Ltd]:companyA

    Organizational Unit Name (eg, section) []:web

    Common Name (eg, your name or your server's hostname) []:centos730g

    Email Address []:[email protected]


    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    [root@centos730g ~]# ls

    centos730g.csr  centos730g.prikey

    [root@centos730g ~]# 


4、在客户机上将证书申请文件传输到CA上:

    [root@centos730g ~]# scp centos730g.csr 10.1.42.61:/etc/pki/CA/crl

    The authenticity of host '10.1.42.61 (10.1.42.61)' can't be established.

    RSA key fingerprint is 91:e8:0f:0d:56:3c:38:b4:bf:b0:dd:b5:ee:0c:cb:b4.

    Are you sure you want to continue connecting (yes/no)? yes

    Warning: Permanently added '10.1.42.61' (RSA) to the list of known hosts.

    [email protected]'s password: 

    centos730g.csr               100% 1050     1.0KB/s   00:00    

    [root@centos730g ~]# 


5、在CA上给申请签证的客户签署证书:

    [root@Centos630G CA]# ls crl

    centos730g.csr

    [root@Centos630G CA]# openssl ca -in crl/centos730g.csr -out certs/centos730g.crt -days 365

    Using configuration from /etc/pki/tls/openssl.cnf

    Check that the request matches the signature

    Signature ok

    Certificate Details:

            Serial Number: 1 (0x1)

            Validity

                Not Before: Sep 22 17:15:37 2016 GMT

                Not After : Sep 22 17:15:37 2017 GMT

            Subject:

                countryName               = cn

                stateOrProvinceName       = beijing

                organizationName          = companyA

                organizationalUnitName    = web

                commonName                = centos730g

                emailAddress              = [email protected]

            X509v3 extensions:

                X509v3 Basic Constraints: 

                    CA:FALSE

                Netscape Comment: 

                    OpenSSL Generated Certificate

                X509v3 Subject Key Identifier: 

                    19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC

                X509v3 Authority Key Identifier: 

                    keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12


    Certificate is to be certified until Sep 22 17:15:37 2017 GMT (365 days)

    Sign the certificate? [y/n]:y



    1 out of 1 certificate requests certified, commit? [y/n]y

    Write out database with 1 new entries

    Data Base Updated

    [root@Centos630G CA]# ls certs

    centos730g.crt

    [root@Centos630G CA]# 


6、在CA上将签署好的证书传输给申请的客户:

    [root@Centos630G CA]# scp certs/centos730g.crt 10.1.42.71:/rootThe authenticity of host '10.1.42.71 (10.1.42.71)' can't be established.

    RSA key fingerprint is f2:c8:a3:77:da:65:42:3a:bf:53:24:e2:0b:0f:23:eb.

    Are you sure you want to continue connecting (yes/no)? yes

    Warning: Permanently added '10.1.42.71' (RSA) to the list of known hosts.

    [email protected]'s password: 

    centos730g.crt               100% 4596     4.5KB/s   00:00    

    [root@Centos630G CA]# 


7、客户收到颁发的证书之后,就可以配置相应的网络服务开始使用了

    [root@centos730g ~]# ll

    total 16

    -rw-r--r--. 1 root root 4596 Sep 22 17:17 centos730g.crt

    -rw-r--r--. 1 root root 1050 Sep 22 17:10 centos730g.csr

    -rw-------. 1 root root 1675 Sep 22 16:41 centos730g.prikey

    [root@centos730g ~]# 


    查看颁发的证书

    [root@centos730g ~]# openssl x509 -in centos730g.crt -noout -te

    xt

    Certificate:

        Data:

            Version: 3 (0x2)

            Serial Number: 1 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

            Issuer: C=cn, ST=beijing, L=haidian, O=companyA, OU=IT, CN=centos630g/[email protected]

            Validity

                Not Before: Sep 22 17:15:37 2016 GMT

                Not After : Sep 22 17:15:37 2017 GMT

            Subject: C=cn, ST=beijing, O=companyA, OU=web, CN=centos730g/[email protected]

            Subject Public Key Info:

                Public Key Algorithm: rsaEncryption

                    Public-Key: (2048 bit)

                    Modulus:

                        00:ca:a2:3c:e5:04:7a:5c:88:fd:2a:64:5d:41:18:

                        95:4f:4e:b4:ae:06:07:5b:e0:ac:d1:74:99:f4:3d:

                        2a:0a:35:4c:90:49:cf:51:84:69:44:de:e2:c1:9b:

                        9f:8d:29:9c:b7:5a:c2:b0:fd:a6:29:84:91:73:7f:

                        1a:f9:ba:00:f0:8f:2d:28:18:a5:bd:24:8b:cc:a0:

                        31:45:d8:c7:fe:51:da:5f:f5:27:39:02:fb:7e:07:

                        b7:6c:63:0f:b1:ec:7c:f5:57:c7:8c:1a:9f:23:04:

                        e0:2e:d6:c6:3a:ad:b3:5c:42:13:54:62:a1:83:ed:

                        d2:61:48:eb:98:06:a5:32:d3:b2:5b:00:05:0a:6b:

                        fb:97:90:1f:10:d9:8c:e6:00:af:c2:72:cc:ba:08:

                        fd:98:87:99:80:ec:40:41:a2:a6:df:ae:1b:29:bc:

                        22:25:f0:3f:59:6a:10:31:65:c8:44:7a:2b:2f:0b:

                        00:ce:d7:a6:3c:ab:83:47:10:20:75:76:46:51:9d:

                        ca:a8:65:b0:7f:28:d9:4c:24:90:47:4f:40:6c:ba:

                        b5:cf:cd:bb:a3:07:f3:35:f0:08:cc:61:52:90:ea:

                        57:c2:3b:9f:cc:c1:b0:4a:e5:8b:21:8c:c8:74:b2:

                        da:8d:aa:94:de:d3:bb:c3:9e:10:6c:d9:93:7a:b9:

                        5b:8d

                    Exponent: 65537 (0x10001)

            X509v3 extensions:

                X509v3 Basic Constraints: 

                    CA:FALSE

                Netscape Comment: 

                    OpenSSL Generated Certificate

                X509v3 Subject Key Identifier: 

                    19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC

                X509v3 Authority Key Identifier: 

                    keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12


        Signature Algorithm: sha1WithRSAEncryption

             10:23:27:f2:3c:ad:3c:ca:6a:d3:ae:db:1d:fb:51:95:2f:91:

             ef:ba:f4:b3:b2:91:dc:0a:e0:7a:3f:45:e5:97:16:24:a0:52:

             a4:3e:51:d1:86:c1:d0:de:d7:3c:7f:62:3c:f1:9e:88:93:03:

             15:c4:38:29:ba:cc:ba:0c:78:d0:7e:76:e5:dd:70:a4:6e:17:

             e7:19:ae:47:f3:39:32:d7:97:67:73:bb:bb:4a:28:ed:a1:f5:

             ec:d6:46:4d:8c:80:27:e2:48:f7:1b:54:58:1e:cc:cb:52:0b:

             91:24:b5:04:28:5c:70:1f:22:aa:3b:7f:4b:7d:f3:8a:f8:35:

             07:38:47:68:8c:57:b8:77:64:7a:bd:95:d5:5e:c8:82:32:a8:

             5b:ac:2b:c2:72:fa:08:ea:ee:30:1b:a9:39:eb:77:6e:65:32:

             90:ee:11:cc:38:05:84:a2:ed:14:d8:cc:73:ac:01:8c:8d:ae:

             27:38:c3:de:cd:75:4d:d3:09:9d:6e:b8:c3:e6:b1:c5:79:12:

             46:da:f4:c8:fe:97:1c:4b:66:c6:98:d6:b9:7c:fe:4a:a1:30:

             97:32:2e:01:cf:3c:eb:b8:bd:e1:da:6f:bc:98:8c:b8:99:b6:

             dc:42:51:b7:d1:ad:92:ff:95:91:ab:0f:3d:1e:db:e4:9e:1d:

             b0:b0:99:04

    [root@centos730g ~]# 



四、CA上吊销证书

1、在申请吊销证书的客户机上查看需要吊销的证书的serial以及subject信息,并提交给CA

    [root@centos730g ~]# openssl x509 -in centos730g.crt -noout -serial -subject

    serial=01

    subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]

    [root@centos730g ~]# 


2、在CA上根据客户提交的serial以及subject信息,比对服务器上index.txt文件中的信息一致后,执行吊销证书操作

    [root@Centos630G CA]# openssl x509 -in certs/centos730g.crt -noout -serial -subject

    serial=01

    subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]

    [root@Centos630G CA]# cat index.txt

    V 170922171537Z 01 unknown /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]

    [root@Centos630G CA]# 


3、信息确认一致,正式执行吊销操作

    [root@Centos630G CA]# tree

    .

    ├── cacert.pem

    ├── certs

    │   └── centos730g.crt

    ├── crl

    │   └── centos730g.csr

    ├── index.txt

    ├── index.txt.attr

    ├── index.txt.old

    ├── newcerts

    │   └── 01.pem

    ├── private

    │   └── cakey.pem

    ├── serial

    └── serial.old


    4 directories, 10 files

    [root@Centos630G CA]# openssl ca -revoke newcerts/01.pem 

    Using configuration from /etc/pki/tls/openssl.cnf

    Revoking Certificate 01.

    Data Base Updated

    [root@Centos630G CA]# tree

    .

    ├── cacert.pem

    ├── certs

    │   └── centos730g.crt

    ├── crl

    │   └── centos730g.csr

    ├── index.txt

    ├── index.txt.attr

    ├── index.txt.attr.old

    ├── index.txt.old

    ├── newcerts

    │   └── 01.pem

    ├── private

    │   └── cakey.pem

    ├── serial

    └── serial.old


    4 directories, 11 files

    [root@Centos630G CA]# 

    此时多出了一个新文件:index.txt.attr.old


4、生成吊销证书的编号(第一次吊销证书时才需要执行本操作)

    [root@Centos630G CA]# echo 01 > crlnumber

    [root@Centos630G CA]# openssl ca -gencrl -out crl/ca.crl

    Using configuration from /etc/pki/tls/openssl.cnf

    [root@Centos630G CA]# tree

    .

    ├── cacert.pem

    ├── certs

    │   └── centos730g.crt

    ├── crl

    │   ├── ca.crl

    │   └── centos730g.csr

    ├── crlnumber

    ├── crlnumber.old

    ├── index.txt

    ├── index.txt.attr

    ├── index.txt.attr.old

    ├── index.txt.old

    ├── newcerts

    │   └── 01.pem

    ├── private

    │   └── cakey.pem

    ├── serial

    └── serial.old


    4 directories, 14 files

    [root@Centos630G CA]# 

    

    第一次吊销操作完成后会在CA上多出4个新文件

    index.txt.attr.old

    ca.crl

    crlnumber.old

    index.txt.attr.old


    查看证书吊销列表文件

    [root@Centos630G CA]# openssl crl -in crl/ca.crl -noout -text

    Certificate Revocation List (CRL):

            Version 2 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

            Issuer: /C=cn/ST=beijing/L=haidian/O=companyA/OU=IT/CN=centos630g/[email protected]

            Last Update: Sep 22 17:44:35 2016 GMT

            Next Update: Oct 22 17:44:35 2016 GMT

            CRL extensions:

                X509v3 CRL Number: 

                    1

    Revoked Certificates:

        Serial Number: 01

            Revocation Date: Sep 22 17:29:54 2016 GMT

        Signature Algorithm: sha1WithRSAEncryption

             11:5a:02:a8:9f:a0:9c:85:c0:cd:e8:65:06:98:90:f0:31:83:

             cc:c6:f5:7d:4b:4b:d7:1a:57:63:c5:ac:ac:51:d4:46:d8:80:

             f7:0c:94:42:5f:24:f1:87:97:f6:05:23:de:b4:3e:3b:3f:4f:

             d2:55:ef:13:c0:78:80:d1:eb:fa:47:eb:1c:58:cb:d4:f2:9b:

             bd:eb:88:2a:d5:be:05:ee:26:f8:ba:ba:cf:a3:7f:8c:73:db:

             84:a3:de:74:9c:4d:eb:64:69:be:78:d1:ec:f9:82:10:46:72:

             5f:5a:e3:99:c4:f9:1c:36:18:f4:b7:5e:f4:72:6b:20:b0:98:

             7a:3c:c1:a4:e6:c3:d5:af:3f:68:44:7b:ae:34:69:0e:49:fd:

             fc:1f:70:9c:f6:b9:d4:a2:c1:25:d8:d1:e1:75:82:53:c4:63:

             c2:ce:1a:47:81:4a:73:18:81:35:ba:24:95:ff:8e:b3:61:6f:

             ce:ae:49:2f:73:d4:14:e3:5a:04:a6:c4:15:71:3b:e2:4c:fa:

             7f:05:42:1a:41:02:98:cb:82:70:ee:de:b2:5f:90:a9:cb:18:

             93:28:dd:ff:62:e1:90:7e:88:cd:19:41:40:5f:17:47:65:2f:

             ab:95:0f:27:8f:95:44:05:b7:d9:90:3e:e3:8c:ff:e9:d0:55:

             49:05:97:a9

    [root@Centos630G CA]# 

    掌握了上述这些操作的同时,搭建及管理私有CA是没什么问题了,所以大家可以自行实践,有什么问题,欢迎留言指正。