CA机构的搭建


1、CA简介:

ca:Certificate Authority,证书颁发机构,也叫证书授权中心。CA主要职责是颁发和管理数字证书。其中心任务是颁发数字证书,并履行用户身份认证的责任。现阶段主要作为电子商务交易中受信任的第三方,承担公钥体系中公钥的合法性检验的责任。


2、公司自建CA实现架构:

    1、使用openssl程序完成搭建;

    2、需要构建角色:

            1、CA服务器;

            2、客户端pc;

            3、电商web服务器;


3、构建CA的过程:

    

    CA服务器上操作:

    [root@localhost ~]# yum -y install openssl            :安装openssl,这是搭建的核心命令;

    [root@localhost ~]# vim /etc/pki/tls/openssl.cnf     

[CA_default]

dir  :ca的工作目录变量。被下方参数引用(注意:centos5上,此参数要改成绝对路径,不能用相对路径);

certs    :证书存放位置;

crl_dir     :吊销证书的存放位置;

database    :索引文件数据库。签署的所有证书索引文件。自动生成;

new_certs_dir    :刚签署的证书存放位置;

certificate       :ca自己的证书位置;

serial        :下一个证书的编号;

crlnumber         :已吊销证书的证书编号;

crl        :当前正在使用的证书吊销列表文件;

private_key        :ca自己的私钥,安全性很高(可以加密私钥位置文件,让别人拿到也看不了。但是每次使用都得解密);

RANDFILE                     :随机种子数据文件;

x509_extensions    :用户证书;

name_opt        :

cert_opt        :

......... 

自签证书默认使用期限

吊销期限

自签证书需要的交互式信息,如国家代码..

..........

                                        :查看CA主配置文件,了解部分参数内容;


   [root@localhost ~]# cd /etc/pki/CA/        :进入CA的工作目录;

   [root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ................................................+++
    ....................................+++
    e is 65537 (0x10001)        : 生成CA自己的私钥文件,cakey.pem。默认权限为600;

    

    [root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki    /CA/cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn                                      :国家代码;
    State or Province Name (full name) []:beijing                             :所在省份;
    Locality Name (eg, city) [Default City]:beijing                           :所在城市;
    Organization Name (eg, company) [Default Company Ltd]:CA                  :机构名称;
    Organizational Unit Name (eg, section) []:manager                         :部门名称;
    Common Name (eg, your name or your server's hostname) []:ca.manager.com   :主机名称(重要);
    Email Address []:[email protected]                                             :邮箱地址;
    [root@localhost CA]#                          

                                            :根据私钥文件生成CA自签证书。CA给自己签发一个证书;


    [root@localhost CA]# pwd
    /etc/pki/CA
    [root@localhost CA]# touch index.txt            :创建索引文件;
    [root@localhost CA]# touch serial               :证书编号位置;
    [root@localhost CA]# echo 01 > serial           :自定义开始证书编号;
    [root@localhost CA]# touch crlnumber            :已吊销证书编号文件;
    [root@localhost CA]# ll

            :以上的三个文件,是CA配置文件中定义的文件名,必须手动创建出来;

    ok,以上简单自建CA机构配置完毕;


4、为httpd服务签发证书:

    有了自己的CA证书机构,现在测试给httpd服务器颁发一次证书;

    操作位置:

        CA服务器---192.168.57.172;

        httpd服务器---192.168.57.175;


    httpd服务器上操作:

    [root@localhost ~]# cd /etc/httpd/
    [root@localhost httpd]# mkdir ssl

    [root@localhost httpd]# (umask 077; openssl genrsa -out httpd.key 1024)
    Generating RSA private key, 1024 bit long modulus
    ......................++++++
    ..++++++

    e is 65537 (0x10001)          :生成httpd私钥;


    [root@localhost httpd]# mv httpd.key ssl/
    [root@localhost httpd]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr     -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:test
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:www.test.com
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:  空
    An optional company name []: 空
    [root@localhost httpd]#          :根据私钥,创建证书申请文件httpd.csr;


    [root@localhost httpd]# scp /etc/httpd/ssl/httpd.csr 192.168.57.172:/tmp/
    The authenticity of host '192.168.57.172 (192.168.57.172)' can't be established.
    RSA key fingerprint is f3:c6:fd:6b:c8:66:56:15:c7:2e:88:07:b3:ff:4b:48.
    Are you sure you want to continue connecting (yes/no)? y
    Please type 'yes' or 'no': yes
    Warning: Permanently added '192.168.57.172' (RSA) to the list of known hosts.
    [email protected]'s password:
    httpd.csr                                                            100%  688     0.7KB/s   00:00  
    [root@localhost httpd]#     :利用scp命令,将httpd证书申请文件复制到CA服务器上,有CA进行数字签名;


    CA服务器上操作:


    [root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The organizationName field needed to be the same in the
    CA certificate (CA) and the request (test)
    [root@localhost tmp]#    :报错了,这里说httpd申请里的机构名字跟CA证书里的机构名字不一样。原因就是CA配置文件中有策略定义必须要一样,编辑配置文件,关闭这些策略即可;


    [root@localhost tmp]# vim /etc/pki/tls/openssl.cnf 

    [ policy_match ]
    countryName             = match                 
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional

        :将match改成optional即可,如下:

        [ policy_match ]
        countryName             = optional
        stateOrProvinceName     = optional
        organizationName        = optional
        organizationalUnitName  = optional
        commonName              = supplied
        emailAddress            = optional


    [root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 31 12:11:08 2015 GMT
            Not After : Mar 30 12:11:08 2016 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = test
            organizationalUnitName    = test
            commonName                = www.test.com
            emailAddress              = [email protected]

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:01:A5:A2:66:F4:5A:8C:D5:A1:2F:6A:B1:86:B2:89:28:D4:24:4D
            X509v3 Authority Key Identifier:
                keyid:25:CE:A2:A1:00:A7:19:69:94:96:7C:4F:32:1C:C8:7E:2D:E1:85:0B

    Certificate is to be certified until Mar 30 12:11:08 2016 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@localhost tmp]#    :再次执行证书签发,生成httpd.crt证书文件。ok,没问题了;


    [root@localhost tmp]# cat /etc/pki/CA/serial
    02

    [root@localhost tmp]# ll /etc/pki/CA/newcerts/
    总用量 4
    -rw-r--r--. 1 root root 3830 3月  31 20:11 01.pem
    [root@localhost tmp]#                   :查看CA证书编号和已颁发的证书;


    [root@localhost tmp]# pwd
    /tmp
    [root@localhost tmp]# scp httpd.crt 192.168.57.175:/etc/httpd/ssl/
    The authenticity of host '192.168.57.175 (192.168.57.175)' can't be established.
    RSA key fingerprint is f3:c6:fd:6b:c8:66:56:15:c7:2e:88:07:b3:ff:4b:48.
    Are you sure you want to continue connecting (yes/no)? y
    Please type 'yes' or 'no': yes
    Warning: Permanently added '192.168.57.175' (RSA) to the list of known hosts.
    [email protected]'s password:
    httpd.crt                                                            100% 3830     3.7KB/s   00:00  
    [root@localhost tmp]#      :将证书文件复制到httpd服务器的指定目录下面;


    [root@localhost ssl]# pwd
    /etc/httpd/ssl
    [root@localhost ssl]#
    [root@localhost ssl]#
    [root@localhost ssl]# ll
    总用量 12
    -rw-r--r--. 1 root root 3830 3月  31 20:15 httpd.crt
    -rw-r--r--. 1 root root  688 3月  31 19:23 httpd.csr
    -rw-------. 1 root root  887 3月  31 19:20 httpd.key
    [root@localhost ssl]#       :来到httpd服务器上,查看自己成功申请的证书;


    ok,至此,简单的CA搭建和签证过程完成了。