CA机构的搭建
1、CA简介:
ca:Certificate Authority,证书颁发机构,也叫证书授权中心。CA主要职责是颁发和管理数字证书。其中心任务是颁发数字证书,并履行用户身份认证的责任。现阶段主要作为电子商务交易中受信任的第三方,承担公钥体系中公钥的合法性检验的责任。
2、公司自建CA实现架构:
1、使用openssl程序完成搭建;
2、需要构建角色:
1、CA服务器;
2、客户端pc;
3、电商web服务器;
3、构建CA的过程:
CA服务器上操作:
[root@localhost ~]# yum -y install openssl :安装openssl,这是搭建的核心命令;
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf
[CA_default]
dir :ca的工作目录变量。被下方参数引用(注意:centos5上,此参数要改成绝对路径,不能用相对路径);
certs :证书存放位置;
crl_dir :吊销证书的存放位置;
database :索引文件数据库。签署的所有证书索引文件。自动生成;
new_certs_dir :刚签署的证书存放位置;
certificate :ca自己的证书位置;
serial :下一个证书的编号;
crlnumber :已吊销证书的证书编号;
crl :当前正在使用的证书吊销列表文件;
private_key :ca自己的私钥,安全性很高(可以加密私钥位置文件,让别人拿到也看不了。但是每次使用都得解密);
RANDFILE :随机种子数据文件;
x509_extensions :用户证书;
name_opt :
cert_opt :
.........
自签证书默认使用期限
吊销期限
自签证书需要的交互式信息,如国家代码..
..........
:查看CA主配置文件,了解部分参数内容;
[root@localhost ~]# cd /etc/pki/CA/ :进入CA的工作目录;
[root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................................+++
....................................+++
e is 65537 (0x10001) : 生成CA自己的私钥文件,cakey.pem。默认权限为600;
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki /CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn :国家代码;
State or Province Name (full name) []:beijing :所在省份;
Locality Name (eg, city) [Default City]:beijing :所在城市;
Organization Name (eg, company) [Default Company Ltd]:CA :机构名称;
Organizational Unit Name (eg, section) []:manager :部门名称;
Common Name (eg, your name or your server's hostname) []:ca.manager.com :主机名称(重要);
Email Address []:[email protected] :邮箱地址;
[root@localhost CA]#
:根据私钥文件生成CA自签证书。CA给自己签发一个证书;
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# touch index.txt :创建索引文件;
[root@localhost CA]# touch serial :证书编号位置;
[root@localhost CA]# echo 01 > serial :自定义开始证书编号;
[root@localhost CA]# touch crlnumber :已吊销证书编号文件;
[root@localhost CA]# ll
:以上的三个文件,是CA配置文件中定义的文件名,必须手动创建出来;
ok,以上简单自建CA机构配置完毕;
4、为httpd服务签发证书:
有了自己的CA证书机构,现在测试给httpd服务器颁发一次证书;
操作位置:
CA服务器---192.168.57.172;
httpd服务器---192.168.57.175;
httpd服务器上操作:
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......................++++++
..++++++
e is 65537 (0x10001) :生成httpd私钥;
[root@localhost httpd]# mv httpd.key ssl/
[root@localhost httpd]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 空
An optional company name []: 空
[root@localhost httpd]# :根据私钥,创建证书申请文件httpd.csr;
[root@localhost httpd]# scp /etc/httpd/ssl/httpd.csr 192.168.57.172:/tmp/
The authenticity of host '192.168.57.172 (192.168.57.172)' can't be established.
RSA key fingerprint is f3:c6:fd:6b:c8:66:56:15:c7:2e:88:07:b3:ff:4b:48.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.57.172' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 688 0.7KB/s 00:00
[root@localhost httpd]# :利用scp命令,将httpd证书申请文件复制到CA服务器上,有CA进行数字签名;
CA服务器上操作:
[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (CA) and the request (test)
[root@localhost tmp]# :报错了,这里说httpd申请里的机构名字跟CA证书里的机构名字不一样。原因就是CA配置文件中有策略定义必须要一样,编辑配置文件,关闭这些策略即可;
[root@localhost tmp]# vim /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
:将match改成optional即可,如下:
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 31 12:11:08 2015 GMT
Not After : Mar 30 12:11:08 2016 GMT
Subject:
countryName = cn
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = test
commonName = www.test.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:01:A5:A2:66:F4:5A:8C:D5:A1:2F:6A:B1:86:B2:89:28:D4:24:4D
X509v3 Authority Key Identifier:
keyid:25:CE:A2:A1:00:A7:19:69:94:96:7C:4F:32:1C:C8:7E:2D:E1:85:0B
Certificate is to be certified until Mar 30 12:11:08 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost tmp]# :再次执行证书签发,生成httpd.crt证书文件。ok,没问题了;
[root@localhost tmp]# cat /etc/pki/CA/serial
02
[root@localhost tmp]# ll /etc/pki/CA/newcerts/
总用量 4
-rw-r--r--. 1 root root 3830 3月 31 20:11 01.pem
[root@localhost tmp]# :查看CA证书编号和已颁发的证书;
[root@localhost tmp]# pwd
/tmp
[root@localhost tmp]# scp httpd.crt 192.168.57.175:/etc/httpd/ssl/
The authenticity of host '192.168.57.175 (192.168.57.175)' can't be established.
RSA key fingerprint is f3:c6:fd:6b:c8:66:56:15:c7:2e:88:07:b3:ff:4b:48.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.57.175' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 3830 3.7KB/s 00:00
[root@localhost tmp]# :将证书文件复制到httpd服务器的指定目录下面;
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]#
[root@localhost ssl]#
[root@localhost ssl]# ll
总用量 12
-rw-r--r--. 1 root root 3830 3月 31 20:15 httpd.crt
-rw-r--r--. 1 root root 688 3月 31 19:23 httpd.csr
-rw-------. 1 root root 887 3月 31 19:20 httpd.key
[root@localhost ssl]# :来到httpd服务器上,查看自己成功申请的证书;
ok,至此,简单的CA搭建和签证过程完成了。