CA是Certificate Authority的缩写,也叫“证书授权中心”。
在web访问中为了保证web内容在网络中的安全传输,就需要用到SSL证书。而想要获得SSL证书就需要得到公认证书签发机构的签发,这些签发机构统称CA。CA主要负责签发证书、认证证书、管理已颁发证书的第三方机构,是PKI的核心。它要制定政策和具体步骤来验证、识别用户身份,并对用户证书进行签名,以确保证书持有者的身份和公钥的拥有权。
一般来说,CA必须是所有行业和所有公众都信任的、认可的。因此它必须具有足够的权威性。
CA证书,顾名思义,就是CA颁发的证书
CA证书也是数字证书的一种,是通过数字签名实现的数字化证书, 具有不能被伪造的特点。是实现web安全通信中必不可少的一环。
如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。
现在在互联网上大行其道的https协议,就是通过CA证书的认证实现的。但证书虽好却价格昂贵,CA证书的使用者每年都需要向证书颁发机构缴纳一笔不菲的费用,如果搭建的网站只是供自己或局域网内使用,通过证书机构颁发证书就很不划算了。像这种情况,我们就可以通过搭建自己的私有CA来解决,实现局域网内web安全通信。
接下来我会详细介绍如何搭建私有CA,并实现证书的签发和管理。
想要搭建私有CA,/etc/pki/tls/目录下的openssl.cnf文件是你必须要了解的,文件内有关于CA的重要配置信息。
root&localhost: ~># cat /etc/pki/tls/openssl.cnf
……此处省略部分显示内容……
####################################################################
[ ca ]
default_ca = CA_default #指定默认使用的CA
####################################################################
[ CA_default ]
dir = /etc/pki/CA #CA的工作目录,所有与CA相关的信息都在此目录下
certs = $dir/certs #证书的存放路径,需人为指定才会将证书存放在此目录下。
crl_dir = $dir/crl #证书吊销列表的存放路径
database = $dir/index.txt #指定证书数据库文件所在的路径,index.txt文件用于存放证书数据,此文件默认没有,需手工创建。
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts #新证书的存放目录,新生成的证书默认存放于此目录下。
certificate = $dir/cacert.pem #CA自身证书的所在路径
serial = $dir/serial #要颁发的下一个证书的编号,编号要求是16进制数,该文件需手工创建并写入编号。
crlnumber = $dir/crlnumber #下一个要被吊销的证书编号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem#CA私钥存放的路径
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 #指定证书有效期,默认365天。
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match #指定默认使用的CA策略
# For the CA policy
[ policy_match ] #记录了CA搭建时和客户端向你申请证书时,提交信息的匹配策略。
countryName = match #省或州的名字
stateOrProvinceName = match #城市名
organizationName = match #公司或组织名
organizationalUnitName = optional #公司或组织下的单位名
commonName = supplied #通用名,一般指定为网站的服务器域名,www.xxxx.com
emailAddress = optional #邮件地址
#match、optional、supplied分别代表三种不同的匹配策略,匹配、支持和可选。匹配指要求申请填写的信息跟CA设置信息必须一致,支持指必须填写这项申请信息,可选指可有可无。
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ] #policy_anything策略,对提交的申请信息要求比 policy_match策略更加宽松。填写申请文件时国家,省,公司名称三项可以和CA不一致。
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
……此处省略部分显示内容……
root&localhost: ~>#touch /etc/pki/CA/index.txt
#创建生成证书索引数据库文件
root&localhost: ~>#echo 01 >/etc/pki/CA/serial
#创建serial文件并指定第一个颁发证书的序列号
root&localhost: ~>#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
#验证上面的两个文件是否创建成功。
4 directories, 2 files
root&localhost: ~>#cat /etc/pki/CA/serial
01
#验证序列号是否写入到serial文件中。
由于要搭建的这个CA是网络中的第一个CA,没有根CA为其授权,所以这个CA需要自签证书,自己证明自己的身份。要自签证书须先生成私钥,下面是生成私钥的方法。
在上面的openssl.cnf文件中已经写出了CA私钥的存放路径:private_key = $dir/private/cakey.pem,CA私钥必须放于private目录下。
root&localhost: ~>#cd /etc/pki/CA/
#进入/etc/pki/CA/目录
生成私钥文件
root&localhost: CA>#(umask 066;openssl genrsa -out private/cakey.pem -des3 2048)
#在private目录下生成以des3算法加密的私钥文件,私钥长度为2048位,并设定私钥文件的权限为属主读写。
Generating RSA private key, 2048 bit long modulus
.........................+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem: #输入私钥加密口令,输入不会回显。
Verifying - Enter pass phrase for private/cakey.pem: #确认加密口令
确认文件生成并且符合要求。
root&localhost: CA>#ll private/cakey.pem
-rw-------. 1 root root 1743 Sep 10 10:45 private/cakey.pem
#确认文件生成并且权限符合要求。
root&localhost: CA>#cat private/cakey.pem
#查看生成的加密过的私钥文件
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AECFA1468969CFF6
keWwxPfapo/VWX90/MQVrrYgkrBmd+falU+QbgP26NsaUvyBdEahDUNB1lla0HIN
hixPXCyN4G0mgrgx0AkKHSDNWLqKIOjZIkyxcoFcrnHcKSbP2hA+E8K5+hLp7nnk
……此处省略部分显示内容……
root&localhost: CA>#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
#使用openssl命令生成自签名证书,有效期设为20年。
Enter pass phrase for private/cakey.pem: #生成证书需要调用上一步生成的加密后的私钥文件,所有需要输入密码。此处输入密码不回显。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家名,只能输两位字母。
State or Province Name (full name) []:shandong #省份名
Locality Name (eg, city) [Default City]:dezhou #城市名
Organization Name (eg, company) [Default Company Ltd]:siwei.com #组织或公司名
Organizational Unit Name (eg, section) []:opt #组织下的部门名称
Common Name (eg, your name or your server's hostname) []:ca.siwei.com #此CA的域名
Email Address []: #邮箱地址,可以选填,不填直接回车即可。
查看有没有在当前目录下生成自签名证书文件cacert.pem
root&localhost: CA>#ls
cacert.pem certs crl index.txt newcerts private serial
选择一台客户端主机向搭建好的CA服务器申请证书
root&Centos6: ~#cd /etc/pki/tls/
#进入客户端主机的/etc/pki/tls/目录内
使用openssl命令在请求客户端生成私钥文件,可以根据需要选择是否加密,如要加密可在秘钥长度前加-des3选项。
root&Centos6: tls#(umask 066;openssl genrsa -out private/app.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................................+++
..................................................................................................................+++
e is 65537 (0x10001)
查看app.key文件是否生成且权限符合设置。
root&Centos6: tls#ll private/
total 4
-rw------- 1 root root 1675 Sep 10 11:35 app.key
注意:填写申请文件时默认国家,省,公司名称三项必须和CA一致
root&Centos6: tls#openssl req -new -key private/app.key -out app.csr
#生成证书申请文件app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家名,需要与CA一致
State or Province Name (full name) []:shandong #省名,需要与CA一致
Locality Name (eg, city) [Default City]:qingdao
Organization Name (eg, company) [Default Company Ltd]:siwei.com #公司名,需要与CA一致
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:app.siwei.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
#为发送的证书创建一个密码,可以填写,也可以不填写
A challenge password []: #此处未填写密码,直接回车跳过。
An optional company name []:
查看生成的证书请求文件
root&Centos6: tls#ls
app.csr cert.pem certs misc openssl.cnf private
root&Centos6: tls#scp app.csr 172.18.22.22:/etc/pki/CA
The authenticity of host '172.18.22.22 (172.18.22.22)' can't be established.
RSA key fingerprint is a8:a0:56:46:bb:f2:8b:1b:07:29:e3:7e:9b:ee:32:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.22.22' (RSA) to the list of known hosts.
root@172.18.22.22's password: #目标主机的登录密码
app.csr 100% 1054 1.0KB/s 00:00
查看/etc/pki/CA/目录下的证书认证请求文件app.csr是否存在
root&localhost: CA>#ls
app.csr certs index.txt private
cacert.pem crl newcerts serial
使用CA的私钥对来申请的证书进行签署,签署的有效期指定为365天。
root&localhost: CA>#openssl ca -in app.csr -out certs/app.crt -days 365
#使用CA的私钥对申请证书进行签署,签署的有效期指定为365天。
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #在此输入CA的私钥密码
Check that the request matches the signature
#检查申请信息是否匹配,下面列出的是请求证书的申请信息。
#注意:默认国家,省,公司名称三项必须和CA一致
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 03:52:02 2017 GMT
Not After : Sep 10 03:52:02 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = shandong
organizationName = siwei.com
organizationalUnitName = dev
commonName = app.siwei.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
71:BF:68:FA:9A:60:E5:53:5A:90:94:03:3A:0C:E9:17:E2:8A:C4:99
X509v3 Authority Key Identifier:
keyid:8C:45:0F:92:30:3C:7D:8E:A6:42:F8:B4:E0:30:AD:17:3C:DF:01:C1
Certificate is to be certified until Sep 10 03:52:02 2018 GMT (365 days)
Sign the certificate? [y/n]:y
#问你是否要签署此证书,选择y就签署了。
1 out of 1 certificate requests certified, commit? [y/n]y #选择y确认颁发
Write out database with 1 new entries #将有一个条目写入数据库,也就是index.txt文件
Data Base Updated
查看新生成的证书数据
root&localhost: CA>#cat index.txt
V 180910035202Z 01 unknown /C=CN/ST=shandong/O=siwei.com/OU=dev/CN=app.siwei.com/emailAddress=admin@siwei.com
scp certs/app.crt 172.18.22.100:/etc/pki/tls/certs
The authenticity of host '172.18.22.100 (172.18.22.100)' can't beestablished.
RSA key fingerprint is 65:57:31:4a:f2:14:24:04:58:6c:29:d8:4b:cc:8f:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.22.100' (RSA) to the list of known hosts.
[email protected]'s password:
app.crt 100% 4541 4.4KB/s 00:00
在证书通过审核颁发后,系统会自动将颁发的证书保存一份到/etc/pki/CA/certs/和/etc/pki/CA/newcerts/目录下。CA服务器可以通过查看这两个目录下的文件,来查看已颁发证书的信息。
常用命令如下:
cat certs/app.crt
cat newcerts/01.pem
#直接查看证书文件
root&localhost: CA>#openssl x509 -in certs/app.crt -noout -text
#查看证书所有内容
root&localhost: CA>#openssl x509 -in certs/app.crt -noout -issuer
#查看使用者
root&localhost: CA>#openssl x509 -in certs/app.crt -noout -subject
#查看颁发者
root&localhost: CA>#openssl x509 -in certs/app.crt -noout -dates
#查看证书有效期
root&localhost: CA>#openssl x509 -in certs/app.crt -noout -serial
#查看指定证书的编号
opensslca -status SERIAL
#查看指定编号的证书状态
root&localhost: CA>#openssl x509 -in certs/app.crt -noout -serial-subject
serial=01
subject= /C=CN/ST=shandong/O=siwei.com/OU=dev/CN=app.siwei.com/emailAddress=admin@siwei.com
在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,然后吊销证书。
root&localhost: CA>#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
#吊销/etc/pki/CA/newcerts/目录下的01.pem证书
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #输入私钥密码
Revoking Certificate 01.
Data Base Updated
查看index.txt文件,第一行的大写字母V变成了R说明吊销成功
root&localhost: CA>#cat index.txt
R 180910035202Z 170910071803Z 01 unknown /C=CN/ST=shandong/O=siwei.com/OU=dev/CN=app.siwei.com/emailAddress=admin@siwei.com
注意:只第一次更新证书吊销列表前,才需要执行
root&localhost: CA>#echo 01 > /etc/pki/CA/crlnumber
#指定第一个吊销证书的编号,编号为16进制数
root&localhost: CA>#cat /etc/pki/CA/crlnumber
#确定编号生成
root&localhost: CA>#openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #输入私钥密码
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text