Building a private CA and issuing certificates

    [root@centos7 ~]#rpm -q openssl  //check whether the openssl package is installed
    openssl-1.0.2k-16.el7.x86_64

    [root@centos7 ~]#rpm -ql openssl  //list the files in the openssl package
    /etc/pki/CA
    /etc/pki/CA/certs
    /etc/pki/CA/crl
    /etc/pki/CA/newcerts
    /etc/pki/CA/private
    /etc/pki/tls/certs/Makefile
    /etc/pki/tls/certs/make-dummy-cert
    /etc/pki/tls/certs/renew-dummy-cert
    /etc/pki/tls/misc/CA
    /etc/pki/tls/misc/c_hash
    /etc/pki/tls/misc/c_info
    /etc/pki/tls/misc/c_issuer
    /etc/pki/tls/misc/c_name
    /usr/bin/openssl
    /usr/share/doc/openssl-1.0.2k
    /usr/share/doc/openssl-1.0.2k/FAQ
    /usr/share/doc/openssl-1.0.2k/NEWS
    /usr/share/doc/openssl-1.0.2k/README
    /usr/share/doc/openssl-1.0.2k/README.FIPS
    /usr/share/doc/openssl-1.0.2k/README.legacy-settings

    [root@centos7 ~]#rpm -qi openssl   //show the openssl package information
    Name        : openssl
    Epoch       : 1
    Version     : 1.0.2k
    Release     : 16.el7
    Architecture: x86_64
    Install Date: Sat 19 Jan 2019 11:15:33 AM CST
    Group       : System Environment/Libraries
    Size        : 833647
    License     : OpenSSL
    Signature   : RSA/SHA256, Mon 12 Nov 2018 10:42:01 PM CST, Key ID 24c6a8a7f4a80eb5
    Source RPM  : openssl-1.0.2k-16.el7.src.rpm
    Build Date  : Wed 31 Oct 2018 06:43:57 AM CST
    Build Host  : x86-01.bsys.centos.org
    Relocations : (not relocatable)
    Packager    : CentOS BuildSystem 
    Vendor      : CentOS
    URL         : http://www.openssl.org/
    Summary     : Utilities from the general purpose cryptography library with TLS implementation
    Description :
    The OpenSSL toolkit provides support for secure communications between
    machines. OpenSSL includes a certificate management tool and shared
    libraries which provide various cryptographic algorithms and
    protocols.

    CA configuration notes (the [ CA_default ] section of /etc/pki/tls/openssl.cnf)
        [ CA_default ]
        dir             = /etc/pki/CA              # Where everything is kept
        certs           = $dir/certs               # Where the issued certs are kept
        crl_dir         = $dir/crl                 # Where the issued crl are kept
        database        = $dir/index.txt           # database index file.
        new_certs_dir   = $dir/newcerts            # default place for new certs.
        certificate     = $dir/cacert.pem          # The CA certificate
        serial          = $dir/serial              # The current serial number
        crlnumber       = $dir/crlnumber           # the current crl number                  
        crl             = $dir/crl.pem             # The current CRL
        private_key     = $dir/private/cakey.pem

        [root@centos7 ~]#tree /etc/pki/CA
        /etc/pki/CA
        ├── certs
        ├── crl
        ├── newcerts
        └── private

Scenario 1: requesting and issuing a certificate across two machines

Step 1: create the CA
    [root@centos7 ~]#cd /etc/pki/CA

    [root@centos7 CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048)   //generate the CA private key
    Generating RSA private key, 2048 bit long modulus
    ...................................................................................................................+++
    ........................................................+++
    e is 65537 (0x10001)

    [root@centos7 CA]#ll private/cakey.pem    //confirm the private key exists and its mode is 600
    -rw------- 1 root root 1675 Jan 24 10:14 private/cakey.pem

    [root@centos7 CA]#openssl req -new -x509 -key  private/cakey.pem -out cacert.pem -days 3650  //generate the self-signed CA certificate

        Option notes:
            -new: generate a new certificate signing request
            -x509: used by a CA to produce a self-signed certificate instead of a request
            -key: the private key used when generating the request
            -days n: validity period of the certificate, in days
            -out /PATH/TO/SOMECERTFILE: where to save the certificate

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:magedu
    Organizational Unit Name (eg, section) []:devops
    Common Name (eg, your name or your server's hostname) []:ca.magedu.com   //hostname of the host providing the CA service
    Email Address []:[email protected]           //optional

    [root@centos7 CA]#openssl x509 -in cacert.pem -noout -text    //inspect the CA certificate

            Viewing the information in a certificate:
            #openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
            #openssl ca -status SERIAL    show the status of the certificate with the given serial number

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                d2:55:57:30:3c:89:1c:26
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.com/[email protected]
            Validity
                Not Before: Jan 24 02:33:35 2019 GMT
                Not After : Jan 21 02:33:35 2029 GMT
            Subject: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.com/[email protected]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:a6:df:43:16:00:85:02:55:a3:6d:e3:db:7e:73:
                        9a:5d:9f:6d:a6:1f:27:6d:b7:f2:06:f3:72:3e:60:
                        6f:b6:ee:fc:d0:20:65:73:83:ed:95:3a:a3:a8:12:
                        29:0e:a8:64:ea:33:31:48:6e:80:d1:2c:56:61:64:
                        25:fa:dc:22:b9:a8:3d:ea:72:ac:0c:0d:60:48:29:
                        0e:a8:4b:69:88:46:7a:b3:a5:ff:32:d5:44:6a:b3:
                        4a:4c:2f:6f:a1:01:f1:fe:d0:cc:3f:ab:71:ff:cb:
                        19:51:a7:61:f0:d2:00:4c:e1:3a:e6:3a:20:87:e8:
                        a0:78:31:70:7b:01:db:40:4f:75:b9:60:e2:38:4f:
                        1b:19:32:68:cf:c9:de:a9:7f:f8:b1:8d:a0:de:3d:
                        33:a7:66:09:40:a9:c9:7f:58:25:6b:e0:16:16:28:
                        36:fc:f1:b6:af:db:27:a1:75:1f:3b:e8:8e:b4:12:
                        5e:a2:95:d0:1c:db:30:d0:eb:e2:a8:09:ea:33:54:
                        90:6d:45:bc:16:46:b6:89:ee:1a:f2:31:97:12:be:
                        e8:ea:2c:20:fa:4c:3b:a3:ea:6b:b0:f2:85:96:b8:
                        98:37:e9:00:7e:64:9a:3e:ea:30:5d:99:30:d3:0d:
                        53:9c:b7:fa:a7:7c:7b:64:b0:69:7f:50:14:0b:15:
                        62:d5
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    FA:3C:86:67:9F:86:58:23:E2:B9:E1:C9:B9:E0:32:16:FD:97:D4:B4
                X509v3 Authority Key Identifier: 
                    keyid:FA:3C:86:67:9F:86:58:23:E2:B9:E1:C9:B9:E0:32:16:FD:97:D4:B4

                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
            6f:ea:38:75:d7:be:f6:c4:e0:ae:ea:c7:cb:0d:09:b7:a9:d4:
            9c:c3:dc:2c:b2:6c:e2:76:51:24:4e:63:25:64:26:5e:b0:79:
            0c:d2:9f:cb:c1:fe:18:1b:d0:49:63:72:fd:1f:5a:3e:a8:0d:
            52:2a:c9:8d:e1:80:a3:c7:75:01:85:a3:93:33:1f:5e:13:54:
            d8:8e:71:01:5b:2e:20:02:35:e2:55:16:05:24:1c:ba:81:19:
            51:0a:ef:5c:e4:e1:42:f6:3f:7f:f5:55:d3:79:26:c5:9c:ba:
            1d:54:96:2f:ac:0e:16:7e:8c:c9:e9:5a:b2:b2:cd:94:b4:2c:
            c0:e6:d7:80:63:f4:2a:6f:cd:09:4e:ac:4d:5f:52:04:3a:eb:
            3f:45:bf:fc:a6:c9:ad:74:81:47:c7:c8:f5:d9:a5:04:ed:5a:
            2c:06:4a:89:cb:45:f3:f7:b0:2a:1f:2e:a0:1d:e1:8e:87:b5:
            11:63:af:62:e1:8a:7a:6c:2c:b2:10:73:a2:80:c1:bd:b4:6b:
            37:ea:f5:eb:88:49:b4:1f:d0:1f:a4:c9:ce:b1:8e:92:e0:4d:
            f7:ad:c1:17:cc:da:cd:ab:65:9f:d0:fc:b0:32:99:0d:88:3b:
            6b:a9:d2:33:42:5d:8e:a4:45:e9:37:f6:bf:02:9c:2c:15:d6:
            9c:41:8c:73

Step 2: request a certificate

    Generate the certificate request on the host that will use the certificate
     [root@rhel6 data]#(umask 066;openssl genrsa -out app.key 1024)   //generate a private key (app.key) for an application (app)
     Generating RSA private key, 1024 bit long modulus
     .......++++++
     ......++++++
     e is 65537 (0x10001)

     [root@rhel6 data]#openssl req -new -key app.key -out app.csr      //generate the certificate signing request
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [XX]:CN
     State or Province Name (full name) []:beijing
     Locality Name (eg, city) [Default City]:beijing
     Organization Name (eg, company) [Default Company Ltd]:magedu
     Organizational Unit Name (eg, section) []:IT
     Common Name (eg, your name or your server's hostname) []:www.magedu.com
     Email Address []:[email protected]

     Please enter the following 'extra' attributes
     to be sent with your certificate request
     A challenge password []:
     An optional company name []:

     [root@rhel6 data]#scp app.csr  192.168.33.131:/etc/pki/CA  //send the request file to the CA
     [email protected]'s password: 
     app.csr                                                                      100%  696     0.7KB/s   00:00   

Step 3: issue the certificate

    [root@centos7 CA]#> index.txt          //create the (empty) database file
    [root@centos7 CA]#echo 09 > serial     //create the serial number file
    [root@centos7 CA]#tree
    .
    ├── app.csr
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    └── serial

    4 directories, 5 files

    [root@centos7 CA]#openssl ca -in app.csr -out certs/app.crt -days 100   //the CA signs the certificate and issues it to the requester
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 9 (0x9)
            Validity
                Not Before: Jan 24 03:37:17 2019 GMT
                Not After : May  4 03:37:17 2019 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = beijing
                organizationName          = magedu
                organizationalUnitName    = IT
                commonName                = www.magedu.com
                emailAddress              = [email protected]
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    24:FC:B8:01:48:D1:E1:FC:B2:7E:6C:D3:5A:93:74:59:50:76:FD:8F
                X509v3 Authority Key Identifier: 
                    keyid:FA:3C:86:67:9F:86:58:23:E2:B9:E1:C9:B9:E0:32:16:FD:97:D4:B4

    Certificate is to be certified until May  4 03:37:17 2019 GMT (100 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    [root@centos7 CA]#tree
    .
    ├── app.csr
    ├── cacert.pem
    ├── certs
    │   └── app.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 09.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 10 files

Step 4: copy the CA's self-signed certificate cacert.pem and the newly issued certificate app.crt to the host that will use them; they are then ready to use
    [root@centos7 CA]#scp certs/app.crt cacert.pem 192.168.33.132:/data
    [email protected]'s password: 
    app.crt                                                                                100% 3869     4.3MB/s   00:00    
    cacert.pem                                                                             100% 1432     2.0MB/s   00:00

Scenario 2: requesting and issuing a certificate on the same machine:
    [root@centos7 CA]#(umask 066;openssl genrsa -out /data/app2.key 1024) //generate the private key app2.key
    [root@centos7 CA]#openssl req -new -key /data/app2.key -out /data/app2.csr //generate the certificate request from the private key
    [root@centos7 CA]#openssl ca -in /data/app2.csr -out certs/app2.crt -days 100 //issue the certificate
    [root@centos7 CA]#tree
    .
    ├── app.csr
    ├── cacert.pem
    ├── certs
    │   ├── app2.crt
    │   └── app.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   ├── 09.pem
    │   └── 0A.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    Issuing another certificate from the same certificate request file:
    [root@centos7 CA]#vim index.txt.attr               //edit the database attribute file and change yes to no
    unique_subject = no 

    [root@centos7 CA]#openssl ca -in /data/app2.csr -out certs/app3.crt -days 200   //issue certificate app3.crt

Revoking a certificate:
    [root@centos7 CA]#cat index.txt //before revoking, list the certificates currently on record
    V 190504033717Z 09 unknown /C=CN/ST=beijing/O=magedu/OU=IT/CN=www.magedu.com/[email protected]
    V 190504060111Z 0A unknown /C=CN/ST=beijing/O=magedu/OU=hr/CN=www.magedu.com
    V 190812061729Z 0B unknown /C=CN/ST=beijing/O=magedu/OU=hr/CN=www.magedu.com

    [root@centos7 CA]#openssl ca -revoke newcerts/0B.pem   //revoke certificate 0B.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 0B.
    Data Base Updated

    [root@centos7 CA]#openssl ca -status 0B    //check the status of certificate 0B
    Using configuration from /etc/pki/tls/openssl.cnf
    0B=Revoked (R)

    [root@centos7 CA]#echo 09 >crlnumber  //create the crlnumber file (crlnumber = $dir/crlnumber # the current crl number)
    [root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem   //generate (update) the certificate revocation list
    Using configuration from /etc/pki/tls/openssl.cnf

    [root@centos7 CA]#tree
    .
    ├── app.csr
    ├── cacert.pem
    ├── certs
    │   ├── app2.crt
    │   ├── app3.crt
    │   └── app.crt
    ├── crl
    ├── crlnumber
    ├── crlnumber.old
    ├── crl.pem
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   ├── 09.pem
    │   ├── 0A.pem
    │   └── 0B.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    [root@centos7 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text    //inspect the CRL file
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.com/[email protected]
            Last Update: Jan 24 06:39:52 2019 GMT
            Next Update: Feb 23 06:39:52 2019 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    9
    Revoked Certificates:
        Serial Number: 0B
            Revocation Date: Jan 24 06:26:09 2019 GMT
        Signature Algorithm: sha256WithRSAEncryption
            0a:80:7b:b2:b0:b1:ba:2e:10:23:18:c9:8c:ca:54:d1:c8:fe:
            69:87:9f:05:b8:6d:4e:ca:2e:f1:b9:83:1b:d0:02:84:1d:c2:
            91:56:2b:0c:99:57:0c:aa:ba:f6:06:f3:c2:a8:ad:b1:b4:2d:
            0f:54:97:eb:d2:bd:29:2d:e4:86:86:7b:05:5d:52:5d:f3:d0:
            90:28:36:46:fa:6e:00:63:40:74:99:9b:fa:a5:3e:33:d6:6a:
            02:b0:a9:13:5e:68:0f:bd:6d:e0:17:f4:93:7f:cc:54:ce:7b:
            e7:cb:d4:53:35:df:8c:1a:ce:5a:0f:50:fa:f1:08:02:ea:de:
            2c:75:9c:99:d4:21:ce:44:d5:c4:34:02:f7:25:d3:fd:8e:ec:
            75:11:f2:31:38:6a:0f:0f:26:ba:54:78:8c:e1:ce:a2:10:80:
            c2:7f:0b:a0:83:e9:da:b4:30:4d:54:90:fe:01:b6:2d:7b:f6:
            eb:7c:a9:68:9f:ff:4c:0b:0d:fb:fc:a0:2c:03:5d:5d:b9:75:
            d2:e5:57:db:41:d7:76:52:d1:a9:f8:c6:be:d6:f0:92:76:1f:
            3a:1a:52:5c:7f:e2:b7:5a:27:1a:55:44:71:83:56:1e:fa:2c:
            3e:e9:77:c6:46:d2:42:4e:f2:4c:5b:11:fc:66:07:06:19:a5:
            0c:9a:75:94
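The whole procedure above, steps 1 to 4 plus the revocation section, as one non-interactive script. This is an added example, not code from the original post: it builds the CA in a scratch directory that mirrors the /etc/pki/CA layout rather than touching the system one, uses made-up names (ca.example.test, www.example.test, O=example) and 2048-bit keys throughout (the post's 1024-bit application key is below current minimums), replaces the interactive prompts with -subj and -batch, and adds an -extfile so the issued certificate carries CA:FALSE, serverAuth and a subjectAltName, which is what TLS clients actually match against. The last two functions show the check a relying party performs: `openssl verify` against the CA certificate, and the same check with -crl_check, which only rejects the certificate once a CRL has been generated and is consulted; index.txt alone tells clients nothing.

```sh
# Added example (not from the original post): a non-interactive private CA in a
# scratch directory mirroring /etc/pki/CA.  Hostnames and O=example are made up.
set -u

# ca_init DIR : tree, database and serial files, a minimal openssl.cnf, the CA
# key (mode 600) and the self-signed CA certificate (critical CA:TRUE).
ca_init() {
  ca=$1
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" "$ca/reqs"
  : > "$ca/index.txt"          # empty database, like '> index.txt' on the page
  echo 09 > "$ca/serial"       # next certificate serial number
  echo 09 > "$ca/crlnumber"    # next CRL number
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 100
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
    -subj "/C=CN/O=example/CN=ca.example.test" -days 3650 -extensions v3_ca \
    -out "$ca/cacert.pem"
}

# ca_issue DIR NAME CN : requester side (key + CSR, -subj replaces the prompts),
# then CA side with -batch; the ext file pins CA:FALSE, serverAuth and a SAN.
ca_issue() {
  ca=$1; name=$2; cn=$3
  (umask 066; openssl genrsa -out "$ca/reqs/$name.key" 2048 2>/dev/null)
  openssl req -new -config "$ca/openssl.cnf" -key "$ca/reqs/$name.key" \
    -subj "/C=CN/O=example/OU=IT/CN=$cn" -out "$ca/reqs/$name.csr"
  cat > "$ca/reqs/$name.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$cn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl ca -batch -config "$ca/openssl.cnf" -in "$ca/reqs/$name.csr" \
    -extfile "$ca/reqs/$name.ext" -days 100 -notext -out "$ca/certs/$name.crt"
}

# ca_verify DIR NAME [1] : chain check against cacert.pem; with a third
# argument of 1 also consult crl.pem, so a revoked certificate is rejected.
ca_verify() {
  ca=$1; name=$2; crl=""
  [ "${3:-0}" = 1 ] && crl="-crl_check -CRLfile $ca/crl.pem"
  openssl verify -CAfile "$ca/cacert.pem" $crl "$ca/certs/$name.crt" 2>&1 | grep -q ': OK$'
}

# ca_revoke DIR NAME : mark the certificate revoked in index.txt and publish a
# new CRL; relying parties learn of the revocation only from the CRL.
ca_revoke() {
  ca=$1; name=$2
  openssl ca -config "$ca/openssl.cnf" -revoke "$ca/certs/$name.crt" -crl_reason keyCompromise
  openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl.pem"
}

# index_status DIR NAME : status column (V valid, R revoked) of the tab-separated
# index.txt for the serial number read from the issued certificate.
index_status() {
  ca=$1; name=$2
  serial=$(openssl x509 -in "$ca/certs/$name.crt" -noout -serial | sed 's/^serial=//')
  awk -F'\t' -v s="$serial" '$4 == s { print $1 }' "$ca/index.txt"
}

# Stand-alone run: build the CA, issue app.crt, verify, revoke, verify again.
demo() {
  ca=$(mktemp -d)
  ca_init "$ca" >/dev/null 2>&1 && ca_issue "$ca" app www.example.test >/dev/null 2>&1
  ca_verify "$ca" app && echo "app.crt: chain OK, index status $(index_status "$ca" app)"
  ca_revoke "$ca" app >/dev/null 2>&1
  ca_verify "$ca" app 1 || echo "app.crt: rejected with CRL check, index status $(index_status "$ca" app)"
  rm -rf "$ca"
}
demo
```

Run it with `sh` on any host that has the openssl binary; it leaves nothing behind. The first serial is 09, as on the page, so the first certificate lands in newcerts/09.pem and the second gets 0A, and index_status reads the V/R column by matching the fourth tab-separated field (the serial) exactly as `openssl ca -status` does.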

Reposted from: https://blog.51cto.com/8845692/2346252
