建立私有CA,并实现颁发证书
[root@centos7 ~]#rpm -q openssl //查看有没有安装openssl包
openssl-1.0.2k-16.el7.x86_64
[root@centos7 ~]#rpm -ql openssl //查看openssl包里文件
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
/usr/share/doc/openssl-1.0.2k
/usr/share/doc/openssl-1.0.2k/FAQ
/usr/share/doc/openssl-1.0.2k/NEWS
/usr/share/doc/openssl-1.0.2k/README
/usr/share/doc/openssl-1.0.2k/README.FIPS
/usr/share/doc/openssl-1.0.2k/README.legacy-settings
[root@centos7 ~]#rpm -qi openssl //查看openssl包信息
Name : openssl
Epoch : 1
Version : 1.0.2k
Release : 16.el7
Architecture: x86_64
Install Date: Sat 19 Jan 2019 11:15:33 AM CST
Group : System Environment/Libraries
Size : 833647
License : OpenSSL
Signature : RSA/SHA256, Mon 12 Nov 2018 10:42:01 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : openssl-1.0.2k-16.el7.src.rpm
Build Date : Wed 31 Oct 2018 06:43:57 AM CST
Build Host : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem
Vendor : CentOS
URL : http://www.openssl.org/
Summary : Utilities from the general purpose cryptography library with TLS implementation
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
CA配置说明
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem
[root@centos7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
场景一 在两台电脑上实现申请和颁发证书
第一步: 建立CA
[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#(umask 077;openssl genrsa -out private/cakey.pem 2048) //生成CA私钥
Generating RSA private key, 2048 bit long modulus
...................................................................................................................+++
........................................................+++
e is 65537 (0x10001)
[root@centos7 CA]#ll private/cakey.pem //查看私钥已经生成, 且权限为600
-rw------- 1 root root 1675 Jan 24 10:14 private/cakey.pem
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 //生成CA自签名证书
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out:/PATH/TO/SOMECERTFILE: 证书的保存路径
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com //提供CA服务的主机名
Email Address []:[email protected] //选填项
[root@centos7 CA]#openssl x509 -in cacert.pem -noout -text //查看CA证书
查看证书中的信息:
#openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
#openssl ca -status SERIAL 查看指定编号的证书状态
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d2:55:57:30:3c:89:1c:26
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.com/[email protected]
Validity
Not Before: Jan 24 02:33:35 2019 GMT
Not After : Jan 21 02:33:35 2029 GMT
Subject: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:df:43:16:00:85:02:55:a3:6d:e3:db:7e:73:
9a:5d:9f:6d:a6:1f:27:6d:b7:f2:06:f3:72:3e:60:
6f:b6:ee:fc:d0:20:65:73:83:ed:95:3a:a3:a8:12:
29:0e:a8:64:ea:33:31:48:6e:80:d1:2c:56:61:64:
25:fa:dc:22:b9:a8:3d:ea:72:ac:0c:0d:60:48:29:
0e:a8:4b:69:88:46:7a:b3:a5:ff:32:d5:44:6a:b3:
4a:4c:2f:6f:a1:01:f1:fe:d0:cc:3f:ab:71:ff:cb:
19:51:a7:61:f0:d2:00:4c:e1:3a:e6:3a:20:87:e8:
a0:78:31:70:7b:01:db:40:4f:75:b9:60:e2:38:4f:
1b:19:32:68:cf:c9:de:a9:7f:f8:b1:8d:a0:de:3d:
33:a7:66:09:40:a9:c9:7f:58:25:6b:e0:16:16:28:
36:fc:f1:b6:af:db:27:a1:75:1f:3b:e8:8e:b4:12:
5e:a2:95:d0:1c:db:30:d0:eb:e2:a8:09:ea:33:54:
90:6d:45:bc:16:46:b6:89:ee:1a:f2:31:97:12:be:
e8:ea:2c:20:fa:4c:3b:a3:ea:6b:b0:f2:85:96:b8:
98:37:e9:00:7e:64:9a:3e:ea:30:5d:99:30:d3:0d:
53:9c:b7:fa:a7:7c:7b:64:b0:69:7f:50:14:0b:15:
62:d5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FA:3C:86:67:9F:86:58:23:E2:B9:E1:C9:B9:E0:32:16:FD:97:D4:B4
X509v3 Authority Key Identifier:
keyid:FA:3C:86:67:9F:86:58:23:E2:B9:E1:C9:B9:E0:32:16:FD:97:D4:B4
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
6f:ea:38:75:d7:be:f6:c4:e0:ae:ea:c7:cb:0d:09:b7:a9:d4:
9c:c3:dc:2c:b2:6c:e2:76:51:24:4e:63:25:64:26:5e:b0:79:
0c:d2:9f:cb:c1:fe:18:1b:d0:49:63:72:fd:1f:5a:3e:a8:0d:
52:2a:c9:8d:e1:80:a3:c7:75:01:85:a3:93:33:1f:5e:13:54:
d8:8e:71:01:5b:2e:20:02:35:e2:55:16:05:24:1c:ba:81:19:
51:0a:ef:5c:e4:e1:42:f6:3f:7f:f5:55:d3:79:26:c5:9c:ba:
1d:54:96:2f:ac:0e:16:7e:8c:c9:e9:5a:b2:b2:cd:94:b4:2c:
c0:e6:d7:80:63:f4:2a:6f:cd:09:4e:ac:4d:5f:52:04:3a:eb:
3f:45:bf:fc:a6:c9:ad:74:81:47:c7:c8:f5:d9:a5:04:ed:5a:
2c:06:4a:89:cb:45:f3:f7:b0:2a:1f:2e:a0:1d:e1:8e:87:b5:
11:63:af:62:e1:8a:7a:6c:2c:b2:10:73:a2:80:c1:bd:b4:6b:
37:ea:f5:eb:88:49:b4:1f:d0:1f:a4:c9:ce:b1:8e:92:e0:4d:
f7:ad:c1:17:cc:da:cd:ab:65:9f:d0:fc:b0:32:99:0d:88:3b:
6b:a9:d2:33:42:5d:8e:a4:45:e9:37:f6:bf:02:9c:2c:15:d6:
9c:41:8c:73
第二步 申请证书
在需要使用证书的主机生成证书请求
[root@rhel6 data]#(umask 066;openssl genrsa -out app.key 1024) //针对某个应用(app)生成私钥文件(app.key)
Generating RSA private key, 1024 bit long modulus
.......++++++
......++++++
e is 65537 (0x10001)
[root@rhel6 data]#openssl req -new -key app.key -out app.csr //生成证书申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@rhel6 data]#scp app.csr 192.168.33.131:/etc/pki/CA //将证书请求文件传输给CA
[email protected]'s password:
app.csr 100% 696 0.7KB/s 00:00
第三步 颁发证书
[root@centos7 CA]#> index.txt //建数据库文件
[root@centos7 CA]#echo 09 > serial //创建序列号文件
[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 5 files
[root@centos7 CA]#openssl ca -in app.csr -out certs/app.crt -days 100 //CA签署证书,并将证书颁发给请求者
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9 (0x9)
Validity
Not Before: Jan 24 03:37:17 2019 GMT
Not After : May 4 03:37:17 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = IT
commonName = www.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
24:FC:B8:01:48:D1:E1:FC:B2:7E:6C:D3:5A:93:74:59:50:76:FD:8F
X509v3 Authority Key Identifier:
keyid:FA:3C:86:67:9F:86:58:23:E2:B9:E1:C9:B9:E0:32:16:FD:97:D4:B4
Certificate is to be certified until May 4 03:37:17 2019 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 09.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
第四步 把CA自签证书 cacert.pem 和申请下来的证书app.crt 拷贝到要使用证书的主机上就可以使用了
[root@centos7 CA]#scp certs/app.crt cacert.pem 192.168.33.132:/data
[email protected]'s password:
app.crt 100% 3869 4.3MB/s 00:00
cacert.pem 100% 1432 2.0MB/s 00:00
场景二 在同一台电脑申请和颁发证书:
[root@centos7 CA]#(umask 066;openssl genrsa -out /data/app2.key 1024) //生成私钥app2.key
[root@centos7 CA]#openssl req -new -key /data/app2.key -out /data/app2.csr //用私钥生成申请证书
[root@centos7 CA]#openssl ca -in /data/app2.csr -out certs/app2.crt -days 100 //颁发证书
[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
│ ├── app2.crt
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 09.pem
│ └── 0A.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
通过同一个证书申请文件,再申请一个证书:
[root@centos7 CA]#vim index.txt.attr //vim 数据库属性文件, 把yes改为no
unique_subject = no
[root@centos7 CA]#openssl ca -in /data/app2.csr -out certs/app3.crt -days 200 //颁发证书app3.crt
吊销证书:
[root@centos7 CA]#cat index.txt //吊销证书前,先看一开目前都有哪些证书
V 190504033717Z 09 unknown /C=CN/ST=beijing/O=magedu/OU=IT/CN=www.magedu.com/[email protected]
V 190504060111Z 0A unknown /C=CN/ST=beijing/O=magedu/OU=hr/CN=www.magedu.com
V 190812061729Z 0B unknown /C=CN/ST=beijing/O=magedu/OU=hr/CN=www.magedu.com
[root@centos7 CA]#openssl ca -revoke newcerts/0B.pem //吊销证书0B.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0B.
Data Base Updated
[root@centos7 CA]#openssl ca -status 0B //查看证书0B状态
Using configuration from /etc/pki/tls/openssl.cnf
0B=Revoked (R)
[root@centos7 CA]#echo 09 >crlnumber //生成crlnumber文件 (crlnumber = $dir/crlnumber # the current crl number)
[root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem //更新证书吊销列表
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 CA]#tree
.
├── app.csr
├── cacert.pem
├── certs
│ ├── app2.crt
│ ├── app3.crt
│ └── app.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 09.pem
│ ├── 0A.pem
│ └── 0B.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
[root@centos7 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text //查看吊销crl文件
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.com/[email protected]
Last Update: Jan 24 06:39:52 2019 GMT
Next Update: Feb 23 06:39:52 2019 GMT
CRL extensions:
X509v3 CRL Number:
9
Revoked Certificates:
Serial Number: 0B
Revocation Date: Jan 24 06:26:09 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
0a:80:7b:b2:b0:b1:ba:2e:10:23:18:c9:8c:ca:54:d1:c8:fe:
69:87:9f:05:b8:6d:4e:ca:2e:f1:b9:83:1b:d0:02:84:1d:c2:
91:56:2b:0c:99:57:0c:aa:ba:f6:06:f3:c2:a8:ad:b1:b4:2d:
0f:54:97:eb:d2:bd:29:2d:e4:86:86:7b:05:5d:52:5d:f3:d0:
90:28:36:46:fa:6e:00:63:40:74:99:9b:fa:a5:3e:33:d6:6a:
02:b0:a9:13:5e:68:0f:bd:6d:e0:17:f4:93:7f:cc:54:ce:7b:
e7:cb:d4:53:35:df:8c:1a:ce:5a:0f:50:fa:f1:08:02:ea:de:
2c:75:9c:99:d4:21:ce:44:d5:c4:34:02:f7:25:d3:fd:8e:ec:
75:11:f2:31:38:6a:0f:0f:26:ba:54:78:8c:e1:ce:a2:10:80:
c2:7f:0b:a0:83:e9:da:b4:30:4d:54:90:fe:01:b6:2d:7b:f6:
eb:7c:a9:68:9f:ff:4c:0b:0d:fb:fc:a0:2c:03:5d:5d:b9:75:
d2:e5:57:db:41:d7:76:52:d1:a9:f8:c6:be:d6:f0:92:76:1f:
3a:1a:52:5c:7f:e2:b7:5a:27:1a:55:44:71:83:56:1e:fa:2c:
3e:e9:77:c6:46:d2:42:4e:f2:4c:5b:11:fc:66:07:06:19:a5:
0c:9a:75:94
转载于:https://blog.51cto.com/8845692/2346252