Creating a CA and Requesting Certificates (Part 1)

Lab environment:
Two CentOS hosts, one acting as the CA and one as the client that requests a certificate.

Before doing the lab, take a look at the OpenSSL configuration file, /etc/pki/tls/openssl.cnf. It defines the CA's issuing policy and where the CA's files live and how they are named. The parts that matter here are the [ ca ], [ CA_default ] and policy sections:

[root@CA ~]# cat /etc/pki/tls/openssl.cnf 
[ ca ]
default_ca	= CA_default		# The default ca section
####################################################################
[ CA_default ]

dir		= /etc/pki/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use SHA-256 by default
preserve	= no			# keep passed DN ordering

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

Directory tree of /etc/pki/CA/ as shipped, before anything has been issued:

[root@CA CA]# tree
.
├── certs
├── crl
├── newcerts
└── private

Now the OpenSSL certificate request and issuance itself.
On the CA host
1. Create the required files. Neither exists by default; both must be created beforehand, otherwise `openssl ca` refuses to issue certificates.

[root@CA CA]# touch /etc/pki/CA/index.txt   // create the (empty) certificate index database
[root@CA CA]# echo 01 > /etc/pki/CA/serial   // serial number of the first certificate to be issued

2. The CA's self-signed certificate
Generate the CA private key (the umask keeps the key file readable only by root):

[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
......................................................+++
e is 65537 (0x10001)

3. Generate the self-signed CA certificate (7300 days, i.e. 20 years)

[root@CA CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:wenchang
Organization Name (eg, company) [Default Company Ltd]:hailian    
Organizational Unit Name (eg, section) []:hailian-30
Common Name (eg, your name or your server's hostname) []:www.cwj.com
Email Address []:

-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request; this is how the CA produces its own certificate
-key: the private key used to produce the request (or, with -x509, the certificate)
-days n: validity period of the certificate in days (only meaningful together with -x509)
-out /PATH/TO/SOMECERTFILE: where to save the certificate
On the host requesting a certificate
4. Generate a private key on the host that needs the certificate

[root@client pki]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
..............................................................................+++
e is 65537 (0x10001)

5. Generate the certificate signing request. Note that -days has no effect here: a CSR carries no validity period, the CA decides it when signing in step 7.

[root@client pki]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:hailian
Organizational Unit Name (eg, section) []:hailian-30
Common Name (eg, your name or your server's hostname) []:www.yd.cwj.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

6. Send the certificate request to the CA (only the CSR travels; the private key stays on the client)

[root@client pki]# scp /etc/pki/tls/test.csr 192.168.239.130:/data/
test.csr                                                                                                                                                 100% 1013    32.2KB/s   00:00  

On the CA
7. The CA signs the request and issues the certificate to the requester

[root@CA CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 17 14:04:52 2019 GMT
            Not After : Oct 16 14:04:52 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = hailian
            organizationalUnitName    = hailian-30
            commonName                = www.yd.cwj.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                76:F4:4D:C1:96:21:98:A3:D2:6A:70:AF:C8:9E:C1:C4:26:9D:06:7D
            X509v3 Authority Key Identifier: 
                keyid:C7:93:0F:D2:1D:E4:FA:2E:11:52:48:5D:9E:9F:10:98:71:DE:BB:20

Certificate is to be certified until Oct 16 14:04:52 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

8. Copy the issued certificate back to the requesting host.

[root@CA CA]# scp /etc/pki/CA/certs/test.crt 192.168.239.128:/data
test.crt                                                                                                                                                 100% 4471   187.3KB/s   00:00    

Note: with the default `policy = policy_match`, the country, state/province and organization name in the request must match the CA certificate, otherwise `openssl ca` refuses to sign (pass `-policy policy_anything` to relax this).
After issuance, the certificate's contents can be inspected:

[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -issuer
issuer= /C=CN/ST=HN/L=wenchang/O=hailian/OU=hailian-30/CN=www.cwj.com
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -subject
subject= /C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -serial -dates
serial=01
notBefore=Oct 17 14:04:52 2019 GMT
notAfter=Oct 16 14:04:52 2020 GMT

The status of a certificate can also be looked up by its serial number (read from index.txt):

[root@CA CA]# openssl ca -status 01  // look up the status of the certificate with this serial
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
 

CA directory tree after issuing the certificate. `openssl ca` keeps its own copy of every signed certificate under newcerts/, named after the serial number, and rotates index.txt and serial to .old backups on each update:

[root@CA CA]# tree
.
├── cacert.pem
├── certs
│   └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

Certificates can also be revoked. The steps follow.
1. Obtain the serial number and subject of the certificate to be revoked (the client reads them from its copy of the certificate; here the same commands are shown on the CA's copy):

[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com
[root@CA CA]# cat index.txt
V	201016140452Z		01	unknown	/C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com

2. On the CA, check the serial and subject submitted by the client against the entry in index.txt, then revoke the matching certificate (the index entry's status changes from V to R):

[root@CA CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

3. Initialize the CRL number
Note: this is only needed once, before the first CRL is generated; `openssl ca -gencrl` increments it on every later run.

[root@CA CA]# echo 01 > /etc/pki/CA/crlnumber

4. Generate (update) the certificate revocation list

[root@CA CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

Afterwards, inspect the CRL file:

[root@CA CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=HN/L=wenchang/O=hailian/OU=hailian-30/CN=www.cwj.com
        Last Update: Oct 17 14:22:47 2019 GMT
        Next Update: Nov 16 14:22:47 2019 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Oct 17 14:21:28 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         80:89:a6:52:0a:09:94:cf:73:60:ee:cb:f9:d4:a3:76:48:26:
         b2:b2:f0:5c:b4:45:af:35:12:f4:7e:06:e8:80:1a:1c:38:cd:
         5b:37:2e:f4:e7:7a:48:f4:cb:a7:e9:9a:85:8a:44:18:08:61:
         39:d3:61:c3:df:a2:f7:02:6f:df:53:6b:36:39:6a:0e:41:d8:
         71:46:5b:52:fb:3d:96:9a:46:a4:f4:5e:84:41:31:56:ee:85:
         e4:37:c7:64:d7:37:80:5c:11:b5:8e:b3:7f:db:4f:2b:98:a5:
         b7:73:d1:90:26:ff:04:68:dd:65:5e:67:1c:98:67:4e:6c:9f:
         d7:63:c8:b6:cf:17:aa:ee:d4:ca:ad:c1:9d:a8:57:38:14:e9:
         16:52:68:ea:6c:48:f8:92:03:bd:b3:88:47:c5:4a:50:7c:df:
         ee:b5:70:75:c7:d0:93:68:5e:6e:a4:45:54:5b:73:60:8e:a4:
         da:ef:8f:0d:2a:5b:33:20:07:39:0d:c5:ee:ce:27:20:9c:fa:
         12:4e:ea:62:95:16:ea:64:a1:0d:b0:cb:57:6c:a8:96:fa:a9:
         fa:44:99:bb:c5:56:5a:3b:0d:dc:d2:42:c6:77:12:27:79:f7:
         90:a6:e4:61:00:fb:64:a6:94:b9:aa:32:3c:07:c0:58:5d:4e:
         91:f9:4a:1d

CA directory structure after the revocation:

[root@CA CA]# ls
cacert.pem  certs  crl  crlnumber  crlnumber.old  crl.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  newcerts  private  serial  serial.old
[root@CA CA]# tree
.
├── cacert.pem
├── certs
│   └── test.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 13 files
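The configuration, issuance and revocation steps above are all interactive and tied to /etc/pki/CA. The script below is an added example (not code from the original post) that replays the whole procedure non-interactively in a scratch directory with an inline openssl.cnf, so it can be run on any host with openssl: it builds the CA (steps 1-3), issues a certificate (steps 4-7), shows policy_match refusing a request whose organizationName differs from the CA and policy_anything accepting it, then revokes the certificate, regenerates the CRL and checks the result with `openssl verify -crl_check`. The subjects, file names and the scratch layout are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the original post: the issue/revoke procedure
# replayed non-interactively in a scratch directory (instead of /etc/pki/CA).
# Subjects, file names and the scratch layout are assumptions for this example.
set -eu

# Minimal openssl.cnf with the CA_default / policy_match / policy_anything /
# usr_cert pieces the post relies on, plus [req]/[v3_ca] so the root is CA:TRUE.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1-3 on the CA: layout, index/serial/crlnumber, CA key, self-signed
# root, and an initial empty CRL so verifiers can check revocation from day one.
setup_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    write_cnf "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -days 7300 -subj "/C=CN/ST=HN/O=hailian/CN=Example Root CA" -out "$1/cacert.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}

# Steps 4-7: client key and CSR with subject $3, then signing by the CA under
# policy section $4 (policy_match, the config default, unless overridden).
issue_cert() {
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -policy "${4:-policy_match}" \
        -in "$1/$2.csr" -out "$1/certs/$2.crt"
}

# Revocation: mark the index.txt entry R, then regenerate the CRL.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/$2.crt"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}

# Chain check with CRL enforcement; exits 0 only for a valid, unrevoked cert.
verify_cert() {
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" \
        "$1/certs/$2.crt" >/dev/null 2>&1
}

# Status column (V or R) of the index.txt row whose subject ends in /CN=$2.
cert_status() {
    awk -F'\t' -v cn="$2" '$6 ~ ("/CN=" cn "$") { s = $1 } END { print s }' "$1/index.txt"
}

T=$(mktemp -d); setup_ca "$T"
issue_cert "$T" web "/C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com"
openssl x509 -in "$T/certs/web.crt" -noout -issuer -subject -serial
verify_cert "$T" web && echo "web: valid ($(cert_status "$T" www.yd.cwj.com))"
# policy_match refuses a request whose O differs from the CA; policy_anything allows it.
issue_cert "$T" other "/C=CN/ST=HN/O=otherorg/CN=other.example" 2>/dev/null \
    || echo "other: refused under policy_match"
issue_cert "$T" other "/C=CN/ST=HN/O=otherorg/CN=other.example" policy_anything 2>/dev/null
revoke_cert "$T" web 2>/dev/null
verify_cert "$T" web || echo "web: revoked ($(cert_status "$T" www.yd.cwj.com))"
rm -rf "$T"
```

Two things the script does that the interactive procedure above leaves implicit: the root certificate is explicitly marked `basicConstraints = CA:TRUE` with `keyUsage = keyCertSign, cRLSign` (without these, `openssl verify` rejects it as an issuer and will not trust its CRL), and an empty CRL is published immediately after the CA is created, so that a verifier using `-crl_check` never has to choose between "no CRL" and "fail open".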
