OpenSSL: creating a CA and requesting certificates
===============================================================================
Overview:
This post continues the previous one on encryption and decryption. It walks through the complete OpenSSL workflow of creating a CA, requesting a certificate and issuing a certificate:
Create a private CA;
Issue certificates to nodes;
Revoke certificates
For background, see the previous post on encryption and decryption: http://1992tao.blog.51cto.com/11606804/1856438
===============================================================================
Creating a CA
1. Creating a CA
★ There are two ways to obtain a digital certificate:
☉ Register with an RA, i.e. a publicly trusted CA;
☉ Create your own private CA, with
openssl
OpenCA
★ Steps for creating a private CA with OpenSSL:
Generate a self-signed certificate on the server that will act as the CA, and provide the directories and files the CA needs;
① Generate the private key;
The private key is used to add the digital signature to each certificate the CA issues;
② Generate the self-signed certificate;
Certificate: every communicating party imports this certificate into its "Trusted Root Certification Authorities" store
★ openssl configuration file:
/etc/pki/tls/openssl.cnf
☉ Working directory:
/etc/pki/CA
★ Concrete steps:
☉ Generate the private key file /etc/pki/CA/private/cakey.pem
# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
☉ Generate the self-signed certificate;
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
Where:
-new: generate a new certificate signing request;
-x509: produce a self-signed certificate instead of a request; used only when creating a private CA;
-key: path to the private key file used to generate the request;
-days n: validity period of the certificate, in days;
-out /PATH/TO/SOMECERTFILE: path of the generated request; when self-signing (-x509), this is directly the signed certificate
☉ Provide the directories and files the CA needs
# mkdir /etc/pki/CA/{certs,crl,newcerts} (skip if they already exist)
# touch /etc/pki/CA/index.txt (the database file)
# echo 01 > /etc/pki/CA/serial (the serial number file; sets the serial number of the first certificate)
2. Issuing certificates to nodes
★ Issuing certificates to nodes
☉ A server that needs a certificate for secure communication must ask the CA to sign one;
☉ On the host requesting the certificate, perform the following steps:
Generate a private key;
Generate a certificate signing request; (note: with the default policy, the country, province and organization name must match the CA's)
Send the request to the CA host over a trusted channel
☉ On the CA host, sign the certificate
Verify the requester's information;
Sign the certificate;
Return the signed certificate to the requester
3. Revoking a certificate (for reference)
★ Revoking a certificate
☉ On the client, obtain the serial number of the certificate to be revoked;
# openssl x509 -in httpd.crt -noout -serial -subject
☉ On the CA, check that the serial and subject submitted by the client match the entry in index.txt;
☉ Revoke the certificate;
# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
where SERIAL is replaced with the certificate's actual serial number
☉ Create the CRL number file (only needed the first time a certificate is revoked);
# echo 01 > /etc/pki/CA/crlnumber
☉ Update the certificate revocation list (this is a subcommand of openssl ca, not openssl crl)
# openssl ca -gencrl -out THISCA.crl
Experiment: create a private CA and issue a certificate to a node
1. Creating a private CA, step by step:
1) Generate the private key file /etc/pki/CA/private/cakey.pem
# The private-key directory is empty at first
[root@centos7 ~]# ls /etc/pki/CA/private/
[root@centos7 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)   # generate the private key file
Generating RSA private key, 4096 bit long modulus
..............++
...........................................................................................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@centos7 ~]# ls /etc/pki/CA/private/
cakey.pem
# Check the file and confirm that only the owner has access to it
[root@centos7 ~]# ll /etc/pki/CA/private/
total 4
-rw------- 1 root root 3247 Sep 28 19:03 cakey.pem
2) Generate the self-signed certificate
# Generate the self-signed certificate, giving the private key file, the output path for the certificate, the validity period, etc.
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # country
State or Province Name (full name) []:Beijing   # province
Locality Name (eg, city) [Default City]:Beijing   # city
Organization Name (eg, company) [Default Company Ltd]:Magedu   # organization (company) name
Organizational Unit Name (eg, section) []:Ops   # department
Common Name (eg, your name or your server's hostname) []:ca.magedu.com   # certificate holder's name, or the hostname of the server requesting the certificate
Email Address []:[email protected]   # email address
[root@centos7 ~]# ls /etc/pki/CA
cacert.pem  certs  crl  newcerts  private   # cacert.pem is the self-signed certificate just generated
3) Provide the directories and files the CA needs
# Create the database file
[root@centos7 ~]# touch /etc/pki/CA/index.txt
# Create the serial number file and set the serial number of the first certificate
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial
[root@centos7 ~]# ls /etc/pki/CA/
cacert.pem  certs  crl  index.txt  newcerts  private  serial
2. Issuing a certificate to a node, step by step
Suppose the CentOS 6 host is a web server. To offer HTTPS to clients it needs a certificate, so it generates a request and sends it to the CA for signing.
1) Generate the private key on the host requesting the certificate
[root@CentOS6 ~]# rpm -q httpd   # the httpd service is used as the example here
httpd-2.2.15-53.el6.centos.x86_64
[root@CentOS6 ~]# cd /etc/httpd/
[root@CentOS6 httpd]# ls
conf  conf.d  logs  modules  run
[root@CentOS6 httpd]# mkdir ssl   # create an ssl directory here
[root@CentOS6 httpd]# cd ssl      # and generate the private key in it
[root@CentOS6 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)   # note: not under /etc/pki/CA; that directory is only used when the host acts as the CA
Generating RSA private key, 2048 bit long modulus
.............+++
.........................................................................................+++
e is 65537 (0x10001)
[root@CentOS6 ssl]# ll
total 4
-rw------- 1 root root 1675 Sep 28 16:55 httpd.key   # the generated private key file
2) Generate the certificate signing request:
[root@CentOS6 ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:CentOS.magedu.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) Send the request to the CA
# scp is used here to copy the file to the remote host
[root@CentOS6 ssl]# scp httpd.csr [email protected]:/tmp/
The authenticity of host '10.1.249.203 (10.1.249.203)' can't be established.
RSA key fingerprint is cf:7d:49:75:55:54:45:88:a3:dd:ff:f3:87:be:3f:06.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '10.1.249.203' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.csr                                     100% 1062     1.0KB/s   00:00
[root@centos7 ~]# ls /tmp/   # check on the CA host
httpd.csr   # the file sent by the requesting host
systemd-private-c7c1f3e358e34fc2add5b3729e413ed8-cups.service-KSESlC
systemd-private-d276c273baee4a299b8d240ba604a5f2-cups.service-etgI6i
4) The CA signs the certificate
# Sign the certificate: -in gives the request file, -out gives where the signed certificate is written (it must go under certs), -days gives the validity period
[root@centos7 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 28 13:21:38 2016 GMT
            Not After : Sep 28 13:21:38 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Magedu
            organizationalUnitName    = Ops
            commonName                = CentOS.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                04:FD:4F:25:36:40:D1:CA:9A:2B:4C:AD:7D:C9:CD:18:34:E7:D0:33
            X509v3 Authority Key Identifier:
                keyid:44:82:7B:4C:D4:19:C4:28:F9:72:41:1D:01:5D:B9:CB:84:9E:43:61

Certificate is to be certified until Sep 28 13:21:38 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@centos7 CA]# cat index.txt   # the first signed certificate has serial number 01
V	170928132138Z		01	unknown	/C=CN/ST=Beijing/O=Magedu/OU=Ops/CN=CentOS.magedu.com/[email protected]
5) Return the signed certificate to the requester
[root@centos7 CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl
The authenticity of host '10.1.252.153 (10.1.252.153)' can't be established.
RSA key fingerprint is f7:91:35:d1:33:ab:e8:af:4c:cc:39:45:e7:12:2f:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.252.153' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.crt                                     100% 5886     5.8KB/s   00:00
The requester inspects the certificate
# On the requesting host, after receiving the certificate
[root@CentOS6 ssl]# ls
httpd.crt   # the signed certificate
httpd.csr
httpd.key
[root@CentOS6 ssl]# rm -f httpd.csr   # the request file is no longer needed and can be deleted
[root@CentOS6 ssl]# openssl x509 -in httpd.crt -noout -serial -subject   # show the serial number and subject
serial=01
subject= /C=CN/ST=Beijing/O=Magedu/OU=Ops/CN=CentOS.magedu.com/[email protected]
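The whole lifecycle from sections 1 to 3 (create the CA, sign a node's CSR, revoke it and publish a CRL) as one script that can be run end to end. This is an added example, not the post's own commands: it uses a throwaway directory in place of /etc/pki/CA with its own minimal ca.cnf (the post relies on the stock /etc/pki/tls/openssl.cnf), made-up subject names, and finishes with an openssl verify -crl_check that shows the revoked certificate being rejected.

```shell
#!/bin/sh
# Added example (not from the original post): the CA lifecycle of sections 1-3 run
# against a throwaway directory instead of /etc/pki/CA, so no root is needed.
set -e
CA="${CA:-$(mktemp -d)}"                 # stand-in for /etc/pki/CA
SUBJ_BASE="/C=CN/ST=Beijing/O=Magedu"    # made-up DN; C, ST, O must match the CA (policy below)
make_ca() {                              # section 1: private key, self-signed cert, CA files
  mkdir -p "$CA/private" "$CA/certs" "$CA/crl" "$CA/newcerts"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
  cat > "$CA/ca.cnf" <<EOF
[ca]
default_ca = demo_ca
[demo_ca]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = demo_policy
[demo_policy]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA/ca.cnf" -key "$CA/private/cakey.pem" -subj "$SUBJ_BASE/CN=ca.magedu.com" -days 3650 -out "$CA/cacert.pem"
}
issue_cert() {                           # section 2: node key + CSR for hostname $1, signed by the CA
  (umask 077; openssl genrsa -out "$CA/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$CA/ca.cnf" -key "$CA/httpd.key" -subj "$SUBJ_BASE/CN=$1" -out "$CA/httpd.csr"
  openssl ca -batch -notext -config "$CA/ca.cnf" -days 365 -in "$CA/httpd.csr" -out "$CA/certs/httpd.crt" 2>/dev/null
  openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/httpd.crt"   # prints "<path>: OK"
}
revoke_cert() {                          # section 3: revoke by serial, publish CRL; verify with CRL must now fail
  serial=$(openssl x509 -in "$CA/certs/httpd.crt" -noout -serial | cut -d= -f2)
  openssl ca -config "$CA/ca.cnf" -revoke "$CA/newcerts/$serial.pem" 2>/dev/null
  openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/crl/ca.crl" 2>/dev/null
  ! openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl/ca.crl" "$CA/certs/httpd.crt"
}
```

Call make_ca, then issue_cert www.magedu.com, then revoke_cert; the last verify reports "certificate revoked", which is exactly what a client checking the CRL would see.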
Summary: