How To Set Up and Configure a Certificate Authority (CA) on Ubuntu 20.04

Introduction

A Certificate Authority (CA) is an entity responsible for issuing digital certificates to verify identities on the internet. Although public CAs are a popular choice for verifying the identity of websites and other services that are provided to the general public, private CAs are typically used for closed groups and private services.

Building a private Certificate Authority will enable you to configure, test, and run programs that require encrypted connections between a client and a server. With a private CA, you can issue certificates for users, servers, or individual programs and services within your infrastructure.

Some examples of programs on Linux that use their own private CA are OpenVPN and Puppet . You can also configure your web server to use certificates issued by a private CA in order to make development and staging environments match production servers that use TLS to encrypt connections.

In this guide, we’ll learn how to set up a private Certificate Authority on an Ubuntu 20.04 server, and how to generate and sign a testing certificate using your new CA. You will also learn how to import the CA server’s public certificate into your operating system’s certificate store so that you can verify the chain of trust between the CA and remote servers or users. Finally, you will learn how to revoke certificates and distribute a Certificate Revocation List to make sure only authorized users and systems can use services that rely on your CA.

Prerequisites

To complete this tutorial, you will need access to an Ubuntu 20.04 server to host your CA server. You will need to configure a non-root user with sudo privileges before you start this guide. You can follow our Ubuntu 20.04 initial server setup guide to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which is assumed to be in place throughout this guide.

This server will be referred to as the CA Server in this tutorial.

Ensure that the CA Server is a standalone system. It will only be used to import, sign, and revoke certificate requests. It should not run any other services, and ideally it will be offline or completely shut down when you are not actively working with your CA.

Note: The last section of this tutorial is optional if you would like to learn about signing and revoking certificates. If you choose to complete those practice steps, you will need a second Ubuntu 20.04 server or you can also use your own local Linux computer running Ubuntu or Debian, or distributions derived from either of those.

Step 1 — Installing Easy-RSA

The first task in this tutorial is to install the easy-rsa set of scripts on your CA Server. easy-rsa is a Certificate Authority management tool that you will use to generate a private key and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.

Log in to your CA Server as the non-root sudo user that you created during the initial setup steps and run the following:

  • sudo apt update
  • sudo apt install easy-rsa

You will be prompted to download the package and install it. Press y to confirm you want to install the package.

At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.

Step 2 — Preparing a Public Key Infrastructure Directory

Now that you have installed easy-rsa, it is time to create a skeleton Public Key Infrastructure (PKI) on the CA Server. Ensure that you are still logged in as your non-root user and create an easy-rsa directory. Make sure that you do not use sudo to run any of the following commands, since your normal user should manage and interact with the CA without elevated privileges.

  • mkdir ~/easy-rsa

This will create a new directory called easy-rsa in your home folder. We’ll use this directory to create symbolic links pointing to the easy-rsa package files that we’ve installed in the previous step. These files are located in the /usr/share/easy-rsa folder on the CA Server.

Create the symlinks with the ln command:

  • ln -s /usr/share/easy-rsa/* ~/easy-rsa/

Note: While other guides might instruct you to copy the easy-rsa package files into your PKI directory, this tutorial adopts a symlink approach. As a result, any updates to the easy-rsa package will be automatically reflected in your PKI’s scripts.

To restrict access to your new PKI directory, ensure that only the owner can access it using the chmod command:

  • chmod 700 /home/sammy/easy-rsa

Finally, initialize the PKI inside the easy-rsa directory:

  • cd ~/easy-rsa
  • ./easyrsa init-pki

Output
init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /home/sammy/easy-rsa/pki
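The directory preparation of Steps 1 and 2 (mkdir, symlinks, chmod 700), as an added shell example that is not part of the original tutorial: the source and destination paths are parameters so it can be exercised against a scratch directory, and an audit function (my addition) checks what the tutorial asks for, owner-only permissions and symlinks that still resolve. Defaults assume the tutorial's /usr/share/easy-rsa and ~/easy-rsa paths; the apt install and `./easyrsa init-pki` steps are still run by hand.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Reproduces the Step 2
# directory preparation with configurable paths, plus an audit helper
# (my addition) that verifies the result. Defaults are the tutorial's paths.
set -u

# prepare_pki_dir [SRC] [DEST]
#   Mirrors: mkdir ~/easy-rsa; ln -s /usr/share/easy-rsa/* ~/easy-rsa/; chmod 700 ~/easy-rsa
prepare_pki_dir() {
    src=${1:-/usr/share/easy-rsa}
    dest=${2:-"$HOME/easy-rsa"}
    # The tutorial wants the PKI owned by the normal user, not created via sudo.
    [ "$(id -u)" -ne 0 ] || echo "warning: running as root; the PKI should belong to your normal user" >&2
    [ -d "$src" ] || { echo "easy-rsa package files not found in $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # Symlink rather than copy, so package updates are picked up automatically.
    for f in "$src"/*; do
        ln -sf "$f" "$dest/" || return 1
    done
    # Owner-only: the CA private key will live under here once init-pki has run.
    chmod 700 "$dest"
}

# audit_pki_dir [DEST]
#   Succeeds only if DEST exists, is mode exactly 0700, is owned by the
#   current user, and contains no dangling symlinks (e.g. package removed).
audit_pki_dir() {
    dir=${1:-"$HOME/easy-rsa"}
    [ -d "$dir" ] || { echo "$dir: missing" >&2; return 1; }
    # '-perm 700' without a leading '-' requires the exact mode, so any
    # group/other bit fails the check; '-user' takes the numeric uid.
    if [ -z "$(find "$dir" -maxdepth 0 -perm 700 -user "$(id -u)")" ]; then
        echo "$dir: not mode 0700 or not owned by uid $(id -u)" >&2
        return 1
    fi
    for f in "$dir"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "$f: dangling symlink" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone use: prepare with the tutorial's defaults, then audit.
if [ "${1:-}" = "run" ]; then
    prepare_pki_dir && audit_pki_dir && echo "PKI directory ready: $HOME/easy-rsa"
fi
```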

After completing this section you have a directory that contains all the files that are needed to create a Certificate Authority. In the next section you will create the private key and public certificate for your CA.

Step 3 — Creating a Certificate Authority

Before you can create your CA’s private key and certificate, you need to create and populate a file called vars with some default values. First you wil