OpenSSL

加密技术

单向加密

• 介绍：
  通过对数据进行摘要计算生成密文，密文不可逆推还原。
• 特点：
  定长输出，雪崩效应。
• 场景：
  签名。

算法：md5(128bits)
     sha1(160bits)
     sha224
     sha256
     sha384
     sha512

对称加密

• 介绍：
  同一个密钥可以同时用作信息的加密和解密
• 特点：
  加密计算量小、速度块。
• 场景：
  适用加密大量数据。

算法：des
     3des
     aes

非对称加密

• 介绍：
  密钥对包含公钥和私钥，公钥由私钥生成。公钥加密，私钥解密；私钥加密，公钥解密。
• 特点：
  安全性高，但加密计算量大，速度慢。
• 场景：
  适用加密少了数据。

算法：rsa
     dsa

证书

简单来说证书就是“公钥”+“签名”。

X509

X.509的 v3版本规范 (RFC5280）, 其中定义了如下证书信息域：

版本号(Version Number）
序列号（Serial Number）
签名算法ID（ID Signature Algorithm）
颁发者名称（Issuer Name）
有效期限（Validity period）
主体名称（Subject Name）
主体公钥 (SubJect Public Key Info）
公钥算法 (Public Key Algorithm）
主体唯一标识符（Subject Unique Identifier）
颁发者唯一标识符（Issuer Unique Identifier）
扩展：
    ……省略……
签名（Certificate Signature）
签名算法（Certificate Sigature Algorithm）

编码格式

• der
  二进制存储格式
• pem
  二进制存储格式的 Base64 编码格式
• CRT
  CRT应该是certificate的三个字母,其实还是证书的意思,常见于*NIX系统,有可能是PEM编码,也有可能是DER编码,大多数应该是PEM编码,相信你已经知道怎么辨别。
• CER
  还是certificate,还是证书,常见于Windows系统,同样的,可能是PEM编码,也可能是DER编码,大多数应该是DER编码。
• KEY
  通常用来存放一个公钥或者私钥,并非X.509证书,编码同样的,可能是PEM,也可能是DER。

查看KEY的办法:openssl rsa -in mykey.key -text -noout
如果是DER格式的话,同理应该这样了:openssl rsa -in mykey.key -text -noout -inform der

• CSR
  Certificate Signing Request,即证书签名请求,这个并不是证书,而是向权威证书颁发机构获得签名证书的申请,其核心内容是一个公钥(当然还附带了一些别的信息),在生成这个申请的时候,同时也会生成一个私钥,私钥要自己保管好。

证书格式转换

# 从 PEM 转换到 DER：
$ openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

# 从 DER 转换到 PEM：
$ openssl x509 -in cert.der -inform DER -out cert.pem -outform PE

PKI

CA（Certification Authority）：负责证书的颁发和吊销（Revoke），接收来自 RA 的请求，是最核心的部分；
RA（Registration Authority）：对用户身份进行验证，校验数据合法性，负责登记，审核过了就发给 CA；
证书数据库：存放证书，多采用 X.500 系列标准格式。可以配合LDAP 目录服务管理用户信息。

OpenSSL

单向加密

[root@server ~]# openssl dgst --help
Usage: dgst [options] [file...]

 -out /path/file：              输出加密文件
 -hex：                         16进制格式输出
 -binary：                      二进制格式输出
 -sign /path/private.key：      签名操作
 -sginature /path/file.sign：   签名文件
 -verify /path/public.key ：    公钥验证
 -prverify /path/private.key：  私钥验证
 
 -md5：                         摘要算法md5
 -sha：                         摘要算法sha
 -sha1：                        摘要算法sha1
 -sha224：                      摘要算法sha223
 -sha256：                      摘要算法sha256
 -sha384：                      摘要算法sha384
 -sha512：                      摘要算法sha512

• 摘要计算

[root@server ~]# echo 12345 > sFile
[root@server ~]# openssl dgst -sha1 sFile  #支持更多摘要算法：md5、sha256、sha512……
SHA1(sFile)= 2672275fe0c456fb671e4f417fb2f9892c7573ba
[root@server ~]# openssl dgst -sha1 -out sFile.dgst sFile  #结果保存到指定文件
[root@server ~]# cat sFile.dgst 
SHA1(sFile)= 2672275fe0c456fb671e4f417fb2f9892c7573ba

[root@server ~]# openssl dgst -sha1 -hex sFile  #16进制格式
SHA1(sFile)= 2672275fe0c456fb671e4f417fb2f9892c7573ba
[root@server ~]# openssl dgst -sha1 -binary sFile  #二进制格式
&r'_ზ²봳º

• 签名操作

#生成私钥
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................+++++
........+++++
e is 65537 (0x010001)
#签名
[root@server ~]# openssl dgst -sign private.key -sha256 -out sFile.sign sFile
[root@server ~]# ll
-rw-r--r--  1 root root   54 Feb  7 04:45 sFile.dgst
#验证签名
#私钥验证
[root@server ~]# openssl dgst -prverify private.key -sha256 -signature sFile.sign sFile
Verified OK
#公钥验证
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
writing RSA key
[root@server ~]# openssl dgst -verify public.key -sha256 -signature sFile.sign sFile
Verified OK

对称加密

[root@server ~]# openssl enc --help
Usage: enc -cipher [options]

--help                     帮助
-in /path/file.plain       明文
-out /path/file.cipher     密文
-pass val                  密码
   -val：pass、stdin、file
-e                         加密
-d                         解密
-salt                      盐值
-nosalt                    无盐值
-base64                    base64编码

#下面两个参数使用了更新的函数更安全
-iter int
-pbkdf2

-base64 是一种能将任意Binary资料用64种字元组合成字串的方法，而这个Binary资料和字串资料彼此之间是可以互相转换的，十分方便。在实际应用上，Base64除了能将Binary资料可视化之外，也常用来表示字串加密过后的内容。
-hex 也就是base16

• 加解密

#加密
1.
[root@server ~]# openssl enc -e -salt -des3 -base64 -in sFile -out sFile.cipher -pass pass:"1234"
2.
[root@server ~]# echo "1234" | openssl enc -e -salt -des3 -base64 -in sFile -out sFile.cipher -pass stdin
3.
[root@server ~]# echo "1234" > passwd.txt
[root@server ~]# openssl enc -e -salt -des3 -base64 -in sFile -out sFile.cipher -pass file:passwd.txt
#解密
[root@server ~]# openssl enc -d -salt -des3 -base64 -in sFile.cipher -out sFile1 -pass pass:"1234"

非对称加密

密钥生成

[root@server ~]# openssl genrsa --help
Usage: genrsa [options] bits

-out /path/private.key   私钥
bits                     密钥长度

[root@server ~]#(umask 077; openssl genrsa -out private.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
..+++++
e is 65537 (0x010001)
[root@server ~]# cat private.key 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyns8awGpDKSi9M/DAyqs7k8sAEqmvRhGAKdEb1+CR64GXF8F
DFyrqRQ0Ils2pG7vto7LtSUowkJOnYVExxXS7ssCqoC6T0V1FN4CKEOWUWtjaxKR
F0A9Sr/pabGH8r7DB9MO7MAeymyNLWXTgm4W0jC6jO2RXwGNxrjZhEgHXNFmsWAC
LbjeDCMJonneOLqilZXzYqnjzaA9hrD4knLgbAgFBrr9SY1++WxBcpCkgpQpbrYE
qqd5Q/6T0mlbe1GRC3X8yzHtOTLtj0i+alsumYJT5j+4h/Ae/Rj8IAKik6fvjI6N
lWMVnr6TNp+EGzRptNJV13XD65qkitIhuQjQFwIDAQABAoIBAEwq0Y57QGlWIUqw
QO6XBhhbRfUSH+jwEZ07Tr4Kkop+RzxGLjL5RUXEKNxnrYVridcFnlGVGeEBamtM
75NofUGAso8K/4rEWQexf+Q/kHMuT2a+xD+X1bahvJ8avkYtRlZSKcIbfzmsXese
69KbsQ/+bp6G23F+tyNy87gUFFjwbI7ye7BwT1hxu5umGoEGllZyVUvFb8pncJqt
Cqktoa/PdFXgbbiLx/HM0hA5ypbIZckUWOV3A9PKL815K+GSVz3bJtA04/2jDQvc
pQ8tAPqm3m/eOVCBHXy97wHJYrYDywGCPOL2vIeiUXXX0pyJZpAJyU1W7QvE+3BX
XWYE8EECgYEA+U41b3vdX4Up1r3Ip6+I2l2lx5Hx8eBxbo7yqf/n45l0g0CHSxRq
b0j2tiBF3c5OPjdK5N1mKVxXN883ohYN4Wgi7lhaaoqEljt272QYDOki+Kv7dL0Q
WeTVyCrz9prrqmvYZJq+F4v3yVOEgaayNNs4q5vF2T4I10Vc6x78h+ECgYEAz+sl
ZSaYh3sdKzx7kSgqCCHqtjbEI/rLRsdWE/D7yrRDcZpKNo24AZTkSDKshiEz6s55
nD9GGJ8uyHpvfD7/HyFfkp/e2Zo5Tgt/Tr2ijL4XbK+hswe11BdIM0kCSej84+iN
OMLIIzv7egq30M4KXLXKyeyZaQkIXZ4mmQTAdvcCgYAxUMs5NmNgFdNk6z3aDdsg
dw3oIHKfyiomGJjgEAMq/pwRqp4Yt/0l7mT/OfsYGUtY+08RXspqvB10qMT0hzBP
um3OgCPCl4wKu9CXIlGvnB6S2lJvkUa+wYmYgwanbZXYrGSt4f5gYguuA5temj7+
Pa9EIxhMFP1iuBHdYM/LgQKBgQCu02g0L0nd0XVrX4X/PihpgitbX515K241a3ND
fUQa44w6P6PbTzrDibCRzJoohk6jR04WRVXpah/qTpjjfg0C3gsAvRCjI/y/VQeM
7AN8GHKV3vA2G2uWlKUPCnq0LwZFlMr6ST4D8nG34r9BAZ7Q6cNEGn+8Q+4W2d5W
mBpFbQKBgQCQLjG2ptTqfLz8CjGAqtBt2a8qtbGyLrNBiPTOnds70w2Ct/lAwjcX
etVfgG5/fBGvZGsNyrC4bE7Ov07yFfrm5at4sP+sYiDScdGbqAS+5l8O76SfeCuv
XYiF3Y4OYzByIbgdjuHJW83RkYHaZPS8BmRuTgBiyjwIij6ZjuEC+g==
-----END RSA PRIVATE KEY-----

公钥提取

[root@server ~]# openssl rsa --help
Usage: rsa [options]

-in /path/private.key     私钥
-pubout                   输出为公钥
-out /path/public.key     公钥

[root@server ~]# openssl rsa -in private.key -pubout -out public.key
[root@server ~]# cat public.key 
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyns8awGpDKSi9M/DAyqs
7k8sAEqmvRhGAKdEb1+CR64GXF8FDFyrqRQ0Ils2pG7vto7LtSUowkJOnYVExxXS
7ssCqoC6T0V1FN4CKEOWUWtjaxKRF0A9Sr/pabGH8r7DB9MO7MAeymyNLWXTgm4W
0jC6jO2RXwGNxrjZhEgHXNFmsWACLbjeDCMJonneOLqilZXzYqnjzaA9hrD4knLg
bAgFBrr9SY1++WxBcpCkgpQpbrYEqqd5Q/6T0mlbe1GRC3X8yzHtOTLtj0i+alsu
mYJT5j+4h/Ae/Rj8IAKik6fvjI6NlWMVnr6TNp+EGzRptNJV13XD65qkitIhuQjQ
FwIDAQAB
-----END PUBLIC KEY-----

密钥查看

[root@server ~]# openssl rsa --help
Usage: rsa [options]

-in /path/private.key     私钥
-text                     输出私钥信息
-noout                    不显示密钥

[root@server ~]# openssl rsa -in private.key -text -noout

格式转换

[root@server ~]# openssl rsa --help
Usage: rsa [options]

-in /path/rsa             要转换格式的密钥
-inform pem|der           要转换格式密钥的密钥格式
-outform pem|der          按给定格式输出密钥
-out /path/rsa            转换格式后的密钥

• pem→der

[root@server ~]# openssl genrsa -out rsa.pem 1024
[root@server ~]# openssl rsa -in rsa.pem -inform pem -outform der -out rsa.der

• der→pem

[root@server ~]# openssl rsa -in rsa.der -inform der -outform pem -out rsa.pem

rsautl

[root@server ~]# openssl rsautl --help
Usage: rsautl [options]
-help                帮助
-in infile           输入文件
-out outfile         输出文件
-inkey keyfile       密钥文件
-pubin pubic.key     指明密钥文件为公钥
-certin              输入一个证书，使用证书的公钥
-sgin                签名，使用私钥加密
-verfy               验证，使用公钥解密
-hexdump             16进制格式
-encrypt             加密
-decrypt             解密

加解密

公钥加密

#生成公私钥
[root@server ~]# openssl genrsa -out private.key 2048
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
1.传入公钥加密
#加密
[root@server ~]# echo hello > plain.txt
[root@server ~]# openssl rsautl -encrypt -in plain.txt -pubin -inkey public.key -out cipher.txt
#解密
[root@server ~]# openssl rsautl -decrypt -in cipher.txt -inkey private.key -out plain.txt
2.传入私钥加密（实际提取私钥的公钥进行加密）
#加密
[root@server ~]# openssl rsautl -encrypt -in plain.txt -inkey private.key -out cipher.txt
#解密
[root@server ~]# openssl rsautl -decrypt -in cipher.txt -inkey private.key -out plain.txt

私钥加密（签名）

#生成公私钥
[root@server ~]# openssl genrsa -out private.key 2048
[root@server ~]# openssl rsa -in private.key -pubout -out public.key
1.传入公钥解密
#加密
[root@server ~]# echo hello > plain.txt
[root@server ~]# openssl rsautl -sign -in plain.txt -inkey private.key -out sign.txt
#解密
[root@server ~]# openssl rsautl -verify -in sign.txt -pubin -inkey public.key -out plain.txt
2.传入私钥解密（实际提取私钥的公钥进行加密）
#加密
[root@server ~]# openssl rsautl -sign -in plain.txt -inkey private.key -out sign.txt
#解密
[root@server ~]# openssl rsautl -verify -in sign.txt -inkey private.key -out plain.txt

rand

[root@server ~]# openssl rand --help
Usage: rand [flags] num

 -out outfile     输出到文件
 -base64          64种字元组合成格式，6位
 -hex             16种字元组合成格式，4位
 num：            字节数，一个字节8位

[root@server ~]# openssl rand -base64 3
wNgL  #3*8/6=4

passwd

[root@server ~]# openssl passwd -help
Usage: passwd [options]

-in file          从文件中读取密码
-stdin            从标准输入读取密码
-salt val         盐值
-6                sha512
-5                sha256
-1                md5

[root@server ~]# echo '1234' | openssl passwd -1 -salt `openssl rand -hex 4` -stdin

对称加密脚本

#对称加密文件

#!/bin/bash

Usage() {
cat << 'EOF'

Usage:
  enc.sh [-e|-d] -t=enc_type [-n=] [-k=] --in=/path/file --out=/path/file
    
	-e 加密
	-d 解密
	-t 密钥类型
	-n 新生成密码
	-k 加解密时指定密码
	-in 待加解密文件
	-out 加解密输出文件

	-t 默认类型des3
	-n 给出选项时刷新密码，不指定参数默认位置:./
	-k 默认位置:./
    -n 不可和 -d 同时使用
	-in 必要
	-out 加密时必要，解密看需要

EOF
}


paras=$(getopt -o e,d,t:,n::,k:: -l in:,out::,usage -n "$0" -- "$@")
[ $? != 0 ] && exit 1
eval set -- "$paras"

while [ -n "$1" ]
do
	case $1 in
	    -e) e=1; shift;;
		-d) d=1; shift;;
		-t) t=1; enc_type=${2##*=}; shift 2;;
		-n) n=1; pass_dir=${2##*=}; shift 2;;
		-k) k=1; key_dir=${2##*=}; shift 2;;
		--in) i=1; in_file=${2##*=}; shift 2;;
		--out) o=1; out_file=${2##*=}; shift 2;;
		--usage) Usage; shift ;;
		--) break ;;
		*) break ;;
	esac
done

e=${e:-0}
d=${d:-0}
t=${t:-0}
n=${n:-0}
k=${k:-0}
i=${i:-0}
o=${o:-0}

gen_passwd() {
	$(openssl rand -hex 4 > $pass_dir/$pass_file)
}

enc_file() {
	if [ -f $pass_dir/$pass_file -a -f $in_file ] ; then
		$(openssl enc -e -salt -pbkdf2 -$enc_type -in $in_file -out $out_file -pass file:$key_dir/$key_file)
	fi

}

dec_cipher() {
	if [ -f $pass_dir/$pass_file -a -f $in_file ] ; then
		[ $o == 1 ] && $(openssl enc -d -salt -pbkdf2 -$enc_type -in $in_file -out $out_file -pass file:$key_dir/$key_file)
		[ $o == 0 ] && echo "$(openssl enc -d -salt -pbkdf2 -$enc_type -in $in_file -pass file:$key_dir/$key_file)"
	fi
}

pass_file="enc.key"
pass_dir=${pass_dir:-"./"}

if [ $n == 1 ] ; then
	gen_passwd
fi

enc_type=${enc_type:-"des3"}

[ x$in_file == x ] && exit 1
[ -f $in_file ] || exit 1

key_file="enc.key"
key_dir=${key_dir:-"./"}

if [ $e == 1 -a $o == 1 ] ; then
	enc_file
fi

if [ $d == 1 -a $n == 0 ] ; then
	dec_cipher
fi

私有CA

配置文件openssl.cnf

####################################################################
[ ca ]
default_ca      = CA_default            # 默认的CA配置；CA_default指向下面配置块

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # 定义路径变量
certs           = $dir/certs            # 已颁发证书的保存目录
crl_dir         = $dir/crl              # 证书吊销列表的路径
database        = $dir/index.txt        # 数据库的索引文件

new_certs_dir   = $dir/newcerts         # 新颁发证书的默认路径

certificate     = $dir/cacert.pem       # 此服务认证证书，如果此服务器为根CA那么这里为自颁发证书
serial          = $dir/serial           # 下一个证书的证书编号
crlnumber       = $dir/crlnumber        # 下一个吊销的证书编号

crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# CA的私钥
RANDFILE        = $dir/private/.rand    # 随机数文件


default_days    = 365                   # 证书默认有效期
default_crl_days= 30                    # CRl的有效期
default_md      = sha256                # 加密算法
preserve        = no


policy          = policy_match          #policy_match策略生效

# For the CA policy
#match 表示证书认证机构和证书申请者该项必须匹配
#optional 表示该项可选
#supplied 表示该项必填
[ policy_match ]
countryName             = match         #国家或地区
stateOrProvinceName     = match         #省份/州
organizationName        = match         #公司组织名称
organizationalUnitName  = optional      #部门名称
commonName              = supplied      #主机名/域名
emailAddress            = optional      #邮件地址

根CA搭建

1. 为CA提供所需目录和文件

[root@server ~]# mkdir -p /etc/pki/CA/{private，certs,crl,newcerts}
[root@server ~]# touch /etc/pki/CA/{serial,index.txt}
[root@server ~]# echo 01 > /etc/pki/CA/serial

2. 生成CA的私钥

[root@server ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

3. 生成自签证书

[root@server ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:CQ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CR      
Common Name (eg, your name or your server's hostname) []:master
Email Address []:

子CA搭建

1. 为子CA提供所需目录和文件

[root@sub_server ~]# mkdir -p /etc/pki/CA/{private，certs,crl,newcerts}
[root@sub_server ~]# touch /etc/pki/CA/{serial,index.txt}
[root@sub_server ~]# echo 01 > /etc/pki/CA/serial

2. 生成子CA的私钥

[root@sub_server ~]# (umask 077; openssl genrsa -out /etc/pki/tls/private/sub_server.key 2048)

3. 生成子CA证书申请文件

[root@sub_server ~]# openssl req -new -key /etc/pki/tls/private/sub_server.key -out /etc/pki/tls/sub_master.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:CQ
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:sub_server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. 复制子CA证书申请文件到根CA服务器

[root@sub_server ~]# scp /etc/pki/tls/sub_master.csr [email protected]:/etc/pki/CA/certs/
[email protected]'s password: 
sub_master.csr                                                           100%  980   282.5KB/s   00:00

5. 在根CA上签署子CA请求文件

[root@server ~]# openssl ca -in /etc/pki/CA/certs/sub_master.csr -out /etc/pki/CA/certs/sub_master.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 14 05:49:06 2020 GMT
            Not After : Feb 13 05:49:06 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = CQ
            organizationName          = CA
            organizationalUnitName    = CA
            commonName                = sub_server
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F9:B8:43:87:C6:57:5F:56:48:32:A8:DE:86:E2:7B:E0:9F:70:D4:B3
            X509v3 Authority Key Identifier: 
                keyid:F0:86:B1:A1:1D:77:9C:58:B0:32:A0:8B:AF:02:C1:89:CE:12:AF:6D

Certificate is to be certified until Feb 13 05:49:06 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6. 查看根CA目录

[root@server ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   ├── sub_master.crt
│   └── sub_master.csr
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

7. 回传子CA证书

[root@server ~]# scp /etc/pki/CA/certs/sub_master.crt [email protected]:/etc/pki/CA/cacert.pem
[email protected]'s password: 
sub_master.crt                                                           100% 5635     1.6MB/s   00:00

8. 复制/tls/private生成的私钥到/CA下

[root@client ~]# cp /etc/pki/tls/private/sub_server.key /etc/pki/CA/private/cakey.pem

nginx向子CA申请证书

1. 生成/etc/pki/nginx目录

[root@nginx ~]# mkdir -p /etc/pki/nginx/private

2. 生成密钥

[root@nginx ~]# (umask 077; openssl genrsa -out /etc/pki/nginx/private/nginx.key 2048) &> /dev/null

3. 生成申请文件

[root@nginx ~]# openssl req -new -key /etc/pki/nginx/private/nginx.key -out /etc/pki/nginx/private/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:CQ
Locality Name (eg, city) [Default City]:CQ
Organization Name (eg, company) [Default Company Ltd]:nginx 
Organizational Unit Name (eg, section) []:nginx
Common Name (eg, your name or your server's hostname) []:10.10.10.12
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. 复制nginx申请文件到根CA服务器

[root@nginx ~]# scp /etc/pki/nginx/private/nginx.csr [email protected]:/etc/pki/CA/certs
[email protected]'s password: 
nginx.csr                                                                100%  989   284.1KB/s   00:00 

5. CA服务器签署nginx证书

[root@sub_server ~]# openssl ca -in /etc/pki/CA/certs/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 14 06:36:17 2020 GMT
            Not After : Feb 13 06:36:17 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = CQ
            organizationName          = nginx
            organizationalUnitName    = nginx
            commonName                = 10.10.10.12
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B7:F4:BB:2A:7C:6A:07:54:44:84:E5:76:BA:73:8F:4A:17:F6:B3:A8
            X509v3 Authority Key Identifier: 
                keyid:F9:B8:43:87:C6:57:5F:56:48:32:A8:DE:86:E2:7B:E0:9F:70:D4:B3

Certificate is to be certified until Feb 13 06:36:17 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. 查看根CA目录

[root@sub_server ~]# tree /etc/pki/CA/
/etc/pki/CA
├── cacert.pem
├── cakey.pem
├── certs
│   ├── nginx.crt
│   └── nginx.csr
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

6. 回传nginx证书

[root@sub_server ~]# scp /etc/pki/CA/certs/nginx.crt [email protected]:/etc/pki/nginx/
[email protected]'s password: 
nginx.crt                                                                100% 5654     1.2MB/s   00:00

nginx服务https配置

浏览器测试

测试浏览器火狐，导入根证书，访问https://10.10.10.12

证书吊销

1. 查看要吊销证书的信息

[root@nginx ~]# openssl x509 -in /etc/pki/nginx/nginx.crt -noout -serial -subject -dates
serial=01
subject=C = CN, ST = CQ, O = nginx, OU = nginx, CN = 10.10.10.12
notBefore=Feb 14 06:36:17 2020 GMT
notAfter=Feb 13 06:36:17 2021 GMT

2. 在授权CA上对比要吊销证书信息

[root@sub_server ~]# cat /etc/pki/CA/index.txt
V	210213063617Z		01	unknown	/C=CN/ST=CQ/O=nginx/OU=nginx/CN=10.10.10.12

3. 在授权CA上吊销证书

[root@client ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

4. 首次吊销时，创建吊销列表

[root@client ~]# echo 01 > /etc/pki/CA/crlnumber

5. CA更新证书吊销列表

[root@client ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

6. 查看吊销证书

[root@client ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text 
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = CQ, O = CA, OU = CA, CN = sub_server
        Last Update: Feb 14 07:15:51 2020 GMT
        Next Update: Mar 15 07:15:51 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Feb 14 07:12:26 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         79:04:61:b6:a7:7d:3a:99:de:44:63:2d:a5:5a:43:c7:57:27:
         23:ae:6e:fc:32:4e:98:53:b6:68:84:a4:29:e0:e2:da:b0:ed:
         75:52:2a:29:10:9f:c4:ca:1f:cc:de:39:27:75:01:c4:76:b2:
         8e:87:1b:3b:81:78:ae:0d:18:e8:83:09:d9:05:e1:8a:72:f9:
         4c:b4:7c:e0:26:9a:4c:e4:d5:bd:23:ff:77:9b:17:44:76:59:
         13:b9:62:91:bc:3f:22:47:a2:4e:53:db:b7:30:cc:30:f1:48:
         82:d6:58:e6:f5:7f:8e:0d:ec:23:a7:2f:f1:31:e7:5b:31:84:
         43:30:81:dc:0c:8a:54:f1:30:05:08:17:8b:99:03:68:ab:e2:
         e7:b9:e2:ac:02:d5:51:40:50:8e:57:81:06:d5:3e:0e:59:7b:
         dd:7b:29:b5:d3:d3:99:1e:8c:22:aa:ce:e8:fe:2b:e6:00:fc:
         6e:dd:3e:1c:7c:9e:ac:c8:e7:2d:6b:46:49:89:ab:86:00:8d:
         fe:c2:be:26:77:9c:26:5a:38:ec:26:82:d1:db:20:df:1f:68:
         c0:54:74:a9:ed:5d:26:82:a4:7f:e3:c1:e6:a2:7b:86:c2:82:
         2d:ce:67:ed:a1:89:fc:30:b4:97:d1:e1:ca:66:b4:56:d9:a4:
         09:c9:c4:0a