证书组成部分:
owner(拥有者):证书所属用户的身份信息和公钥;
issue (发证机构):发证机构的签名和发证机构的信息;
Period of Vailidity 有效期限
类型:证书颁发机构所发的证书
服务器(自签名证书)证书
目前使用广泛的证书格式X.509
如何生成一个证书?
1 作为一个申请者,要先生成一个密钥(公钥/私钥对);
2 利用公钥生成一个证书签署请求,签署请求包含个人身份信息,个人公钥等,然后将证书签署请求发给CA;
3 CA验证所声明的信息和证书中所要包含的公钥以后,给证书签名,并组织成证书的格式;
4 客户端接收到证书(Certificate)。
生成一个密钥:
[root@localhost ~]# openssl genrsa 1024 >./my.key
Generating RSA private key, 1024 bit long modulus
..............................................++++++
..++++++
e is 65537 (0x10001)
PS:公钥是从私钥中提取出来,即公钥隐藏私钥当中。
[root@localhost ~]# openssl rsa -in ./my.key -pubout
使用输出重定向保存到一个文件中:
[root@localhost ~]# openssl rsa -in ./my.key -pubout -out ./my.pub
writing RSA key
针对公钥(私钥也可,因为公钥即从私钥当中提取)生成一个证书颁发申请:
[root@localhost ~]# openssl req -new -key ./my.key -out ./my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:RHCE
Organizational Unit Name (eg, section) []:linna
Common Name (eg, your name or your server's hostname) []:linna
Email Address []:mail.a.com
建立一个自签名证书对发来的证书签署请求进行签名:
[root@localhost ~]# openssl req -new -x509 -key ./my.key -out ./my.crt -days 3655
输入证书信息
查看证书签署请求内容:
[root@localhost ~]# openssl req -noout -in ./my.csr –text
下面我们来完完整整实现一个颁发证书的过程:
服务器端:先把自己做成一个CA
编辑/etc/pki/tls/openssl.conf文件,修改CA的默认配置
###################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
生成一个密钥:
[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.............++++++
.............++++++
e is 65537 (0x10001)
生成一个自签署证书
PS:生成自签署证书可以直接生成,不用生成自签署证书请求。
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
前面openssl.conf文件里默认设置里的文件和目录都还没有,我们这里需要手动创建
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# ehco 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
PS :申请者的证书签署请求的国家名,地区名等信息必须与CA保持一致。
客户端:假设有一个http服务需要提供证书
[root@localhost httpd]# mkdir certs
[root@localhost httpd]# pwd
/etc/httpd
[root@localhost httpd]# umask 077;openssl genrsa 1024 > httpd.key
Generating RSA private key, 1024 bit long modulus
...........++++++
.........++++++
e is 65537 (0x10001)
umask 077 要保证所生成的密钥必须是600的权限
-rw------- 1 root root 887 02-25 23:54 httpd.key
生成一个证书签署请求
[root@localhost httpd]# openssl req -new -key httpd.key -out httpd.csr
输入证书信息,务必与CA保持一致
[root@localhost httpd]# ls
certs conf conf.d httpd.csr httpd.key logs modules run
此时我们使用SCP的方法将httpd.csr 拷贝到服务器端,当然我们这里是为了演示效果,真实生产环境中并不建议这样使用。
[root@localhost httpd]# scp ./httpd.csr 192.168.0.127:/tmp/
服务器端:
对证书进行签名
[root@localhost tmp]# openssl ca -in httpd.csr -out httpd.crt
证书签署完成以后,再使用SCP命令将证书拷贝到客户端
[root@localhost certs]# ls
httpd.crt httpd.csr
OK,此时客户端和服务器端就可以利用证书来通信了。
PS:系统给我们提供了一种很简单的机制,可以实现自我发证的功能,仅供测试使用。
在/etc/pki/tls/certs 目录下直接使用make命令(根据makefile文件来定义):
make filename.pem
编辑/etc/pki/tls/openssl.conf文件可以修改证书信息的默认配置。