1 Introduction to the CA
A CA (certificate authority) is the body that issues certificates, and it is the core of PKI. The CA is responsible for issuing certificates, authenticating certificates, and managing the certificates it has already issued. It has to define policies and concrete procedures for verifying and identifying users, and it signs user certificates so that the identity of the certificate holder and the ownership of the public key are assured. For example, when Alice and Bob communicate, an attacker C who intercepts the channel could impersonate Alice to Bob and Bob to Alice, and the information would leak; the CA is what lets each side verify that the other party is who it claims to be. A certificate contains:
1) information about the certificate holder
2) information about the CA
3) how the certificate may be used
4) the public key
PKI (public key infrastructure): its core is the CA.
2 Steps to set up a CA
1) On the CA host, use openssl to set up a private CA: generate a private key and self-sign a certificate.
2) On the node: generate a key pair; generate a certificate signing request; send the request to the CA.
3) At the CA: verify the requester's information; sign the certificate; send the signed certificate back to the requester.
3 Lab steps
1) Set up the CA server and generate its private key. The key file must have mode 400 or 600.
[root@localhost private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/ccc.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
.........+++
e is 65537 (0x10001)
[root@localhost private]# ls
cakey.pem ccc.pem
This has to be done in /etc/pki/CA/private. A cakey.pem was generated earlier; this run uses ccc.pem.
2) req: generate a certificate signing request
-x509: output a self-signed certificate instead of a request
-days X: valid for X days
-new: create a new request
-key /path/to/keyfile: specify the private key file
-out /path/to/somefile: specify the file to write the output to
Self-signed certificate:
[root@localhost private]# openssl req -new -x509 -key /etc/pki/CA/private/ccc.pem -out /etc/pki/CA/cace.pem -days 30
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:ZZC
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:cc.ccc.com
[root@localhost private]# ls
cakey.pem ccc.pem
3) Initialize the environment
[root@localhost private]# touch /etc/pki/CA/{index1.txt,serial1}
[root@localhost private]# echo 01 > /etc/pki/CA/serial1
4) The node applies for a certificate
1) Generate a key pair
[root@stu31 ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
.............+++
e is 65537 (0x10001)
This key pair is generated on the other host (the node).
2) Generate a certificate signing request
[root@stu31 ssl]# openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:ZZX
Organizational Unit Name (eg, section) []:localhost.localdomain
Common Name (eg, your name or your server's hostname) []:cc.ccc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) Send the signing request to the CA server
[root@stu31 ssl]# scp htt.csr 172.16.249.55:/etc/pki/CA/csr/
[email protected]'s password:
htt.csr 100% 1009 1.0KB/s 00:00
5) The CA signs the certificate
[root@localhost CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (Henan) and the request (HA)
If the two do not match, the CA will not sign, so the request has to be regenerated with: openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr
[root@localhost CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 1 05:37:57 2014 GMT
Not After : Aug 31 05:37:57 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Ops
commonName = localhost.localdomain
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
90:AB:55:BA:57:63:2E:06:93:FD:EA:50:4B:9E:5B:40:C1:56:43:6E
X509v3 Authority Key Identifier:
keyid:59:50:01:C7:01:0A:49:70:21:71:AE:A4:26:94:25:78:1A:EA:35:14
Certificate is to be certified until Aug 31 05:37:57 2014 GMT (30 days)
Sign the certificate? [y/n]:
6) Send the certificate to the requester
[root@localhost CA]# scp csr/htt.crt 172.16.31.1:/root
[email protected]'s password:
htt.crt 100% 4556 4.5KB/s 00:00
[root@stu31 ~]# mv htt.crt /etc/httpd/ssl
On the requesting host, move the certificate into /etc/httpd/ssl.
That completes one round of CA certificate signing. Good luck!
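The whole procedure above, as an added shell example that is not part of the original post: it builds the CA, issues a node certificate and verifies it non-interactively in a scratch directory with a minimal openssl.cnf written inline (the directory layout, DN values and node name are assumptions for the demo). It also shows why the CA refused the first request in step 5: the policy_match section makes the request's stateOrProvinceName have to match the CA's.

```shell
# Added example, not the page's own commands: the page's CA flow run without
# prompts in a scratch directory; all paths, DN values and names are constructed.
set -eu

# Build a throw-away CA under $1, issue a certificate to a node and verify it.
# Returns 0 only if the cert chains to the CA and carries the node key's public key.
demo_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/csr"
  # State files `openssl ca` requires: the database and the next serial number.
  touch "$dir/index.txt"; echo 01 > "$dir/serial"
  # policy_match forces C/ST/O of the request to match the CA (page: HA vs Henan).
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # 1) CA key with mode 0600 (umask 077); self-signed CA cert marked CA:TRUE.
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -days 30 -config "$dir/openssl.cnf" -subj "/C=CN/ST=Henan/O=Demo/CN=demo-ca" \
    -addext "basicConstraints=critical,CA:TRUE"
  # 2) Node key pair and CSR; ST=Henan so the request satisfies policy_match.
  (umask 077; openssl genrsa -out "$dir/node.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/node.key" -out "$dir/csr/node.csr" \
    -config "$dir/openssl.cnf" -subj "/C=CN/ST=Henan/O=Demo/CN=node.example.test"
  # 3) CA signs; -batch replaces the interactive "Sign the certificate? [y/n]".
  openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/csr/node.csr" \
    -out "$dir/csr/node.crt" -days 30 >/dev/null 2>&1
  # Before shipping: cert verifies against the CA and its key matches node.key.
  openssl verify -CAfile "$dir/cacert.pem" "$dir/csr/node.crt" >/dev/null
  [ "$(openssl x509 -noout -pubkey -in "$dir/csr/node.crt")" = \
    "$(openssl pkey -pubout -in "$dir/node.key")" ]
}
```

Run it as `demo_ca "$(mktemp -d)"`; afterwards serial holds 02 and index.txt has one V (valid) entry, exactly the state the page's `openssl ca` relies on.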