如何利用 OpenSSL 来实现自制 CA 服务器呢? 这种情况下一般在一个公司内部可用到这种机制。
一、实现自建 CA 的大致流程
大致操作流程如上图所示。
二、自建 CA 的详细操作流程
第一步:自建 CA 服务器
1、生成秘钥
[root@centos6-5 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096) Generating RSA private key, 4096 bit long modulus ....................................................................................................++ .........................................................................................................++ e is 65537 (0x10001) [root@centos6-5 ~]# # 秘钥文件的名称不能自己改动
2、自签证书
[root@centos6-5 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 360 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Henan Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:MageEdu Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:ca.magedu.com Email Address []:[email protected] [root@centos6-5 ~]# # req 生成证书签署请求 # -news 新请求 # -key 指定私钥文件 # -out 签署文件的存放地方 # -x509 生成字签署文件 # -days 有效天数
对于秘钥文件的名称和自签署文件的名称不能自己指定的原因是:
在/etc/pki/tls/openssl.cnf 配置文件中:
这些文件名称在配置文件里里面指定好了。发现还需要有 index.txt 和 serial 俩个文件。
3、创建必要文件,初始化工作环境
[root@centos6-5 ~]# touch /etc/pki/CA/index.txt [root@centos6-5 ~]# echo "00" > /etc/pki/CA/serial
第二步:节点申请证书
1、生成密钥对儿
[root@centos6-5 ~]# mkdir /etc/httpd/ssl;(umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 4096) mkdir: cannot create directory `/etc/httpd/ssl': File exists Generating RSA private key, 4096 bit long modulus .................................................................................................................................................................++ ...............................++ e is 65537 (0x10001) [root@centos6-5 ~]#
2、生成证书签署请求
[root@centos6-5 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [Henan]: Locality Name (eg, city) [ZZ]: Organization Name (eg, company) [MageEdu]: Organizational Unit Name (eg, section) [Ops]: Common Name (eg, your name or your server's hostname) []:www.magedu.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: # 请求证书是否加密,此时设定密码,CA签名时需要输入密码 An optional company name []: [root@centos6-5 ~]#
# 这里再输入相关名称时,如何修改默认值:
3、把签署请求文件发送给 CA 服务
# 由于这里请求签署的节点和 CA 服务器是同一台机器,所以在这里不需要这一步。 # 如果不是在同一台机器上,需要拷贝到 CA 服务器上。通常使用 scp 命令完成。 # 例如:scp /path/to/secert.crs root@CA_HOST_NAME:/path/to/somewhere/
第三步:CA签署证书
1、验正证书中的信息,签署证书
[root@centos6-5 ~]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 300 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Aug 1 15:37:48 2014 GMT Not After : May 28 15:37:48 2015 GMT Subject: countryName = CN stateOrProvinceName = Henan organizationName = MageEdu organizationalUnitName = Ops commonName = www.magedu.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 04:5E:41:F4:DF:77:DE:64:D3:C0:AC:3C:2E:69:C1:01:E5:80:30:4B X509v3 Authority Key Identifier: keyid:AF:D8:63:8A:94:87:40:2A:EA:15:FB:D4:E2:61:23:D7:E8:96:40:3B Certificate is to be certified until May 28 15:37:48 2015 GMT (300 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@centos6-5 ~]#
2、发送给请求者
# 使用 scp 发送给请求者
至此签名完成,如下:
[root@centos6-5 ~]# cat /etc/pki/CA/index.txt V 150528153748Z 00 unknown /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/[email protected] [root@centos6-5 ~]# cat /etc/pki/CA/serial 01 [root@centos6-5 ~]#
三、证书的吊销
有时候我们的的节点秘钥丢了,此时就需要向 CA 申请吊销。
在节点:此时首先要在节点获取证书的serial
[root@server ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject serial=01 subject= /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/[email protected] [root@server ssl]# # noout 不输出额外信息 # serial 输出 serial 信息,在 serial 文件中 # 输出 subject 信息,在 index.txt 文件中
在CA:
1、验证信息
根据节点提交的serial和subject信息来验正与index.txt文件中的信息是否一致
[root@centos6-5 ~]# cat /etc/pki/CA/index.txt V150528153748Z00unknown/C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/[email protected] V140831155108Z01unknown/C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/[email protected]
2、吊销证书
1)吊销证书
# 要吊销的证书一般在 /etc/pki/CA/newcerts 目录下,名称是 序列号.pem [root@centos6-5 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 01. Data Base Updated [root@centos6-5 ~]# cat /etc/pki/CA/index.txt V 150528153748Z 00 unknown /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/[email protected] R 140831155108Z 140801160733Z 01 unknown /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/[email protected] [root@centos6-5 ~]#
2)生成吊销列表(第一次吊销是需要)
[root@centos6-5 ~]# echo 00 > /etc/pki/CA/crlnumber [root@centos6-5 ~]# # 吊销列表文件也在/etc/pki/tls/openssl.cnf 里面定义的。
3)更新证书吊销列表
[root@centos6-5 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/01.crl Using configuration from /etc/pki/tls/openssl.cnf
查看 crl 里的内容:
[root@centos6-5 ~]# openssl crl -in /etc/pki/CA/crl/01.crl -noout -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=CN/ST=Henan/L=ZZ/O=MageEdu/OU=Ops/CN=ca.magedu.com/[email protected] Last Update: Aug 1 16:15:12 2014 GMT Next Update: Aug 31 16:15:12 2014 GMT CRL extensions: X509v3 CRL Number: 0 Revoked Certificates: Serial Number: 01 Revocation Date: Aug 1 16:07:33 2014 GMT Signature Algorithm: sha1WithRSAEncryption 75:29:0d:44:97:a7:8d:a0:2c:30:a7:97:9c:b1:30:9b:ef:c7: d4:53:d2:39:2e:5e:9d:5e:28:97:92:1a:04:ec:78:5d:8d:db: 85:44:d3:bc:fa:db:d2:76:16:d5:79:20:3a:10:db:18:d3:e7: 8e:3d:80:04:8c:92:6a:ae:ac:61:a5:dc:2d:9d:1f:ca:b3:03: db:c1:ce:41:5f:91:f3:8b:7a:ff:c6:5b:5a:1f:fa:69:68:a3: b0:2b:e8:22:58:53:57:c0:20:ec:be:21:bf:36:20:c2:a9:77: 85:21:f7:7f:87:a9:43:d3:01:45:c1:fd:1b:45:8d:8b:af:88: 83:17:2e:a0:8b:85:b6:cc:b4:54:9b:50:fa:e2:8a:7e:d4:6c: a6:02:8a:e3:7e:11:03:0c:64:1e:13:07:10:b1:54:97:af:5a: d8:ec:cd:62:02:1a:2d:a4:c8:b4:09:ef:d6:e1:c0:cb:f1:10: ba:c1:12:3d:a6:8f:5a:5e:81:77:5a:58:52:47:ab:96:84:b3: b8:2a:0e:cf:89:63:00:e3:90:df:c3:f6:f0:e5:d2:cc:9f:38: 31:e4:88:ad:55:1a:e1:83:0b:a3:32:28:2a:8e:1b:b7:2b:12: 01:0a:11:df:10:0e:34:ce:84:24:9e:5e:fa:f9:43:c9:c7:a4: a4:a1:07:53:b1:74:9f:20:ba:a2:f7:30:11:1f:20:38:be:a7: d9:1f:c1:12:21:71:e3:78:20:80:ec:46:d9:92:95:34:f5:ea: da:6f:d8:e4:0f:f4:c1:09:6c:e6:55:fe:f6:ef:62:73:96:94: 4e:30:94:1c:e0:5f:ec:5e:13:ce:0a:5e:5e:88:3f:49:61:0c: e2:c7:5a:33:72:1d:a3:84:5b:a8:e5:31:05:f2:5a:ac:0b:7d: 29:5a:60:b4:53:dd:33:f1:e2:e8:de:66:3b:da:4d:c9:56:eb: 85:08:f9:6b:5b:11:cc:c9:32:ec:5a:7a:4c:26:42:8f:fe:25: a7:b9:31:6f:42:60:6d:8a:59:15:2e:b2:e0:7b:a3:b2:b6:d6: 93:c8:4d:b8:70:b3:54:78:c1:ac:8a:f8:a4:cb:6f:95:51:2d: 2b:64:90:b2:ed:51:01:5c:d2:2a:a2:9a:60:45:bb:c1:d3:87: 5c:aa:9f:0b:05:55:cf:3a:e9:d9:b5:23:80:6a:e4:9c:f6:90: f5:af:24:94:00:88:67:d2:61:4d:66:b9:38:a7:d4:87:04:e1: ad:11:4e:07:0d:88:33:96:34:25:e9:29:77:4e:61:b5:dd:1a: 15:d6:62:77:a3:f8:95:43:a0:52:f7:09:40:58:6b:5a:a3:88: d8:0d:7b:6b:6e:ab:3a:65 [root@centos6-5 ~]#
至此如何如何自建 CA,签名证书和吊销证书构建完毕。至于,如何将获得签名的证书导入我们需要的应用程序中,在后续博客中讲解。