使用openssl生成密钥对
使用 genrsa 子命令生成私钥
[root@CentOS7 data]# (umask 066;openssl genrsa -out private.key -des 1024) #在子shell中生成私钥
Generating RSA private key, 1024 bit long modulus
.......++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
[root@CentOS7 data]# ll private.key
-rw------- 1 root root 946 May 20 20:07 private.key
[root@CentOS7 data]# cat private.key
-----BEGIN RSA PRIVATE KEY----- #说明这是私钥
Proc-Type: 4,ENCRYPTED #说明私钥已经被加密过
DEK-Info: DES-CBC,A8D5413C36EB6057 #说明使用的加密算法
qa7VvzrQmttQW/TSDG7uCh3l6xoobQJ12zwEPSd+meHd8MCUfjxefOmxPYRUFFI3
zGPjiqVC4RqR8qt76QJEtsdi7x9WewpHkAQEzyMex0vxCnsp75l8PmKn1zqD+zdc
...
命令中选项:
-out 指定输出私钥的文件名
-des 指定使用 des 对称加密私钥文件,选填,也可以使用其他加密算法
1024 指定密钥长度
[root@CentOS7 data]# (umask 066;openssl rsa -in private.key -pubout -out public.key) #在子shell中推导生成公钥
Enter pass phrase for private.key: #输入私钥文件的加密口令
writing RSA key
[root@CentOS7 data]# ll *.key
-rw------- 1 root root 946 May 20 20:07 private.key
-rw-r--r-- 1 root root 272 May 20 20:19 public.key
[root@CentOS7 data]# cat public.key
-----BEGIN PUBLIC KEY----- #说明这是公钥
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWPKYeK49RUxZgpva51gNtkRBh
P1SazmeDWAbFai0cLBboATK/4mZRq1ow1ylNPcJ+b6cyp6SGmmughmjLdXi9aRwm
gzXM70CuYNYVnJ94gkeTP1fApcPjJ09f2Iw99KV+kVytcPONTAiwAXipUE4mWN5J
wBwy/qXUB+JGBGIS4QIDAQAB
-----END PUBLIC KEY-----
命令中选项:
-in 指定要被处理的文件,这里是私钥文件
-pubout 推导公钥
-out 指定输出的文件名
PKI
一个典型、完整、有效的PKI应用系统至少应具有以下部分:RA:注册中心负责审核证书申请者的真实身份
CRL:黑名单的发布和管理
CA:即数字证书的申请及签发机关,CA必须具备权威性的特征
数字证书库:用于存储已签发的数字证书及公钥,用户可由此获得所需的其他用户的证书及公钥
创建CA和申请证书
查看搭建CA的配置文件 /etc/pki/tls/openssl.cnf
####################################################################
[ ca ] #从这里开始是CA的配置
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept #定义CA的工作目录
certs = $dir/certs # Where the issued certs are kept #存放证书的目录
crl_dir = $dir/crl # Where the issued crl are kept #存放证书吊销列表的目录
database = $dir/index.txt # database index file. #数据库索引文件,需要手工创建
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. #新建证书的存放目录
certificate = $dir/cacert.pem # The CA certificate #CA的证书文件
serial = $dir/serial # The current serial number #下一个颁发证书的序列号,需要手工创建
crlnumber = $dir/crlnumber # the current crl number #下一个吊销证书的序列号,需要手工创建
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL #私钥吊销列表
private_key = $dir/private/cakey.pem # The private key #CA私钥文件
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for #默认证书有效值
default_crl_days= 30 # how long before next CRL #吊销证书列表发布间隔
default_md = sha256 # use SHA-256 by default #默认加密算法
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match #默认策略匹配
# For the CA policy
[ policy_match ]
countryName = match #必须一致
stateOrProvinceName = match #必须一致
organizationName = match #必须一致
organizationalUnitName = optional #可选
commonName = supplied #必须填写
emailAddress = optional #可选
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
1)创建CA,自签名数字证书
1、新建需要手工创建的文件
[root@CentOS7 CA]# touch index.txt serial crlnumber
[root@CentOS7 CA]# ll
total 0
drwxr-xr-x. 2 root root 6 Aug 4 2017 certs
drwxr-xr-x. 2 root root 6 Aug 4 2017 crl
-rw-r--r-- 1 root root 0 May 21 20:04 crlnumber
-rw-r--r-- 1 root root 0 May 21 20:04 index.txt
drwxr-xr-x. 2 root root 6 Aug 4 2017 newcerts
drwx------. 2 root root 6 Aug 4 2017 private
-rw-r--r-- 1 root root 0 May 21 20:04 serial
2、生成名为
cakey.pem 的私钥文件
[root@CentOS7 CA]# ll private/
total 4
-rw------- 1 root root 946 May 20 20:07 cakey.pem
3、使用
req 子命令生成CA的证书文件
[root@CentOS7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Enter pass phrase for private/cakey.pem: #输入私钥的口令
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Linux
Organizational Unit Name (eg, section) []:CentOS7
Common Name (eg, your name or your server's hostname) []:www.jiangbowen.com
Email Address []:
[root@CentOS7 CA]# ll cacert.pem
-rw-r--r-- 1 root root 989 May 21 20:22 cacert.pem
命令中选项:
-new 新建证书
-x509 使用 X.509 协议进行自签名
-key 指定私钥文件
-out 指定证书文件名
-days 设置证书有效期
4、查看证书内容
因为证书文件默认由 base64 编码显示,所以需要使用 -text 选项来进行查看
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e6:0a:0d:5e:78:57:e3:54
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=Linux, OU=CentOS7, CN=www.jiangbowen.com
Validity
Not Before: May 21 12:22:58 2018 GMT
Not After : May 18 12:22:58 2028 GMT
Subject: C=CN, ST=beijing, L=beijing, O=Linux, OU=CentOS7, CN=www.jiangbowen.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d6:3c:a6:1e:2b:8f:51:53:16:60:a6:f6:b9:d6:
03:6d:91:10:61:3f:54:9a:ce:67:83:58:06:c5:6a:
2d:1c:2c:16:e8:01:32:bf:e2:66:51:ab:5a:30:d7:
29:4d:3d:c2:7e:6f:a7:32:a7:a4:86:9a:6b:a0:86:
...
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS7/CN=www.jiangbowen.com
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -subject
subject= /C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS7/CN=www.jiangbowen.com
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=May 21 12:22:58 2018 GMT
notAfter=May 18 12:22:58 2028 GMT
2)使用私钥申请CA证书
1、生成私钥
[root@CentOS6 data]# (umask 066;openssl genrsa -out test.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................+++
..............................................................................+++
e is 65537 (0x10001)
[root@CentOS6 data]# ll test.pem
-rw------- 1 root root 1679 May 21 20:40 test.pem
2、使用
req 子命令生成证书的申请文件
[root@CentOS6 data]# openssl req -new -key test.pem -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Linux
Organizational Unit Name (eg, section) []:CentOS
Common Name (eg, your name or your server's hostname) []:www.Miriam.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS6 data]# ll test.csr
-rw-r--r-- 1 root root 1009 May 21 20:45 test.csr
3、将证书申请文件发送给CA,CA审核后颁发证书
[root@CentOS7 CA]# echo 01 > serial #指定证书序列号
[root@CentOS7 CA]# openssl ca -in test.csr -out certs/test.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 21 13:04:46 2018 GMT
Not After : Jun 20 13:04:46 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Linux
organizationalUnitName = CentOS
commonName = www.Miriam.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:F8:48:FD:4A:E7:E7:0F:5A:E3:B8:CC:7B:21:9A:BB:6C:25:6E:4B
X509v3 Authority Key Identifier:
keyid:24:BA:29:B4:64:57:4D:BC:E6:C5:7F:CD:61:69:EA:16:65:A0:D7:DE
Certificate is to be certified until Jun 20 13:04:46 2018 GMT (30 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看 /etc/pki/CA 下文件
[root@CentOS7 CA]# tree
.
├── cacert.pem #CA的证书
├── certs #证书目录
│ └── test.crt #证书
├── crl #吊销的证书目录
├── crlnumber #吊销证书的序列号
├── index.txt #证书数据库
├── index.txt.attr
├── index.txt.old #证书数据库备份
├── newcerts #证书私钥目录
│ └── 01.pem #证书私钥
├── private #CA私钥目录
│ └── cakey.pem #CA私钥
├── serial #证书序列号
├── serial.old #证书序列号备份
└── test.csr #证书申请文件
4 directories, 11 files
在 policy_match 策略下,有些选项必须一致
[root@CentOS7 CA]# openssl ca -in test2.csr -out certs/test.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (CN) and the request (US)
但是在 policy_anything 策略下就可以宽松很多
吊销证书
1、查看需要吊销的证书序列号,并使用 ca 子命令吊销证书
[root@CentOS7 CA]# cat index.txt
V 180620130446Z 01 unknown /C=CN/ST=beijing/O=Linux/OU=CentOS/CN=www.Miriam.com
V 180620132623Z 02 unknown /C=US/ST=NY/L=New York/O=Unix/OU=unix/CN=www.unix.com
V 180620132727Z 03 unknown /C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS/CN=www.Miriam.com
[root@CentOS7 CA]#⮀openssl ca -revoke /etc/pki/CA/newcerts/03.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 03.
Data Base Updated
2、更新证书吊销列表
[root@CentOS7 CA]#⮀openssl ca -gencrl -out /etc/pki/CA/crl.pem #更新证书吊销列表
Using configuration from /etc/pki/tls/openssl.cnf
[root@CentOS7 CA]#⮀openssl crl -in /etc/pki/CA/crl.pem -noout -issuer #查看被吊销的证书信息
issuer=/C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS7/CN=www.jiangbowen.com
3、将被吊销的证书移动到
/etc/pki/CA/crl 目录中
[root@CentOS7 CA]#⮀mv newcerts/03.pem crl/
[root@CentOS7 CA]#⮀tree
.
├── cacert.pem
├── certs
│ ├── test2.crt
│ └── test.crt
├── crl
│ └── 03.pem
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
├── serial.old
├── test2.csr
└── test.csr
4 directories, 18 files