CA authentication:
CA authentication, i.e. electronic authentication services [1], is the activity of verifying the authenticity and reliability of the parties involved in an electronic signature.
A certificate authority (CA, Certificate Authority) is the body that issues digital certificates. It is the authoritative organization responsible for issuing and managing digital certificates; it acts as the trusted third party in electronic commerce transactions and takes on the responsibility of verifying that public keys in a public-key infrastructure are legitimate.
1. Configure the certificate server
Install openssl
yum install -y openssl*
First look at the configuration file to see which files and directories the CA needs
vim /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
The configuration file shows that everything is kept under /etc/pki/CA, with the subdirectories certs, crl, newcerts and private (the openssl package creates this tree on CentOS/RHEL; if it is missing, create it with mkdir -p /etc/pki/CA/{certs,crl,newcerts,private} and keep private at mode 0700).
Create the CA private key cakey.pem in the private subdirectory. No key size is given below, so the build's default is used (2048 bits on current OpenSSL); for a root key it is better to state the size explicitly (e.g. append 4096), to encrypt the key with -aes256 since it signs everything the CA issues, and to keep the file at mode 0600:
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# openssl genrsa -out private/cakey.pem
Create the self-signed CA root certificate in the CA directory (valid for 3650 days; openssl req -x509 applies the v3_ca extensions from openssl.cnf, which mark the certificate CA:TRUE):
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijin
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:CA.skills.com
Email Address []:
Create the database index file and the serial number file in the CA directory (the serial file must hold an even number of hex digits; if you intend to publish CRLs, also create the crlnumber file the configuration refers to, e.g. echo 00 > /etc/pki/CA/crlnumber):
[root@CA CA]# touch /etc/pki/CA/index.txt
[root@CA CA]# echo 00 > /etc/pki/CA/serial
The certificate authority is now configured.
2. Sign a certificate
Create the server's private key (the output further down shows a 2048-bit key, the default; state the size explicitly to be safe)
openssl genrsa -out nginx.key
Create the certificate signing request
openssl req -new -key nginx.key -out nginx.csr # Country, State/Province and Organization must be identical to the CA certificate: the default policy (policy = policy_match in openssl.cnf) requires C, ST and O to match, and openssl ca rejects the request otherwise
Sign the certificate with the CA (openssl ca takes the CA key, certificate, database and serial from the CA_default section; with no -days given, default_days = 365 applies)
[root@CA ssl]# openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 8 14:55:29 2022 GMT
Not After : Mar 8 14:55:29 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = skills
organizationalUnitName = system
commonName = nginx
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:05:71:33:2A:C2:97:2B:2C:5F:A4:5A:F6:3E:BB:00:13:88:8F:F2
X509v3 Authority Key Identifier:
keyid:7E:D2:9B:80:D2:FA:13:3C:9E:E3:13:DA:B5:6E:68:BB:51:0D:D7:AA
Certificate is to be certified until Mar 8 14:55:29 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
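The two steps above as one non-interactive script, added here as an example (these are not the tutorial's own commands): it builds the CA tree and a minimal ca.cnf in a scratch directory instead of /etc/pki/CA, generates a passphrase-protected root key, issues a server certificate that carries a subjectAltName, verifies it against the root, and shows the policy_match check refusing a request whose Country differs from the CA's. The DN values and the skills.com names are taken from the page; the passphrase, scratch paths, key sizes and the keyUsage/extendedKeyUsage choices are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): the CA build and the server
# signing from the steps above, non-interactive, in a scratch directory.
# Assumes openssl 1.0.2+ on PATH; the DN values and skills.com names come from
# the page, the passphrase and scratch paths are this example's own.
set -u
WORK="${WORK:-$(mktemp -d)}"      # stands in for /etc/pki/CA and the ssl dir
CADIR="$WORK/CA"
CA_PASS="${CA_PASS:-changeit}"    # demo only; real CAs use -passin file: or a prompt
ca_setup() {
    # Same layout openssl.cnf expects: newcerts, private, index.txt, serial.
    mkdir -p "$CADIR/newcerts" "$CADIR/private" && chmod 700 "$CADIR/private"
    : > "$CADIR/index.txt"
    echo 1000 > "$CADIR/serial"    # start above 0 so no cert is issued as 0x0
    # Minimal config: [ CA_default ] pointed at $CADIR, the stock policy_match,
    # a prompt-free DN for the root, and CA:TRUE so the root is a real CA cert.
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CADIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = root_ext
[ req_dn ]
C  = CN
ST = Beijing
L  = Beijing
O  = skills
OU = system
CN = CA.skills.com
[ root_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # CA key with an explicit size and a passphrase: the page's bare genrsa
    # takes the build's default size and writes the key in the clear.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CADIR/private/cakey.pem" 4096 || return 1
    chmod 600 "$CADIR/private/cakey.pem"
    openssl req -new -x509 -config "$CADIR/ca.cnf" -key "$CADIR/private/cakey.pem" \
        -passin "pass:$CA_PASS" -days 3650 -out "$CADIR/cacert.pem"
}
# ca_issue NAME SUBJECT SAN: key + CSR for NAME, signed by the CA. Extensions
# come from a per-request -extfile so the server cert carries a subjectAltName
# (browsers ignore the CN; the page's nginx.crt has no SAN and would be refused).
ca_issue() {
    openssl genrsa -out "$WORK/$1.key" 2048 || return 1
    chmod 600 "$WORK/$1.key"
    openssl req -new -config "$CADIR/ca.cnf" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" || return 1
    cat > "$WORK/$1.ext" <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = $3
EOF
    openssl ca -batch -notext -config "$CADIR/ca.cnf" -passin "pass:$CA_PASS" \
        -extfile "$WORK/$1.ext" -extensions server_ext -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}
# ca_verify NAME HOST: the cert chains to cacert.pem and names HOST in its SAN.
ca_verify() {
    openssl verify -CAfile "$CADIR/cacert.pem" "$WORK/$1.crt" >/dev/null &&
        openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "DNS:$2"
}
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; return 1; }
    ca_setup || return 1
    ca_issue nginx "/C=CN/ST=Beijing/O=skills/OU=system/CN=nginx.skills.com" \
        "DNS:nginx.skills.com,DNS:www.skills.com" || return 1
    ca_verify nginx nginx.skills.com || return 1
    echo "nginx.crt chains to cacert.pem and carries DNS:nginx.skills.com"
    # policy_match at work: a request whose C, ST or O differ from the CA's DN is
    # refused, which is why step 2 says those fields must match the CA.
    if ca_issue other "/C=US/ST=Beijing/O=skills/CN=other.skills.com" "DNS:other.skills.com" 2>/dev/null; then
        echo "unexpected: request with C=US was signed" >&2; return 1
    fi
    echo "request with C=US refused by policy_match; artifacts are under $WORK"
}
main
```

Run it as sh ca_demo.sh; set WORK to choose the scratch directory. The -extfile route is used so that the SAN can differ per request; the same server_ext section could instead live in openssl.cnf as x509_extensions and be selected with -extensions alone.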
Inspect the issued certificate. Note that its extensions are only Basic Constraints (CA:FALSE), the Netscape comment and the two key identifiers; there is no subjectAltName. Current browsers ignore the CN when checking the host name and require a SAN, so a server certificate issued this way is rejected by them; when issuing server certificates, give openssl ca an extension section that sets subjectAltName (through -extfile/-extensions, or x509_extensions in openssl.cnf)
[root@CA ssl]# openssl x509 -in nginx.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Beijing, L = Beijin, O = skills, OU = system, CN = CA.skills.com
Validity
Not Before: Mar 8 14:55:29 2022 GMT
Not After : Mar 8 14:55:29 2023 GMT
Subject: C = CN, ST = Beijing, O = skills, OU = system, CN = nginx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:ca:d8:96:33:d6:6f:be:78:06:0f:93:c3:43:
a1:6f:d9:69:31:70:c7:a0:60:a6:b9:7f:10:35:b3:
11:be:4e:c9:13:53:2a:49:23:64:4c:ce:ae:00:e1:
2d:8a:f3:70:d0:27:28:dd:da:13:4b:06:06:63:8d:
ad:7b:c8:8c:47:e8:2e:8f:a0:2d:c9:29:45:b7:7c:
c4:e6:9c:21:65:85:38:ac:56:32:70:4b:c2:94:c8:
d3:c5:67:21:6c:b2:5c:f3:68:ab:14:28:a2:d5:a1:
bc:b0:25:1d:03:d5:31:a0:bf:a1:f9:8e:9f:5c:d6:
fb:21:7b:11:ab:52:c0:13:ae:3d:ab:86:4e:f4:42:
74:52:7d:61:2f:a8:98:2e:79:10:ef:d2:60:ba:42:
75:12:d2:e1:31:1c:2c:fd:1b:b7:79:38:e9:a1:a9:
d2:77:df:03:e2:df:07:bc:8a:47:b6:86:71:1d:46:
d9:06:eb:77:ca:4e:b8:c2:2a:2f:27:b3:7c:74:54:
a2:16:c0:3d:90:70:47:06:6f:d8:76:2e:97:32:43:
ad:08:20:7e:8f:83:6b:bc:7b:57:76:88:f8:6d:de:
ce:9b:b8:23:63:47:03:a8:0f:9a:74:e6:a6:be:e1:
dd:cf:0d:b6:2a:bf:f4:7f:e2:1e:74:f2:68:4b:32:
24:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:05:71:33:2A:C2:97:2B:2C:5F:A4:5A:F6:3E:BB:00:13:88:8F:F2
X509v3 Authority Key Identifier:
keyid:7E:D2:9B:80:D2:FA:13:3C:9E:E3:13:DA:B5:6E:68:BB:51:0D:D7:AA
Signature Algorithm: sha256WithRSAEncryption
47:5e:ca:af:7f:0b:79:99:d0:3a:74:46:38:aa:75:ef:8a:52:
eb:41:e2:81:6c:9e:47:5f:64:50:ab:b3:b0:42:6e:e3:0f:05:
55:3a:86:f6:88:79:80:89:d6:4b:d6:70:ad:db:50:0a:36:eb:
4c:d9:35:90:e5:79:4c:e5:27:13:59:dc:91:b8:ef:75:35:c8:
2b:25:94:ad:2f:20:97:f6:90:49:7c:e7:24:42:f8:59:3d:3a:
1d:c3:d2:34:43:0f:19:c1:a7:e1:0c:79:78:e0:e9:3d:19:d4:
88:12:c5:91:cb:b6:c4:fd:82:5d:b7:9c:35:16:86:c5:a3:b3:
19:f8:07:58:2d:e6:89:0a:a0:10:e3:af:44:93:5d:f8:4b:64:
6b:55:49:cb:3b:a9:de:87:c6:96:00:83:63:a4:9e:0e:1f:a6:
6c:50:30:71:b4:d2:aa:41:62:52:a9:21:34:42:60:fe:d8:da:
f0:58:df:ea:3a:1c:df:56:40:94:ca:0f:76:f6:87:3d:c3:bb:
01:06:b5:76:11:bb:29:e2:dd:55:32:22:70:76:c4:00:76:00:
c5:f7:79:b3:a1:a4:ab:1a:89:cd:7b:37:55:64:c7:cc:0d:2d:
73:5d:78:96:61:d9:81:d0:2b:05:41:9e:88:81:cc:99:ed:31:
22:a7:c2:a0