构建私有的 CA 机构
1、CA 介绍
CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。为什么要构建私有CA?
因为公共 CA (比如排名前几的这几家:Comodo, Symantec, GlobalSign, DigiCert, StartCom)颁发证书要收费,而且价格很贵。当然现在也有了像 Letsencrypt 这样的免费 CA。 我们的应用是企业内网,域名使用私有域名,没有办法使用互联网的 CA 办法的证书。
环境:server:192.168.11.12 node1:192.168.11.132、构建私有 CA
1)、检查安装 openssl
rpm -qa openssl如果未安装,则安装 openssl
yum install openssl openssl-devel2)、查看配置文件
openssl 配置/etc/pki/tls/openssl.cnf有关CA的配置。如果服务器为证书签署者的身份那么就会用到此配置文件,此配置文件对于证书申请者是无作用的。
####################################################################
[ ca ]
default_ca = CA_default # 默认的CA配置;CA_default指向下面配置块
####################################################################
[ CA_default ]
dir = /etc/pki/CA # CA的默认工作目录
certs = $dir/certs # 认证证书的目录
crl_dir = $dir/crl # 证书吊销列表的路径
database = $dir/index.txt # 数据库的索引文件
new_certs_dir = $dir/newcerts # 新颁发证书的默认路径
certificate = $dir/cacert.pem # 此服务认证证书,如果此服务器为根CA那么这里为自颁发证书
serial = $dir/serial # 下一个证书的证书编号
crlnumber = $dir/crlnumber # 下一个吊销的证书编号
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# CA的私钥
RANDFILE = $dir/private/.rand # 随机数文件
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # 命名方式,以ca_default定义为准
cert_opt = ca_default # 证书参数,以ca_default定义为准
default_days = 365 # 证书默认有效期
default_crl_days= 30 # CRl的有效期
default_md = sha256 # 加密算法
preserve = no # keep passed DN ordering
policy = policy_match #policy_match策略生效
# For the CA policy
[ policy_match ]
countryName = match #国家;match表示申请者的申请信息必须与此一致
stateOrProvinceName = match #州、省
organizationName = match #组织名、公司名
organizationalUnitName = optional #部门名称;optional表示申请者可以的信息与此可以不一致
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ] #由于定义了policy_match策略生效,所以此策略暂未生效
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional3)、根证书服务器目录
根CA服务器:因为只有 CA 服务器的角色,所以用到的目录只有/etc/pki/CA
网站服务器:只是证书申请者的角色,所以用到的目录只有/etc/pki/tls
4)、创建所需要的文件
[root@server ~]# cd /etc/pki/CA/
[root@server CA]# ls
certs crl newcerts private
[root@server CA]# touch index.txt #生成证书索引数据库文件
[root@server CA]# ls
certs crl index.txt newcerts private
[root@server CA]# echo 01 > serial #指定第一个颁发证书的序列号
[root@server CA]# ls
certs crl index.txt newcerts private serial5)、创建密钥
在根CA服务器上创建密钥,密钥的位置必须为/etc/pki/CA/private/cakey.pem,这个是openssl.cnf中中指定的路径,只要与配置文件中指定的匹配即可。
[root@server CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................+++
.........................+++
e is 65537 (0x10001)6)、生成自签名证书
根CA自签名证书,根CA是最顶级的认证机构,没有人能够认证他,所以只能自己认证自己生成自签名证书。
[root@server CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:ca.qf.com
Email Address []:
[root@server CA]# ls
cacert.pem certs crl index.txt newcerts private serial-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n: 证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径7)、下载安装证书
/etc/pki/CA/cacert.pem就是生成的自签名证书文件,使用 SZ/xftp工具将他导出到窗口机器中。然后双击安装此证书到受信任的根证书颁发机构
或:将/etc/pki/CA/cacert.pem 传到Windows上,看一下 sz /etc/pki/CA/cacert.pem
在Windows上接收并更改后缀名为 .cer
3、CA 证书申请及签名
1)、检查安装 openssl
rpm -qa openssl如果未安装,则安装 openssl
yum install openssl openssl-devel2)、客户端生成私钥文件
[root@node1 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/www.qf.com.key 2048)
Generating RSA private key, 2048 bit long modulus
......................+++
....................................................................................+++
e is 65537 (0x10001)
[root@node1 ~]# cd /etc/pki/tls/private
[root@node1 private]# ls
www.qf.com.key3)、客户端用私钥加密生成证书请求
[root@node1 private]# ls ../
cert.pem certs misc openssl.cnf private
[root@node1 private]# openssl req -new -key /etc/pki/tls/private/www.qf.com.key -days 365 -out /etc/pki/tls/www.qf.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:QF
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.qf.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 private]# cd ../
[root@node1 tls]# ls
cert.pem certs misc openssl.cnf private www.qf.com.csrCSR(Certificate Signing Request)包含了公钥和名字信息。通常以.csr为后缀,是网站向CA发起认证请求的文件,是中间文件。
在这一命令执行的过程中,系统会要求填写如下信息:
| 要求添写的内容 | |
|---|---|
| Country Name (2 letter code) | 使用国际标准组织(ISO)国码格式,填写2个字母的国家代号。中国请填写CN |
| State or Province Name (full name) | 省份,比如填写BeiJing |
| Locality Name (eg, city) | 城市,比如填写BeiJing |
| Organization Name (eg, company) | 组织单位,比如填写公司名称的拼音 |
| Organizational Unit Name (eg, section) | 比如填写IT Dept |
| Common Name (eg, your websites domain name) | 城市,比如填写BeiJing |
| Email Address | 邮件地址,可以不填 |
| A challenge password | 可以不填 |
| An optional company name | 可以不填 |
最后把生成的请求文件(/etc/pki/tls/www.qf.com.csr)传输给CA ,这里我使用scp命令,通过ssh协议,将该文件传输到CA下的/etc/pki/CA/private/目录
root@node1 tls]# scp www.qf.com.csr 192.168.11.13:/etc/pki/CA/private/
root@192.168.11.13's password:
www.qf.com.csr 100% 997 777.2KB/s 00:00 4、CA 签署证书
[root@server ~]# openssl ca -in /etc/pki/CA/private/www.qf.com.csr -out
/etc/pki/CA/certs/www.qf.com.ctr -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 14 13:45:02 2019 GMT
Not After : Mar 13 13:45:02 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = QF
organizationalUnitName = OPT
commonName = www.qf.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:65:70:98:2B:0B:15:D0:74:FE:69:58:05:B8:02:BC:45:D8:23:9B
X509v3 Authority Key Identifier:
keyid:60:6B:BC:F1:A1:01:BF:72:FD:7D:02:A8:BD:15:BE:9C:3B:3E:03:30
Certificate is to be certified until Mar 13 13:45:02 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
证书通常以.crt为后缀,表示证书文件
1、可能遇到的问题
[root@server ~]# openssl openssl ca -in /etc/pki/CA/private/www.qf.com.csr -out /etc/pki/CA/certs/www.qf.com.ctr -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (CA) and the request (QF)因为默认使用/etc/pki/tls/openssl.cnf,里面要求其一致,修改organizationName=supplied
修改 /etc/pki/tls/openssl.cnf
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional2、查看生成的证书的信息
[root@server ~]# openssl x509 -in /etc/pki/CA/certs/www.qf.com.ctr -noout -subject
subject= /C=CN/ST=BEIJING/O=QF/OU=OPT/CN=www.qf.com3、将生成的证书发放给请求客户端
[root@server ~]# scp www.qf.com.ctr root@192.168.11.12:/etc/pki/CA/certs/
root@192.168.11.12's password:
www.qf.com.ctr 100% 4422 1.3MB/s 00:00 4、CA吊销证书
1)、知道客户端吊销的证书的serial
[root@server ~]#openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject2)、吊销证书
先根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致;然后
[root@server ~]#openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem3)、生成吊销证书的编号
第一次吊销一个证书时才需要执行
[root@server ~]#echo 01 > /etc/pki/CA/crlnumber4)、更新证书吊销列表
[root@server ~]#openssl ca -gencrl -out thisca.crl5)、查看证书吊销列表
[root@server ~]#openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text转载于:https://blog.51cto.com/14237756/2395976
9170
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
