中小型企业证书认证服务器的搭建详解

一、准备工作

　　调试好一台Red Hat 5.8的服务器一台、安装好openssl，openssl-devel两个软件包

二、设定好需要认证的单位信息

　　国家：中国

　　省份：河南

　　城市：郑州

　　公司：网E家

　　部门：技术部

　　服务器的主机名：ca.wangej.com

　　管理员邮箱：caadmin@wangej.com

三、关键字和命令分析

目前最通行的标准CA存储格式为x509格式。

 

一个完整意义上的证书：

x509：   

公钥及其过期时间

证书的合法拥有者

证书该如何被使用

CA认证机构的信息

CA签名的校验码(CA的签名)

互联网上著名的安全机制TLS/SSL使用的就是x509的格式，除此之外还有OpenGPGA的机制，这些都属于PKI的实现架构。

PS：如有错误欢迎指出，谢谢！

 

openssl version  查看openssl版本

1. openssl speed：测试openssl对各种加密算法的速度 
2. openssl enc： 
3.     -e：加密 
4.     -d：解密 
5.     -k：指定加密密钥 
6.     -a：基于base64机制处理 
7.     openssl enc -des3(指定加密算法) -salt -a -in(对哪个文件) inittab(文件) -out(放到哪个文件中) inittab.des3 
8. openssl提取特征码： 
9.     openssl dgst -sha1 passwd  使用sha1方式 
10.     openssl dgst -md5 passwd   使用md5方式 
11. openssl passwd： 
12.     openssl passwd -1(指定md5格式)  
13.                     -salt(指定杂质) 
14.             openssl passwd -1 -salt 1234567 
15.              
16. openssl rand -base64 长度  用来生成随机数 

四、搭建操作

openssl实现私有CA：

1、为服务创建必须的目录及文件

在/etc/pki/CA目录下创建 certs, crl, newcerts三个目录和serial, index.txt两个文件并给serial创建抬头。

1. [root@www CA]# mkdir crl newcerts certs  
2. [root@www CA]# touch serial  
3. [root@www CA]# touch index.txt  
4. [root@www CA]# ls  
5. cacert.pem  crl  index.txt.attr  newcerts  serial  certs  index.txt  private   

2、生成一对密钥

[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 ) #直接指定600权限并保存在private/cakey.pem

1. [root@www private]# cat cakey.pem  
2. -----BEGIN RSA PRIVATE KEY----- 
3. MIIEowIBAAKCAQEA0SBIoqQIrTCIaAUUta9mhEz/CSotVj214Iv8xgiLl8Z0ElU+ 
4. mgipTVhCS6e9KV3IaKymUoAxKbW1zntCe7OBVMOPoPEAip1qTxohkIIF9K+8lC94 
5. rbLJPORVMDd8l2MeqoK9gSt57aWbxJspG50T8egxjK5gL5gLRdSUqcmpsuWkdZP8 
6. znR/AhEH+zpT6bmg1ds99yl5Yg42hFeiulUwddlZmVvneZVDduuovOmGX2dtwqQM 
7. rympbdRt2FzP6LWdQBykVstw1SVN0p6cnbxTPTCZTRFD0AgRoMPSsYxh2cpYC5Gs 
8. bydXiToi50VLy8M/AGz1eOE+xgquD5jVpcr2OQIDAQABAoIBAF7SmJzGa/i7jN49 
9. j4piIcXTc8CgEzaLfLB4SQEyVrlXDsJRTLVjQAEGB+luAWOEVp6/yhqWbbRP5EPf 
10. t+GHHxlkIvgCzxALGG0NmDKCAllUZdl7POjlrEGj9syKHEA4fWsrJOow4HRVJzAa 
11. eqU+sBB8DBuR5aMu+c2L+mySOBQZInJoMZTwoXMHquV1UUJuFwSzuRTe6z5lLxnH 
12. 50qAYFxReepSPq+cdRM3f8mJwaxU4xmx3vIF98Je1o+fg7bZJEUYTHI44TylqLnn 
13. 3PLzR/gqgdcMUilM+2iMwORKpXYT722m0ZoJicRISW9jmrZYrskBzN2n/+ANBIg6 
14. upjfJkECgYEA7ivEThNhFcb06iDrKdjtCUc1s8gqSZ+O7Aw+Avd1vtBxIxNL6ISt 
15. tyNxuy86yOraBrlZpt8uvRNXiLnKykmsEHRTm+I6f0yAcUtDtcciShUiBUb3IGt4 
16. SinR9TGqAxJaqzxQGEKiS3W736kV+9uTYyTpvrVADwmCzAbXjz3pLv0CgYEA4Mfp 
17. FE7I7GMJ8JkBrQObVjt43WX1tY4LzdZ+Tj5g8+WxWfMo+G2FMdaOMuCLZC/jChOe 
18. v8mHQvtbbT92HYzep8sFs/kntWxT53TGvEp8uFGyfCoX/ciSFPNyHHuL3JWqI9G3 
19. yBAHcZzdocSr5l8vthNDWCAuN1oA1LjZgpwtLu0CgYAfqDOciRjjcyGEqUF4u3uu 
20. OwfZUKbGSG4P1AS+EjRVW5FeLydszY3lhNGOJtXydLzsHeDbvFiTCyocY02gG7DC 
21. MyQV2TkbSIjeBjoGxGQ7Ypm2B9u7NG21td9RbvuBEwR4NDkVMG4wB4MkVG42ntX1 
22. XKexEJhmJ0Z6ZgJq6LjA5QKBgEdWSpt+UXfsCpiIBqchEOhyIW6qUCuZdBeUbito 
23. 0p41FG8Go8cMAwyJGkH9T1+xbu2gwm39iGbynNZ0IIlKTtOTtDCk7zw9r/cx8WyK 
24. e0CH9QxA07JgODRb+qgdcYrFGOUbRqdApwwgi5oub5vCM8MmI+ZQ+Dnq336jV6yC 
25. 4jgVAoGBAKDdoyPEUHyszUVf9MWNAQCeJNiH3Wpj6dY+e66bpkShrQ7JFRpw+fXt 
26. icy4xC6lhd4tD9M9ODCC/n9906ySurij9lOCO0X00coSlE9/44lrRwz9hD5KTYKJ 
27. zeGNRLJixgIFnMzbanzmvr4+zgJz9G1RW9BtDm1Pmdo+TrZDg2kK 
28. -----END RSA PRIVATE KEY----- 

3、生成自签署证书

openssl req -new -x509(生成自签证书) -key(指定密钥文件) siyaoa -out(指定存储)  cakey.pem 

1. [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem 
2. You are about to be asked to enter information that will be incorporated 
3. into your certificate request. 
4. What you are about to enter is what is called a Distinguished Name or a DN. 
5. There are quite a few fields but you can leave some blank 
6. For some fields there will be a default value, 
7. If you enter '.', the field will be left blank. 
8. ----- 
9. Country Name (2 letter code) [GB]:CN                                        #国家 
10. State or Province Name (full name) [Berkshire]:Henan                        #省份 
11. Locality Name (eg, city) [Newbury]:zhengzhou                                #城市 
12. Organization Name (eg, company) [My Company Ltd]:wangej                     #公司 
13. Organizational Unit Name (eg, section) []:jishubu                           #部门 
14. Common Name (eg, your name or your server's hostname) []:ca.wangej.com      #服务器的主机名 
15. Email Address []:caadmin@wangej.com                                         #管理员邮箱 

4、查看证书信息

openssl x509 -text(输出成文本格式) -in(读取证书信息) 

1. [root@www CA]# openssl x509 -text -in cacert.pem  
2. Certificate: 
3.     Data: 
4.         Version: 3 (0x2) 
5.         Serial Number: 
6.             b5:4a:6d:18:6c:ac:eb:b5 
7.         Signature Algorithm: sha1WithRSAEncryption 
8.         Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/emailAddress=caadmin@wangej.com 
9.         Validity 
10.             Not Before: Apr  7 06:26:56 2013 GMT 
11.             Not After : May  7 06:26:56 2013 GMT 
12.         Subject: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/emailAddress=caadmin@wangej.com 
13.         Subject Public Key Info: 
14.             Public Key Algorithm: rsaEncryption 
15.             RSA Public Key: (2048 bit) 
16.                 Modulus (2048 bit): 
17.                     00:d1:20:48:a2:a4:08:ad:30:88:68:05:14:b5:af: 
18.                     66:84:4c:ff:09:2a:2d:56:3d:b5:e0:8b:fc:c6:08: 
19.                     8b:97:c6:74:12:55:3e:9a:08:a9:4d:58:42:4b:a7: 
20.                     bd:29:5d:c8:68:ac:a6:52:80:31:29:b5:b5:ce:7b: 
21.                     42:7b:b3:81:54:c3:8f:a0:f1:00:8a:9d:6a:4f:1a: 
22.                     21:90:82:05:f4:af:bc:94:2f:78:ad:b2:c9:3c:e4: 
23.                     55:30:37:7c:97:63:1e:aa:82:bd:81:2b:79:ed:a5: 
24.                     9b:c4:9b:29:1b:9d:13:f1:e8:31:8c:ae:60:2f:98: 
25.                     0b:45:d4:94:a9:c9:a9:b2:e5:a4:75:93:fc:ce:74: 
26.                     7f:02:11:07:fb:3a:53:e9:b9:a0:d5:db:3d:f7:29: 
27.                     79:62:0e:36:84:57:a2:ba:55:30:75:d9:59:99:5b: 
28.                     e7:79:95:43:76:eb:a8:bc:e9:86:5f:67:6d:c2:a4: 
29.                     0c:af:29:a9:6d:d4:6d:d8:5c:cf:e8:b5:9d:40:1c: 
30.                     a4:56:cb:70:d5:25:4d:d2:9e:9c:9d:bc:53:3d:30: 
31.                     99:4d:11:43:d0:08:11:a0:c3:d2:b1:8c:61:d9:ca: 
32.                     58:0b:91:ac:6f:27:57:89:3a:22:e7:45:4b:cb:c3: 
33.                     3f:00:6c:f5:78:e1:3e:c6:0a:ae:0f:98:d5:a5:ca: 
34.                     f6:39 
35.                 Exponent: 65537 (0x10001) 
36.         X509v3 extensions: 
37.             X509v3 Subject Key Identifier:  
38.                 9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A 
39.             X509v3 Authority Key Identifier:  
40.                 keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A 
41.                 DirName:/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com/emailAddress=caadmin@wangej.com 
42.                 serial:B5:4A:6D:18:6C:AC:EB:B5 
43.  
44.             X509v3 Basic Constraints:  
45.                 CA:TRUE 
46.     Signature Algorithm: sha1WithRSAEncryption 
47.         a6:57:5d:59:76:60:27:88:3b:14:3a:91:43:7a:f3:c7:50:d9: 
48.         ba:0e:9f:83:b5:c9:4e:a3:fa:85:72:3c:73:d5:2e:e1:cd:fd: 
49.         6c:ed:41:db:3e:52:00:4a:0a:dc:bc:a2:7a:c1:25:7b:39:ad: 
50.         94:4a:8b:c6:15:1b:df:1c:1d:c7:1c:e3:96:c5:75:f8:9c:9c: 
51.         49:0b:fb:00:76:16:77:e9:f6:7d:87:53:46:e8:af:7f:c1:6d: 
52.         8e:9d:28:bc:57:ec:35:af:29:fc:51:a8:81:50:6f:a7:b8:e6: 
53.         f1:d7:23:ad:98:8f:e0:28:a0:b5:d8:5d:2b:5a:94:a3:1b:74: 
54.         ee:8e:30:42:05:f4:1c:89:d8:f9:fd:64:c4:98:f5:1c:88:39: 
55.         b6:c4:2c:a7:2f:9f:59:5d:29:4d:6b:0a:1b:cc:a2:dd:6d:82: 
56.         2a:cf:dd:23:fa:5b:b2:e5:0b:07:fc:c7:25:ea:8d:40:16:3c: 
57.         8d:15:f7:6a:bb:3e:08:d3:3c:3d:b8:f4:fc:36:42:11:80:ad: 
58.         79:29:bf:70:90:e6:e9:a9:75:f6:2b:dc:cc:e4:18:5b:fc:79: 
59.         5d:74:17:39:6c:a8:ac:8d:2a:9f:b4:ac:cc:30:a7:fd:10:63: 
60.         b2:78:f0:24:f7:8b:71:02:55:87:ad:ed:ee:23:e0:60:31:03: 
61.         81:31:e8:7e 
62. -----BEGIN CERTIFICATE----- 
63. MIIEmzCCA4OgAwIBAgIJALVKbRhsrOu1MA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD 
64. VQQGEwJDTjEOMAwGA1UECBMFSGVuYW4xEjAQBgNVBAcTCVpoZW5nemhvdTEPMA0G 
65. A1UEChMGV2FuZ2VqMRAwDgYDVQQLEwdqaXNodWJ1MRYwFAYDVQQDEw1jYS53YW5n 
66. ZWouY29tMSEwHwYJKoZIhvcNAQkBFhJjYWFkbWluQHdhbmdlai5jb20wHhcNMTMw 
67. NDA3MDYyNjU2WhcNMTMwNTA3MDYyNjU2WjCBjzELMAkGA1UEBhMCQ04xDjAMBgNV 
68. BAgTBUhlbmFuMRIwEAYDVQQHEwlaaGVuZ3pob3UxDzANBgNVBAoTBldhbmdlajEQ 
69. MA4GA1UECxMHamlzaHVidTEWMBQGA1UEAxMNY2Eud2FuZ2VqLmNvbTEhMB8GCSqG 
70. SIb3DQEJARYSY2FhZG1pbkB3YW5nZWouY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC 
71. AQ8AMIIBCgKCAQEA0SBIoqQIrTCIaAUUta9mhEz/CSotVj214Iv8xgiLl8Z0ElU+ 
72. mgipTVhCS6e9KV3IaKymUoAxKbW1zntCe7OBVMOPoPEAip1qTxohkIIF9K+8lC94 
73. rbLJPORVMDd8l2MeqoK9gSt57aWbxJspG50T8egxjK5gL5gLRdSUqcmpsuWkdZP8 
74. znR/AhEH+zpT6bmg1ds99yl5Yg42hFeiulUwddlZmVvneZVDduuovOmGX2dtwqQM 
75. rympbdRt2FzP6LWdQBykVstw1SVN0p6cnbxTPTCZTRFD0AgRoMPSsYxh2cpYC5Gs 
76. bydXiToi50VLy8M/AGz1eOE+xgquD5jVpcr2OQIDAQABo4H3MIH0MB0GA1UdDgQW 
77. BBSaeAPVJg4tEW39VyJuCeRi2jcZmjCBxAYDVR0jBIG8MIG5gBSaeAPVJg4tEW39 
78. VyJuCeRi2jcZmqGBlaSBkjCBjzELMAkGA1UEBhMCQ04xDjAMBgNVBAgTBUhlbmFu 
79. MRIwEAYDVQQHEwlaaGVuZ3pob3UxDzANBgNVBAoTBldhbmdlajEQMA4GA1UECxMH 
80. amlzaHVidTEWMBQGA1UEAxMNY2Eud2FuZ2VqLmNvbTEhMB8GCSqGSIb3DQEJARYS 
81. Y2FhZG1pbkB3YW5nZWouY29tggkAtUptGGys67UwDAYDVR0TBAUwAwEB/zANBgkq 
82. hkiG9w0BAQUFAAOCAQEAplddWXZgJ4g7FDqRQ3rzx1DZug6fg7XJTqP6hXI8c9Uu 
83. 4c39bO1B2z5SAEoK3LyiesElezmtlEqLxhUb3xwdxxzjlsV1+JycSQv7AHYWd+n2 
84. fYdTRuivf8Ftjp0ovFfsNa8p/FGogVBvp7jm8dcjrZiP4CigtdhdK1qUoxt07o4w 
85. QgX0HInY+f1kxJj1HIg5tsQspy+fWV0pTWsKG8yi3W2CKs/dI/pbsuULB/zHJeqN 
86. QBY8jRX3ars+CNM8Pbj0/DZCEYCteSm/cJDm6al19ivczOQYW/x5XXQXOWyorI0q 
87. n7SszDCn/RBjsnjwJPeLcQJVh63t7iPgYDEDgTHofg== 
88. -----END CERTIFICATE----- 

5、在另外一台主机中生成密钥，然后申请一个CA认证

(umask 077; openssl genrsa -out httpd.key 1024）                #生成 主机私钥

openssl req -new -key httpd.key -out httpd.csr                 #向服务器申请认证

openssl ca -in httpd.csr -out httpd.crt -days 365 #服务器签署确认

1. [root@www ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365 
2. Using configuration from /etc/pki/tls/openssl.cnf 
3. Check that the request matches the signature 
4. Signature ok 
5. Certificate Details: 
6.         Serial Number: 1 (0x1) 
7.         Validity 
8.             Not Before: Apr  7 06:41:12 2013 GMT 
9.             Not After : Apr  7 06:41:12 2014 GMT 
10.         Subject: 
11.             countryName               = CN 
12.             stateOrProvinceName       = Henan 
13.             organizationName          = Wangej 
14.             organizationalUnitName    = jishubu 
15.             commonName                = www.wangej.com 
16.             emailAddress              = wwwadmin@wangej.com 
17.         X509v3 extensions: 
18.             X509v3 Basic Constraints:  
19.                 CA:FALSE 
20.             Netscape Comment:  
21.                 OpenSSL Generated Certificate 
22.             X509v3 Subject Key Identifier:  
23.                 17:C6:85:DB:34:DC:AE:21:79:CA:22:90:C9:E2:14:7B:C3:3B:02:7D 
24.             X509v3 Authority Key Identifier:  
25.                 keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A 
26.  
27. Certificate is to be certified until Apr  7 06:41:12 2014 GMT (365 days) 
28. Sign the certificate? [y/n]:y 
29.  
30.  
31. 1 out of 1 certificate requests certified, commit? [y/n]y 
32. Write out database with 1 new entries 
33. Data Base Updated 

如此一个完整的认证过程就已经实现了，此时将httpd.crt的认证证书发送给请求认证的服务器即可。

转载于:https://blog.51cto.com/yhwhzhang/1173083