证书组成部分:

    owner(拥有者):证书所属用户的身份信息和公钥;

    issue (发证机构):发证机构的签名和发证机构的信息;

Period of  Vailidity 有效期限

类型:证书颁发机构所发的证书

      服务器(自签名证书)证书

目前使用广泛的证书格式X.509

如何生成一个证书?

1 作为一个申请者,要先生成一个密钥(公钥/私钥对);

2 利用公钥生成一个证书签署请求,签署请求包含个人身份信息,个人公钥等,然后将证书签署请求发给CA;

3 CA验证所声明的信息和证书中所要包含的公钥以后,给证书签名,并组织成证书的格式;

4 客户端接收到证书(Certificate)。

生成一个密钥:

[root@localhost ~]# openssl genrsa 1024 >./my.key

Generating RSA private key, 1024 bit long modulus

..............................................++++++

..++++++

e is 65537 (0x10001)

PS:公钥是从私钥中提取出来,即公钥隐藏私钥当中。

[root@localhost ~]# openssl rsa -in ./my.key -pubout

wps_clip_p_w_picpath-26216

使用输出重定向保存到一个文件中:

[root@localhost ~]# openssl rsa -in ./my.key -pubout -out ./my.pub

writing RSA key

针对公钥(私钥也可,因为公钥即从私钥当中提取)生成一个证书颁发申请:

[root@localhost ~]# openssl req -new -key ./my.key -out ./my.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HA

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:RHCE

Organizational Unit Name (eg, section) []:linna

Common Name (eg, your name or your server's hostname) []:linna      

Email Address []:mail.a.com

建立一个自签名证书对发来的证书签署请求进行签名:

[root@localhost ~]# openssl req -new -x509 -key ./my.key -out ./my.crt  -days 3655

输入证书信息

查看证书签署请求内容:

[root@localhost ~]# openssl req -noout -in ./my.csr –text

下面我们来完完整整实现一个颁发证书的过程:

服务器端:先把自己做成一个CA

编辑/etc/pki/tls/openssl.conf文件,修改CA的默认配置

###################################################################

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept

certs           = $dir/certs            # Where the issued certs are kept

crl_dir         = $dir/crl              # Where the issued crl are kept

database        = $dir/index.txt        # database index file.

#unique_subject = no                    # Set to 'no' to allow creation of

                                        # several ctificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate

serial          = $dir/serial           # The current serial number

crlnumber       = $dir/crlnumber        # the current crl number

                                        # must be commented out to leave a V1 CRL

crl             = $dir/crl.pem          # The current CRL

private_key     = $dir/private/cakey.pem# The private key

RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

生成一个密钥:

[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem

Generating RSA private key, 1024 bit long modulus

.............++++++

.............++++++

e is 65537 (0x10001)

生成一个自签署证书

PS:生成自签署证书可以直接生成,不用生成自签署证书请求。

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

wps_clip_p_w_picpath-6999

前面openssl.conf文件里默认设置里的文件和目录都还没有,我们这里需要手动创建

[root@localhost CA]# mkdir certs newcerts crl

[root@localhost CA]# touch index.txt serial

[root@localhost CA]# ehco 01 > serial

[root@localhost CA]# ls

cacert.pem  certs  crl  index.txt  newcerts  private  serial

PS :申请者的证书签署请求的国家名,地区名等信息必须与CA保持一致。

客户端:假设有一个http服务需要提供证书

[root@localhost httpd]# mkdir certs

[root@localhost httpd]# pwd

/etc/httpd

[root@localhost httpd]# umask 077;openssl genrsa 1024 > httpd.key

Generating RSA private key, 1024 bit long modulus

...........++++++

.........++++++

e is 65537 (0x10001)

umask 077  要保证所生成的密钥必须是600的权限

-rw------- 1 root root  887 02-25 23:54 httpd.key

生成一个证书签署请求

[root@localhost httpd]# openssl req -new -key httpd.key -out httpd.csr

输入证书信息,务必与CA保持一致

[root@localhost httpd]# ls

certs  conf  conf.d  httpd.csr  httpd.key  logs  modules  run

此时我们使用SCP的方法将httpd.csr 拷贝到服务器端,当然我们这里是为了演示效果,真实生产环境中并不建议这样使用。

[root@localhost httpd]# scp ./httpd.csr 192.168.0.127:/tmp/

服务器端:

对证书进行签名

[root@localhost tmp]# openssl ca -in httpd.csr -out httpd.crt

wps_clip_p_w_picpath-14451

证书签署完成以后,再使用SCP命令将证书拷贝到客户端

[root@localhost certs]# ls

httpd.crt  httpd.csr

OK,此时客户端和服务器端就可以利用证书来通信了。

PS:系统给我们提供了一种很简单的机制,可以实现自我发证的功能,仅供测试使用。

在/etc/pki/tls/certs 目录下直接使用make命令(根据makefile文件来定义):

make  filename.pem

编辑/etc/pki/tls/openssl.conf文件可以×××信息的默认配置。