版本:openssl-1.0.1e
/usr/local/nginx/demoCA/ # ca证书存放位置
/usr/local/nginx/conf/ssl/ #服务器证书存放位置
/home/samba/ca/ #存放要发布的证书
编译安装

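# Build OpenSSL from source and install it under /usr/local/ssl with shared
# libraries, dynamic zlib and the Camellia ciphers, then register the new
# library directory with the dynamic linker.
# NOTE(review): 1.0.1e is a long end-of-life release with publicly known
# defects; build a currently supported OpenSSL release instead.
set -e   # stop at the first failing step rather than running 'make install' on a broken tree
tar zxvf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
# the source tree's configure script is named 'config' (the original read './confg')
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia
make && make install
echo "/usr/local/ssl/lib/" >/etc/ld.so.conf.d/usr_local_ssl_lib.conf
/sbin/ldconfig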

CA 实现介绍
1.创建CA根中心用于签名
利用openssl的命令生成加密的CA根私钥(-keyout 指定),然后自己给自己签名(-x509 参数),签名后的文件(-out 指定)即CA的自签名根证书(含CA公钥),用于验证由CA私钥签发的证书

# Create the CA root: an encrypted 2048-bit RSA key (-keyout) and a
# self-signed (-x509) certificate valid for 7305 days (-out).
# The CA passphrase is passed as 'pass:' on the command line, where it is
# visible to other users through 'ps' and ends up in shell history.
openssl req -new -x509 \
  -config /usr/local/ssl/openssl.cnf \
  -newkey rsa:2048 -passout pass:ca_password \
  -days 7305 \
  -keyout /usr/local/nginx/demoCA/private/cakey.pem \
  -out /usr/local/nginx/demoCA/cacert.pem \
  -subj '/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=CAID/OU=CAID CA Center/CN=CAID ROOT CA/emailAddress=checaide@outlook.com'

2.创建用于服务器的CA证书
1)创建服务器私钥及给CA根请求其签名的csr文件

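# Generate the server's encrypted private key and a CSR for the CA to sign.
# Changed from 'rsa:1024' / '-sha1': a 1024-bit key and SHA-1 are below what
# current clients accept. '-sha256' only sets the digest of the CSR's own
# signature; the digest of the issued certificate comes from default_md in
# the CA section of openssl.cnf (not shown here) — check it as well.
# NOTE(review): CN=127.0.0.1 is an IP literal; modern clients match IPs
# only against a subjectAltName, which would have to come from the
# 'ssl_server' extensions section used at signing time — confirm in openssl.cnf.
openssl req -new -passout pass:server_password -sha256 -newkey rsa:2048 \
  -keyout /usr/local/nginx/demoCA/private/server.key \
  -out /usr/local/nginx/demoCA/csr/client.csr \
  -config /usr/local/ssl/openssl.cnf \
  -subj '/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=CAID/OU=CAID Web Services/CN=127.0.0.1/emailAddress=420400178@qq.com'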

2)CA根用自己的私钥对.csr进行签名

# Sign the server CSR with the CA key for 3650 days. 'policy_match' requires
# the CSR's C/ST/O fields to match the CA's; 'ssl_server' must be an
# extensions section defined in openssl.cnf (presumably added by the author,
# it is not in the stock file). '-infiles' consumes the rest of the line, so
# it stays last.
openssl ca \
  -config /usr/local/ssl/openssl.cnf \
  -passin pass:ca_password \
  -policy policy_match -extensions ssl_server \
  -days 3650 \
  -out /usr/local/nginx/demoCA/certs/server.pem \
  -infiles /usr/local/nginx/demoCA/csr/client.csr

这样便生成服务器的私钥 server.key、经CA私钥签名的服务器证书 server.pem(含服务器公钥),以及CA根证书 cacert.pem(含CA公钥)
在apache中设定SSL的配置指定参数就可以用CA对SSL连接进行验证
/* -subj 内的参数可用于连接验证时的匹配,PHP 亦可读取该信息 */

3.创建用于客户端的证书
1)同server-1

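# Generate the client's encrypted private key and its CSR.
# Changed from 'rsa:1024' / '-sha1': a 1024-bit key and SHA-1 are below what
# current clients and validators accept. The CSR digest does not decide the
# issued certificate's digest — that is default_md in openssl.cnf.
# The CSR is written to the same csr/client.csr path the server step used,
# because sgin.exp reads that fixed path; the server CSR is overwritten here.
openssl req -new -passout pass:user_password -sha256 -newkey rsa:2048 \
  -keyout /usr/local/nginx/demoCA/private/client_01001.key \
  -out /usr/local/nginx/demoCA/csr/client.csr \
  -config /usr/local/ssl/openssl.cnf \
  -subj '/C=CN/ST=JIANGSU/L=CHANGZHOU/O=CAID/OU=CAID_01/CN=client_01001/emailAddress=CAID_2013@gmail.com'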

2)同server-2,通过expect-shell脚本sgin.exp签名,免去交互

# Sign csr/client.csr with the CA via the expect wrapper (sgin.exp, below).
# Positional arguments: <CA passphrase> <validity days> <openssl.cnf policy>
# <extensions section> <output name>; the certificate is written to
# /usr/local/nginx/demoCA/certs/client_01001.pem. The passphrase is on the
# command line and therefore visible in 'ps' and shell history.
expect sgin.exp ca_password 365 policy_anything ssl_client client_01001

4.导出CA的公钥,客户端的私钥&被CA签名的公钥
1)导出CA的公钥

# Copy the CA certificate to the share for distribution. No '-outform' is
# given, so CA_Root.cer is still PEM-encoded despite the .cer extension.
openssl x509 \
  -out /home/samba/ca/CA_Root.cer \
  -in /usr/local/nginx/demoCA/cacert.pem

2)导出客户端的私钥+被CA签名的公钥,文件被以pkcs12格式编码输出,import_password是客户端导入文件时的密码

# Bundle the client's private key and its CA-signed certificate into a
# PKCS#12 file. '-passin' unlocks the key, '-passout' sets the import
# password the client types, '-camellia256' encrypts the bundle with
# Camellia-256. Both passphrases are on the command line (visible in 'ps').
openssl pkcs12 -export -clcerts -camellia256 \
  -inkey /usr/local/nginx/demoCA/private/client_01001.key \
  -in /usr/local/nginx/demoCA/certs/client_01001.pem \
  -passin pass:user_password \
  -passout pass:import_password \
  -name "luck_01001" \
  -out /home/samba/ca/client_01001.pfx

这样客户端就拥有 CA_Root.cer 和 client_01001.pfx。导入 CA_Root.cer 文件后即可验证由该CA签名的网站;导入 client_01001.pfx 文件后网站即可验证客户端身份

5.证书吊销
假设要取消某客户端访问受SSL保护页面的权限,吊销其证书即可
1)吊销已经签名的client_01001.pem

# Mark client_01001.pem as revoked in the CA's index. '-keyfile' and
# '-cert' name the CA key and certificate explicitly instead of relying on
# the config defaults. The revocation only takes effect for the server once
# a new CRL is generated (next step) and picked up by nginx.
openssl ca \
  -config /usr/local/ssl/openssl.cnf \
  -keyfile /usr/local/nginx/demoCA/private/cakey.pem \
  -cert /usr/local/nginx/demoCA/cacert.pem \
  -passin pass:ca_password \
  -revoke /usr/local/nginx/demoCA/certs/client_01001.pem

2)生成吊销证书列表crl.pem,用于服务器检测链接进入的证书是否可用

# Write the CRL the server checks client certificates against. Its validity
# period comes from openssl.cnf (presumably default_crl_days — confirm), so
# this command has to be re-run before the CRL expires or the server will
# treat the list as stale.
openssl ca -gencrl \
  -config /usr/local/ssl/openssl.cnf \
  -passin pass:ca_password \
  -keyfile /usr/local/nginx/demoCA/private/cakey.pem \
  -cert /usr/local/nginx/demoCA/cacert.pem \
  -out /usr/local/nginx/demoCA/crl.pem

sgin.exp

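#!/usr/bin/expect
# Non-interactive wrapper around 'openssl ca': answers every "[y/n]" prompt
# (sign the certificate? commit?) with "y" and exits with openssl's status.
#
# Usage: sgin.exp <ca-passphrase> <days> <policy> <extensions-section> <name>
# The certificate is written to /usr/local/nginx/demoCA/certs/<name>.pem and
# the request is always read from /usr/local/nginx/demoCA/csr/client.csr.
#
# NOTE(review): the passphrase is on the command line of this script and of
# the spawned openssl process, so it shows up in 'ps' and shell history.
# 'openssl ca -batch' answers the prompts itself and would make this wrapper
# unnecessary; '-passin env:VAR' keeps the passphrase off argv.
if {[llength $argv] != 5} {
    puts stderr "usage: sgin.exp <passwd> <days> <policy> <extension> <name>"
    exit 2
}
set passwd    [lindex $argv 0]
set days      [lindex $argv 1]
set policy    [lindex $argv 2]
set extension [lindex $argv 3]
set name      [lindex $argv 4]

# fail instead of hanging silently if openssl never prints a prompt
set timeout 60

spawn /usr/local/ssl/bin/openssl ca -passin pass:$passwd -days $days \
    -config /usr/local/ssl/openssl.cnf -policy $policy -extensions $extension \
    -out /usr/local/nginx/demoCA/certs/$name.pem \
    -infiles /usr/local/nginx/demoCA/csr/client.csr

# One arm with exp_continue handles every prompt; the original listed the
# same "y/n" pattern twice, so its second arm could never match. The eof arm
# ends the loop once openssl exits.
expect {
    "y/n"   { send "y\r"; exp_continue }
    timeout { puts stderr "sgin.exp: timed out waiting for openssl"; exit 1 }
    eof     {}
}

# propagate openssl's exit status so a caller can detect a failed signing
set result [wait]
exit [lindex $result 3]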

ca-install.sh

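#!/bin/bash
# ca-install.sh — (re)create the demo CA under /usr/local/nginx/demoCA, issue
# a server certificate for nginx and one client certificate, and export the
# CA certificate plus the client bundle to the samba share.
#
# Running this script again DESTROYS the existing CA: its private key, its
# index and every certificate it issued. Certificates already handed out can
# then neither be verified against the new root nor revoked.
#
# Passphrases default to the tutorial values and can be overridden from the
# environment (CA_PASSWORD, SERVER_PASSWORD, USER_PASSWORD, IMPORT_PASSWORD).
# The direct openssl calls read them with 'env:' so they stay off the command
# line; sgin.exp still receives the CA passphrase as an argument and so still
# exposes it in 'ps'.
set -euo pipefail

OPENSSL=/usr/local/ssl/bin/openssl
OPENSSL_CNF=/usr/local/ssl/openssl.cnf
CA_DIR=/usr/local/nginx/demoCA        # CA key, index and issued certificates
SSL_DIR=/usr/local/nginx/conf/ssl     # what nginx reads
PUB_DIR=/home/samba/ca                # files published to clients
SIGN_SCRIPT=${SIGN_SCRIPT:-sgin.exp}  # resolved relative to the cwd, as before

export CA_PASSWORD=${CA_PASSWORD:-ca_password}
export SERVER_PASSWORD=${SERVER_PASSWORD:-server_password}
export USER_PASSWORD=${USER_PASSWORD:-user_password}
export IMPORT_PASSWORD=${IMPORT_PASSWORD:-import_password}

# Wipe and recreate the CA tree. ':?' aborts instead of expanding to 'rm -rf /'
# should a directory variable ever be empty.
rm -rf -- "${CA_DIR:?}/" "${SSL_DIR:?}/"
mkdir -p -- "$PUB_DIR" "$SSL_DIR" "$CA_DIR"/{private,newcerts,crl,certs,csr,p12}
chmod 700 -- "$CA_DIR/private"   # only root needs the CA and server keys
touch -- "$CA_DIR"/{serial,crlnumber,index.txt,private/.rand}
#echo 0 > "$CA_DIR/index.txt"
echo 00 >"$CA_DIR/serial"        # 'openssl ca' wants an even number of hex digits
echo 00 >"$CA_DIR/crlnumber"
"$OPENSSL" rand -out "$CA_DIR/private/.rand" 1024

# Create the CA: encrypted 2048-bit key plus self-signed root certificate.
# '-days 7305' was missing; without it 'openssl req -x509' issues a root
# valid for only 30 days. 7305 matches the interactive step of this write-up.
"$OPENSSL" req -new -x509 -passout env:CA_PASSWORD -newkey rsa:2048 -days 7305 \
  -keyout "$CA_DIR/private/cakey.pem" -config "$OPENSSL_CNF" \
  -out "$CA_DIR/cacert.pem" \
  -subj '/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=CAID/OU=CAID CA Center/CN=CAID ROOT CA/emailAddress=checaide@outlook.com'

# Server key and CSR. Raised from rsa:1024/-sha1: 1024-bit keys and SHA-1 are
# below what current clients accept (the issued cert's digest is set by
# default_md in openssl.cnf, not by the CSR). CN is an IP literal; modern
# clients only match IPs against a subjectAltName, which would have to come
# from the 'ssl_server' section of openssl.cnf — confirm it is there.
"$OPENSSL" req -new -passout env:SERVER_PASSWORD -sha256 -newkey rsa:2048 \
  -keyout "$CA_DIR/private/server.key" -out "$CA_DIR/csr/client.csr" \
  -config "$OPENSSL_CNF" \
  -subj '/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=CAID/OU=CAID Web Services/CN=127.0.0.1/emailAddress=420400178@outlook.com'
# sign with sgin.exp: <passphrase> <days> <policy> <extensions> <output name>
/usr/local/bin/expect "$SIGN_SCRIPT" "$CA_PASSWORD" 3650 policy_match ssl_server server

# Move the server cert and key under nginx and strip the passphrase so nginx
# can load the key without prompting. serverkey.pem is the UNENCRYPTED key,
# so it is created under umask 077 rather than the default (typically 644).
mv -- "$CA_DIR/certs/server.pem" "$CA_DIR/private/server.key" "$SSL_DIR/"
chmod 600 -- "$SSL_DIR/server.key"
( umask 077 && "$OPENSSL" rsa -passin env:SERVER_PASSWORD \
    <"$SSL_DIR/server.key" >"$SSL_DIR/serverkey.pem" )

# Client key and CSR (same algorithm upgrade as the server). The CSR reuses
# csr/client.csr because sgin.exp reads that fixed path.
"$OPENSSL" req -new -passout env:USER_PASSWORD -sha256 -newkey rsa:2048 \
  -keyout "$CA_DIR/private/client_01001.key" -out "$CA_DIR/csr/client.csr" \
  -config "$OPENSSL_CNF" \
  -subj '/C=CN/ST=JIANGSU/L=CHANGZHOU/O=CAID/OU=CAID_01/OU=CAID_GROUP1/CN=client_01001/emailAddress=CAIDer_2013@outlook.com'
# policy_anything, presumably because the client's ST/L differ from the CA's
# and policy_match would reject the request — confirm against openssl.cnf.
/usr/local/bin/expect "$SIGN_SCRIPT" "$CA_PASSWORD" 365 policy_anything ssl_client client_01001

# Export the CA certificate (no -outform, so the .cer file is still PEM).
"$OPENSSL" x509 -in "$CA_DIR/cacert.pem" -out "$PUB_DIR/CA_Root.cer"
# Export the client's key + CA-signed certificate as a PKCS#12 bundle;
# IMPORT_PASSWORD is what the client types when importing it.
"$OPENSSL" pkcs12 -passin env:USER_PASSWORD -export -clcerts \
  -in "$CA_DIR/certs/client_01001.pem" -inkey "$CA_DIR/private/client_01001.key" \
  -passout env:IMPORT_PASSWORD -camellia256 \
  -out "$PUB_DIR/client_01001.pfx" -name "good luck 01001"

#=============
# Revoke the client certificate (left disabled, as in the original):
#"$OPENSSL" ca -passin env:CA_PASSWORD -revoke "$CA_DIR/certs/client_01001.pem" -config "$OPENSSL_CNF"
# Generate the CRL; nginx reads it through the symlink below.
"$OPENSSL" ca -passin env:CA_PASSWORD -gencrl -config "$OPENSSL_CNF" -out "$CA_DIR/crl.pem"
ln -s -- "$CA_DIR/crl.pem" "$SSL_DIR/crl.pem"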