I. Certificate-related concepts
- Public key infrastructure: PKI
- Certificate authority: CA
- Registration authority: RA
- Certificate revocation list: CRL
- X.509: defines the certificate structure and the authentication protocol standard (fields include the version number, serial number, signature algorithm, issuer, validity period, subject name, and so on)
Certificate types:
- The certificate authority's own certificate
- Server certificate
- User certificate
Two ways to obtain a certificate:
1. Self-signed certificate: you sign your own public key yourself
2. Use a certificate authority:
- Generate a certificate signing request (CSR)
- Send the CSR to the CA
- The CA signs the request and issues the certificate
II. Building a private CA and requesting a certificate
To build a private CA you can use the OpenCA software, or use openssl directly.
2.1 Create the CA's private key
Generate the private key with the openssl command; the default key length is 2048 bits. Then change the file permissions to 600 so that only root can read it.
[root@centos7 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
Generating RSA private key, 2048 bit long modulus
..................+++
.....+++
e is 65537 (0x10001)
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# ll private/cakey.pem
-rw-r--r--. 1 root root 1675 Feb 22 16:29 private/cakey.pem
[root@centos7 CA]# chmod 600 private/cakey.pem
[root@centos7 CA]# ll private/cakey.pem
-rw-------. 1 root root 1675 Feb 22 16:29 private/cakey.pem
[root@centos7 CA]#
2.2 Issue the CA a self-signed certificate
Issue the CA a self-signed certificate with a validity period of 10 years (3650 days).
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:AI
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:jiangde.com
Email Address []:jiang111@139.com
[root@centos7 CA]#
[root@centos7 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
[root@centos7 CA]#
2.3 The user generates a private key and a certificate request
According to the policy in the /etc/pki/tls/openssl.cnf configuration file, the countryName, stateOrProvinceName and organizationName in the certificate request must match the values entered for the CA certificate in section 2.2 above, otherwise the CA will refuse to sign it. commonName is mandatory.
[root@centos7 CA]# cd /data
[root@centos7 data]# (umask 066; openssl genrsa -out /data/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
........+++
e is 65537 (0x10001)
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf
...... (part of the output omitted)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
...... (part of the output omitted)
[root@centos7 data]#
[root@centos7 data]# openssl req
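As an added example (not from the original post), the steps of sections 2.1 to 2.3 as a non-interactive POSIX shell script, plus a check that a CSR's C, ST and O fields satisfy policy_match before the request is handed to the CA. It assumes openssl is on PATH; the directory layout, function names and subject values are constructed for this example.

```shell
#!/bin/sh
# Added example: reproduce sections 2.1-2.3 non-interactively and pre-check a CSR
# against the policy_match fields. Assumes openssl is on PATH; directory names,
# function names and subject values are constructed for this example.
set -e

# 2.1 + 2.2: CA key created with mode 600 via umask (no separate chmod needed)
# and a self-signed CA certificate valid for 3650 days, in the page's layout.
build_ca() {
    dir="$1"; subj="$2"
    mkdir -p "$dir/private" "$dir/certs" "$dir/crl" "$dir/newcerts"
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/private/cakey.pem" -days 3650 \
        -subj "$subj" -out "$dir/cacert.pem"
}

# 2.3: the applicant's private key (mode 600) and certificate signing request.
make_csr() {
    dir="$1"; subj="$2"
    (umask 066; openssl genrsa -out "$dir/app1.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/app1.key" -subj "$subj" -out "$dir/app1.csr"
}

# Print one subject field ($3, e.g. C, ST, O) of a cert ($1=x509) or a CSR ($1=req).
subj_field() {
    openssl "$1" -in "$2" -noout -subject -nameopt sep_multiline |
        sed -n "s/^ *$3=//p"
}

# Return 0 when the CSR's C, ST and O equal the CA certificate's (the fields that
# the policy_match section in openssl.cnf enforces at signing time), 1 otherwise.
policy_match() {
    ca="$1"; csr="$2"
    for f in C ST O; do
        [ "$(subj_field x509 "$ca" "$f")" = "$(subj_field req "$csr" "$f")" ] || return 1
    done
    return 0
}

# Stand-alone run with the page's DN values (constructed scratch directory).
demo=$(mktemp -d)
build_ca "$demo" "/C=CN/ST=GD/L=GZ/O=AI/OU=IT/CN=jiangde.com"
make_csr "$demo" "/C=CN/ST=GD/O=AI/CN=app1.jiangde.com"
if policy_match "$demo/cacert.pem" "$demo/app1.csr"; then
    echo "app1.csr matches the CA's policy_match fields"
fi
rm -rf "$demo"
```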