Building a private CA with openssl

This article describes in detail how to create a private certificate authority (CA) with OpenSSL on CentOS: generating the CA private key and self-signed certificate, generating a user private key and certificate signing request, having the CA sign the user certificate, and revoking a certificate and generating a CRL. It also explains the policy settings in the openssl.cnf configuration file and the role of the related files.

Steps for requesting and signing a certificate:

  1. Generate a certificate signing request
  2. The RA verifies the request
  3. The CA signs it
  4. Obtain the certificate

The files come from the openssl-libs package; among them the configuration file /etc/pki/tls/openssl.cnf is the important one.

[root@centos ~]# rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
/usr/lib/.build-id
/usr/lib/.build-id/00
/usr/lib/.build-id/00/2a6b0c4063f20cd80099a3b4d9e3732e0bbc73
/usr/lib/.build-id/32
/usr/lib/.build-id/32/e275760859214d906dab89c9ab008bc40f6e6f
/usr/lib/.build-id/39
/usr/lib/.build-id/39/da39ce3c907073d0e69f48906646b3e288ca78
/usr/lib/.build-id/54
/usr/lib/.build-id/54/eb62cc41d23c3de00b5d5745322de1383acf26
/usr/lib/.build-id/fc
/usr/lib/.build-id/fc/a69d9f4bc067ffa2f880051d3979ce96070ac5
/usr/lib64/.libcrypto.so.1.1.1c.hmac
/usr/lib64/.libcrypto.so.1.1.hmac
/usr/lib64/.libssl.so.1.1.1c.hmac
/usr/lib64/.libssl.so.1.1.hmac
/usr/lib64/engines-1.1
/usr/lib64/engines-1.1/afalg.so
/usr/lib64/engines-1.1/capi.so
/usr/lib64/engines-1.1/padlock.so
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libcrypto.so.1.1.1c
/usr/lib64/libssl.so.1.1
/usr/lib64/libssl.so.1.1.1c
/usr/share/licenses/openssl-libs
/usr/share/licenses/openssl-libs/LICENSE

The three policy values in openssl.cnf: match, optional and supplied

  • match: the value in the request must be identical to the value in the CA's own certificate
  • optional: the field may be present or absent, and need not match the CA's value
  • supplied: the field must be present in the request

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

Of the files referenced below, the database file (index.txt) must be created by hand.

[root@centos ~]# cat /etc/pki/tls/openssl.cnf 

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /etc/pki/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certs with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use SHA-256 by default
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

Building the private CA

1. Create the directories and files the CA needs
CentOS 8 does not ship /etc/pki/CA and its subdirectories by default; they must be created by hand.

Comparison of the default paths on CentOS 7 and CentOS 8:
[root@centos7-ld-v587 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

[root@centos8-LD-V587 ~]# tree /etc/pki/CA/
/etc/pki/CA/ [error opening dir]

0 directories, 0 files
[root@centos8-LD-V587 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8-LD-V587 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

1.1 Create the CA's private key on the CA server

Parameter                 Purpose
-out private/cakey.pem    path where the private key is saved
2048                      RSA key length in bits
[root@centos8-LD-V587 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
[root@centos8-LD-V587 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

1.2 The CA server issues itself a self-signed certificate

Parameter                   Purpose
-new                        generate a new certificate signing request
-x509                       generate a self-signed certificate (used for the CA itself)
-key                        private key file used to generate the request
-days n                     validity period of the certificate in days
-out /etc/pki/CA/cacert.pem path where the certificate is saved; must match the configuration file
[root@centos8-LD-V587 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                        
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Bolian.ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.Bolian.org      
Email Address []:admin@Bolian.org
[root@centos8-LD-V587 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files
### View the CA certificate
[root@centos8-LD-V587 CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:98:c0:bb:d7:99:63:aa:92:de:e3:2b:9d:f7:6f:c7:e4:9d:7a:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Zhejiang, L = Hangzhou, O = Bolian.ltd, CN = ca.Bolian.org, emailAddress = admin@Bolian.org
        Validity
            Not Before: Dec  6 22:03:28 2020 GMT
            Not After : Dec  4 22:03:28 2030 GMT
        Subject: C = CN, ST = Zhejiang, L = Hangzhou, O = Bolian.ltd, CN = ca.Bolian.org, emailAddress = admin@Bolian.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ac:93:2b:d1:6d:e6:10:2b:60:2d:54:4b:ba:b6:
                    15:54:c1:6d:62:80:3d:06:2f:1a:37:ca:14:7f:cd:
                    26:57:05:71:a3:11:33:27:e9:b3:d7:d2:ac:24:37:
                    35:d1:3a:c5:f5:29:65:bb:26:12:2b:77:1c:27:74:
                    b9:d6:82:34:a9:be:f3:62:12:3b:c0:be:9f:46:14:
                    12:74:5f:eb:b0:ee:2d:74:0c:ee:ca:48:bd:67:ab:
                    ff:30:4b:66:98:6b:28:0b:5d:d8:a0:96:b4:bf:33:
                    98:a7:5d:7e:51:05:a4:93:5b:2f:2a:e6:50:c8:51:
                    4b:ea:37:a7:f4:bf:95:28:75:9e:2d:4c:17:05:eb:
                    57:e2:f0:30:69:61:7c:f9:d8:92:20:57:3d:b3:f8:
                    54:81:5e:23:e7:98:06:ee:63:47:a1:d6:88:d4:42:
                    4a:80:b3:8f:a2:4e:98:7f:49:f9:94:4e:bf:b0:ae:
                    2c:b5:69:a6:42:07:a5:e8:a8:30:cc:06:36:b5:88:
                    a2:d2:d8:25:f9:0a:ff:c9:89:4c:6e:39:38:1e:21:
                    0a:32:71:e3:84:1c:12:e1:4c:9a:5f:fa:2c:1e:cc:
                    09:7a:39:a2:26:86:22:67:7e:1b:2b:00:41:5c:80:
                    9c:6f:11:ed:9c:58:41:3d:a6:7c:d4:90:8c:92:5a:
                    2f:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                62:F3:3E:ED:1F:12:6B:5F:4A:F4:B4:70:D9:8D:19:09:DA:4F:8A:50
            X509v3 Authority Key Identifier: 
                keyid:62:F3:3E:ED:1F:12:6B:5F:4A:F4:B4:70:D9:8D:19:09:DA:4F:8A:50

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         60:c3:d5:24:40:0c:75:b9:ab:09:04:7e:5c:56:e8:57:56:17:
         ae:75:33:c6:30:19:49:32:69:2d:03:42:52:09:aa:5b:aa:68:
         66:ed:1e:74:40:6e:b0:60:b2:89:31:1c:66:d1:07:ec:a8:c0:
         cd:d4:a9:63:fa:60:cc:5b:a7:7c:36:5e:51:47:9f:d7:95:3a:
         30:28:78:80:df:60:4d:0a:7c:12:3a:b9:14:6e:b0:dc:c2:20:
         b1:93:7d:42:fc:f7:3f:39:7f:82:06:91:bb:1b:01:43:25:c5:
         0b:af:84:d4:e9:a2:60:c4:66:f4:b6:06:00:b5:02:f5:e9:01:
         c8:98:97:e2:fe:d9:cd:28:83:49:9a:4c:93:70:b6:dd:c9:30:
         26:15:f7:df:21:b1:bb:2a:65:87:e7:8a:41:fc:db:e8:6f:8a:
         85:d9:87:dc:f8:0f:15:dc:e8:98:8f:f3:ee:33:ce:e4:39:1e:
         dc:a4:06:03:e9:5b:6e:69:f1:3f:1b:d6:0a:f3:11:2e:d6:db:
         1a:59:c4:ff:0e:31:5f:a2:9f:a8:94:54:3e:c8:ee:bc:5f:72:
         14:76:0f:ca:2f:31:12:bb:d3:a3:db:6f:67:dd:f7:31:d8:b1:
         c0:44:2d:c4:74:10:d2:a3:5b:9c:99:84:c5:37:54:eb:d5:86:
         f5:38:a7:b5

1.3 The user generates a private key and requests a certificate from the CA

### Generate the private key
[root@centos8-LD-V587 data]# (umask 066 ; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
..................+++++
e is 65537 (0x010001)
### Generate the certificate signing request (CSR). By default the country, province and organization name must match the CA's. In this walkthrough the author entered a different company name, and the certificate request failed as a result:
[root@centos7-ld-v587 opt]# openssl ca -in /opt/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (Bolian) and the request (lianlian)
After correcting it (note that the ^H at the end of the Common Name below is a backspace typed at the prompt; it was stored literally in the CN, which is why the issued certificate later shows app1.Bolian.ord\08g instead of app1.Bolian.org):
[root@centos8-LD-V587 data]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Bolian    
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.Bolian.ord^Hg
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
### Send the certificate request file to the CA server

1.4 The CA server issues the certificate
If /etc/pki/CA/index.txt and /etc/pki/CA/serial do not exist, they must be created in advance; otherwise the following error is reported:

[root@centos7-ld-v587 opt]# openssl ca -in /opt/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140654440109968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140654440109968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

index.txt is the index of the certificate database.
serial holds the serial number of the first certificate to be issued, in hexadecimal; once set, it is incremented for each subsequent certificate.

[root@centos7-ld-v587 opt]# touch /etc/pki/CA/index.txt
[root@centos7-ld-v587 opt]# echo 01 > /etc/pki/CA/serial

Issue the certificate:

[root@centos7-ld-v587 opt]# openssl ca -in /opt/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  7 11:40:08 2020 GMT
            Not After : Sep  3 11:40:08 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            organizationName          = Bolian
            organizationalUnitName    = it
            commonName                = app1.Bolian.ord\08g
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                73:7C:D0:03:8A:2A:9B:30:33:F2:EE:B9:2E:1D:AC:F3:0B:BE:2D:FC
            X509v3 Authority Key Identifier: 
                keyid:A5:9A:CD:1A:09:BE:E8:DA:D1:CC:1B:6F:B3:27:03:42:01:E7:8D:65

Certificate is to be certified until Sep  3 11:40:08 2023 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

View the certificate:

[root@centos7-ld-v587 opt]# cat /etc/pki/CA/certs/app1.crt

[root@centos7-ld-v587 opt]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Parameter   Purpose
-issuer     show the issuer
-subject    show the requester (the subject)
-dates      show the certificate's validity dates
-serial     show the certificate's serial number

Check the certificate's validity

[root@centos7-ld-v587 opt]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

After the certificate has been issued, the files index.txt.old and serial.old are generated.

index.txt.old holds the previous index from before the last update.
serial.old holds the serial number of the certificate just issued; the number the next certificate will use is written to serial.

[root@centos7-ld-v587 opt]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt
V	230903114008Z		01	unknown	/C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.ord\x08g
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt.old
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/serial
02
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/serial.old 
01

1.5 The user downloads the certificate files

[root@centos8-LD-V587 data]# ll /data/app1/
total 16
-rw-r--r--. 1 root root 4556 Dec  7 09:10 app1.crt
-rw-r--r--. 1 root root 1013 Dec  7 09:05 app1.csr
-rw-------. 1 root root 1679 Dec  7 06:53 app1.key

1.6 Revoke a certificate and generate the certificate revocation list
If the crlnumber file does not exist, it must be created first; otherwise the following error is reported:

[root@centos7-ld-v587 opt]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140694794561424:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140694794561424:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

[root@centos7-ld-v587 opt]# echo 01 > /etc/pki/CA/crlnumber

Revoke the certificate

[root@centos7-ld-v587 opt]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt
R	230903114008Z	201207122348Z	01	unknown	/C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.ord\x08g
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt.old 
V	230903114008Z		01	unknown	/C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.ord\x08g

Generate the revocation list

[root@centos7-ld-v587 opt]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7-ld-v587 opt]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 13 files
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/crlnumber
02
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/crlnumber.old 
01

The viewing options of the openssl crl command (-in, -noout, -text) are the same as those of openssl x509.
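The whole procedure above (directories, database files, CA key and self-signed certificate, user CSR, signing under policy_match, revocation and CRL) as an added example that is not part of the original post: it runs non-interactively in a temporary directory with a minimal openssl.cnf written by the script itself (so it never touches /etc/pki/CA), passes each DN with -subj instead of the interactive prompts, and ends with openssl verify -crl_check, the check the post does not show. The directory, file and subject names are constructed.

```shell
# Added example (not from the original post): the article's CA workflow run non-interactively
# in a throw-away directory with a minimal, constructed openssl.cnf, then checked with -crl_check.
set -eu
CADIR=$(mktemp -d)        # stands in for /etc/pki/CA
CNF="$CADIR/openssl.cnf"  # stands in for /etc/pki/tls/openssl.cnf
mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private"
: > "$CADIR/index.txt"                          # the database must exist (empty is fine)
echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# Steps 1.1/1.2: CA key (mode 0600 through the umask) and self-signed CA certificate
(umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
openssl req -config "$CNF" -new -x509 -days 3650 -key "$CADIR/private/cakey.pem" \
  -subj "/C=CN/ST=Zhejiang/O=Bolian/CN=ca.Bolian.org" -out "$CADIR/cacert.pem"
issue() {  # steps 1.3/1.4: user key, CSR, CA signature; fails if C/ST/O differ from the CA
  openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null
  openssl req -config "$CNF" -new -key "$CADIR/$1.key" -subj "$2" -out "$CADIR/$1.csr"
  openssl ca -config "$CNF" -batch -notext -days 1000 -in "$CADIR/$1.csr" -out "$CADIR/certs/$1.crt"
}
revoke() { openssl ca -config "$CNF" -revoke "$CADIR/newcerts/$1.pem"; gencrl; }  # step 1.6
gencrl() { openssl ca -config "$CNF" -gencrl -out "$CADIR/crl.pem"; }
status() { openssl ca -config "$CNF" -status "$1" 2>&1 | tail -n 1; }  # e.g. 01=Valid (V)
verify() { openssl verify -CAfile "$CADIR/cacert.pem" -crl_check -CRLfile "$CADIR/crl.pem" "$CADIR/certs/$1.crt"; }
issue app1 "/C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.org"
gencrl; verify app1        # chain and CRL check pass: app1.crt: OK
revoke 01; verify app1 || echo "app1.crt rejected after revocation"
```

Fields the CSR carries that are not listed in the policy (Locality here) are silently dropped from the issued certificate, which is why the article's app1.crt has no L= component.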
