证书申请及签署步骤:
- 生成证书申请请求
- RA核验
- CA签署
- 获取证书
使用到的包文件openssl-libs
,其中配置文件/etc/pki/tls/openssl.cnf
非常重要
[root@centos ~]# rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
/usr/lib/.build-id
/usr/lib/.build-id/00
/usr/lib/.build-id/00/2a6b0c4063f20cd80099a3b4d9e3732e0bbc73
/usr/lib/.build-id/32
/usr/lib/.build-id/32/e275760859214d906dab89c9ab008bc40f6e6f
/usr/lib/.build-id/39
/usr/lib/.build-id/39/da39ce3c907073d0e69f48906646b3e288ca78
/usr/lib/.build-id/54
/usr/lib/.build-id/54/eb62cc41d23c3de00b5d5745322de1383acf26
/usr/lib/.build-id/fc
/usr/lib/.build-id/fc/a69d9f4bc067ffa2f880051d3979ce96070ac5
/usr/lib64/.libcrypto.so.1.1.1c.hmac
/usr/lib64/.libcrypto.so.1.1.hmac
/usr/lib64/.libssl.so.1.1.1c.hmac
/usr/lib64/.libssl.so.1.1.hmac
/usr/lib64/engines-1.1
/usr/lib64/engines-1.1/afalg.so
/usr/lib64/engines-1.1/capi.so
/usr/lib64/engines-1.1/padlock.so
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libcrypto.so.1.1.1c
/usr/lib64/libssl.so.1.1
/usr/lib64/libssl.so.1.1.1c
/usr/share/licenses/openssl-libs
/usr/share/licenses/openssl-libs/LICENSE
openssl.cnf中的三种策略:match匹配、optional可选、supplied提供
- match:要求申请填写的信息跟CA设置信息必须一致
- optional:可有可无,跟CA设置信息可不一致
- supplied:必须填写这项申请信息
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
其中,数据库文件必须创建
[root@centos ~]# cat /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
建立私有CA
1、创建CA所需要的目录和文件
centos8默认没有/etc/pki/CA目录及其子目录,需手工创建
7和8默认路径对比
[root@centos7-ld-v587 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@centos8-LD-V587 ~]# tree /etc/pki/CA/
/etc/pki/CA/ [error opening dir]
0 directories, 0 files
[root@centos8-LD-V587 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@centos8-LD-V587 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
1.1CA服务器创建CA的私钥
参数 | 作用 |
---|---|
-out private/cakey.pem | 私钥的保存路径 |
2048 | RSA长度 |
[root@centos8-LD-V587 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
[root@centos8-LD-V587 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
1.2CA服务器给CA颁发自签名证书
参数 | 作用 |
---|---|
-new | 生成新证书签署请求 |
-x509 | 专用于CA生成自签证书 |
-key | 生成请求时用到的私钥文件 |
-days n | 证书的有效期限 |
-out /etc/pki/CA/cacert.pem | 证书的保存路径,需与配置文件中的一致 |
[root@centos8-LD-V587 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Bolian.ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.Bolian.org
Email Address []:admin@Bolian.org
[root@centos8-LD-V587 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
###查看CA证书
[root@centos8-LD-V587 CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
37:98:c0:bb:d7:99:63:aa:92:de:e3:2b:9d:f7:6f:c7:e4:9d:7a:ac
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Zhejiang, L = Hangzhou, O = Bolian.ltd, CN = ca.Bolian.org, emailAddress = admin@Bolian.org
Validity
Not Before: Dec 6 22:03:28 2020 GMT
Not After : Dec 4 22:03:28 2030 GMT
Subject: C = CN, ST = Zhejiang, L = Hangzhou, O = Bolian.ltd, CN = ca.Bolian.org, emailAddress = admin@Bolian.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ac:93:2b:d1:6d:e6:10:2b:60:2d:54:4b:ba:b6:
15:54:c1:6d:62:80:3d:06:2f:1a:37:ca:14:7f:cd:
26:57:05:71:a3:11:33:27:e9:b3:d7:d2:ac:24:37:
35:d1:3a:c5:f5:29:65:bb:26:12:2b:77:1c:27:74:
b9:d6:82:34:a9:be:f3:62:12:3b:c0:be:9f:46:14:
12:74:5f:eb:b0:ee:2d:74:0c:ee:ca:48:bd:67:ab:
ff:30:4b:66:98:6b:28:0b:5d:d8:a0:96:b4:bf:33:
98:a7:5d:7e:51:05:a4:93:5b:2f:2a:e6:50:c8:51:
4b:ea:37:a7:f4:bf:95:28:75:9e:2d:4c:17:05:eb:
57:e2:f0:30:69:61:7c:f9:d8:92:20:57:3d:b3:f8:
54:81:5e:23:e7:98:06:ee:63:47:a1:d6:88:d4:42:
4a:80:b3:8f:a2:4e:98:7f:49:f9:94:4e:bf:b0:ae:
2c:b5:69:a6:42:07:a5:e8:a8:30:cc:06:36:b5:88:
a2:d2:d8:25:f9:0a:ff:c9:89:4c:6e:39:38:1e:21:
0a:32:71:e3:84:1c:12:e1:4c:9a:5f:fa:2c:1e:cc:
09:7a:39:a2:26:86:22:67:7e:1b:2b:00:41:5c:80:
9c:6f:11:ed:9c:58:41:3d:a6:7c:d4:90:8c:92:5a:
2f:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
62:F3:3E:ED:1F:12:6B:5F:4A:F4:B4:70:D9:8D:19:09:DA:4F:8A:50
X509v3 Authority Key Identifier:
keyid:62:F3:3E:ED:1F:12:6B:5F:4A:F4:B4:70:D9:8D:19:09:DA:4F:8A:50
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
60:c3:d5:24:40:0c:75:b9:ab:09:04:7e:5c:56:e8:57:56:17:
ae:75:33:c6:30:19:49:32:69:2d:03:42:52:09:aa:5b:aa:68:
66:ed:1e:74:40:6e:b0:60:b2:89:31:1c:66:d1:07:ec:a8:c0:
cd:d4:a9:63:fa:60:cc:5b:a7:7c:36:5e:51:47:9f:d7:95:3a:
30:28:78:80:df:60:4d:0a:7c:12:3a:b9:14:6e:b0:dc:c2:20:
b1:93:7d:42:fc:f7:3f:39:7f:82:06:91:bb:1b:01:43:25:c5:
0b:af:84:d4:e9:a2:60:c4:66:f4:b6:06:00:b5:02:f5:e9:01:
c8:98:97:e2:fe:d9:cd:28:83:49:9a:4c:93:70:b6:dd:c9:30:
26:15:f7:df:21:b1:bb:2a:65:87:e7:8a:41:fc:db:e8:6f:8a:
85:d9:87:dc:f8:0f:15:dc:e8:98:8f:f3:ee:33:ce:e4:39:1e:
dc:a4:06:03:e9:5b:6e:69:f1:3f:1b:d6:0a:f3:11:2e:d6:db:
1a:59:c4:ff:0e:31:5f:a2:9f:a8:94:54:3e:c8:ee:bc:5f:72:
14:76:0f:ca:2f:31:12:bb:d3:a3:db:6f:67:dd:f7:31:d8:b1:
c0:44:2d:c4:74:10:d2:a3:5b:9c:99:84:c5:37:54:eb:d5:86:
f5:38:a7:b5
1.3用户生成私钥并向CA申请证书
###生成私钥
[root@centos8-LD-V587 data]# (umask 066 ; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
..................+++++
e is 65537 (0x010001)
###生成证书申请文件csr,默认要求 国家,省,公司名称三项必须和CA一致。在模拟中,笔者搞错了公司名字,没写相同的,最后证书没申请成功
[root@centos7-ld-v587 opt]# openssl ca -in /opt/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (Bolian) and the request (lianlian)
修改后:
[root@centos8-LD-V587 data]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Zhejiang
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Bolian
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.Bolian.ord^Hg
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
###将证书申请文件发送给CA服务器
1.4CA服务器颁发证书
/etc/pki/CA/index.txt
和/etc/pki/CA/serial
如果不存在,必须提前创建好。不然会报以下错误:
[root@centos7-ld-v587 opt]# openssl ca -in /opt/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140654440109968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140654440109968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
index.txt用来索引数据库
serial用来指定第一个颁发证书的序列号,十六进制,第一个指定后依次递增
[root@centos7-ld-v587 opt]# touch /etc/pki/CA/index.txt
[root@centos7-ld-v587 opt]# echo 01 > /etc/pki/CA/serial
颁发证书:
[root@centos7-ld-v587 opt]# openssl ca -in /opt/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 7 11:40:08 2020 GMT
Not After : Sep 3 11:40:08 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = Zhejiang
organizationName = Bolian
organizationalUnitName = it
commonName = app1.Bolian.ord\08g
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
73:7C:D0:03:8A:2A:9B:30:33:F2:EE:B9:2E:1D:AC:F3:0B:BE:2D:FC
X509v3 Authority Key Identifier:
keyid:A5:9A:CD:1A:09:BE:E8:DA:D1:CC:1B:6F:B3:27:03:42:01:E7:8D:65
Certificate is to be certified until Sep 3 11:40:08 2023 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看证书:
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/certs/app1.crt
或
[root@centos7-ld-v587 opt]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
参数 | 作用 |
---|---|
-issuer | 查看颁发者 |
-subject | 查看请求者(使用者) |
-dates | 查看证书有效日期 |
-serial | 查看证书编号 |
查看证书有效性
[root@centos7-ld-v587 opt]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
证书创建成功后,会生成index.txt.old
和serial.old
文件。
index.txt.old
文件用于保存证书更新后上一次的索引
serial.old
文件用于存放当前证书编号,系统在serial
中生成下一个证书使用的编号
[root@centos7-ld-v587 opt]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt
V 230903114008Z 01 unknown /C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.ord\x08g
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt.old
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/serial
02
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/serial.old
01
1.5用户下载证书相关文件
[root@centos8-LD-V587 data]# ll /data/app1/
total 16
-rw-r--r--. 1 root root 4556 Dec 7 09:10 app1.crt
-rw-r--r--. 1 root root 1013 Dec 7 09:05 app1.csr
-rw-------. 1 root root 1679 Dec 7 06:53 app1.key
1.6吊销证书并生成吊销列表
如无crlnumber
文件,必须先创建,不然会报以下错误:
[root@centos7-ld-v587 opt]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140694794561424:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140694794561424:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@centos7-ld-v587 opt]# echo 01 > /etc/pki/CA/crlnumber
吊销证书
[root@centos7-ld-v587 opt]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt
R 230903114008Z 201207122348Z 01 unknown /C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.ord\x08g
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/index.txt.old
V 230903114008Z 01 unknown /C=CN/ST=Zhejiang/O=Bolian/OU=it/CN=app1.Bolian.ord\x08g
生成吊销列表
[root@centos7-ld-v587 opt]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7-ld-v587 opt]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 13 files
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/crlnumber
02
[root@centos7-ld-v587 opt]# cat /etc/pki/CA/crlnumber.old
01
openssl crl
查看命令参数与openssl x509
等同。