实验环境:
两台centos主机,一台充当CA,一台充当客户机。
在实现这个实验之前我们先来,看一下openssl的配置文件:/etc/pki/tls/openssl.cnf。在这个文件中定义了CA证书颁发的一些策略和文件命名和存放的规则。
[root@CA ~]# cat /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
/etc/pki/CA/的目录结构树
[root@CA CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
接下来实现OpenSSL证书申请和颁发
在CA主机上
1、创建所需要的文件,这两个文件默认不存在,必须事先创建好,否则无法颁发证书。
[root@CA CA]# touch /etc/pki/CA/index.txt //生成证书索引数据库文件
[root@CA CA]# echo 01 > /etc/pki/CA/serial //指定第一个颁发证书的序列号
2、 CA自签证书
生成私钥
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................+++
......................................................+++
e is 65537 (0x10001)
3、生成自签名证书
[root@CA CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:wenchang
Organization Name (eg, company) [Default Company Ltd]:hailian
Organizational Unit Name (eg, section) []:hailian-30
Common Name (eg, your name or your server's hostname) []:www.cwj.com
Email Address []:
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
在申请证书的主机上
4、 在需要使用证书的主机生成证书请求
[root@client pki]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
..............................................................................+++
e is 65537 (0x10001)
5、生成证书申请文件
[root@client pki]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:hailian
Organizational Unit Name (eg, section) []:hailian-30
Common Name (eg, your name or your server's hostname) []:www.yd.cwj.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6、 将证书请求文件传输给CA
[root@client pki]# scp /etc/pki/tls/test.csr 192.168.239.130:/data/
test.csr 100% 1013 32.2KB/s 00:00
在CA上
7、 CA签署证书,并将证书颁发给请求者
[root@CA CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 17 14:04:52 2019 GMT
Not After : Oct 16 14:04:52 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = hailian
organizationalUnitName = hailian-30
commonName = www.yd.cwj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
76:F4:4D:C1:96:21:98:A3:D2:6A:70:AF:C8:9E:C1:C4:26:9D:06:7D
X509v3 Authority Key Identifier:
keyid:C7:93:0F:D2:1D:E4:FA:2E:11:52:48:5D:9E:9F:10:98:71:DE:BB:20
Certificate is to be certified until Oct 16 14:04:52 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8、把证书复制到申请的主机上即可。
[root@CA CA]# scp /etc/pki/CA/certs/test.crt 192.168.239.128:/data
test.crt 100% 4471 187.3KB/s 00:00
注意:默认国家,省,公司名称三项必须和CA一致
证书颁发完成后,可以查看证书中的信息:
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -issuer
issuer= /C=CN/ST=HN/L=wenchang/O=hailian/OU=hailian-30/CN=www.cwj.com
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -subject
subject= /C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -serial -dates
serial=01
notBefore=Oct 17 14:04:52 2019 GMT
notAfter=Oct 16 14:04:52 2020 GMT
也可以查看指定编号的证书状态
[root@CA CA]# openssl ca -status 01 //查看指定编号的证书状态
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
颁发完证书后CA的目录树结构
[root@CA CA]# tree
.
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
我们也可以吊销证书,下面是吊销证书的步骤。
1、在客户端获取要吊销的证书的serial
[root@CA CA]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com
[root@CA CA]# cat index.txt
V 201016140452Z 01 unknown /C=CN/ST=HN/O=hailian/OU=hailian-30/CN=www.yd.cwj.com
2、在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,然后选择要吊销的证书:
[root@CA CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
3、指定第一个吊销证书的编号
注意:第一次更新证书吊销列表前,才需要执行
[root@CA CA]# echo 01 > /etc/pki/CA/crlnumber
4、更新证书吊销列表
[root@CA CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
完成后可以查看crl文件:
[root@CA CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=HN/L=wenchang/O=hailian/OU=hailian-30/CN=www.cwj.com
Last Update: Oct 17 14:22:47 2019 GMT
Next Update: Nov 16 14:22:47 2019 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Oct 17 14:21:28 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
80:89:a6:52:0a:09:94:cf:73:60:ee:cb:f9:d4:a3:76:48:26:
b2:b2:f0:5c:b4:45:af:35:12:f4:7e:06:e8:80:1a:1c:38:cd:
5b:37:2e:f4:e7:7a:48:f4:cb:a7:e9:9a:85:8a:44:18:08:61:
39:d3:61:c3:df:a2:f7:02:6f:df:53:6b:36:39:6a:0e:41:d8:
71:46:5b:52:fb:3d:96:9a:46:a4:f4:5e:84:41:31:56:ee:85:
e4:37:c7:64:d7:37:80:5c:11:b5:8e:b3:7f:db:4f:2b:98:a5:
b7:73:d1:90:26:ff:04:68:dd:65:5e:67:1c:98:67:4e:6c:9f:
d7:63:c8:b6:cf:17:aa:ee:d4:ca:ad:c1:9d:a8:57:38:14:e9:
16:52:68:ea:6c:48:f8:92:03:bd:b3:88:47:c5:4a:50:7c:df:
ee:b5:70:75:c7:d0:93:68:5e:6e:a4:45:54:5b:73:60:8e:a4:
da:ef:8f:0d:2a:5b:33:20:07:39:0d:c5:ee:ce:27:20:9c:fa:
12:4e:ea:62:95:16:ea:64:a1:0d:b0:cb:57:6c:a8:96:fa:a9:
fa:44:99:bb:c5:56:5a:3b:0d:dc:d2:42:c6:77:12:27:79:f7:
90:a6:e4:61:00:fb:64:a6:94:b9:aa:32:3c:07:c0:58:5d:4e:
91:f9:4a:1d
吊销证书后CA的目录结构
[root@CA CA]# ls
cacert.pem certs crl crlnumber crlnumber.old crl.pem index.txt index.txt.attr index.txt.attr.old index.txt.old newcerts private serial serial.old
[root@CA CA]# tree
.
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 13 files
1482
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
