linux安全和加密篇(四)—openssl证书申请和创建CA
OpenSSL证书申请
1、PKI: Public Key Infrastructure
- CA 证书颁发机构
- RA 证书请求机构 request
- CRL
2、建立私有CA: 搭建CA
- OpenCA
- openssl
3、证书申请及签署步骤:
- 1、生成申请请求 后缀位csr
- 2、 RA核验
- 3、 CA签署
- 4、获取证书
创建CA和申请证书
创建私有CA:
[[email protected] ~]# cd /etc/pki/tls/
[[email protected] tls]# ls
cert.pem certs misc openssl.cnf private*******openssl的配置文件: /etc/pki/tls/openssl.cnf CA重要配置文件******
三种策略: 匹配、支持和可选
匹配指要求申请填写的信息跟CA设置信息必须一致, 支持指必须填写这项申请信息, 可选指可有可无
openssl.cnf文件中和证书相关的项目有
[[email protected] tls]# vim openssl.cnf [ ca ] #default_ca默认ca 为 CA_default
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (CA的工作目录)
certs = $dir/certs # Where the issued certs are kept (颁发证书的目录)
crl_dir = $dir/crl # Where the issued crl are kept (证书吊销列表目录)
database = $dir/index.txt # database index file. (证书数据库索引文件目录)
index.txt 文件默认不存在 需要手工创建,其中的内容由CA自动生成
new_certs_dir = $dir/newcerts # default place for new certs. (新证书的存放路径)
certificate = $dir/cacert.pem # The CA certificate ( CA的根证书存放文件)
serial = $dir/serial # The current serial number (证书编号 16进制)
crlnumber = $dir/crlnumber # the current crl number (吊销证书编号存放处)
crl = $dir/crl.pem # The current CRL (证书吊销列表文件)
private_key = $dir/private/cakey.pem # The private key ( CA证书私钥)后缀必须命名为cakey.pem)
RANDFILE = $dir/private/.rand # private random number file ( 随机文件不重要)
default_days = 365 # how long to certify for (证书默认有效期)
default_crl_days= 30 # how long before next (CRL吊销列表有效期发布时间)
default_md = default # use public key default MD ( 默认公钥机密机制为MD5)
preserve = no # keep passed DN ordering ( 不重要)
CA策略问题 很重要
[ policy_match ]
countryName = match(CA所在的国家和客户端必须相同)
stateOrProvinceName = match(省必须相同)
organizationName = match (组织必须相同)
organizationalUnitName = optional (部门)
commonName = supplied (给谁颁发的证书必须填)
emailAddress = optional (邮箱可选)
创建CA
1、创建所需要的文件
[[email protected] CA]# touch /etc/pki/CA/index.txt生成证书索引数据库文件 (默认为空文件)
[[email protected] CA]# echo 01 > /etc/pki/CA/serial指定第一个颁发证书的***
2、 CA自签证书
生成私钥
- cd /etc/pki/CA/
- (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[[email protected] ~]# cd /etc/pki/CA/
[[email protected] CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................+++
...................................+++生成自签名证书
- openssl req -new -x509 –key(私钥的文件名)
- /etc/pki/CA/private/cakey.pem -days 7300 -out
- /etc/pki/CA/cacert.pem
- -new: 生成新证书签署请求
- -x509: 专用于CA生成自签证书
- -key: 生成请求时用到的私钥文件 (private下的cakey.pem文件名)
- -days n:证书的有效期限
- -out /PATH/TO/SOMECERTFILE: 证书的保存路径
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN ##国家
State or Province Name (full name) []:beijing ##省份
Locality Name (eg, city) [Default City]:beijing ##城市
Organization Name (eg, company) [Default Company Ltd]:magedu ##机构
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[[email protected] CA]# ll
total 4
-rw-r--r-- 1 root root 1322 Oct 5 11:12 cacert.pem
drwxr-xr-x. 2 root root 6 Aug 4 2017 certs
drwxr-xr-x. 2 root root 6 Aug 4 2017 crl
drwxr-xr-x. 2 root root 6 Aug 4 2017 newcerts
drwx------. 2 root root 23 Oct 5 11:07 private同时也可以把CA证书导出到windows中
[[email protected] CA]# sz cacert.pem
rz
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring cacert.pem...
100% 1 KB 1 KB/sec 00:00:01 0 Errors导出后修改文件后缀:cacert.pem.crt
[[email protected] CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d4:a9:a8:07:a3:d3:fd:13
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=opt, CN=ca.magedu.com
Validity
Not Before: Oct 5 03:12:54 2018 GMT
Not After : Oct 2 03:12:54 2028 GMT
Subject: C=CN, ST=beijing, L=beijing, O=magedu, OU=opt, CN=ca.magedu.com***********************************查看已经存在的CA证书*************************
客户端向服务器申请证书
3、颁发证书
1、在需要使用证书的主机生成证书请求
给web服务器生成私钥
(umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
例子:生成私钥的目录可以根据需求放置
[[email protected] /etc/httpd 07:17:49]#(umask 066;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................++++++
....................++++++
e is 65537 (0x10001)2、生成证书申请文件
openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out etc/pki/tls/text.csr
[[email protected] /etc/httpd 07:19:57]#openssl req -new -key app.key -out app.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.bgg.com
Email Address []:***********注意:客户端向服务器申请证书时,填写的国家、省份、组织,必须和CA证书相同
[[email protected] /etc/httpd 07:23:06]#ls
app.csr app.key3、将证书请求文件传输给CA服务器
[[email protected] /etc/httpd 07:25:32]#scp app.csr 192.168.161.130:/etc/pki/CA
[email protected]'s password:
app.csr 100% 647 0.6KB/s 00:004、CA签署证书,并将证书颁发给请求者
[[email protected] CA]# openssl ca -in app.csr -out certs/app.crt -days 360
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 5 06:15:04 2018 GMT
Not After : Sep 30 06:15:04 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = opt
commonName = www.bgg.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
62:B6:BA:94:C0:24:F1:B1:A1:37:20:C1:25:59:DA:A9:FA:65:C2:B1
X509v3 Authority Key Identifier:
keyid:45:26:FF:3F:81:CF:80:5C:35:C5:4D:FB:E2:DE:DA:6E:63:35:9A:4E
Certificate is to be certified until Sep 30 06:15:04 2019 GMT (360 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y[[email protected] CA]# tree
.
├── app.csr
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old注意:默认国家,省,公司名称三项必须和CA一致
[[email protected] CA]# sz certs/app.crt
rz
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring app.crt...
100% 3 KB 3 KB/sec 00:00:01 0 Errors导出到windows中
如果默认国家,省,公司名称三项必须和CA不一致,我们可以修改策略来解决证书颁发问题
[[email protected] tls]# vim /etc/pki/tls/openssl.cnf ##修改策咯
[ policy_match ]
countryName = match ##改为optional
stateOrProvinceName = match ##改为optional
organizationName = match
organizationalUnitName = optional
********************************证书颁发完成*************************************
5、吊销证书
3、吊销证书:openssl ca -revoke /etc/pki/CA/newcerts/01.pem
[[email protected] CA]# openssl ca -revoke newcerts/01.pem4、指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行 echo 01 > /etc/pki/CA/crlnumber
[[email protected] CA]# echo 01 > /etc/pki/CA/crlnumber5、更新证书吊销列表
[[email protected] CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem6、查看crl吊销列表文件:
[[email protected] CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text