Building a private CA and issuing certificates
- OpenSSL: three components: openssl: the multi-purpose command-line tool; libcrypto: the cryptographic library; libssl: the implementation of the SSL/TLS protocol;
# PKI: Public Key Infrastructure
# CA: Certificate Authority (signs certificates and CRLs with its private key)
# RA: Registration Authority (verifies the identity of the requester)
# CRL: Certificate Revocation List
# Certificate repository (where issued certificates are stored and looked up)
# Building a private CA:
# OpenCA
# openssl
# Certificate request and signing steps:
# 1. Generate the certificate signing request;
# 2. The RA verifies the request;
# 3. The CA signs;
# 4. The requester retrieves the certificate;
Steps to create a private CA
OpenSSL configuration file: /etc/pki/tls/openssl.cnf (its [ CA_default ] section sets dir = /etc/pki/CA, which is why all the CA paths below live there)
- Signing flow:
#1. Create the files that `openssl ca` needs (in /etc/pki/CA)
# touch index.txt
# echo 01 > serial
#2. CA self-signed certificate
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
# -new: generate a new certificate signing request;
# -x509: output a self-signed certificate instead of a request (used only for the CA's own certificate);
# -key: the private key used to generate the request;
# -days n: validity period of the certificate (only meaningful together with -x509; a plain CSR carries no validity, the CA sets it when signing);
# -out /PATH/TO/SOMECERTFILE: where to save the certificate;
#3. Issuing certificates
# (a) the host that needs the certificate generates a request;
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
# (b) send the request file to the CA (only the .csr is sent; the private key never leaves the host);
# (c) the CA signs the certificate and returns it to the requester;
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
# Viewing the information in a certificate:
# openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-subject|-serial
#4. Revoking a certificate
# (a) the client obtains the serial of the certificate to be revoked
# openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
# (b) CA
# first compare the serial and subject submitted by the client against the entry in index.txt;
# revoke the certificate (the CA's own copy is kept in newcerts/, named after the serial):
# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
# (c) create the CRL number file (only needed once, before the first revocation)
# echo 01 > /etc/pki/CA/crlnumber
# (d) update the certificate revocation list
# openssl ca -gencrl -out thisca.crl
# The CRL must then be published where clients can fetch it and regenerated before default_crl_days expire; a client that never checks the CRL will keep accepting the revoked certificate.
# Viewing a CRL file:
# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
Certificate issuance and revocation test
#Generate the CA
[root@master CA]# touch index.txt
[root@master CA]# echo 01 > serial
[root@master CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
..........................................................+++
e is 65537 (0x10001)
[root@master CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #two-letter country code
State or Province Name (full name) []:GuangZhou #province
Locality Name (eg, city) [Default City]:TianHe #city
Organization Name (eg, company) [Default Company Ltd]:itab #company name
Organizational Unit Name (eg, section) []:jkl #department
Common Name (eg, your name or your server's hostname) []:ca.itab.com #hostname
Email Address []:caadmin@itab.com #email
[root@master CA]# ll
total 8
-rw-r--r-- 1 root root 1407 Nov 28 11:06 cacert.pem
drwxr-xr-x. 2 root root 6 Aug 9 09:38 certs
drwxr-xr-x. 2 root root 6 Aug 9 09:38 crl
-rw-r--r-- 1 root root 0 Nov 28 07:58 index.txt
drwxr-xr-x. 2 root root 6 Aug 9 09:38 newcerts
drwx------. 2 root root 22 Nov 28 07:59 private
-rw-r--r-- 1 root root 3 Nov 28 07:58 serial
#The host generates a certificate request and sends it to the CA server for signing
[root@slave httpd]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@slave httpd]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangZhou
Locality Name (eg, city) [Default City]:TianHe
Organization Name (eg, company) [Default Company Ltd]:itab
Organizational Unit Name (eg, section) []:jkl
Common Name (eg, your name or your server's hostname) []:www.itab.com
Email Address []:webadmin.itab.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#Note: the C, ST and O fields of the host's request must be the same as in the CA certificate; the default policy_match policy in openssl.cnf requires these three to match and `openssl ca` refuses to sign otherwise
#Upload the request to the CA server for signing
[root@slave httpd]# scp httpd.csr root@10.10.1.109:/tmp/
httpd.csr 100% 1050 1.0KB/s 00:00
[root@master CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 28 03:52:57 2019 GMT
Not After : Nov 27 03:52:57 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangZhou
organizationName = itab
organizationalUnitName = jkl
commonName = www.itab.com
emailAddress = webadmin.itab.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
28:98:E1:2E:E2:20:B2:F9:A7:ED:72:37:BE:87:C4:E4:45:2A:6A:5B
X509v3 Authority Key Identifier:
keyid:D6:30:CC:B0:D7:5E:A1:8E:C7:8F:D1:8A:9A:A1:27:03:8C:C7:ED:B6
Certificate is to be certified until Nov 27 03:52:57 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@master CA]# cat index.txt #the signed certificate is recorded in index.txt (status V = valid, expiry date, serial, subject)
V 201127035257Z 01 unknown /C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=www.itab.com/emailAddress=webadmin.itab.com
[root@master CA]# cp newcerts/01.pem certs/ #keep a copy of the signed certificate in the certs directory
#Send the certificate back to the host that requested it
[root@master CA]# scp /tmp/httpd.crt root@10.10.1.216:/etc/httpd/ssl/httpd.crt
httpd.crt 100% 4600 5.8MB/s 00:00
[root@slave ssl]# ll -h
total 8.0K
-rw-r--r-- 1 root root 4.5K Nov 28 11:57 httpd.crt
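Added example (not the page's own commands): the signing flow in steps 1-4 above and the policy_match note from the test run, executed end to end as a shell script in a throwaway directory with its own openssl.cnf, so nothing under /etc/pki is touched. Everything in it is assumed: the temporary directory layout, the cut-down config (a minimal version of the stock [ CA_default ] / policy_match / v3_ca / usr_cert sections), and the DNs, which reuse the page's example names. It also shows two things the transcript does not: a request whose O differs from the CA's being refused by policy_match, and a revoked certificate still passing `openssl verify` when the CRL is not checked.

```shell
#!/bin/sh
# Added example, not from the original page: the private-CA lifecycle from the
# notes (init, self-sign, issue, inspect, revoke, CRL) in a throwaway directory
# with its own openssl.cnf, so /etc/pki is untouched. Assumes POSIX sh, awk and
# the openssl CLI (1.1.x or 3.x); DNs reuse the page's names, paths are made up.
set -eu
# 1. Directory layout, index.txt / serial / crlnumber, and a minimal config.
ca_init() {
    CA_DIR=$(mktemp -d)
    mkdir -p "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/work"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# 2. CA key and self-signed certificate (the -x509 form of `openssl req`).
ca_selfsign() {
    openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 7300 -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -subj "/C=CN/ST=GuangZhou/O=itab/CN=ca.itab.com" \
        -out "$CA_DIR/cacert.pem"
}

# 3. Requester makes key + CSR ($1 = subject, $2 = basename); CA signs it.
#    -batch replaces the two y/n prompts. Returns non-zero if the CA refuses.
issue_cert() {
    openssl genrsa -out "$CA_DIR/work/$2.key" 2048 2>/dev/null
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/work/$2.key" \
        -subj "$1" -out "$CA_DIR/work/$2.csr"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 365 \
        -in "$CA_DIR/work/$2.csr" -out "$CA_DIR/work/$2.crt" 2>/dev/null &&
        [ -s "$CA_DIR/work/$2.crt" ]
}
# Step 4(a): read a serial; and the V/R status index.txt holds for a serial.
cert_serial()  { openssl x509 -in "$1" -noout -serial; }
index_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_DIR/index.txt"; }
# Chain check alone vs. chain check plus CRL check.
verify_chain()    { openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
                        -CRLfile "$CA_DIR/crl/ca.crl" "$1" >/dev/null 2>&1; }
# Step 4(b)-(d): revoke via the copy kept in newcerts/ and regenerate the CRL.
revoke_and_gencrl() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$1" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}

# Whole lifecycle; prints: serial, index status, verify result, policy-mismatch
# result, status after revocation, verify with CRL, verify without CRL.
ca_lifecycle_demo() {
    ca_init; ca_selfsign
    issue_cert "/C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=www.itab.com" www
    serial=$(cert_serial "$CA_DIR/work/www.crt"); st1=$(index_status 01)
    if verify_chain "$CA_DIR/work/www.crt"; then v1=ok; else v1=fail; fi
    # A request whose O differs from the CA's is refused by policy_match.
    if issue_cert "/C=CN/ST=GuangZhou/O=other/CN=evil.itab.com" evil; then p=accepted; else p=rejected; fi
    revoke_and_gencrl "$CA_DIR/newcerts/01.pem"; st2=$(index_status 01)
    if verify_with_crl "$CA_DIR/work/www.crt"; then v2=ok; else v2=revoked; fi
    # Caveat: a verifier that skips the CRL check still accepts the revoked cert.
    if verify_chain "$CA_DIR/work/www.crt"; then v3=ok; else v3=fail; fi
    echo "$serial $st1 $v1 $p $st2 $v2 $v3"
}
ca_lifecycle_demo   # prints: serial=01 V ok rejected R revoked ok
```

Run it with sh; it prints one summary line and leaves the temporary CA directory in place, so the results can be inspected with `openssl x509 -text` on work/www.crt, `cat index.txt`, and `openssl crl -text` on crl/ca.crl exactly as in the notes above. The last two fields are the point of the revocation caveat: only a client that does `-crl_check` with the current CRL (or an equivalent OCSP check) sees the revocation, so publishing and refreshing the CRL is part of running the CA, not an optional extra.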
Copyright: 龙之介大人
Article link: https://www.i7dom.cn/212/2019/09/openssl-ca.html
All original articles on this site are licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. You may freely repost and modify them, but you must credit the source and author, state that the text is not original, and not use it for commercial purposes.