如何利用 OpenSSL 来实现自制 CA 服务器呢? 这种情况下一般在一个公司内部可用到这种机制。
一、实现自建 CA 的大致流程
大致操作流程如上图所示。
二、自建 CA 的详细操作流程
第一步:自建 CA 服务器
1、生成秘钥
[root@centos6-5 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................................................................................................++
.........................................................................................................++
e is 65537 (0x10001)
[root@centos6-5 ~]#
# 秘钥文件的名称不能自己改动
2、自签证书
[root@centos6-5 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 360
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:root@magedu.com
[root@centos6-5 ~]#
# req 生成证书签署请求
# -news 新请求
# -key 指定私钥文件
# -out 签署文件的存放地方
# -x509 生成字签署文件
# -days 有效天数
对于秘钥文件的名称和自签署文件的名称不能自己指定的原因是:
在/etc/pki/tls/openssl.cnf 配置文件中:
这些文件名称在配置文件里里面指定好了。发现还需要有 index.txt 和 serial 俩个文件。
3、创建必要文件,初始化工作环境
[root@centos6-5 ~]# touch /etc/pki/CA/index.txt
[root@centos6-5 ~]# echo "00" > /etc/pki/CA/serial
第二步:节点申请证书
1、生成密钥对儿
[root@centos6-5 ~]# mkdir /etc/httpd/ssl;(umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
mkdir: cannot create directory `/etc/httpd/ssl': File exists
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................++
...............................++
e is 65537 (0x10001)
[root@centos6-5 ~]#
2、生成证书签署请求
[root@centos6-5 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [ZZ]:
Organization Name (eg, company) [MageEdu]:
Organizational Unit Name (eg, section) [Ops]:
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:www@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # 请求证书是否加密,此时设定密码,CA签名时需要输入密码
An optional company name []:
[root@centos6-5 ~]#
# 这里再输入相关名称时,如何修改默认值:
3、把签署请求文件发送给 CA 服务
# 由于这里请求签署的节点和 CA 服务器是同一台机器,所以在这里不需要这一步。
# 如果不是在同一台机器上,需要拷贝到 CA 服务器上。通常使用 scp 命令完成。
# 例如:scp /path/to/secert.crs root@CA_HOST_NAME:/path/to/somewhere/
第三步:CA签署证书
1、验正证书中的信息,签署证书
[root@centos6-5 ~]# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 300
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Aug 1 15:37:48 2014 GMT
Not After : May 28 15:37:48 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www.magedu.com
emailAddress = www@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
04:5E:41:F4:DF:77:DE:64:D3:C0:AC:3C:2E:69:C1:01:E5:80:30:4B
X509v3 Authority Key Identifier:
keyid:AF:D8:63:8A:94:87:40:2A:EA:15:FB:D4:E2:61:23:D7:E8:96:40:3B
Certificate is to be certified until May 28 15:37:48 2015 GMT (300 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos6-5 ~]#
2、发送给请求者
# 使用 scp 发送给请求者
至此签名完成,如下:
[root@centos6-5 ~]# cat /etc/pki/CA/index.txt
V 150528153748Z 00 unknown /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=www@magedu.com
[root@centos6-5 ~]# cat /etc/pki/CA/serial
01
[root@centos6-5 ~]#
三、证书的吊销
有时候我们的的节点秘钥丢了,此时就需要向 CA 申请吊销。
在节点:此时首先要在节点获取证书的serial
[root@server ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/emailAddress=www2@magedu.com
[root@server ssl]#
# noout 不输出额外信息
# serial 输出 serial 信息,在 serial 文件中
# 输出 subject 信息,在 index.txt 文件中
在CA:
1、验证信息
根据节点提交的serial和subject信息来验正与index.txt文件中的信息是否一致
[root@centos6-5 ~]# cat /etc/pki/CA/index.txt
V150528153748Z00unknown/C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=www@magedu.com
V140831155108Z01unknown/C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/emailAddress=www2@magedu.com
2、吊销证书
1)吊销证书
# 要吊销的证书一般在 /etc/pki/CA/newcerts 目录下,名称是 序列号.pem
[root@centos6-5 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6-5 ~]# cat /etc/pki/CA/index.txt
V 150528153748Z 00 unknown /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www.magedu.com/emailAddress=www@magedu.com
R 140831155108Z 140801160733Z 01 unknown /C=CN/ST=Henan/O=MageEdu/OU=Ops/CN=www2.magedu.com/emailAddress=www2@magedu.com
[root@centos6-5 ~]#
2)生成吊销列表(第一次吊销是需要)
[root@centos6-5 ~]# echo 00 > /etc/pki/CA/crlnumber
[root@centos6-5 ~]#
# 吊销列表文件也在/etc/pki/tls/openssl.cnf 里面定义的。
3)更新证书吊销列表
[root@centos6-5 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/01.crl
Using configuration from /etc/pki/tls/openssl.cnf
查看 crl 里的内容:
[root@centos6-5 ~]# openssl crl -in /etc/pki/CA/crl/01.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=Henan/L=ZZ/O=MageEdu/OU=Ops/CN=ca.magedu.com/emailAddress=root@magedu.com
Last Update: Aug 1 16:15:12 2014 GMT
Next Update: Aug 31 16:15:12 2014 GMT
CRL extensions:
X509v3 CRL Number:
0
Revoked Certificates:
Serial Number: 01
Revocation Date: Aug 1 16:07:33 2014 GMT
Signature Algorithm: sha1WithRSAEncryption
75:29:0d:44:97:a7:8d:a0:2c:30:a7:97:9c:b1:30:9b:ef:c7:
d4:53:d2:39:2e:5e:9d:5e:28:97:92:1a:04:ec:78:5d:8d:db:
85:44:d3:bc:fa:db:d2:76:16:d5:79:20:3a:10:db:18:d3:e7:
8e:3d:80:04:8c:92:6a:ae:ac:61:a5:dc:2d:9d:1f:ca:b3:03:
db:c1:ce:41:5f:91:f3:8b:7a:ff:c6:5b:5a:1f:fa:69:68:a3:
b0:2b:e8:22:58:53:57:c0:20:ec:be:21:bf:36:20:c2:a9:77:
85:21:f7:7f:87:a9:43:d3:01:45:c1:fd:1b:45:8d:8b:af:88:
83:17:2e:a0:8b:85:b6:cc:b4:54:9b:50:fa:e2:8a:7e:d4:6c:
a6:02:8a:e3:7e:11:03:0c:64:1e:13:07:10:b1:54:97:af:5a:
d8:ec:cd:62:02:1a:2d:a4:c8:b4:09:ef:d6:e1:c0:cb:f1:10:
ba:c1:12:3d:a6:8f:5a:5e:81:77:5a:58:52:47:ab:96:84:b3:
b8:2a:0e:cf:89:63:00:e3:90:df:c3:f6:f0:e5:d2:cc:9f:38:
31:e4:88:ad:55:1a:e1:83:0b:a3:32:28:2a:8e:1b:b7:2b:12:
01:0a:11:df:10:0e:34:ce:84:24:9e:5e:fa:f9:43:c9:c7:a4:
a4:a1:07:53:b1:74:9f:20:ba:a2:f7:30:11:1f:20:38:be:a7:
d9:1f:c1:12:21:71:e3:78:20:80:ec:46:d9:92:95:34:f5:ea:
da:6f:d8:e4:0f:f4:c1:09:6c:e6:55:fe:f6:ef:62:73:96:94:
4e:30:94:1c:e0:5f:ec:5e:13:ce:0a:5e:5e:88:3f:49:61:0c:
e2:c7:5a:33:72:1d:a3:84:5b:a8:e5:31:05:f2:5a:ac:0b:7d:
29:5a:60:b4:53:dd:33:f1:e2:e8:de:66:3b:da:4d:c9:56:eb:
85:08:f9:6b:5b:11:cc:c9:32:ec:5a:7a:4c:26:42:8f:fe:25:
a7:b9:31:6f:42:60:6d:8a:59:15:2e:b2:e0:7b:a3:b2:b6:d6:
93:c8:4d:b8:70:b3:54:78:c1:ac:8a:f8:a4:cb:6f:95:51:2d:
2b:64:90:b2:ed:51:01:5c:d2:2a:a2:9a:60:45:bb:c1:d3:87:
5c:aa:9f:0b:05:55:cf:3a:e9:d9:b5:23:80:6a:e4:9c:f6:90:
f5:af:24:94:00:88:67:d2:61:4d:66:b9:38:a7:d4:87:04:e1:
ad:11:4e:07:0d:88:33:96:34:25:e9:29:77:4e:61:b5:dd:1a:
15:d6:62:77:a3:f8:95:43:a0:52:f7:09:40:58:6b:5a:a3:88:
d8:0d:7b:6b:6e:ab:3a:65
[root@centos6-5 ~]#
至此如何如何自建 CA,签名证书和吊销证书构建完毕。至于,如何将获得签名的证书导入我们需要的应用程序中,在后续博客中讲解。
亿速云提供多种品牌、不同类型SSL证书签发服务,包含:域名型、企业型、企业型专业版、增强型以及增强型专业版,单域名SSL证书300元/年起。点击查看>>
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。