Linux系統搭建私有CA證書服務器
1、CA簡介node
CA是什麼?CA是Certificate Authority的簡寫,從字面意思翻譯過來是憑證管理中心,認證受權。它有點相似咱們生活中的身份證頒發機構,這裏的CA就至關於生活中頒發身份證的機構。不一樣於生活中的頒發機構,這裏的CA是給服務器頒發證書。頒發證書的目的同生活中的辦理身份證的目的相似,都是爲了證實一件事,生活中的身份證能夠證實咱們是一個合法的公民,而服務器頒發證書的目的也是證實咱們服務是一個合法的服務器,換句話說就是有了證書咱們就能夠清楚知道咱們訪問的服務器究竟是不是咱們真正想訪問的服務器。從而識別咱們訪問的服務器的真假。ios
2、中間人攻擊原理算法
如上圖所示,咱們在和對方服務器通訊的過程,存在着中間人攻擊的狀況。所謂中間人攻擊,就是攻擊者站在通信雙方的中間,對於客戶端它充當着服務器的角色,對於服務器端它又充當着客戶端的角色。簡單說它就是兩邊欺騙。當咱們向服務器發起通訊請求時,中間人會截獲咱們發向服務器端的報文,從而進行修改,而後把修改後的報文發送給服務端,服務端收到中間人篡改的數據報文,進行響應,把響應報文發送給中間人,而後中間人再發給客戶端。這樣一個過程就是中間人攻擊的過程。能夠看到客戶端服務端雙方直接通訊是不安全的。如上圖所示,通訊雙方交換密鑰,直接交換就存在中間人欺騙,由於咱們不可以肯定遠端服務器的真僞和客戶端的真僞。爲了解決這一問題,由此衍生出CA。CA在這裏的充當的角色至關於中間人角色,不一樣的是CA是一個權威的中間人。它能夠證實客戶端和服務端的真僞。windows
3、加密解密以及獲取公鑰過程安全
衆所周知經常使用的加密方式有三種,單向加密,對稱加密,和非對稱加密。單向加密從字面意思理解就是一方加密,在加密過程當中不使用密鑰,咱們把單向加密也叫不可逆加密,一般用於驗證文件的真假,或者驗證文件是否改動,從而驗證文件的完整性。經常使用的單向加密算法有md5,sha。對稱加密講的是加密和解密用的同一密鑰。換句話說對稱加密只有一個密鑰,只要拿到對應的密鑰就能夠解密。經常使用的對稱加密有des。非對稱加密講的是公鑰加密私鑰解密,私鑰加密公鑰解密,且公鑰和私鑰是一對,加密解密都須要的是一對密鑰裏的任意一個。這種加密比前兩種更加安全和適用,缺點是加解密大文件速度慢。bash
瞭解了非對稱加密的特性,咱們再來講說它的過程。通訊雙方要進行非對稱加密通訊,前提是須要拿到對方的公鑰,私鑰放在各自手裏,各自的公鑰則存放在對方的手上。換句話講,客戶端須要拿到服務端的公鑰,才能和服務端通訊,服務端須要拿到客戶端的公鑰,才能主動和客戶端通訊。從而才能夠實現非對稱加密通訊。那麼客戶端怎麼獲得服務端的公鑰呢?若是客戶端直接向服務端發送公鑰,上面咱們說過,這種方式存在中間人攻擊,由於直接交換公鑰是不都能肯定對方身份的。這個時候就須要說說CA證書的做用了。服務器
證書裏面存放了申請證書機構服務器的公鑰和CA的信息以及有效期。通信雙方在創建加密通訊的時候,須要驗證證書的合法性,從而實現驗證身份的目的。一般狀況咱們要驗證證書的合法性就須要證書頒發機構的公鑰來對證書解密,由於證書在頒發的時候,裏面的公鑰是經過頒發機構的私鑰對其進行加密的。只要咱們可以用頒發機構的公鑰解開證書,那麼就說明這個證書就是一個合法的證書,至少它證實了這個證書是權威機構(咱們信任的)CA頒發的。同理通訊雙方要進行加密通訊也是經過證書來獲取密鑰的。具體過程是這樣的,客戶端向服務端發起通訊請求,服務端發送證書給客戶端,客戶端拿到證書進行解密,若是可以用信任CA機構的公鑰解開,說明服務器發送過來的證書沒有問題,而後把服務端公鑰給存起來。客戶端有了服務端的公鑰後就能夠向服務端發送用服務端的公鑰加密的數據了,可是服務端沒有客戶端的公鑰,它不可以用本身的私鑰來加密數據發送給客戶端,由於它的公鑰是公開的,不光客戶端上有服務端的公鑰,中間人也有。因此爲了確保數據的安全,客戶端須要隨機生成一個密碼,而後經過服務器的公鑰,把隨機生成的密碼加密後發送給服務端,服務端收到客戶端發來的加密數據後,用本身的私鑰解開,從而拿到客戶端發來的隨機密碼,有了這個隨機密碼後,服務端就拿這個隨機密碼對稱加密數據,而後發送給客戶端。客戶端收到服務端發送過來的加密報文,用剛纔發送給服務端的隨機密碼解密,從而獲得真正的數據。後續雙方就是經過這個隨機密碼來加密解密傳輸數據。這裏還須要說明的是,這個隨機密碼不是一直不變的,每隔一段時間後,客戶端和服務端就會協商,重複上面的過程,生成新的隨機密碼進行加密解密通訊。mvc
從上面的通訊過程咱們能夠知道,證書的做用就是爲了驗證其服務器的真實合法性,以及傳輸服務端的公鑰的做用。而服務器的公鑰就是用來客戶端向服務端發送隨機密碼,用來加密隨機密碼的做用,從而實現,只有服務端能夠拿到這個隨機密碼的做用,實現安全加密通訊。app
4、CA服務器的實現dom
一、安裝openssl軟件
[root@test ~]# yum install openssl -y
說明:一般狀況下openssl是系統默認安裝的有,若是沒有須要安裝。
二、查看配置文件,以及匹配策略
36 [ ca ] 37 default_ca = CA_default # The default ca section 38 39 #################################################################### 40 [ CA_default ] 41 42 dir = /etc/pki/CA # Where everything is kept 43 certs = $dir/certs # Where the issued certs are kept 44 crl_dir = $dir/crl # Where the issued crl are kept 45 database = $dir/index.txt # database index file. 46 #unique_subject = no # Set to 'no' to allow creation of 47 # several ctificates with same subject. 48 new_certs_dir = $dir/newcerts # default place for new certs. 49 50 certificate = $dir/cacert.pem # The CA certificate 51 serial = $dir/serial # The current serial number 52 crlnumber = $dir/crlnumber # the current crl number 53 # must be commented out to leave a V1 CRL 54 crl = $dir/crl.pem # The current CRL 55 private_key = $dir/private/cakey.pem# The private key 56 RANDFILE = $dir/private/.rand # private random number file 57 58 x509_extensions = usr_cert # The extentions to add to the cert 59 60 # Comment out the following two lines for the "traditional" 61 # (and highly broken) format. 62 name_opt = ca_default # Subject Name options 63 cert_opt = ca_default # Certificate field options 64 65 # Extension copying option: use with caution. 66 # copy_extensions = copy 67 68 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 # so this is commented out by default to leave a V1 CRL. 70 # crlnumber must also be commented out to leave a V1 CRL. 71 # crl_extensions = crl_ext 72 73 default_days = 365 # how long to certify for 74 default_crl_days= 30 # how long before next CRL 75 default_md = sha256 # use SHA-256 by default 76 preserve = no # keep passed DN ordering 77 78 # A few difference way of specifying how similar the request should look 79 # For type CA, the listed attributes must be the same, and the optional 80 # and supplied fields are just that :-) 81 policy = policy_match 82 83 # For the CA policy 84 [ policy_match ] 85 countryName = match 86 stateOrProvinceName = match 87 organizationName = match 88 organizationalUnitName = optional 89 commonName = supplied 90 emailAddress = optional 91 92 # For the 'anything' policy 93 # At this point in time, you must list all acceptable 'object' 94 # types. 95 [ policy_anything ] 96 countryName = optional 97 stateOrProvinceName = optional 98 localityName = optional 99 organizationName = optional 100 organizationalUnitName = optional 101 commonName = supplied 102 emailAddress = optional 103 104 ####################################################################
說明:可看到openssl默認配置裏面指定了證書存放相關文件的路徑,和CA默認匹配策略,其中國家名稱、省州名稱、組織名稱是必須同CA設置的信息一致,固然這些匹配是否和CA設置的同樣,是經過配置文件來判斷的可自行設置。通用名稱是必需要填寫的,其餘都是可選。
三、建立CA自簽名證書
3.一、生成私鑰
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@test CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................+++
............+++
e is 65537 (0x10001)
[root@test CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@test CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAmM8gDY90zksYI2myhqsGgMBGAPnlLbIBwiqYnte2PJZRnEJv
aYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6JaAp/eMZcqzYVU2a6VhxPQLBP3
5dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4F3gP79hz/JxwK0yShlIGCnPP
cCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m2OesiDW1LFPrvotRo+aBwexI
1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0FyZGS1ZP/+Jf1ZfbvL2w9kcmlQ
0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QIDAQABAoIBADUWQBx16i6BCDHF
VrBSWkAAjFFqf6QQY2wBQGRurHEAB/oxWmNeEFk9R3cDDur08vSuDP/Fid7r0vul
jZCfHVuiW4Lt51NzIPulhoTZkjkLORcXGNhSOpoBsKxS2u8BsrkoXB7GMn3yHHB2
E6PIwfYqksYUf/TjTehEsPNZ9s2Sx/ioscHfnIRd7Uct0Gu5mI5C6qP/7BhEyNRb
bnFGGB0dSFDtFPqGUIfTeWApJUH1/vUTUXrrZLH4FEubMuf4k0ZIV3cGyvdZVVQ+
iyoWTTetPOhFbRMnKtqgJ+yVhck7uEAgIB/JrMI3x768JoJpyAgxGlZFmxS86mdr
TzDzZcECgYEAxwv/Jcrb3E5gGC77qSEWlq+IVomAgHRVU4M81byw6YV7wAssW10t
X8pm84H3G8yJMuxGYdHdXpl9PzxwXaS7Qh82uZVQbGALiWyhHloEIoI+oH9pGtXf
uWqQKmrYURtq8AoULhALn03zCjJINGfY9/WlYX6qi32UpnKg6snmDD8CgYEAxIhA
u+By9YazW/YVgEHoh5UmWL0yfX8rBEn1fRwwhjfhQtfs50zoL83SVKpKY8VtfR/r
/YcIaWx8+R5g+g/aAYDeKHO1x+uW2yqWMdXjdkY/kzoM0G7gPvSC7F3vr6dWuHUC
6v4839EElIKHyCK0NMumnPvoUUDrbP1YlJ1cLs8CgYBsGU/QLoOI+eemOp3iFF44
J8xbcwGewY81c6iuS3Oo3x1+BpNoawohY8LVrFePeV1pkngG1/rpTWJ/3UsJEFXC
a0FFOJocwWyCjcRSv4BPXXy1nXxvXofKIt14q94e7kz9X/vlqEEnmyXK+9PK4jsr
LvVKJYhpiSIZ41cRK+UL8QKBgF0S3f1b3XWTtkt97k7QZ8wWAZQS/d9bI0cjs4Pt
nrlhq2eZlNMxo+BHzC1WfGZlsGWKgZuOoJg0zba5AVpLuYXuvsdPjS5Bzy66K2ks
j02LFT6nRjxL1h1adMp17jY0vKgcmiYqAzBH77BZZO6OKOO78orz7eDVKulxzcqL
/4UXAoGAKk1Yfa8ZVJGlzjZHl/imvce2B+78ALJItw8hUAOxjU3780vzuppyG5o/
Zg25XbW9FbOUXt+8Tyd3/yFBBGdZ1OvL9YSngtGyLX7X3aWbg9xwR7fz8bheI+J7
QcLouNuHoUis+3EHbQIcQM9CTrP7sjFMM2LxPzxz7qPuV0ru2bg=
-----END RSA PRIVATE KEY-----
[root@test CA]#
說明:爲了建立的私鑰的安全,建議把其權限修改爲600。固然建立私鑰的時候也能夠用對稱加密算法對其私鑰加密,這樣更加安全。須要注意的是加密後的私鑰,咱們要用的時候就須要對其輸入對稱加密的口令。若是須要把私鑰用對稱加密算法加密,須要指定其加密算法便可。生成的私鑰名稱必須同配置文件中的名稱相同。
3.二、簽發自簽名證書
[root@test CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SICHUAN
Locality Name (eg, city) [Default City]:GUANGYUAN
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:DEVOPS
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
[root@test CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
[root@test CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIDpTCCAo2gAwIBAgIJANCoyQ6AYK/SMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
BAYTAkNOMRAwDgYDVQQIDAdTSUNIVUFOMRIwEAYDVQQHDAlHVUFOR1lVQU4xDTAL
BgNVBAoMBFRFU1QxDzANBgNVBAsMBkRFVk9QUzEUMBIGA1UEAwwLY2EudGVzdC5j
b20wHhcNMjAwMTI5MTAzNjM2WhcNMjIxMDI1MTAzNjM2WjBpMQswCQYDVQQGEwJD
TjEQMA4GA1UECAwHU0lDSFVBTjESMBAGA1UEBwwJR1VBTkdZVUFOMQ0wCwYDVQQK
DARURVNUMQ8wDQYDVQQLDAZERVZPUFMxFDASBgNVBAMMC2NhLnRlc3QuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmM8gDY90zksYI2myhqsGgMBG
APnlLbIBwiqYnte2PJZRnEJvaYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6Ja
Ap/eMZcqzYVU2a6VhxPQLBP35dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4
F3gP79hz/JxwK0yShlIGCnPPcCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m
2OesiDW1LFPrvotRo+aBwexI1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0Fy
ZGS1ZP/+Jf1ZfbvL2w9kcmlQ0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QID
AQABo1AwTjAdBgNVHQ4EFgQUQ/0tcuVAvzoOA13SD2x8W9Brx0EwHwYDVR0jBBgw
FoAUQ/0tcuVAvzoOA13SD2x8W9Brx0EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAAl/gUsSCgKjeSq5K2TyLc3VUP2KN1m+Wu9qWKAgXiaMxY8iWj3I8
AxfNkTAqNGz66BpXh9G4hDL844spvnomjdUbCufFlNLnrkxCIyWPNVKk69fCa61T
ANzgvTbIfh/xfdfyctZpU3q9Ptcra9ksYUg7mY7209xJ+emqsBnKwYKigCCrQTT3
dxvRHFOV3Z0wJgHCtTetMI25OcpEXk3Tk75k+ayEmiTdMp2Zdk00qmOtZfCmtHO9
KdHVTAOCAOaQtd4aOZMsgADBWXVP2NPmosUm2onvrKTFB6tYXXhj5j6tPVFunCZE
R2w2VMa+Q+Pgmmt5AeqoALQaBdR31IFj0Q==
-----END CERTIFICATE-----
[root@test CA]#
說明:頒發的證書默認是無法用cat命令來查看證書裏面的信息的,咱們能夠經過把證書導出到windows上查看,也能夠經過openssl來查看。ca的私鑰和證書存放路徑須要參考其配置文件中的定義來指定存放。
在windows上查看辦法的證書
說明:在Windows上查看,須要把其後綴更改成.crt才能夠雙擊查看。之因此它提示咱們說此CA根目錄證書不受信用,是由於windows上沒有將其證書導入,沒有改根CA的信息。默認狀況下,Windows裏面內置了一些權威CA的證書,因此咱們在權威的CA下申請的證書,放在windows上就不會報不信任的CA證書了。
用openssl查看證書
[root@test CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d0:a8:c9:0e:80:60:af:d2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com
Validity
Not Before: Jan 29 10:36:36 2020 GMT
Not After : Oct 25 10:36:36 2022 GMT
Subject: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:98:cf:20:0d:8f:74:ce:4b:18:23:69:b2:86:ab:
06:80:c0:46:00:f9:e5:2d:b2:01:c2:2a:98:9e:d7:
b6:3c:96:51:9c:42:6f:69:84:73:0a:0c:3d:c1:27:
1a:f6:82:39:ad:41:ae:d7:02:ce:93:c3:65:02:41:
3a:5b:88:57:bb:a2:5a:02:9f:de:31:97:2a:cd:85:
54:d9:ae:95:87:13:d0:2c:13:f7:e5:db:df:65:3e:
2f:a6:ce:f7:ec:e4:7e:97:c8:1c:25:15:f6:54:f7:
1f:26:e3:14:fa:be:0a:6c:14:f8:17:78:0f:ef:d8:
73:fc:9c:70:2b:4c:92:86:52:06:0a:73:cf:70:22:
b9:c5:2e:a3:28:11:f7:7b:37:4b:b1:1c:b4:64:24:
54:c1:7f:a2:be:50:09:f3:32:7f:6d:5e:26:d8:e7:
ac:88:35:b5:2c:53:eb:be:8b:51:a3:e6:81:c1:ec:
48:d6:f9:34:d5:8c:30:d7:1f:c3:52:7c:62:60:2a:
ce:3d:2d:15:df:05:a9:49:2e:ab:da:a5:d5:bf:41:
72:64:64:b5:64:ff:fe:25:fd:59:7d:bb:cb:db:0f:
64:72:69:50:d3:06:9d:1e:4c:77:33:81:c9:ca:f5:
a2:9c:e1:29:32:ca:d3:af:7a:7d:44:ae:bb:a0:db:
38:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
X509v3 Authority Key Identifier:
keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
02:5f:e0:52:c4:82:80:a8:de:4a:ae:4a:d9:3c:8b:73:75:54:
3f:62:8d:d6:6f:96:bb:da:96:28:08:17:89:a3:31:63:c8:96:
8f:72:3c:03:17:cd:91:30:2a:34:6c:fa:e8:1a:57:87:d1:b8:
84:32:fc:e3:8b:29:be:7a:26:8d:d5:1b:0a:e7:c5:94:d2:e7:
ae:4c:42:23:25:8f:35:52:a4:eb:d7:c2:6b:ad:53:00:dc:e0:
bd:36:c8:7e:1f:f1:7d:d7:f2:72:d6:69:53:7a:bd:3e:d7:2b:
6b:d9:2c:61:48:3b:99:8e:f6:d3:dc:49:f9:e9:aa:b0:19:ca:
c1:82:a2:80:20:ab:41:34:f7:77:1b:d1:1c:53:95:dd:9d:30:
26:01:c2:b5:37:ad:30:8d:b9:39:ca:44:5e:4d:d3:93:be:64:
f9:ac:84:9a:24:dd:32:9d:99:76:4d:34:aa:63:ad:65:f0:a6:
b4:73:bd:29:d1:d5:4c:03:82:00:e6:90:b5:de:1a:39:93:2c:
80:00:c1:59:75:4f:d8:d3:e6:a2:c5:26:da:89:ef:ac:a4:c5:
07:ab:58:5d:78:63:e6:3e:ad:3d:51:6e:9c:26:44:47:6c:36:
54:c6:be:43:e3:e0:9a:6b:79:01:ea:a8:00:b4:1a:05:d4:77:
d4:81:63:d1
[root@test CA]#
四、在客戶端建立證書申請
4.一、生成私鑰信息
[root@test-node3 ~]# mkdir ssl [root@test-node3 ~]# cd ssl/ [root@test-node3 ssl]# (umask 077;openssl genrsa -out /root/ssl/app.key 2048) Generating RSA private key, 2048 bit long modulus .............................................................+++ .........................+++ e is 65537 (0x10001) [root@test-node3 ssl]# ls app.key [root@test-node3 ssl]# cat app.key -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA6XtScxyxgI7gC+1xYQFSXIF9RqCTAZ4WpWGQYzs30XLT1cxl /hJ8McxMQ137H1g+PeEFbNV3oyBjEt3feCck5sb9TP4tsIhT6Lt3Zt6PIqOfDZ8k OxWDJp/DNXHwuC8ME/mfv3CleJbL5Clyb9ovYeZkEQPK9TgG7pCHU0AxTw0r7ELP A29Ugd/lFGQNTJt39Kmy7uBOPhKEQ+fHVaMqtmy1q/SpnM92vGvR40xRgl+HJ17A 0ACAEjbf3wK+qoQ/WBCCpMkeTLoFEn/Sa7SmZZt2F0k2cTyxSzVKadPQUlrpWVHb zX4IDI/ssS9weiDsLL5eScj/CWWRFhKu7z98YQIDAQABAoIBAQDKu6RqA741DNqK QNC0FHu5i06GJyO+wdCUJdVD9MWQ/o3mFSdyqAZjDywhStek7fCNtngJeon5gUPF vBYwtHycTqjfU83EfXuumCkjj5jl0QFoyIijLRjGTu8n1xnYNDHenmAR0PQ9c2Lz aPHPIbsG3RCCnbJ7nvyV5bU7mn+2TOb41csMVjLJoK2N91QEljkAn+4oqpTVJgJa TnUKvafBjCn+ctZDKcsZ0H/yFhGbt0ZFEXql3WFM5AOE5tBmlmqrQY/4CzeqlPCX zYpuUCHQBj9UYj58SfVUEoaN+gNX82amUqBOablJMpGR0vDh0CxsAxnPYF7O1o6P hXIjjmPJAoGBAPg74aMUMoG3o91NpoedLdRrMOYcYBdd3H7KwPyXzHMoYHQjfHEm hJKqZgE53U+TfxdFr8EJcR8aoDzDLp3+5F1ANCZD2FgvWptAyABx+I09J0OES0VB M3hhp0pOYot1ylBbFrvGGANFa8WAnO+yyNU91CFUhp7kmQ5TuUUHt2kzAoGBAPDJ SiXn30hQO8zVCHXzCrcltKfSnU4LiceI0jhneHfW8b42/tEegXVTEOIBiPmhLA8x 8xeIC/fS1B0ih7Uus9MUBJUN7RhlWSxGPcxA//JAxffGJwmxoYxYFkwvoTyTQrJE igBmE6+PdSb7JOB4c3nt/YwPYvjQOieNolRMIwwbAoGBAOoNhA2AwLKAVVgXnBoo QIsV2pBNVukRThKa1+YStuopuvAmeXIysDOdyPoE9j/OwblOso2fenKqZ0WDf1Pn fqjSHZmqxLU5SQQzy6Bn1cROUdQeS95rwL0TzmmIiPAXyv+DM2cvO3ryHNCnGNIF T8mIN5iJmzj8L7hLhteok+3zAoGAbot7RzvU/tYXHksPv1b9rGfbMNE49wPFFZ5z JQIcBKjiA3osMsXWmY6xSZF62WBtYeyEtmD3XaelSlr4Au6WEGo4UFY8a97bub/l z0hoOUgTm1WVxpWOnWgzlHaph630CPP+h4BVuVwbZPIYVBX4rhndNdg6kBDJIi+c PydVT9ECgYEAwF5U/YS9IIb8n1NXARXA3nWmfqdJM2JcYwh33ILFB0+2gm4nr4Ie xb14BlFMl8mYVKqykHpdE73/LYZWu/inkti8APmHyP3+7QHMWagpCucCHxGzagWy sdo8HSqbkcQJoB0pTLPZGHEGuLMzzAII6fc+sZsHPi2NLbZZFPGdWjk= -----END RSA PRIVATE KEY----- [root@test-node3 ssl]#
4.二、生成證書申請文件
[root@test-node3 ssl]# ll total 4 -rw------- 1 root root 1679 Jan 29 18:55 app.key [root@test-node3 ssl]# openssl req -new -key app.key -out app.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SICHUAN Locality Name (eg, city) [Default City]:CHENGDU Organization Name (eg, company) [Default Company Ltd]:TEST Organizational Unit Name (eg, section) []:DEVOPS Common Name (eg, your name or your server's hostname) []:www.test.org Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@test-node3 ssl]# ll total 8 -rw-r--r-- 1 root root 1005 Jan 29 19:02 app.csr -rw------- 1 root root 1679 Jan 29 18:55 app.key [root@test-node3 ssl]
4.三、把文件傳給CA,在CA上進行證書頒發
[root@test CA]# rz
rz waiting to receive.
zmodem trl+C ȡ
100% 1005 bytes 1005 bytes/s 00:00:01 0 Errors
[root@test CA]# ls
app.csr cacert.pem certs crl newcerts private
[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140645247747984:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140645247747984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@test CA]# touch /etc/pki/CA/index.txt
[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140572255938448:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140572255938448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@test CA]# echo 00 > /etc/pki/CA/serial
[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 29 11:06:08 2020 GMT
Not After : Jan 28 11:06:08 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = SICHUAN
organizationName = TEST
organizationalUnitName = DEVOPS
commonName = www.test.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB
X509v3 Authority Key Identifier:
keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
Certificate is to be certified until Jan 28 11:06:08 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test CA]# tree
.
├── app.crs
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 00.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@test CA]#
說明:在跟客戶端頒發證書的時候須要依賴兩個文件/etc/pki/CA/index.txt和/etc/pki/CA/serial,前者文件主要存放已經頒發的證書信息,後者存放下一個將要頒發的證書的序列號。這裏說一下/etc/pki/CA下的各個文件和目錄的做用吧,certs目錄存放頒發證書的目錄,crl存放吊銷證書列表文件的目錄,index.txt.attr存放證書subject信息是否惟一的配置信息,index.txt.old存放上一次頒發證書的信息,newcerts目錄存放已經頒發的證書,而且以序列號命名的證書,每頒發一次證書,在咱們指定的路徑下生成指定名稱的證書後,newcerts目錄下會自動生成一個以序列號爲名稱的證書,這個證書同咱們指定路徑下存放的證書信息如出一轍。private目錄存放私鑰文件。serial.old存放上一次頒發證書的序列號。
4.四、查看頒發證書的信息
Windows上查看
Linux上查看
[root@test CA]# openssl x509 -in certs/app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com
Validity
Not Before: Jan 29 11:06:08 2020 GMT
Not After : Jan 28 11:06:08 2021 GMT
Subject: C=CN, ST=SICHUAN, O=TEST, OU=DEVOPS, CN=www.test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:7b:52:73:1c:b1:80:8e:e0:0b:ed:71:61:01:
52:5c:81:7d:46:a0:93:01:9e:16:a5:61:90:63:3b:
37:d1:72:d3:d5:cc:65:fe:12:7c:31:cc:4c:43:5d:
fb:1f:58:3e:3d:e1:05:6c:d5:77:a3:20:63:12:dd:
df:78:27:24:e6:c6:fd:4c:fe:2d:b0:88:53:e8:bb:
77:66:de:8f:22:a3:9f:0d:9f:24:3b:15:83:26:9f:
c3:35:71:f0:b8:2f:0c:13:f9:9f:bf:70:a5:78:96:
cb:e4:29:72:6f:da:2f:61:e6:64:11:03:ca:f5:38:
06:ee:90:87:53:40:31:4f:0d:2b:ec:42:cf:03:6f:
54:81:df:e5:14:64:0d:4c:9b:77:f4:a9:b2:ee:e0:
4e:3e:12:84:43:e7:c7:55:a3:2a:b6:6c:b5:ab:f4:
a9:9c:cf:76:bc:6b:d1:e3:4c:51:82:5f:87:27:5e:
c0:d0:00:80:12:36:df:df:02:be:aa:84:3f:58:10:
82:a4:c9:1e:4c:ba:05:12:7f:d2:6b:b4:a6:65:9b:
76:17:49:36:71:3c:b1:4b:35:4a:69:d3:d0:52:5a:
e9:59:51:db:cd:7e:08:0c:8f:ec:b1:2f:70:7a:20:
ec:2c:be:5e:49:c8:ff:09:65:91:16:12:ae:ef:3f:
7c:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB
X509v3 Authority Key Identifier:
keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
Signature Algorithm: sha256WithRSAEncryption
46:94:4f:ab:6f:43:43:fb:0d:d1:e2:71:ff:5d:5b:0e:39:59:
c2:3f:92:47:88:84:2f:80:e4:00:a1:94:86:9a:bc:19:bb:22:
22:e1:2f:93:d1:1b:19:92:5f:de:46:47:30:e4:f5:b7:d8:b4:
e7:62:37:9c:17:cc:e7:8c:f4:b7:8a:cc:09:62:fd:6f:56:e3:
a3:22:1d:d8:01:e2:34:87:45:86:04:be:c7:91:b4:e9:49:f6:
39:c9:c4:67:6a:f7:8b:96:09:2f:d3:d4:a4:e5:a3:f0:d9:1d:
e6:dc:28:65:da:70:27:9b:70:5a:6a:a5:5a:77:c3:51:e0:54:
b0:7f:e4:a1:9a:4c:b5:d2:82:84:d9:3f:c8:57:dd:25:0a:80:
81:61:c6:a4:d1:5b:19:21:5d:19:1e:7d:b4:4f:a2:54:f4:bf:
f9:d0:2e:ba:4a:94:f1:93:be:54:cc:3b:19:7a:ae:fd:bd:4a:
b5:e3:55:a3:2a:a0:69:0e:08:78:9d:91:d5:df:02:bd:ec:c9:
cc:d2:6e:68:bf:48:3c:73:df:e9:62:92:8f:6c:9d:2f:2c:32:
85:46:a7:30:22:22:9c:2d:af:d0:cf:02:e0:21:3b:1d:6a:a3:
f7:81:0b:63:10:8c:f1:30:4a:05:08:4b:52:ad:4a:1d:14:9c:
0c:64:2b:71
[root@test CA]#
到此私有CA服務器的搭建、證書的申請和頒發就完成了,後續使用證書,就須要把證書放到對應的應用目錄,配置其應用服務來使用其證書便可。一般申請證書不用在客戶端申請,在服務端建立私鑰,建立申請證書文件,而後簽發證書,生成證書文件,而後把私鑰和證書發給客戶端便可。
五、吊銷證書
[root@test CA]# openssl x509 -in certs/app.crt -noout -serial -subject serial=00 subject= /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org [root@test CA]#
說明:以上命令是對要吊銷的證書獲取其序列號和subject信息,這個操做通常是客戶端上查看,而後把信息發送給CA
[root@test CA]# openssl ca -revoke /etc/pki/CA/newcerts/00.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 00. Data Base Updated [root@test CA]#
說明:在CA上,根據客戶端提交的serial與subject信息,對比檢驗是否與index.txt文件的信息一致,而後在進行吊銷證書操做
六、更新證書吊銷列表crl文件
[root@test CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140437997475728:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140437997475728:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@test CA]# echo 00 > /etc/pki/CA/crlnumber
[root@test CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@test CA]#
說明:第一次更新證書吊銷列表,它會提示咱們說缺乏crlnumber文件,這個文件同serial的做用相似,都是存放的是版本號,咱們須要建立其文件,並寫一個16進制的編號,一般是從00或者01開始。(這個文件同serial同樣都會自動增加,通常後續不須要怎麼維護它)
[root@test CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=SICHUAN/L=GUANGYUAN/O=TEST/OU=DEVOPS/CN=ca.test.com
Last Update: Jan 29 11:48:03 2020 GMT
Next Update: Feb 28 11:48:03 2020 GMT
CRL extensions:
X509v3 CRL Number:
0
Revoked Certificates:
Serial Number: 00
Revocation Date: Jan 29 11:41:28 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
87:12:f8:b2:ec:b7:77:94:4b:bc:e4:ea:69:03:27:78:d3:b5:
43:8d:45:c5:a4:50:53:d7:3b:81:48:a1:cf:5d:43:4e:13:01:
91:5e:a2:f2:87:44:87:84:16:b2:1d:0e:28:81:88:d4:1a:c2:
a4:55:22:9f:d0:b9:6b:3c:80:e2:6e:98:fb:c3:18:3e:d3:a0:
49:a3:0e:19:64:2f:03:51:4b:ec:32:1c:c8:41:62:46:e8:4f:
8c:ec:a2:07:1c:fc:4b:20:61:ca:04:0e:31:8b:b9:4e:ce:42:
81:66:d6:09:3e:1e:15:44:76:33:27:07:fd:17:10:6d:d0:12:
cf:4f:ce:cb:3d:b4:6d:68:f1:5a:1a:4f:44:a6:65:cd:f6:3b:
4e:2e:3f:6d:2a:f8:d5:8a:52:5a:b0:8d:b1:8f:73:08:50:9c:
89:d3:c0:97:0e:13:89:37:cc:13:ad:d9:db:61:06:6d:4f:0a:
6b:58:a0:53:0a:2b:e8:23:18:cd:3b:0c:5d:9e:77:c3:85:3e:
e3:3c:ab:ad:45:9e:3c:18:7a:85:b0:51:7e:4d:8e:c6:18:e7:
fc:4d:f1:01:ac:b3:89:2c:eb:f7:0e:f9:3c:ea:5a:42:ff:43:
6b:98:9f:a0:89:59:28:92:c9:ed:d3:59:87:ca:04:8c:8c:92:
c0:a1:72:8a
[root@test CA]# cat /etc/pki/CA/index.txt
R 210128110608Z 200129114128Z 00 unknown /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org
[root@test CA]# cat /etc/pki/CA/crlnumber
01
[root@test CA]#
說明:證書吊銷後其index.txt裏的信息會發生變化,R表示該證書已經被吊銷,V表示該證書未吊銷。
在windows上查看證書吊銷列表crl文件
相關文章
- 1. 搭建私有CA服務器
- 2. 搭建私有CA,並頒發證書
- 3. 建立私有CA和證書申請
- 4. 建立私有CA並簽發證書
- 5. 創建私有CA並簽發證書
- 6. 創建私有CA及頒發證書
- 7. Openssl搭建私有CA認證
- 8. 自建CA證書搭建https服務器
- 9. Linux搭建CA服務
- 10. centos7搭建CA服務器頒發ssl證書
- 更多相關文章...
- • Git 服務器搭建 - Git 教程
- • 服務器上的 XML - XML 教程
- • Docker容器實戰(七) - 容器眼光下的文件系統
- • Spring Cloud 微服務實戰(三) - 服務註冊與發現
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 搭建私有CA服務器
- 2. 搭建私有CA,並頒發證書
- 3. 建立私有CA和證書申請
- 4. 建立私有CA並簽發證書
- 5. 創建私有CA並簽發證書
- 6. 創建私有CA及頒發證書
- 7. Openssl搭建私有CA認證
- 8. 自建CA證書搭建https服務器
- 9. Linux搭建CA服務
- 10. centos7搭建CA服務器頒發ssl證書