搭建私有CA服務器

搭建私有CA服務器

CA是什麼

CA（Certificate Authority）證書頒發機構主要負責證書的頒發、管理以及歸檔和吊銷。證書內包含了擁有證書者的姓名、地址、電子郵件賬號、公鑰、證書有效期、發放證書的CA、CA的數字簽名等信息。證書主要有三大功能：加密、簽名、身份驗證。

centos6.x上有關ssl證書的目錄結構以下:

/etc/pki/CA/
├── certs
├── crl      吊銷的證書
├── newcerts 存放CA簽署（頒發）過的數字證書（證書備份目錄）
└── private  用於存放CA的私鑰

/etc/pki/tls/
├── cert.pem -> certs/ca-bundle.crt   軟連接到certs/ca-bundle.crt
├── certs     該服務器上的證書存放目錄，能夠放置本身的證書和內置證書
│   ├── ca-bundle.crt 內置信任的證書
│   ├── ca-bundle.trust.crt
│   ├── make-dummy-cert
│   └── Makefile
├── misc
│   ├── CA
│   ├── c_hash
│   ├── c_info
│   ├── c_issuer
│   └── c_name
├── openssl.cnf openssl的CA主配置文件
└── private   證書密鑰存放目錄

CA要給別人頒發證書，首先本身得有一個做爲根證書，咱們得在一切工做以前修改好CA的配置文件、序列號、索引等等。

vi /etc/pki/tls/openssl.cnf

一.創建CA服務器

1.生成根密鑰

爲了安全起見，修改cakey.pem私鑰文件權限爲600或400，也可使用子shell生成( umask 077; openssl genrsa -out private/cakey.pem 2048 )，下面再也不重複。

cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
或使用命令
( umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )

執行結果以下：

[root@localhost CA]# ( umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )
Generating RSA private key, 2048 bit long modulus
..................+++
...+++
e is 65537 (0x10001)

參數說明：

（）：表示此命令在子進程中運行，其目的是爲了避免改變當前Shell中的umask值；
    genrsa：生成私鑰；
    -out：私鑰的存放路徑，cakey.pem：爲密鑰名，與配置文件中保持一致；
    2048：密鑰長度，默認爲1024。

2.生成根證書

使用req命令生成自簽證書：會提示輸入一些內容，由於是私有的，因此能夠隨便輸入（以前修改的openssl.cnf會在這裏呈現），最好記住能與後面保持一致
自簽證書cacert.pem應該生成在/etc/pki/CA下。

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650

執行結果以下：

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:home
Organizational Unit Name (eg, section) []:homepart
Common Name (eg, your name or your server's hostname) []:home.home
Email Address []:home@home.home

參數說明：

req：生成證書籤署請求；
    -x509：生成自簽署證書；
    -days n：證書的有效天數；
    -new：新請求；
    -key /path/to/keyfile：指定私鑰文件；
    -out /path/to/somefile：輸出文件位置。

3.初始化工做環境

touch /etc/pki/CA/index.txt /etc/pki/CA/serial   建立index.txt,serial文件
echo 01 > /etc/pki/CA/serial
mkdir -p /etc/pki/CA/csr/ 用來存放節點上傳過來的csr證書請求目錄

index.txt：索引文件，用於匹配證書編號；
serial：證書序列號文件，只在首次生成證書時賦值。

二.節點生成證書

以上都是在CA服務器上作的操做，並且只需進行一次，如今轉到nginx服務器上執行：

1.生成密鑰對：

爲咱們的nginx web服務器生成ssl密鑰

mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
(umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048) 生成私鑰

執行結果：

[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.................+++
e is 65537 (0x10001)

2.生成證書請求：

爲nginx生成證書籤署請求

openssl req -new -key /etc/nginx/ssl/nginx.key  -out /etc/nginx/ssl/nginx.csr

一樣會提示輸入一些內容，其它隨便，除了Commone Name必定要是你要授予證書的服務器域名或主機名，challenge password不填。

執行結果以下：

[root@localhost ssl]# openssl req -new -key /etc/nginx/ssl/nginx.key  -out /etc/nginx/ssl/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:mycompany
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:myweb.com
Email Address []:myweb@myweb.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.把簽署請求文件發送給CA服務器

接下來要把上一步生成的證書請求csr文件，發到CA服務器上（其中192.168.1.80爲CA服務器）

scp /etc/nginx/ssl/nginx.csr 192.168.1.80:/etc/pki/CA/csr/nginx.csr
測試時節點和CA服務器是同一臺,故使用以下命令
cp /etc/nginx/ssl/nginx.csr /etc/pki/CA/csr/nginx.csr

三.簽署證書

1.在CA服務器上籤署證書

私有CA根據請求來簽署證書,在CA服務器上執行

openssl ca -in /etc/pki/CA/csr/nginx.csr  -out /etc/pki/CA/nginx.crt -days 3650

另外在極少數狀況下，上面的命令生成的證書不能識別，試試下面的命令：
# openssl x509 -req -in /etc/pki/CA/csr/nginx.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out /etc/pki/CA/nginx2.crt

這裏出錯了,因爲根證書是beijing而節點是shanghai

[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/nginx.csr  -out /etc/pki/CA/nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (beijing) and the request (shanghai)

從新生成節點csr證書請求，設置區域爲beijing
執行結果以下(成功)：

[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/nginx.csr  -out /etc/pki/CA/nginx.crt -days 3650                                                        Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  2 10:21:22 2017 GMT
            Not After : May 31 10:21:22 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = home
            organizationalUnitName    = home
            commonName                = *.test.com
            emailAddress              = my@test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                96:D7:60:53:1E:52:3E:89:4F:A0:A4:3D:81:CA:97:D5:D8:67:AE:93
            X509v3 Authority Key Identifier: 
                keyid:D5:71:B2:72:16:62:03:09:BB:6D:B2:14:5F:F2:3C:B5:AE:C1:BD:08

Certificate is to be certified until May 31 10:21:22 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

上面簽發過程其實默認使用了-cert cacert.pem -keyfile cakey.pem，這兩個文件就是前兩步生成的位於/etc/pki/CA下的根密鑰和根證書。

2.將crt證書發送給請求者

將生成的crt證書發回nginx服務器使用。192.168.137.61爲nginx服務器地址

scp /etc/pki/CA/csr/nginx.crt  192.168.137.61:/etc/nginx/ssl/
同一臺本機使用
cp /etc/pki/CA/nginx.crt /etc/nginx/ssl/

到此咱們已經擁有了創建ssl安全鏈接所須要的全部文件，而且服務器的crt和key都位於配置的目錄下，剩下的是如何使用證書的問題。

四.吊銷證書

1.節點請求吊銷

[root@localhost CA]#  openssl x509 -in /etc/nginx/ssl/nginx.crt  -noout -serial -subject         
serial=01
subject= /C=CN/ST=beijing/O=home/OU=home/CN=*.test.com/emailAddress=my@test.com

參數說明:

x509：證書格式
-in：要吊銷的證書
-noout：不輸出額外信息
-serial：顯示序列號
-subject：顯示subject信息

2.CA驗證信息

2.1 節點提交的serial和subject信息來驗證與index.txt文件中的信息是否一致

[root@localhost CA]# cat /etc/pki/CA/index.txt
V       270531102122Z           01      unknown /C=CN/ST=beijing/O=home/OU=home/CN=*.17coolz.com/emailAddress=my@test.com

2.2 吊銷證書

openssl ca -revoke /etc/pki/CA/newcerts/01.pem

參數說明 -revoke：刪除證書。
執行結果

[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

2.3 查看被吊銷的證書列表

[root@localhost CA]# cat /etc/pki/CA/index.txt
R       270531102122Z   170602103652Z   01      unknown /C=CN/ST=beijing/O=home/OU=home/CN=*.17coolz.com/emailAddress=my@test.com

2.4 生成吊銷證書的編號（若是是第一次吊銷）

echo 00 > /etc/pki/CA/crlnumber

2.5 更新證書吊銷列表

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

執行結果：

[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

2.6 查看吊消crl文件內容

openssl crl -in crl/ca.crl -noout -text

執行結果

[root@localhost CA]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=home/OU=homepart/CN=home.home/emailAddress=home@home.home
        Last Update: Jun  2 10:41:24 2017 GMT
        Next Update: Jul  2 10:41:24 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                0
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jun  2 10:36:52 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
         a3:fc:cf:fd:08:44:d9:c0:fd:78:75:5f:79:3a:c3:16:17:da:
         b8:b1:cc:d8:67:28:73:75:4a:e1:11:e3:04:de:0a:36:4f:d6:
         de:ec:37:3b:0b:18:0f:24:18:d1:8b:c9:6a:f8:e0:d3:c6:cc:
         42:67:5b:15:34:da:f9:49:eb:19:73:33:4e:ef:eb:cb:82:12:
         4c:27:ee:5e:9d:50:5f:8b:0c:51:3a:05:e3:0f:fb:3c:0d:0b:
         8e:af:17:5e:b2:7d:30:af:e6:60:f2:6e:7f:b5:b5:9b:b1:f7:
         5e:d4:80:73:d3:cc:30:e1:78:71:db:81:a0:ad:49:6a:dc:5c:
         12:bf:31:0f:11:59:54:80:e9:74:36:f7:98:e2:86:f2:29:3f:
         b0:69:b8:a4:32:9d:1c:61:01:ed:0f:09:b0:10:be:f4:07:ac:
         32:91:9c:cc:35:cf:c3:cb:44:6b:86:22:81:7d:7a:71:9d:5c:
         34:da:30:47:5a:ce:0f:10:bc:2a:56:8f:41:85:de:95:48:5c:
         d3:b2:90:ae:4f:7e:7c:d1:53:5c:6f:67:cb:aa:cc:78:5b:1a:
         f6:31:5b:7e:04:03:73:da:6e:8d:00:d7:bf:db:75:6a:0e:44:
         be:c1:20:0f:72:40:4c:29:fc:aa:87:30:9e:84:55:e1:76:a2:
         00:05:39:18

參數說明

-text：以文本形式顯示。

參考：

http://www.178linux.com/12742
http://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_011_ca.html
http://seanlook.com/2015/01/18/openssl-self-sign-ca/