Setting up a private CA on Linux

        A digital certificate provides electronic attestation for secure communication between two parties. On the Internet, an intranet or an extranet it is used to identify the peer and to bootstrap encryption. A certificate binds a public key to identifying information about the key's owner and carries a CA's signature over both; the private key is never part of the certificate. A relying party authenticates the holder by checking that signature and the identity information it covers.

    

    Certificate request and signing steps:

1. The applicant generates a key pair and a certificate signing request (CSR);

2. The RA verifies the applicant's identity;

3. The CA signs the request;

4. The applicant retrieves the issued certificate.

    Creating the private CA

         1. Create the bookkeeping files that openssl ca expects under /etc/pki/CA. index.txt is the certificate database (one line per issued certificate) and serial holds the next serial number to issue; the certs, crl, newcerts and private directories are already there:

             [root@xiong CA]# touch index.txt
             [root@xiong CA]# echo 01 > serial
             [root@xiong CA]# ls
             certs  crl  index.txt  newcerts  private  serial

           2. Generate the CA's private key and self-signed certificate. The subshell with umask 077 makes the key file mode 0600 from the moment it is written. The key belongs in private/cakey.pem, which is where the default openssl.cnf (private_key = $dir/private/cakey.pem), the openssl req command below and the later openssl ca command look for it:

              [root@xiong CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

                Generating RSA private key, 4096 bit long modulus

                ..............................++

                ...............................................................................++

                e is 65537 (0x10001)   

            [root@xiong CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 365 -out cacert.pem

            You are about to be asked to enter information that will be incorporated

            into your certificate request.

            What you are about to enter is what is called a Distinguished Name or a DN.

            There are quite a few fields but you can leave some blank

            For some fields there will be a default value,

            If you enter '.', the field will be left blank.

            -----

            Country Name (2 letter code) [XX]:CN

            State or Province Name (full name) []:Beijing

            Locality Name (eg, city) [Default City]:Beijing

            Organization Name (eg, company) [Default Company Ltd]:Dk     

            Organizational Unit Name (eg, section) []:Ops

            Common Name (eg, your name or your server's hostname) []:ca.xiong.cn

            Email Address []:[email protected]

            What the options do:

                -new: generate a new certificate signing request

                -x509: output a self-signed certificate instead of a CSR (this is how the CA's own certificate is produced)

                -key: the private key used to generate and sign the request

                -days n: validity period in days; only meaningful together with -x509, since for a plain CSR the validity is set by the CA at signing time

                -out /PATH/TO/SOMECERTFILE: where to write the result

            Caveat: the signature hash is taken from default_md in /etc/pki/tls/openssl.cnf, which is sha1 on older CentOS releases (the certificate issued further down shows sha1WithRSAEncryption). SHA-1 signatures are deprecated and rejected by modern TLS clients, so pass -sha256 to openssl req here and -md sha256 to openssl ca, or set default_md = sha256 in the config.

            

            List the two files just generated, cakey.pem and cacert.pem (in this listing cakey.pem sits in /etc/pki/CA itself; openssl ca reads it from private/, so that is where it has to live):

            [root@xiong CA]# ls -l

            total 28
            -rw-r--r--  1 root root 1399 Jun 14 19:51 cacert.pem
            -rw-------  1 root root 3247 Jun 14 19:06 cakey.pem
            drwxr-xr-x. 2 root root 4096 Jun 14 18:50 certs
            drwxr-xr-x. 2 root root 4096 Feb 20 23:49 crl
            -rw-r--r--  1 root root    0 Jun 14 19:03 index.txt
            drwxr-xr-x. 2 root root 4096 Jun 14 18:48 newcerts
            drwx------. 2 root root 4096 Jun 14 18:17 private
            -rw-r--r--  1 root root    3 Jun 14 19:03 serial

            

            On the client (web server) host, generate the server's private key and a certificate signing request. The key is generated on the host that will use it and never leaves it; only the CSR, which carries the public key and the DN, is sent to the CA:

            [root@hl ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)

            Generating RSA private key, 4096 bit long modulus

            ..................................................................................++

            ............................................................................................................++

            e is 65537 (0x10001)

        [root@hl ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr

        You are about to be asked to enter information that will be incorporated

        into your certificate request.

        What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

        For some fields there will be a default value,

        If you enter '.', the field will be left blank.

        -----

        Country Name (2 letter code) [XX]:CN

        State or Province Name (full name) []:Beijing

        Locality Name (eg, city) [Default City]:Beijing

        Organization Name (eg, company) [Default Company Ltd]:Dk

        Organizational Unit Name (eg, section) []:Ops

        Common Name (eg, your name or your server's hostname) []:www.xiong.cn

        Email Address []:[email protected]  

        Please enter the following 'extra' attributes

        to be sent with your certificate request

        A challenge password []:123456

        An optional company name []:centos

        

        The 'extra' attributes (challenge password, optional company name) are legacy CSR attributes that openssl ca does not use; leave them blank rather than typing a real password there. The client now has two files:

        [root@hl ssl]# ls

        httpd.csr  httpd.key

       Send httpd.csr to the CA so it can be signed. For this walkthrough it is simply copied to /tmp on the CA host; in a real deployment it goes to the CA's designated intake directory. Only the CSR is transferred; httpd.key stays on the server.

[root@hl ssl]# scp httpd.csr [email protected]:/tmp/

The authenticity of host '192.168.2.30 (192.168.2.32)' can't be established.

ECDSA key fingerprint is 62:d9:92:9a:3a:be:c1:82:6a:96:36:da:b7:9d:e3:a9.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.2.32' (ECDSA) to the list of known hosts.

[email protected]'s password: 

httpd.csr                                                                                               100% 1801     1.8KB/s   00:00    

[root@hl ssl]# 

On the CA, sign the request and approve it:

[root@xiong CA]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Jun 14 15:20:46 2017 GMT

            Not After : Jun 14 15:20:46 2018 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = Dk

            organizationalUnitName    = Ops

            commonName                = www.xiong.cn

            emailAddress              = [email protected]

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                37:6B:FF:B5:74:93:4F:ED:36:BC:23:2F:77:66:4D:31:48:BF:23:A6

            X509v3 Authority Key Identifier: 

                keyid:8C:D9:52:FD:D6:EC:86:99:DE:14:D4:A8:D9:C5:01:CF:69:DA:E2:D1


Certificate is to be certified until Jun 14 15:20:46 2018 GMT (365 days)

Here openssl ca asks whether you really want to sign; answer y, and y again to commit the new entry to index.txt:

Sign the certificate? [y/n]:   y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Inspect the issued certificate (the output is long, so only the beginning is shown). Two things are worth noting. The Subject has no L=Beijing even though the CSR supplied one: the default policy_match section in openssl.cnf lists countryName, stateOrProvinceName, organizationName, organizationalUnitName, commonName and emailAddress but not localityName, and openssl ca silently drops any DN field its policy does not mention. And the signature algorithm is sha1WithRSAEncryption, which comes from default_md = sha1 in this system's openssl.cnf.

[root@xiong CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt  -noout -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1 (0x1)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=Beijing, L=Beijing, O=Dk, OU=Ops, CN=ca.xiong.cn/[email protected]

        Validity

            Not Before: Jun 14 15:20:46 2017 GMT

            Not After : Jun 14 15:20:46 2018 GMT

        Subject: C=CN, ST=Beijing, O=Dk, OU=Ops, CN=www.xiong.cn/[email protected]

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (4096 bit)

                Modulus:

Finally, copy the signed certificate from the CA back to the server's target directory. The "POSSIBLE BREAK-IN ATTEMPT" line is ssh warning that the reverse DNS name for 192.168.2.30 (bogon) does not resolve back to that address; on a lab network with bogus PTR records that is expected, but on a production network it deserves a look before you type a password.

[root@xiong CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/

Address 192.168.2.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

[email protected]'s password: 

httpd.crt                                                                                               100% 6051     5.9KB/s   00:00    

Check the certificate in the target directory on the client:

[root@hl ~]# ls /etc/httpd/ssl/

httpd.crt  httpd.csr  httpd.key
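The whole procedure above as one replayable script. This is an added example, not code from the original post: it runs non-interactively against a scratch directory (a stand-in for /etc/pki/CA and the server's /etc/httpd/ssl), uses a minimal openssl.cnf of its own instead of the distribution default, and ends with the checks worth running before httpd.crt is shipped back to the server. The config also fixes the three things the post's output exposes: SHA-1 signatures, the policy that drops localityName, and the missing subjectAltName that current clients require in place of the CN. It assumes OpenSSL 1.1 or newer on PATH; the names CADIR, SRVDIR and the helper functions are mine, and keys are 2048 bits here to keep the run short where the post uses 4096.

```sh
#!/bin/sh
# Added example (not from the original post). Replays the CA workflow
# non-interactively in a scratch directory. Assumptions: OpenSSL >= 1.1 on
# PATH; $CADIR stands in for /etc/pki/CA, $SRVDIR for /etc/httpd/ssl.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"
SRVDIR="$CADIR/server"
CA_CN="ca.xiong.cn"
SERVER_CN="www.xiong.cn"
CRT="$CADIR/certs/httpd.crt"

# Step 0: directory layout and bookkeeping files 'openssl ca' expects, plus a
# minimal config. Compared with a stock openssl.cnf it signs with sha256,
# keeps every DN field the CSR supplies (policy_anything) and copies the
# CSR's subjectAltName into the issued certificate.
ca_init() {
    mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private" "$SRVDIR"
    chmod 700 "$CADIR/private"
    : > "$CADIR/index.txt"            # certificate database, starts empty
    echo 01 > "$CADIR/serial"         # next serial number to issue
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
copy_extensions = copy
x509_extensions = server_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_req ]
subjectAltName = DNS:$SERVER_CN
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 1 (CA host): key created with mode 0600, then the self-signed CA cert.
ca_selfsign() {
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$CADIR/openssl.cnf" \
        -extensions v3_ca -key "$CADIR/private/cakey.pem" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Dk/OU=Ops/CN=$CA_CN" \
        -out "$CADIR/cacert.pem"
}

# Step 2 (server host): the key never leaves this host; only the CSR does.
server_csr() {
    (umask 077; openssl genrsa -out "$SRVDIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" -reqexts server_req \
        -key "$SRVDIR/httpd.key" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Dk/OU=Ops/CN=$SERVER_CN" \
        -out "$SRVDIR/httpd.csr"
}

# Step 3 (CA host): sign. -batch answers the two y/n prompts seen in the post.
ca_sign() {
    openssl ca -config "$CADIR/openssl.cnf" -batch -notext -days 365 \
        -in "$SRVDIR/httpd.csr" -out "$CRT" 2>/dev/null
}

# Step 4: what to check before shipping httpd.crt back to the server.
cert_verify()       { openssl verify -CAfile "$CADIR/cacert.pem" "$CRT"; }
cert_sigalg()       { openssl x509 -in "$CRT" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
cert_has_locality() { openssl x509 -in "$CRT" -noout -subject -nameopt RFC2253 | grep -q 'L=Beijing'; }
cert_has_san()      { openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$SERVER_CN"; }
ca_is_ca()          { openssl x509 -in "$CADIR/cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
key_matches_cert()  { [ "$(openssl pkey -in "$SRVDIR/httpd.key" -pubout)" = "$(openssl x509 -in "$CRT" -noout -pubkey)" ]; }

ca_init; ca_selfsign; server_csr; ca_sign
cert_verify                                   # prints "<path>: OK"
openssl x509 -in "$CRT" -noout -subject -issuer -dates -nameopt RFC2253
```

Run it as-is to get a throwaway CA under a mktemp directory, or set CADIR to a real path. key_matches_cert is the check that catches the classic deployment mistake of pairing a certificate with the wrong key file, and cert_has_locality shows that policy_anything keeps the L= field the stock policy_match discards.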


This is my first blog post as a beginner, so there are bound to be many problems in it; if you spot any, please point them out! Many thanks.
