openssl命令:配置文件:/etc/pki/tls/openssl.cnf
构建私有CA:
在确定配置为CA的服务上生成一个自签证书,并为CA提供所需要的目录及文件即可
步骤:
(1) 生成私钥;
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
(2) 生成自签证书;
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
/*-new:生成新证书签署请求;
-x509:生成自签格式证书,专用于创建私有CA时;
-key:生成请求时用到的私有文件路径;
-out:生成的请求文件路径;如果自签操作将直接生成签署过的证书;
-days:证书的有效时长,单位是day;*/
You are about to be asked to enter information that will be incorporatedinto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:ME
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.me.com
Email Address []:[email protected]
(3) 为CA提供所需的目录及文件;
[root@localhost /]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@localhost /]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost /]# echo 01 > /etc/pki/CA/serial
要用到证书进行安全通信的服务器,需要向CA请求签署证书:
步骤:(以httpd为例)
(1) 用到证书的主机生成私钥;
[root@localhost httpd]# mkdir /etc/httpd/ssl
[root@localhost httpd]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
..+++
e is 65537 (0x10001)
(2) 生成证书签署请求
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporatedinto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:ME
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.me.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(3) 将请求通过可靠方式发送给CA主机;
测试使用scp命令将请求发送至CA主机
[root@localhost ssl]# scp http.csr [email protected]:/tmp/
The authenticity of host '192.168.0.104 (192.168.0.104)' can't be established.
ECDSA key fingerprint is f6:80:c9:d6:5a:68:10:a0:95:49:a5:1c:48:f8:65:68.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.104' (ECDSA) to the list of known hosts.
[email protected]'s password:
http.csr 100% 1041 1.0KB/s 00:00
(4) 在CA主机上签署证书;
[root@localhost /]# openssl ca -in /tmp/http.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 3 14:05:39 2017 GMT
Not After : Jun 3 14:05:39 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = ME
organizationalUnitName = Ops
commonName = www.me.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5A:FA:98:3F:D1:96:7B:F0:FF:83:BC:F5:2A:41:85:3E:DF:20:81:3E
X509v3 Authority Key Identifier:
keyid:74:46:21:24:27:6E:85:46:7E:37:6F:44:E9:97:76:3C:65:EB:6C:F8
Certificate is to be certified until Jun 3 14:05:39 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看证书序列号:
[root@localhost CA]# cat /etc/pki/CA/index.txt
V 180603140539Z 01 unknown /C=CN/ST=Beijing/O=ME/OU=Ops/CN=www.me.com
将证书发给请求者:
[root@localhost CA]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.0.150 (192.168.0.150)' can't be established.
ECDSA key fingerprint is 3b:89:4b:0b:f3:88:e8:9f:ab:8b:d0:d8:7a:83:6c:f2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.150' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt
100% 5819 5.7KB/s 00:00
查看证书中的信息:
[root@localhost CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subjectserial=01
subject= /C=CN/ST=Beijing/O=ME/OU=Ops/CN=www.me.com/[email protected]
或者:在客户机查看
[root@localhost ssl]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subjectserial=01
subject= /C=CN/ST=Beijing/O=ME/OU=Ops/CN=www.me.com/[email protected]
吊销证书:
步骤:
(1) 客户端获取要吊销的证书的serial(在使用证书的主机执行):
~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
(2) CA主机吊销证书
先根据客户提交的serial和subject信息,对比其与本机数据库index.txt中存储的是否一致;
吊销:
# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
其中的SERIAL要换成证书真正的序列号;
(3) 生成吊销证书的吊销编号(第一次吊销证书时执行)
# echo 01 > /etc/pki/CA/crlnumber
(4) 更新证书吊销列表
# openssl ca -gencrl -out thisca.crl
查看crl文件:
# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text