Building a certificate authority (CA) server for small and medium-sized businesses, explained in detail

1. Preparation
  One Red Hat 5.8 server, set up and working, with the openssl and openssl-devel packages installed.
2. Decide on the organisation information to be certified
  Country: China
  Province: Henan
  City: Zhengzhou
  Company: Wangej (網E家)
  Department: Technical department
  Server hostname: ca.wangej.com
  Administrator email: [email protected]
3. Keywords and command analysis
The most widely used standard CA storage format today is the X.509 format.

A complete certificate in the X.509 sense contains:
  the public key and its expiry time
  the legitimate owner of the certificate
  how the certificate may be used
  information about the issuing CA
  the CA's signature (the verification code signed by the CA)
The well-known Internet security mechanism TLS/SSL uses the X.509 format; OpenPGP is another such mechanism. All of these are implementations of the PKI architecture.
PS: corrections are welcome if you spot mistakes, thanks!
 
openssl version    show the openssl version
  openssl speed    benchmark the speed of the various algorithms openssl supports
  openssl enc      symmetric encryption and decryption:
      -e    encrypt
      -d    decrypt
      -k    specify the encryption key (passphrase)
      -a    base64-encode the output (or decode the input)
      openssl enc -des3 (cipher) -salt -a -in inittab (input file) -out inittab.des3 (output file)
  openssl dgst     compute a message digest (fingerprint):
      openssl dgst -sha1 passwd    using SHA-1
      openssl dgst -md5 passwd     using MD5
  openssl passwd   hash a password:
      openssl passwd -1            use the MD5-based crypt format
                     -salt         specify the salt
      openssl passwd -1 -salt 1234567
  openssl rand -base64 <length>    generate random bytes
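To show the enc and dgst commands above working together, here is an added example (not from the original post) that round-trips a constructed file through the post's `openssl enc -des3 -salt -a` command and uses `openssl dgst -sha1` to confirm decryption restores it byte for byte. It assumes openssl is in PATH; the key, file names and file contents are constructed for the example.

```shell
# Added example, not from the original post. Assumes openssl in PATH.
# The key 'example-key' and the inittab contents are constructed here.
set -e

enc_roundtrip() {          # $1 = scratch directory; returns 0 on a clean round trip
  # constructed sample input, standing in for the post's /etc/inittab
  printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$1/inittab"
  # encrypt exactly as the post does: 3DES, random salt, base64 output (-a)
  openssl enc -des3 -salt -a -k 'example-key' -in "$1/inittab" -out "$1/inittab.des3"
  # decrypt with the same key; -a tells enc to base64-decode first
  openssl enc -d -des3 -a -k 'example-key' -in "$1/inittab.des3" -out "$1/inittab.dec"
  # the ciphertext file must not still contain the plaintext
  if grep -q 'initdefault' "$1/inittab.des3"; then return 1; fi
  # fingerprint both files with the post's dgst command and compare
  before=$(openssl dgst -sha1 "$1/inittab" | sed 's/.*= //')
  after=$(openssl dgst -sha1 "$1/inittab.dec" | sed 's/.*= //')
  [ "$before" = "$after" ]
}
```

Newer openssl versions warn that the key derivation used by `-k` without `-pbkdf2` is deprecated; the round trip still works, but the warning is worth heeding for anything beyond a demonstration.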
4. Build procedure
Implementing a private CA with openssl:
1. Create the directories and files the service needs
Under /etc/pki/CA, create the three directories certs, crl and newcerts and the two files serial and index.txt, and give serial its initial header value.
  [root@www CA]# mkdir crl newcerts certs
  [root@www CA]# touch serial
  [root@www CA]# touch index.txt
  [root@www CA]# ls
  cacert.pem  crl  index.txt.attr  newcerts  serial  certs  index.txt  private
2. Generate a key pair
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 )   # the umask gives the file mode 0600 directly; the key is saved in private/cakey.pem
  [root@www private]# cat cakey.pem
3. Generate the self-signed certificate
openssl req -new -x509 (generate a self-signed certificate) -key (the private key file) private/cakey.pem -out (where to store it) cacert.pem
  [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:CN                                        # country
  State or Province Name (full name) [Berkshire]:Henan                        # province
  Locality Name (eg, city) [Newbury]:zhengzhou                                # city
  Organization Name (eg, company) [My Company Ltd]:wangej                     # company
  Organizational Unit Name (eg, section) []:jishubu                           # department
  Common Name (eg, your name or your server's hostname) []:ca.wangej.com      # server hostname
  Email Address []:[email protected]                                         # administrator email
4. View the certificate
openssl x509 -text (print it as readable text) -in (the certificate file to read)
  [root@www CA]# openssl x509 -text -in cacert.pem
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              b5:4a:6d:18:6c:ac:eb:b5
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/[email protected]
          Validity
              Not Before: Apr  7 06:26:56 2013 GMT
              Not After : May  7 06:26:56 2013 GMT
          Subject: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/[email protected]
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (2048 bit)
                  Modulus (2048 bit):
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Subject Key Identifier:
                  9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
              X509v3 Authority Key Identifier:
                  keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
                  DirName:/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com/[email protected]
                  serial:B5:4A:6D:18:6C:AC:EB:B5

              X509v3 Basic Constraints:
                  CA:TRUE
      Signature Algorithm: sha1WithRSAEncryption
5. On another host, generate a key and then request a certificate from the CA
(umask 077; openssl genrsa -out httpd.key 1024)                 # generate the host's private key
openssl req -new -key httpd.key -out httpd.csr                  # create the signing request to send to the CA
openssl ca -in httpd.csr -out httpd.crt -days 365               # the CA signs and confirms the request
  [root@www ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
  Using configuration from /etc/pki/tls/openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 1 (0x1)
          Validity
              Not Before: Apr  7 06:41:12 2013 GMT
              Not After : Apr  7 06:41:12 2014 GMT
          Subject:
              countryName               = CN
              stateOrProvinceName       = Henan
              organizationName          = Wangej
              organizationalUnitName    = jishubu
              commonName                = www.wangej.com
              emailAddress              = [email protected]
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  17:C6:85:DB:34:DC:AE:21:79:CA:22:90:C9:E2:14:7B:C3:3B:02:7D
              X509v3 Authority Key Identifier:
                  keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A

  Certificate is to be certified until Apr  7 06:41:12 2014 GMT (365 days)
  Sign the certificate? [y/n]:y


  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
With that, a complete certification workflow has been carried out; now just send the signed certificate httpd.crt back to the server that requested it.
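The whole procedure of steps 1 to 5, as an added example that is not part of the original post: it builds the same directory layout in a scratch directory instead of /etc/pki/CA, supplies a minimal openssl.cnf so `openssl ca` runs outside the Red Hat default config, answers the DN prompts with `-subj`, and finishes with `openssl verify` to confirm the issued certificate chains to the CA. It assumes openssl is in PATH; all paths, the config contents and the DN values are constructed for the example.

```shell
# Added example, not from the original post. Assumes openssl in PATH; every
# path, the config file and the DN values below are constructed for the example.
set -e
build_private_ca() {                     # $1 = CA directory (stands in for /etc/pki/CA)
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  : > "$1/index.txt"                     # empty issued-certificate database
  echo 01 > "$1/serial"                  # the serial "header" the post creates
  # minimal stand-in for /etc/pki/tls/openssl.cnf, pointing 'ca' at this directory
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048)   # file mode 0600
  openssl req -new -x509 -days 3650 -config "$1/openssl.cnf" \
    -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
    -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com"
}
issue_server_cert() {                    # $1 = CA dir, $2 = requesting host's dir, $3 = hostname
  (umask 077; openssl genrsa -out "$2/httpd.key" 2048)   # 2048 bits, not the post's 1024
  openssl req -new -key "$2/httpd.key" -out "$2/httpd.csr" \
    -config "$1/openssl.cnf" -subj "/C=CN/O=Wangej/CN=$3"
  openssl ca -batch -notext -config "$1/openssl.cnf" -days 365 \
    -in "$2/httpd.csr" -out "$2/httpd.crt"   # -batch answers the y/n prompts
}
# exit status 0 only if httpd.crt is signed by, and chains to, cacert.pem
verify_issued_cert() { openssl verify -CAfile "$1/cacert.pem" "$2/httpd.crt"; }
```

After `issue_server_cert` runs, index.txt holds one entry and serial has advanced to 02, which is the database update the post's `openssl ca` transcript reports.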