I. Preparation
Set up one Red Hat 5.8 server and install the two packages openssl and openssl-devel.
II. Set the organization information to be certified
Country: China
Province: Henan
City: Zhengzhou
Company: 網E家
Department: Technical Department
Server hostname: ca.wangej.com
Administrator email: [email protected]
III. Key concepts and command analysis
The most widely used standard certificate storage format today is X.509.
A certificate in the full sense (x509) contains:
the public key and its expiry time
the legitimate owner of the certificate
how the certificate may be used
information about the issuing CA
the CA's signature (the verification code signed by the CA)
The well-known Internet security mechanism TLS/SSL uses the x509 format; besides it there is also the OpenPGP mechanism. All of these are implementations of the PKI architecture.
PS: if there are mistakes, corrections are welcome, thanks!
- openssl version: show the openssl version
- openssl speed: benchmark the speed of openssl's various cryptographic algorithms
- openssl enc:
- -e: encrypt
- -d: decrypt
- -k: specify the encryption key (passphrase)
- -a: base64-encode/decode the data
- openssl enc -des3 (the cipher to use) -salt -a -in (input file) inittab -out (output file) inittab.des3
- extracting a digest (fingerprint) with openssl:
- openssl dgst -sha1 passwd: using SHA-1
- openssl dgst -md5 passwd: using MD5
- openssl passwd:
- openssl passwd -1 (MD5-based crypt format)
- -salt (specify the salt)
- openssl passwd -1 -salt 1234567
- openssl rand -base64 length: generates random bytes of the given length, base64-encoded
IV. Building it
Implementing a private CA with openssl:
1. Create the directories and files the service needs
Under /etc/pki/CA, create the three directories certs, crl and newcerts and the two files serial and index.txt, and write the initial serial number (the "header") into serial.
- [root@www CA]# mkdir crl newcerts certs
- [root@www CA]# touch serial
- [root@www CA]# touch index.txt
- [root@www CA]# ls
- cacert.pem crl index.txt.attr newcerts serial certs index.txt private
2. Generate a key pair
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 ) # umask 077 gives the key file mode 600 directly; it is saved as private/cakey.pem
- [root@www private]# cat cakey.pem
3. Generate a self-signed certificate
openssl req -new -x509 (generate a self-signed certificate) -key (the private key file) private/cakey.pem -out (where to store the certificate) cacert.pem
- [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [GB]:CN # country
- State or Province Name (full name) [Berkshire]:Henan # province
- Locality Name (eg, city) [Newbury]:zhengzhou # city
- Organization Name (eg, company) [My Company Ltd]:wangej # company
- Organizational Unit Name (eg, section) []:jishubu # department
- Common Name (eg, your name or your server's hostname) []:ca.wangej.com # server hostname
- Email Address []:[email protected] # administrator email
4. View the certificate information
openssl x509 -text (output in text form) -in (the certificate file to read)
- [root@www CA]# openssl x509 -text -in cacert.pem
- Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b5:4a:6d:18:6c:ac:eb:b5
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/[email protected]
- Validity
- Not Before: Apr 7 06:26:56 2013 GMT
- Not After : May 7 06:26:56 2013 GMT
- Subject: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/[email protected]
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Key Identifier:
- 9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
- X509v3 Authority Key Identifier:
- keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
- DirName:/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com/[email protected]
- serial:B5:4A:6D:18:6C:AC:EB:B5
- X509v3 Basic Constraints:
- CA:TRUE
- Signature Algorithm: sha1WithRSAEncryption
5. Generate a key on another host and request a certificate from the CA
(umask 077; openssl genrsa -out httpd.key 1024) # generate the host's private key
openssl req -new -key httpd.key -out httpd.csr # create the certificate request to send to the CA server
openssl ca -in httpd.csr -out httpd.crt -days 365 # the CA server signs the request
- [root@www ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
- Using configuration from /etc/pki/tls/openssl.cnf
- Check that the request matches the signature
- Signature ok
- Certificate Details:
- Serial Number: 1 (0x1)
- Validity
- Not Before: Apr 7 06:41:12 2013 GMT
- Not After : Apr 7 06:41:12 2014 GMT
- Subject:
- countryName = CN
- stateOrProvinceName = Henan
- organizationName = Wangej
- organizationalUnitName = jishubu
- commonName = www.wangej.com
- emailAddress = [email protected]
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- 17:C6:85:DB:34:DC:AE:21:79:CA:22:90:C9:E2:14:7B:C3:3B:02:7D
- X509v3 Authority Key Identifier:
- keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
- Certificate is to be certified until Apr 7 06:41:12 2014 GMT (365 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated
With this a complete certification process has been carried out; now just send the signed certificate httpd.crt back to the server that requested it.
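The whole procedure above, as an added example that is not part of the original article: it runs steps 1 to 5 non-interactively in a scratch directory of your choosing (not /etc/pki/CA), with a minimal openssl.cnf written by the script instead of the system /etc/pki/tls/openssl.cnf, and then checks with openssl verify that the signed httpd.crt really chains to cacert.pem. It assumes openssl is on PATH; the subject values are the article's, while the scratch-directory layout, sha256 and the 2048-bit server key are this example's choices.

```shell
# Added example, not from the original article: the article's private-CA steps run
# non-interactively in a scratch directory, then checked with "openssl verify".
set -e
build_private_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    : > "$ca_dir/index.txt"; echo 01 > "$ca_dir/serial"   # empty DB, first serial
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # Steps 2-3: CA key (mode 600 via umask) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -key "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" \
        -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com"
    # Step 5: server key and CSR (made on the other host in the article), CA signs it.
    (umask 077; openssl genrsa -out "$ca_dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$ca_dir/httpd.key" \
        -out "$ca_dir/httpd.csr" -subj "/C=CN/ST=Henan/O=Wangej/OU=jishubu/CN=www.wangej.com"
    openssl ca -batch -config "$ca_dir/openssl.cnf" -days 365 \
        -in "$ca_dir/httpd.csr" -out "$ca_dir/httpd.crt" 2>/dev/null
}
verify_chain() {   # succeeds only if httpd.crt chains to cacert.pem and is not a CA
    openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null &&
        openssl x509 -in "$1/httpd.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Call build_private_ca with an empty directory and then verify_chain on the same directory; the policy_match section is why, as in the article's output, the signed certificate's subject carries only the fields listed there.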