CA機構的搭建
1、CA簡介:
ca:Certificate Authority,證書頒發機構,也叫證書授權中心。CA主要職責是頒發和管理數字證書。其中心任務是頒發數字證書,並履行用戶身份認證的責任。現階段主要作爲電子商務交易中受信任的第三方,承擔公鑰體系中公鑰的合法性檢驗的責任。
2、公司自建CA實現架構:
1、使用openssl程序完成搭建;
2、需要構建角色:
1、CA服務器;
2、客戶端pc;
3、電商web服務器;
3、構建CA的過程:
CA服務器上操作:
[root@localhost ~]# yum -y install openssl :安裝openssl,這是搭建的核心命令;
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf
[CA_default]
dir :ca的工作目錄變量。被下方參數引用(注意:centos5上,此參數要改成絕對路徑,不能用相對路徑);
certs :證書存放位置;
crl_dir :吊銷證書的存放位置;
database :索引文件數據庫。簽署的所有證書索引文件。自動生成;
new_certs_dir :剛簽署的證書存放位置;
certificate :ca自己的證書位置;
serial :下一個證書的編號;
crlnumber :已吊銷證書的證書編號;
crl :當前正在使用的證書吊銷列表文件;
private_key :ca自己的私鑰,安全性很高(可以加密私鑰位置文件,讓別人拿到也看不了。但是每次使用都得解密);
RANDFILE :隨機種子數據文件;
x509_extensions :用戶證書;
name_opt :
cert_opt :
.........
自簽證書默認使用期限
吊銷期限
自簽證書需要的交互式信息,如國家代碼..
..........
:查看CA主配置文件,瞭解部分參數內容;
[root@localhost ~]# cd /etc/pki/CA/ :進入CA的工作目錄;
[root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................................+++
....................................+++
e is 65537 (0x10001) : 生成CA自己的私鑰文件,cakey.pem。默認權限爲600;
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki /CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn :國家代碼;
State or Province Name (full name) []:beijing :所在省份;
Locality Name (eg, city) [Default City]:beijing :所在城市;
Organization Name (eg, company) [Default Company Ltd]:CA :機構名稱;
Organizational Unit Name (eg, section) []:manager :部門名稱;
Common Name (eg, your name or your server's hostname) []:ca.manager.com :主機名稱(重要);
Email Address []:[email protected] :郵箱地址;
[root@localhost CA]#
:根據私鑰文件生成CA自簽證書。CA給自己簽發一個證書;
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# touch index.txt :創建索引文件;
[root@localhost CA]# touch serial :證書編號位置;
[root@localhost CA]# echo 01 > serial :自定義開始證書編號;
[root@localhost CA]# touch crlnumber :已吊銷證書編號文件;
[root@localhost CA]# ll
:以上的三個文件,是CA配置文件中定義的文件名,必須手動創建出來;
ok,以上簡單自建CA機構配置完畢;
4、爲httpd服務簽發證書:
有了自己的CA證書機構,現在測試給httpd服務器頒發一次證書;
操作位置:
CA服務器---192.168.57.172;
httpd服務器---192.168.57.175;
httpd服務器上操作:
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......................++++++
..++++++
e is 65537 (0x10001) :生成httpd私鑰;
[root@localhost httpd]# mv httpd.key ssl/
[root@localhost httpd]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 空
An optional company name []: 空
[root@localhost httpd]# :根據私鑰,創建證書申請文件httpd.csr;
[root@localhost httpd]# scp /etc/httpd/ssl/httpd.csr 192.168.57.172:/tmp/
The authenticity of host '192.168.57.172 (192.168.57.172)' can't be established.
RSA key fingerprint is f3:c6:fd:6b:c8:66:56:15:c7:2e:88:07:b3:ff:4b:48.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.57.172' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 688 0.7KB/s 00:00
[root@localhost httpd]# :利用scp命令,將httpd證書申請文件複製到CA服務器上,有CA進行數字簽名;
CA服務器上操作:
[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (CA) and the request (test)
[root@localhost tmp]# :報錯了,這裏說httpd申請裏的機構名字跟CA證書裏的機構名字不一樣。原因就是CA配置文件中有策略定義必須要一樣,編輯配置文件,關閉這些策略即可;
[root@localhost tmp]# vim /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
:將match改成optional即可,如下:
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 31 12:11:08 2015 GMT
Not After : Mar 30 12:11:08 2016 GMT
Subject:
countryName = cn
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = test
commonName = www.test.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:01:A5:A2:66:F4:5A:8C:D5:A1:2F:6A:B1:86:B2:89:28:D4:24:4D
X509v3 Authority Key Identifier:
keyid:25:CE:A2:A1:00:A7:19:69:94:96:7C:4F:32:1C:C8:7E:2D:E1:85:0B
Certificate is to be certified until Mar 30 12:11:08 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost tmp]# :再次執行證書籤發,生成httpd.crt證書文件。ok,沒問題了;
[root@localhost tmp]# cat /etc/pki/CA/serial
02
[root@localhost tmp]# ll /etc/pki/CA/newcerts/
總用量 4
-rw-r--r--. 1 root root 3830 3月 31 20:11 01.pem
[root@localhost tmp]# :查看CA證書編號和已頒發的證書;
[root@localhost tmp]# pwd
/tmp
[root@localhost tmp]# scp httpd.crt 192.168.57.175:/etc/httpd/ssl/
The authenticity of host '192.168.57.175 (192.168.57.175)' can't be established.
RSA key fingerprint is f3:c6:fd:6b:c8:66:56:15:c7:2e:88:07:b3:ff:4b:48.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.57.175' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 3830 3.7KB/s 00:00
[root@localhost tmp]# :將證書文件複製到httpd服務器的指定目錄下面;
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]#
[root@localhost ssl]#
[root@localhost ssl]# ll
總用量 12
-rw-r--r--. 1 root root 3830 3月 31 20:15 httpd.crt
-rw-r--r--. 1 root root 688 3月 31 19:23 httpd.csr
-rw-------. 1 root root 887 3月 31 19:20 httpd.key
[root@localhost ssl]# :來到httpd服務器上,查看自己成功申請的證書;
ok,至此,簡單的CA搭建和簽證過程完成了。