構建私有CA:
在確定配置爲CA的服務上生成一個自簽證書,併爲CA提供所需要的目錄及文件即可;
步驟:
(1) 生成私鑰;
[root@centos7 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
........++
..........................++
e is 65537 (0x10001)
(2) 生成自簽證書;
-new:生成新證書籤署請求;
-x509:生成自籤格式證書,專用於創建私有CA時;
-key:生成請求時用到的私有文件路徑;
-out:生成的請求文件路徑;如果自籤操作將直接生成簽署過的書;
-days:證書的有效時長,單位是day;
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:ctc
Organizational Unit Name (eg, section) []:It
Common Name (eg, your name or your server's hostname) []:ca.ctc.com
Email Address []:[email protected]
檢查生成文件
[root@centos7 ~]# ls /etc/pki/CA
cacert.pem certs crl newcerts private
(3) 爲CA提供所需的目錄及文件;
[root@centos7 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@centos7 ~]# touch /etc/pki/CA/{serial,index.txt}
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial
CA Client端
步驟:(以httpd爲例)CA Client端
(1) 用到證書的主機生成私鑰;
[root@Centos6 ~]# mkdir /etc/httpd/ssl
[root@Centos6 ~]# cd /etc/httpd/ssl
[root@Centos6 ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
................+++
e is 65537 (0x10001)
(2) 生成證書籤署請求
[root@Centos6 ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:ctc
Organizational Unit Name (eg, section) []:It
Common Name (eg, your name or your server's hostname) []:Centos6
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(3) 將請求通過可靠方式發送給CA主機;
[root@Centos6 ssl]# scp httpd.csr [email protected]:/tmp
The authenticity of host '172.16.100.67 (172.16.100.67)' can't be established.
RSA key fingerprint is 00:cb:11:7a:1f:0f:8f:74:38:3e:70:b6:bd:76:74:cf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.67' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 1037 1.0KB/s 00:00
(4) 在CA主機上籤署證書;
[root@centos7 ~] openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 31 15:16:22 2018 GMT
Not After : Oct 31 15:16:22 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Shenzhen
organizationName = ctc
organizationalUnitName = It
commonName = Centos6
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:EB:D4:55:82:32:4E:B1:A1:88:72:2C:2E:46:36:62:59:BB:34:EB
X509v3 Authority Key Identifier:
keyid:C7:20:00:DA:3D:8D:A0:E1:65:6F:1C:CA:35:EA:62:2F:30:A9:9F:F9
Certificate is to be certified until Oct 31 15:16:22 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(5) 發送密鑰給CA clinet端
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/
The authenticity of host '172.16.100.65 (172.16.100.65)' can't be established.
RSA key fingerprint is 8b:8c:c9:e6:1f:74:36:3e:a5:0a:ba:14:9d:d5:ab:04.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.65' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 5811 5.7KB/s 00:00
查看證書中的信息:
[root@centos7 CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Shenzhen/O=ctc/OU=It/CN=Centos6/[email protected]
吊銷證書::步驟:
(1) 客戶端獲取要吊銷的證書的serial(在使用證書的主機執行):
[root@Centos6 ~]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Shenzhen/O=ctc/OU=It/CN=Centos6/[email protected]
(2) CA主機吊銷證書
先根據客戶提交的serial和subject信息,對比其與本機數據庫index.txt中存儲的是否一致;
吊銷:
查看serial對應的.pem文件
[root@centos7 ~]# ls /etc/pki/CA/newcerts/
01. pem
吊銷
[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
(3) 生成吊銷證書的吊銷編號(第一次吊銷證書時執行)
[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber
(4) 更新證書吊銷列表
# openssl ca -gencrl -out thisca.crl
查看crl文件:
# openssl crl -in thisca.crl -noout -text