1 Introduction to the CA
A CA (Certificate Authority) is the body that issues certificates; it is the core of PKI. The CA is responsible for issuing certificates, authenticating certificates and managing the certificates it has already issued. It must define policies and concrete procedures for verifying and identifying a user's identity, and it signs the user's certificate so that the certificate holder's identity and ownership of the public key can be trusted. For example, when Alice and Bob communicate, a third party C might intercept the traffic and impersonate Alice to Bob and Bob to Alice, so the information leaks; the CA is what lets both sides verify that the other party's identity is genuine. A certificate contains:
1) information about the certificate holder
2) information about the CA
3) the permitted uses of the certificate
4) the public key
PKI (Public Key Infrastructure): its core component is the CA.
2 Steps to build a CA
1) Use openssl to build a private CA, which includes generating a private key and a self-signed certificate
2) The node needs to: generate a key pair; generate a certificate signing request; send the request to the CA
3) The CA: verifies the requester's information; signs the certificate; sends the signed certificate back to the requester.
3, Lab steps
1, Build the CA server and generate the private key; the key file must have 400 or 600 permissions
[root@localhost private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/ccc.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
.........+++
e is 65537 (0x10001)
[root@localhost private]# ls
cakey.pem ccc.pem
This must be done in the /etc/pki/CA/private directory. cakey.pem was generated earlier; this time the file ccc.pem is used.
2 req: generate a certificate signing request
-x509: output a self-signed certificate instead of a signing request
-days X: valid for X days
-new: generate a new request
-key /path/to/keyfile: specify the private key file
-out /path/to/somefile: specify the file to write the output to
Self-signed certificate
[root@localhost private]# openssl req -new -x509 -key /etc/pki/CA/private/ccc.pem -out /etc/pki/CA/cace.pem -days 30
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:ZZC
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:cc.ccc.com
[root@localhost private]# ls
cakey.pem ccc.pem
3, Initialize the environment
[root@localhost private]# touch /etc/pki/CA/{index1.txt,serial1}
[root@localhost private]# echo 01 > /etc/pki/CA/serial1
4, The node applies for a certificate
1) Generate a key pair
[root@stu31 ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
.............+++
e is 65537 (0x10001)
This key pair is generated on a different host.
2) Generate the certificate signing request
[root@stu31 ssl]# openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:ZZX
Organizational Unit Name (eg, section) []:localhost.localdomain
Common Name (eg, your name or your server's hostname) []:cc.ccc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3) Send the signing request to the CA server
[root@stu31 ssl]# scp htt.csr 172.16.249.55:/etc/pki/CA/csr/
[email protected]'s password:
htt.csr 100% 1009 1.0KB/s 00:00
5 The CA signs the certificate
[root@localhost CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (Henan) and the request (HA)
If the two do not match, the CA will not sign. This is the policy_match policy in /etc/pki/tls/openssl.cnf: by default countryName, stateOrProvinceName and organizationName in the request must equal those in the CA certificate. The same file also supplies the CA's key, certificate, index and serial paths (cakey.pem, cacert.pem, index.txt and serial under /etc/pki/CA), which is why the CA certificate in use here is the earlier one with Henan rather than the cace.pem just created with HA. So the request has to be regenerated with matching values: openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr
[root@localhost CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Aug 1 05:37:57 2014 GMT
Not After : Aug 31 05:37:57 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Ops
commonName = localhost.localdomain
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
90:AB:55:BA:57:63:2E:06:93:FD:EA:50:4B:9E:5B:40:C1:56:43:6E
X509v3 Authority Key Identifier:
keyid:59:50:01:C7:01:0A:49:70:21:71:AE:A4:26:94:25:78:1A:EA:35:14
Certificate is to be certified until Aug 31 05:37:57 2014 GMT (30 days)
Sign the certificate? [y/n]:
6 Send the certificate to the requester
[root@localhost CA]# scp csr/htt.crt 172.16.31.1:/root
[email protected]'s password:
htt.crt 100% 4556 4.5KB/s 00:00
[root@stu31 ~]# mv htt.crt /etc/httpd/ssl
The requesting host then places the certificate in the /etc/httpd/ssl directory.
This completes one round of CA signing. Wishing you success~~~
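The whole flow above, as an added example that is not part of the original post: a POSIX shell script that builds the CA, creates two requests, shows openssl ca refusing the one whose stateOrProvinceName differs from the CA certificate (the error hit in step 5), signs the matching one non-interactively with -batch, and verifies the result against the CA certificate. It assumes openssl is installed; all directories, subjects and names (ca.example.test, MageEdu, cc.ccc.com) are constructed for the demo, and the node steps run on the same machine instead of a second host.

```shell
# Added example, not the post's own code: its private-CA flow run non-interactively
# in a scratch dir (paths/names constructed), reproducing the ST policy refusal.
set -e
# CA side: key, self-signed cert, index/serial files and a config whose policy_match
# section is what forces C, ST and O in a request to equal the CA certificate's.
setup_ca() {
  d="$1"; mkdir -p "$d/private" "$d/csr" "$d/newcerts"
  : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$d/private/cakey.pem" -out "$d/cacert.pem" -days 30 \
    -config "$d/openssl.cnf" -subj "/C=CN/ST=Henan/O=MageEdu/CN=ca.example.test" 2>/dev/null
}
# Node side (same box here; a real node would scp the .csr to the CA): key pair plus request.
make_csr() {
  (umask 077; openssl genrsa -out "$1/csr/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$1/csr/$2.key" -out "$1/csr/$2.csr" -config "$1/openssl.cnf" \
    -subj "$3" 2>/dev/null && echo "$1/csr/$2.csr"
}
# CA side: -batch replaces the y/n prompt; exits non-zero on a policy_match violation.
sign_csr() { openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" -days 30 -notext 2>/dev/null; }
# Requester side: confirm the returned cert chains to the CA before installing it.
verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }
CA="$(mktemp -d)"; setup_ca "$CA"
bad="$(make_csr "$CA" bad "/C=CN/ST=HA/O=MageEdu/CN=cc.ccc.com")"
good="$(make_csr "$CA" good "/C=CN/ST=Henan/O=MageEdu/CN=cc.ccc.com")"
sign_csr "$CA" "$bad" "$CA/csr/bad.crt" && echo "unexpected" || echo "refused: ST=HA is not Henan"
sign_csr "$CA" "$good" "$CA/csr/good.crt" && verify_cert "$CA" "$CA/csr/good.crt" && echo "good.crt verifies"
```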