
Creating a private CA, requesting and issuing certificates

Published 2019-11-16 11:27    Editor: 电脑系统    Views: 161

    I. Creating a private CA
      1. Create the required files

    Creating a private CA:
    openssl configuration file: /etc/pki/tls/openssl.cnf
    Three policies: match, supplied and optional
    match means the value in the request must be identical to the CA's own value; supplied means the field must be filled in; optional means the field may be present or absent
    1. Create the required files
    touch /etc/pki/CA/index.txt    create the certificate index database file
    echo 01 > /etc/pki/CA/serial    set the serial number of the first certificate to be issued
    2. CA self-signed certificate
    Generate the private key
    cd /etc/pki/CA/
    (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    Generate the self-signed certificate
    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
    -new: generate a new certificate signing request
    -x509: used only when the CA generates its self-signed certificate
    -key: the private key file used to generate the request
    -days n: validity period of the certificate
    -out /PATH/TO/SOMECERTFILE: where to save the certificate
    3. Issuing certificates
    A. Generate a certificate request on the host that needs the certificate
    Generate a private key for the web server
    (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
    Generate the certificate request file
    openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
    B. Transfer the certificate request file to the CA
    scp /etc/pki/tls/test.csr CA-IP

    Setting up the CA and requesting certificates

    Related reference configuration file: /etc/pki/tls/openssl.cnf

    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section
    
    ####################################################################
    [ CA_default ]
    
    dir             = /etc/pki/CA           # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several ctificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.
    
    certificate     = $dir/cacert.pem       # The CA certificate
    serial          = $dir/serial           # The current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem# The private key
    RANDFILE        = $dir/private/.rand    # private random number file
    
    x509_extensions = usr_cert              # The extentions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default            # Subject Name options
    cert_opt        = ca_default            # Certificate field options
    
    # Extension copying option: use with caution.
    # copy_extensions = copy
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions        = crl_ext
    
    default_days    = 365                   # how long to certify for
    default_crl_days= 30                    # how long before next CRL
    default_md      = sha256                # use SHA-256 by default
    preserve        = no                    # keep passed DN ordering
    
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    ####################################################################
    [ req ]
    default_bits            = 2048
    default_md              = sha256
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    attributes              = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert
    

    Reference directories that will be used

    dir             = /etc/pki/CA           # Where everything is kept
    certs           = /etc/pki/CA/certs            # Where the issued certs are kept
    database        = /etc/pki/CA/index.txt        # database index file.
    new_certs_dir   = /etc/pki/CA/newcerts         # default place for new certs.
    certificate     = /etc/pki/CA/cacert.pem       # The CA certificate
    serial          = /etc/pki/CA/serial           # The current serial number
    private_key     = /etc/pki/CA/private/cakey.pem   # The private key
    

    Note: by default the country, state/province and organization name in a client certificate request must be identical to the CA's, otherwise the certificate cannot be issued. The reason is policy = policy_match in /etc/pki/tls/openssl.cnf. Either change it to policy = policy_anything, or change the values of countryName, stateOrProvinceName and organizationName under [ policy_match ] from match to optional; after that these three fields no longer have to match.

    OpenSSL: creating a private CA and signing certificate requests, in detail

    I. OpenSSL: default CA configuration

        1. Certificate authorities (CA): publicly trusted CAs and private CAs

                  Ways to set up a private CA:

    small-scale testing: use openssl directly

    maintaining large numbers of certificates at scale: use OpenCA (a wrapper around openssl that is more convenient to operate)

        2. openssl configuration file: /etc/pki/tls/openssl.cnf

         [[email protected] tmp]# cat  /etc/pki/tls/openssl.cnf

    The file groups its settings into "[section]" blocks

    ==================================== excerpt of openssl.cnf =====================================
    # OpenSSL example configuration file.
    # This is mostly being used for generation of certificate requests.
    ######################################################################################
    [ ca ]                                  # CA-related section
    default_ca      = CA_default            # The default ca section; the default CA is configured in [ CA_default ]
    ######################################################################################
    [ CA_default ]                          # working environment of the default CA
    dir             = /etc/pki/CA           # Where everything is kept: the default working directory, referenced below as a variable
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept (revoked certificates)
    database        = $dir/index.txt        # database index file: index of the certificates issued so far
    new_certs_dir   = $dir/newcerts         # default place for new certs.
    certificate     = $dir/cacert.pem       # The CA certificate: the CA's own self-signed certificate
    serial          = $dir/serial           # The current serial number; must be set by hand the first time
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem# The private key: the CA's own private key
    RANDFILE        = $dir/private/.rand    # private random number file
    x509_extensions = usr_cert              # The extentions to add to the cert
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default            # Subject Name options
    cert_opt        = ca_default            # Certificate field options
    default_days    = 365                   # how long to certify for: default certificate validity
    default_crl_days= 30                    # how long before next CRL: default CRL validity
    default_md      = sha256                # use SHA-256 by default: default digest algorithm
    preserve        = no                    # keep passed DN ordering
    ####################################################################
    [ req ]                                 # attributes of certificate signing requests submitted to the CA
    default_bits            = 2048
    default_md              = sha256
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    attributes              = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert
    ===============================================================================================


    II. OpenSSL: steps to create a private certificate authority (CA)

    On the host designated as the CA, generate a self-signed certificate and provide the directories and files the CA needs;

    During actual communication the CA host does not have to be reachable on the network; it only takes part in signing and provides no service to clients.

          1. Generate the private key;

    ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

        Because the default configuration file specifies /etc/pki/CA/private/cakey.pem, the directory and file name given here must match the configuration file


          2. Generate the CA's self-signed certificate;

                  req - PKCS#10 certificate request and certificate generating utility: the tool that creates certificate requests and certificates;

      [[email protected] tmp]# man req

      ~]# openssl req  -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

                      /etc/pki/CA/cacert.pem: the directory and file name given in the configuration file 

      -new: generate a new certificate signing request;

      -x509: output a self-signed certificate; used only when creating a private CA;

      -key: path of the private key used to generate the request;

      -out: path of the generated request file; for a self-signed operation this is directly the signed certificate;

      -days: validity period of the certificate, in days;

     Note:

    1) -key /etc/pki/CA/private/cakey.pem points at the private key; the public key is extracted from it automatically

    2) req by itself only creates a signing request; adding -x509 makes it both create the request and sign it itself. The option is not needed for certificates that are not self-signed


    [[email protected] tmp]#  openssl req  -new  -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

              ==================================== fill in the certificate request information =======================================

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [XX]:      # two-letter country code; CN is China
    State or Province Name (full name) []:      # full name of the state or province
    Locality Name (eg, city) [Default City]:      # name of the locality (defaults to a city)
    Organization Name (eg, company) [Default Company Ltd]:    # organization name (defaults to a company)
    Organizational Unit Name (eg, section) []:    # organizational unit name (e.g. department)
    Common Name (eg, your name or your server's hostname) []:    # holder's name or the server's hostname (i.e. the domain name)
    Email Address []:    # administrator's e-mail address; may be left blank

      2. Create the private key

    C. The CA signs the certificate and issues it to the requester 
        openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365 
        Note: by default the country, state/province and organization name must match the CA's 
    D. Send the certificate to the requesting client
        scp /etc/pki/CA/certs/test.crt client-IP   
    
    E. View the information in a certificate: 
        openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-issuer|-subject|-serial|-dates 
        openssl ca -status SERIAL    show the status of the certificate with the given serial number 
    

    Setting up the private CA on the server side

    1. Create the required files
    touch /etc/pki/CA/index.txt    create the certificate index database file
    echo 01 > /etc/pki/CA/serial    set the serial number of the first certificate to be issued (any value, but it must be two digits)
    2. Generate the CA private key
    (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

    [root@centos CA]#(umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ........................................................................   
    ....................................   
    e is 65537 (0x10001)
    

    3. Self-sign (the CA issues a certificate to itself)
    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
    -new: generate a new certificate signing request
    -x509: used only when the CA generates its self-signed certificate
    -key: the private key file used to generate the request
    -days n: validity period of the certificate
    -out /PATH/TO/SOMECERTFILE: where to save the certificate

    [root@centos CA]#openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:xmj
    Organizational Unit Name (eg, section) []:x
    Common Name (eg, your name or your server's hostname) []:xmj.com
    Email Address []:
    

    openssl x509 -in /etc/pki/CA/cacert.pem -noout -text    view the CA certificate

    [root@centos CA]#openssl x509 -in cacert.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 11583334546095199587 (0xa0c045660683d563)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
            Validity
                Not Before: Jul 17 07:11:40 2017 GMT
                Not After : Jul 12 07:11:40 2037 GMT
            Subject: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c3:c1:ed:52:ee:9f:8b:52:2d:48:69:86:05:84:
                        30:8b:57:14:1f:04:23:2d:a3:3d:c5:87:5d:65:35:
                        61:65:0e:fc:74:93:88:be:2a:66:47:ea:e4:c6:e7:
                        0c:6b:74:4d:28:e9:eb:21:75:58:8a:61:83:84:d8:
                        7f:09:4a:0e:63:c9:e1:d6:26:92:46:94:79:3b:f1:
                        08:a3:f7:05:cc:f6:87:f7:74:29:67:71:f0:f4:82:
                        6a:bf:51:e9:99:01:4e:df:dc:ff:d7:88:54:22:06:
                        d4:76:e1:1b:4f:4e:8a:e4:2f:64:6e:2f:c4:0d:25:
                        2c:cd:4f:e3:d0:1f:3e:e2:2d:82:a5:12:7a:95:88:
                        10:08:36:71:59:af:3a:c5:bf:b5:1d:8c:11:79:bc:
                        d6:18:d5:cd:39:f7:66:8a:ef:19:11:22:e3:7d:3f:
                        db:2b:67:4d:e5:20:98:43:7b:a3:60:cb:da:75:65:
                        d0:e3:22:f7:d0:98:90:e5:c8:16:5b:65:c0:64:6a:
                        71:33:6a:80:5c:2d:47:b5:8a:b5:53:64:3d:70:a4:
                        77:a5:df:dc:67:53:d9:f3:55:3c:68:9c:c5:f8:61:
                        25:ff:8b:e1:9a:2c:11:0f:4f:ad:f6:da:55:e9:d8:
                        57:d3:81:6d:45:b9:f0:f3:4f:c6:bb:2c:9b:de:4e:
                        cd:a1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
                X509v3 Authority Key Identifier: 
                    keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
             c1:1f:ab:c9:3b:61:71:ff:21:b4:6f:03:0e:de:e8:f7:78:be:
             b7:1c:50:85:6d:20:5a:4f:fa:22:6b:b6:29:d0:a2:a2:dc:7e:
             95:bc:14:a4:84:49:9f:cb:cd:27:1e:c9:8f:5a:98:89:a4:1d:
             af:76:b8:13:6d:96:d3:f7:7d:8b:9a:b7:26:71:63:32:af:59:
             d2:12:0a:4f:4b:e8:55:c2:79:ef:da:bd:2d:ea:c2:7a:3d:87:
             4d:7f:51:22:48:f8:84:2e:0b:43:8c:a4:6b:e3:ea:d7:79:3b:
             f2:ee:8f:26:f6:08:97:b7:e1:b2:0a:a7:30:46:23:04:74:d8:
             75:22:77:ac:1a:88:db:41:e5:a9:e6:9d:18:a5:14:44:58:c5:
             87:4e:f0:b1:ce:01:a7:8d:c5:ed:0a:51:04:c5:a6:9a:c9:00:
             64:1b:21:96:58:69:54:05:1a:3b:14:10:d0:6a:49:db:78:34:
             69:77:c9:24:33:63:85:fc:41:0f:f8:e0:da:9e:ca:c7:10:fe:
             7e:03:8f:60:e2:bb:56:92:38:12:a4:e7:d3:6a:07:f1:c6:44:
             81:f1:68:81:d8:c4:92:91:0a:b9:28:1d:ea:17:3b:ef:91:8c:
             ab:b1:78:6d:c8:ac:63:02:3a:12:ba:d0:bb:bc:2d:28:c4:ba:
             cb:59:7a:5e
    

           

       

          3. Provide the directories and files the CA needs;

                ~]# mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}  # create the issued-certificate, CRL and new-certificate directories if they do not exist yet

                ~]# touch  /etc/pki/CA/{serial,index.txt}  # create the serial number file and the certificate index file

                ~]# echo  01 > /etc/pki/CA/serial          # the first time, the serial number must be assigned by hand


    III. OpenSSL: a service requests a signed certificate to enable SSL communication

        A server that wants to use a certificate for secure communication must ask the CA to sign a certificate for it;

        The service that needs the certificate does not have to run on the same host as the CA.

        httpd is used as the example service here; the steps are as follows:

    Demo environment:

    the httpd service runs on host 172.16.249.210 (installed from the rpm package)

     the private CA runs on host 172.16.249.18:


          1. The server that uses the certificate generates its private key;

                ~]# mkdir  /etc/httpd/ssl  

                ~]# cd  /etc/httpd/ssl

                ~]# (umask  077; openssl  genrsa -out  /etc/httpd/ssl/httpd.key  2048)  # generate the private key

                      Do not create the httpd private key under /etc/pki/CA; that directory is only used on the host that acts as the CA


          2. Generate the certificate signing request

                ~]# openssl  req  -new  -key  /etc/httpd/ssl/httpd.key  -out /etc/httpd/ssl/httpd.csr  -days  365

                        1) *.csr denotes a certificate signing request file

                        2) make sure the information entered matches the CA's (see the policy settings above)


          3. Send the request to the CA host over a trusted channel

                  ~]# scp  /etc/httpd/ssl/httpd.csr  [email protected]:/tmp/


          4. Sign the certificate on the CA host

                ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

                              *.crt: denotes a certificate file

                              -days: validity period of the signed certificate

     Note: here you must check for yourself that the request information is correct and decide whether to sign it


          5. View the information of the signed certificate

                  Method 1: ~]# cat  /etc/pki/CA/index.txt

                              V: the certificate has been signed and is valid

                              01: the certificate serial number

                              /C=CN/ST=Beijing/O=… ...:  the subject information (subject identifier)

                Method 2: view the information inside the certificate (works on either the CA or the server):

                ~]# openssl  x509  -in /etc/pki/CA/certs/httpd.crt  -noout  -serial  -subject

                              -serial: serial number   -subject: subject information


          6. Send the .crt certificate signed by the CA back to the server

              ~]#  scp  /etc/pki/CA/certs/httpd.crt  [email protected]:/etc/httpd/ssl

            Note: the first time you run scp between the hosts over ssh you will be shown the host key and asked to confirm it


        7. Delete the pre-signing *.csr files on both the server and the CA host to keep things tidy and safe

    httpd host: ~]# rm  -rf  /etc/httpd/ssl/httpd.csr

    CA host: ~]# rm  -rf  /tmp/httpd.csr


    IV. OpenSSL: the private CA revokes a certificate

        1. The client obtains the serial of the certificate to be revoked (run on the host that uses the certificate)

    ~]# openssl  x509  -in /etc/pki/CA/certs/httpd.crt  -noout  -serial  -subject

        2. The CA host revokes the certificate

            First compare the serial and subject submitted by the client with the entry stored in the local database index.txt;

            When a certificate is generated under /etc/pki/CA/certs/*, a copy named SERIAL.pem is also stored under /etc/pki/CA/newcerts/*

         Revoke:

      # openssl  ca  -revoke  /etc/pki/CA/newcerts/SERIAL.pem    where SERIAL is replaced by the certificate's real serial number, e.g. 01.pem

        3. Generate the CRL number (run only the first time a certificate is revoked)

    # echo  01  > /etc/pki/CA/crlnumber

        4. Update the certificate revocation list

    # openssl  ca  -gencrl  -out  thisca.crl

        5. View the CRL file:

    # openssl  crl  -in  /PATH/FROM/CRL_FILE.crl  -noout  -text


      3. CA self-signed certificate
        -new: generate a new certificate signing request;
                   -x509: used only when the CA generates its self-signed certificate; do not add it when not self-signing
                   -key: the private key file used to generate the request;
                  -days n: validity period of the certificate;
                  -out /PATH/TO/SOMECERTFILE: where to save the certificate;

    4. Revoking a certificate
    A. On the client, obtain the serial of the certificate to revoke
    openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
    B. On the CA, check whether the serial and subject submitted by the client match the entry in index.txt,
    then revoke the certificate:
    openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
    C. Set the number of the first revoked certificate. Note: only needed before the CRL is updated for the first time
    echo 01 > /etc/pki/CA/crlnumber
    D. Update the certificate revocation list
    openssl ca -gencrl -out /etc/pki/CA/crl.pem

    Client requests a certificate

    1. Generate a private key for the web server
    (umask 077;openssl genrsa -out /root/app/service.key 2048 )
    2. Request the certificate
    Generate the certificate request file
    openssl req -new -key /root/app/service.key -out /root/app/service.csr
    3. Send the request file to the CA server
    scp /root/app/service.csr IP:/etc/pki/CA

        When filling in the information, the Common Name must be the server's name, identical to the name that DNS resolves.

    View the CRL file:
    openssl crl -in /etc/pki/CA/crl.pem -noout -text

    The CA signs the certificate and issues it to the requester

    Server side
    1. Create a directory for client certificate requests
    mkdir /etc/pki/CA/csr
    mv /etc/pki/CA/service.csr /etc/pki/CA/csr

    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    ├── serial
    └── service.csr
    
    4 directories, 5 files
    [root@centos CA]#mkdir csr
    [root@centos CA]#mv service.csr csr
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    └── serial
    
    5 directories, 5 files
    [root@centos CA]#ll
    total 28
    -rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 certs
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
    drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
    -rw-r--r--. 1 root root    0 Jul 17 14:55 index.txt
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 newcerts
    drwx------. 2 root root 4096 Jul 17 15:00 private
    -rw-r--r--. 1 root root    3 Jul 17 14:55 serial
    

    2. Issue the certificate
    openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365

    [root@centos CA]#pwd
    /etc/pki/CA
    [root@centos CA]#openssl ca -in csr/service.csr -out certs/service.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 17 08:08:07 2017 GMT
                Not After : Jul 17 08:08:07 2018 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = henan
                organizationName          = xmj
                organizationalUnitName    = m
                commonName                = www.xmj.com
                emailAddress              = 111111
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
                X509v3 Authority Key Identifier: 
                    keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
    
    Certificate is to be certified until Jul 17 08:08:07 2018 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@centos CA]#ll
    total 40
    -rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
    drwxr-xr-x. 2 root root 4096 Jul 17 16:08 certs
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
    drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
    -rw-r--r--. 1 root root   89 Jul 17 16:08 index.txt
    -rw-r--r--. 1 root root   21 Jul 17 16:08 index.txt.attr
    -rw-r--r--. 1 root root    0 Jul 17 14:55 index.txt.old
    drwxr-xr-x. 2 root root 4096 Jul 17 16:08 newcerts
    drwx------. 2 root root 4096 Jul 17 15:00 private
    -rw-r--r--. 1 root root    3 Jul 17 16:08 serial
    -rw-r--r--. 1 root root    3 Jul 17 14:55 serial.old
    [root@centos CA]#cd newcerts/
    [root@centos newcerts]#ls
    01.pem
    [root@centos newcerts]#cd ..
    ###### the serial file holds the serial number of the next certificate to be issued
    [root@centos CA]#cat serial
    02
    ###### the database has been updated; the status V means the certificate is issued and valid
    [root@centos CA]#cat index.txt
    V       180717080807Z           01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── service.crt
    ├── crl
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 10 files
    

    3. Viewing the issued certificate
    openssl x509 -in /etc/pki/CA/certs/service.crt -noout -text|-issuer|-subject|-serial|-dates
    openssl ca -status SERIAL    show the status of the certificate with the given serial number

    [root@centos CA]#openssl x509 -in certs/service.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
            Validity
                Not Before: Jul 17 08:08:07 2017 GMT
                Not After : Jul 17 08:08:07 2018 GMT
            Subject: C=cn, ST=henan, O=xmj, OU=m, CN=www.xmj.com/emailAddress=111111
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:bd:a1:a2:49:f0:e5:9a:fd:3f:e6:87:24:0e:79:
                        6b:3e:05:db:52:06:d7:34:15:4a:2c:92:48:1f:c1:
                        0f:c6:7d:18:4b:fd:d0:82:10:c1:a4:9e:ae:65:05:
                        6a:2c:e4:53:cd:0d:07:cf:ff:77:1a:b6:3d:87:0f:
                        c5:b9:81:82:bb:7c:ef:9b:1b:24:82:f1:1e:2a:4d:
                        0c:a1:a5:1b:43:ad:33:01:e3:a4:ee:4f:d8:28:7a:
                        e7:fa:e4:fc:08:f4:89:13:e7:ca:85:77:00:34:15:
                        3d:61:02:74:bc:7d:af:13:de:02:4e:c2:ac:60:7d:
                        ff:2b:70:ed:06:66:6a:1f:63:c0:a2:bf:87:6d:d8:
                        dc:dc:14:70:3c:e3:14:72:75:b4:6d:d1:e8:28:72:
                        f5:f5:0f:9c:32:c5:cb:04:54:e9:51:32:5d:d9:5e:
                        71:54:3a:da:d4:33:ed:ac:14:25:6d:4b:c8:08:33:
                        11:f5:9f:ba:04:95:8b:d3:c9:11:e3:16:ae:c3:23:
                        d1:12:f0:80:cb:e9:d6:5b:03:d5:9e:1e:11:e2:4a:
                        ec:7a:c8:fd:69:ab:56:2d:3e:f3:db:48:a0:a6:b3:
                        0a:17:20:f0:bb:f8:e9:3d:a1:f3:87:a3:13:a6:93:
                        f9:9c:cd:88:cc:73:af:43:6a:ce:2f:5f:f6:08:a1:
                        31:3d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
                X509v3 Authority Key Identifier: 
                    keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
    
        Signature Algorithm: sha1WithRSAEncryption
             2e:a5:ed:ab:b7:b1:e5:fb:03:e7:dd:4e:15:61:25:81:c3:ee:
             a6:e4:60:e2:74:36:61:8b:39:e4:25:fd:12:12:ce:37:28:fe:
             7d:1f:c4:c7:fa:fc:60:a9:e9:36:1d:b9:23:e9:d9:91:e3:e0:
             b2:e2:32:41:a7:4e:8d:a4:9e:33:0d:66:b9:cb:1a:7c:31:61:
             78:18:ce:03:50:b1:e1:07:b9:39:0d:f5:c8:80:b9:d6:06:0f:
             4c:5a:67:29:3c:34:70:c6:d5:2d:d8:5f:0b:4d:ba:0e:8c:cb:
             56:b9:fb:df:5f:58:df:ab:7e:ac:41:9e:32:74:65:b3:2d:70:
             d2:f7:78:05:17:47:bb:ef:de:44:b3:8b:70:03:11:da:79:eb:
             e9:57:9d:e8:c2:43:43:73:72:b6:ff:e4:bc:0f:41:38:b7:af:
             7a:74:b2:17:57:c5:8a:8d:b5:d1:ba:aa:42:bf:3f:17:f3:54:
             8e:54:86:3c:95:0a:d1:27:d6:a7:ce:f6:c5:2b:e6:79:68:76:
             6a:5b:bb:d9:6a:23:7a:f2:3d:41:bb:f5:ec:29:fc:0a:46:e5:
             11:8b:04:39:86:6e:7d:59:50:7e:2c:47:f2:9f:20:31:54:07:
             87:1e:39:af:28:dd:c0:c2:6f:2a:89:91:c6:25:2a:35:0e:f9:
             a6:2e:51:62
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -issuer
    issuer= /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -subject
    subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -serial
    serial=01
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -dates
    notBefore=Jul 17 08:08:07 2017 GMT
    notAfter=Jul 17 08:08:07 2018 GMT
    [root@centos CA]#openssl ca -status 01
    Using configuration from /etc/pki/tls/openssl.cnf
    01=Valid (V)
    

    4. Copy the certificate to the client

        Give a copy of the CA certificate to whoever connects to you, and that client can then trust this certificate authority

    Revoking a certificate

    1. On the client, obtain the serial of the certificate to revoke
    openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

    [root@centos app]#pwd
    /root/app
    [root@centos app]#openssl x509 -in service.crt -noout -serial -subject
    serial=01
    subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    

    2. On the CA, check that the serial and subject submitted by the client match the entry in index.txt, then revoke the certificate:
    openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
    Create the CRL number file (the initial value 01 can be chosen freely)
    echo 01 > /etc/pki/CA/crlnumber
    Update the certificate revocation list
    openssl ca -gencrl -out crl.pem
    View the revocation list
    openssl crl -in crl.pem -noout -text

    [root@centos CA]#pwd
    /etc/pki/CA
    [root@centos CA]#cat index.txt
    V       180717080807Z           01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    ###### revoke the certificate
    [root@centos CA]#openssl ca -revoke newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    ###### database updated: the certificate status changes from V to R (revoked)
    [root@centos CA]#cat index.txt                     
    R       180717080807Z   170717090033Z   01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    ###### create the CRL number file (the initial value 01 can be chosen freely)
    [root@centos CA]#echo 01 > crlnumber
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── service.crt
    ├── crl
    ├── crlnumber
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 12 
    ###### update the certificate revocation list
    [root@centos CA]#openssl ca -gencrl -out crl/crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── service.crt
    ├── crl
    │   └── crl.pem
    ├── crlnumber
    ├── crlnumber.old
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 14 files
    ###### the crlnumber file holds the number that the next generated CRL will carry
    [root@centos CA]#cat crlnumber
    02
    [root@centos CA]#cat crlnumber.old 
    01
    ###### view the revocation list
    [root@centos CA]#openssl crl -in crl/crl.pem -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
            Last Update: Jul 17 09:02:34 2017 GMT
            Next Update: Aug 16 09:02:34 2017 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    1
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Jul 17 09:00:33 2017 GMT
        Signature Algorithm: sha1WithRSAEncryption
             5c:87:ce:3e:52:da:f3:6f:5f:d9:4a:f2:20:73:d1:22:d6:85:
             34:2d:0d:5a:99:6a:90:13:ec:ff:3c:b1:b2:ad:d9:c1:00:f3:
             29:0c:21:22:c6:76:2d:0a:8e:b1:23:76:70:c8:38:ae:28:2d:
             2a:b6:df:8e:87:cf:db:dd:79:db:17:ba:aa:73:1f:3c:b9:8e:
             69:e3:1b:24:30:56:f3:36:50:57:83:a5:ee:3e:c5:15:44:de:
             6d:38:b3:47:29:c6:e8:7a:6b:66:0e:4a:c7:23:c1:ef:d6:2b:
             fd:5a:c0:48:04:c1:33:b8:fb:78:3b:27:30:f8:76:0f:4d:44:
             35:13:0d:af:67:14:03:63:38:00:44:db:79:1c:0e:27:4d:5f:
             27:0b:2b:79:b2:94:75:19:1b:a9:79:1c:00:62:41:ad:28:ec:
             78:06:eb:04:0f:92:4d:01:42:e7:b3:a2:d5:82:6d:f2:4d:b6:
             00:1e:45:35:ab:ac:50:15:6d:1e:60:74:84:a3:d6:17:f4:21:
             b4:d7:5d:1e:ed:69:82:22:13:34:a8:60:5a:9e:70:cc:58:26:
             68:5d:92:dd:78:87:47:91:c8:94:12:89:43:fc:eb:1f:9f:8e:
             22:1e:19:4b:ea:6d:2d:0b:1c:e7:17:e7:e9:33:e6:19:37:6f:
             70:03:25:51
    

    II. Issuing certificates
      1. Generate the certificate request on the web server
        # mkdir -v /etc/httpd/ssl
        # cd /etc/httpd/ssl

        2. Send the certificate request to the CA server.

        3. Sign the certificate on the CA server

        4. Send the certificate to the web server

        View the certificate information:
                        openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-subject|-serial

    III. Revoking a certificate:   

       (a) The client obtains the serial of the certificate to revoke

                    # openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

                (b) On the CA

                    First check whether the serial and subject submitted by the client match the entry in index.txt;

                    Revoke the certificate:

                        # openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

                (c) Generate the CRL number (only when revoking a certificate for the first time)

                    # echo 01 > /etc/pki/CA/crlnumber

                (d) Update the certificate revocation list

                    # openssl ca -gencrl -out thisca.crl

                    View the CRL file:

                        # openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
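As an added, end-to-end example that is not part of the original article, the following POSIX shell script carries out the whole procedure of sections I to IV: it builds a CA in a temporary directory with its own minimal openssl.cnf (so /etc/pki/CA is never touched), issues a certificate for a CSR that satisfies policy_match, shows a request whose ST differs from the CA being refused, then revokes the certificate, regenerates the CRL and confirms that verification against the CRL now fails. The subject names, the temporary directory and the file name ca.cnf are constructed for this demo; the only assumption is that the openssl command-line tool (1.0.2 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the article): the private-CA lifecycle in a throwaway
# directory. Assumes only the openssl CLI; all paths and subjects are constructed.

# Minimal CA configuration; the keys mirror the [CA_default], [policy_match]
# and [req] sections the article quotes from /etc/pki/tls/openssl.cnf.
write_ca_config() {   # write_ca_config CA_DIR
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $1
certs           = \$dir/certs
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_crl_days= 30
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3_ca
[ req_distinguished_name ]
commonName              = Common Name
[ v3_ca ]
basicConstraints        = critical,CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
EOF
}

# Steps 1-2: CA directories and database files, CA private key, self-signed CA cert.
build_ca() {   # build_ca CA_DIR
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    touch "$1/index.txt"
    echo 01 > "$1/serial"      # serial of the first certificate to issue
    echo 01 > "$1/crlnumber"   # number of the first CRL (the article's "echo 01 > crlnumber")
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/ca.cnf" -key "$1/private/cakey.pem" \
        -days 3650 -subj "/C=CN/ST=henan/O=xmj/CN=xmj.com" -out "$1/cacert.pem"
}

# Step 3 (requesting host): private key plus CSR with the given subject.
make_csr() {   # make_csr CA_DIR NAME SUBJECT
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

# CA side: sign a CSR. Non-zero when openssl ca refuses, e.g. because policy_match sees C, ST or O differ from the CA.
sign_csr() {   # sign_csr CA_DIR CSR OUT_CRT
    openssl ca -batch -config "$1/ca.cnf" -in "$2" -out "$3" -days 365 >/dev/null 2>&1
}

# Status column of index.txt for a serial (tab-separated): V = valid, R = revoked.
index_status() {   # index_status CA_DIR SERIAL
    awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}

# Revoke newcerts/SERIAL.pem and regenerate the CRL, as in the article's section IV.
revoke_and_gencrl() {   # revoke_and_gencrl CA_DIR SERIAL
    openssl ca -config "$1/ca.cnf" -revoke "$1/newcerts/$2.pem" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl/crl.pem" >/dev/null 2>&1
}

# Whole lifecycle; prints one summary line describing what happened.
demo_private_ca() {
    ca=$(mktemp -d) || return 1
    build_ca "$ca" 2>/dev/null
    make_csr "$ca" www "/C=CN/ST=henan/O=xmj/CN=www.xmj.com"
    make_csr "$ca" bad "/C=CN/ST=hubei/O=xmj/CN=bad.xmj.com"   # ST differs from the CA
    sign_csr "$ca" "$ca/www.csr" "$ca/www.crt" && issued=yes || issued=no
    sign_csr "$ca" "$ca/bad.csr" "$ca/bad.crt" && mismatch=accepted || mismatch=rejected
    openssl verify -CAfile "$ca/cacert.pem" "$ca/www.crt" >/dev/null 2>&1 && chain=ok || chain=fail
    before=$(index_status "$ca" 01)
    revoke_and_gencrl "$ca" 01
    after=$(index_status "$ca" 01)
    listed=$(openssl crl -in "$ca/crl/crl.pem" -noout -text | grep -c 'Serial Number: 01' || true)
    openssl verify -crl_check -CAfile "$ca/cacert.pem" -CRLfile "$ca/crl/crl.pem" "$ca/www.crt" \
        >/dev/null 2>&1 && crl_check=ok || crl_check=revoked
    rm -rf "$ca"
    echo "issued=$issued mismatch=$mismatch chain=$chain before=$before after=$after listed=$listed crl_check=$crl_check"
}
demo_private_ca
```

Running it prints a single line such as issued=yes mismatch=rejected chain=ok before=V after=R listed=1 crl_check=revoked, which ties together the index.txt status change, the CRL contents and the effect of policy_match from the sections above.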

        

     
