如何利用 OpenSSL 来实现自制 CA 服务器呢? 这种情况下一般在一个公司内部可用到这种机制。
一、实现自建 CA 的大致流程
大致操作流程如上图所示。
二、自建 CA 的详细操作流程
第一步:自建 CA 服务器
1、生成秘钥
1
2
3
4
5
6
7
8
|
[root@centos6-5 ~]
# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................................................................................................++
.........................................................................................................++
e is 65537 (0x10001)
[root@centos6-5 ~]
#
# 秘钥文件的名称不能自己改动
|
2、自签证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
[root@centos6-5 ~]
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 360
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's
hostname
) []:ca.magedu.com
Email Address []:root@magedu.com
[root@centos6-5 ~]
#
# req 生成证书签署请求
# -news 新请求
# -key 指定私钥文件
# -out 签署文件的存放地方
# -x509 生成字签署文件
# -days 有效天数
|
对于秘钥文件的名称和自签署文件的名称不能自己指定的原因是:
在/etc/pki/tls/openssl.cnf 配置文件中:
这些文件名称在配置文件里里面指定好了。发现还需要有 index.txt 和 serial 俩个文件。
3、创建必要文件,初始化工作环境
1
2
|
[root@centos6-5 ~]
# touch /etc/pki/CA/index.txt
[root@centos6-5 ~]
# echo "00" > /etc/pki/CA/serial
|
第二步:节点申请证书
1、生成密钥对儿
1
2
3
4
5
6
7
|
[root@centos6-5 ~]
# mkdir /etc/httpd/ssl;(umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
mkdir
: cannot create directory `
/etc/httpd/ssl
': File exists
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................++
...............................++
e is 65537 (0x10001)
[root@centos6-5 ~]
#
|
2、生成证书签署请求
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
[root@centos6-5 ~]
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [ZZ]:
Organization Name (eg, company) [MageEdu]:
Organizational Unit Name (eg, section) [Ops]:
Common Name (eg, your name or your server's
hostname
) []:www.magedu.com
Email Address []:www@magedu.com
Please enter the following
'extra'
attributes
to be sent with your certificate request
A challenge password []:
# 请求证书是否加密,此时设定密码,CA签名时需要输入密码
An optional company name []:
[root@centos6-5 ~]
#
|
# 这里再输入相关名称时,如何修改默认值:
3、把签署请求文件发送给 CA 服务
1
2
3
|
# 由于这里请求签署的节点和 CA 服务器是同一台机器,所以在这里不需要这一步。
# 如果不是在同一台机器上,需要拷贝到 CA 服务器上。通常使用 scp 命令完成。
# 例如:scp /path/to/secert.crs root@CA_HOST_NAME:/path/to/somewhere/
|
第三步:CA签署证书
1、验正证书中的信息,签署证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
[root@centos6-5 ~]
# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 300
Using configuration from
/etc/pki/tls/openssl
.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Aug 1 15:37:48 2014 GMT
Not After : May 28 15:37:48 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Ops
commonName = www.magedu.com
emailAddress = www@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
04:5E:41:F4:DF:77:DE:64:D3:C0:AC:3C:2E:69:C1:01:E5:80:30:4B
X509v3 Authority Key Identifier:
keyid:AF:D8:63:8A:94:87:40:2A:EA:15:FB:D4:E2:61:23:D7:E8:96:40:3B
Certificate is to be certified
until
May 28 15:37:48 2015 GMT (300 days)
Sign the certificate? [y
/n
]:y
1 out of 1 certificate requests certified, commit? [y
/n
]y
Write out database with 1 new entries
Data Base Updated
[root@centos6-5 ~]
#
|
2、发送给请求者
1
|
# 使用 scp 发送给请求者
|
至此签名完成,如下:
1
2
3
4
5
|
[root@centos6-5 ~]
# cat /etc/pki/CA/index.txt
V 150528153748Z 00 unknown
/C
=CN
/ST
=Henan
/O
=MageEdu
/OU
=Ops
/CN
=www.magedu.com
/emailAddress
=www@magedu.com
[root@centos6-5 ~]
# cat /etc/pki/CA/serial
01
[root@centos6-5 ~]
#
|
三、证书的吊销
有时候我们的的节点秘钥丢了,此时就需要向 CA 申请吊销。
在节点:此时首先要在节点获取证书的serial
1
2
3
4
5
6
7
8
|
[root@server ssl]
# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject
serial=01
subject=
/C
=CN
/ST
=Henan
/O
=MageEdu
/OU
=Ops
/CN
=www2.magedu.com
/emailAddress
=www2@magedu.com
[root@server ssl]
#
# noout 不输出额外信息
# serial 输出 serial 信息,在 serial 文件中
# 输出 subject 信息,在 index.txt 文件中
|
在CA:
1、验证信息
根据节点提交的serial和subject信息来验正与index.txt文件中的信息是否一致
1
2
3
|
[root@centos6-5 ~]
# cat /etc/pki/CA/index.txt
V150528153748Z00unknown
/C
=CN
/ST
=Henan
/O
=MageEdu
/OU
=Ops
/CN
=www.magedu.com
/emailAddress
=www@magedu.com
V140831155108Z01unknown
/C
=CN
/ST
=Henan
/O
=MageEdu
/OU
=Ops
/CN
=www2.magedu.com
/emailAddress
=www2@magedu.com
|
2、吊销证书
1)吊销证书
1
2
3
4
5
6
7
8
9
10
|
# 要吊销的证书一般在 /etc/pki/CA/newcerts 目录下,名称是 序列号.pem
[root@centos6-5 ~]
# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from
/etc/pki/tls/openssl
.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6-5 ~]
# cat /etc/pki/CA/index.txt
V 150528153748Z 00 unknown
/C
=CN
/ST
=Henan
/O
=MageEdu
/OU
=Ops
/CN
=www.magedu.com
/emailAddress
=www@magedu.com
R 140831155108Z 140801160733Z 01 unknown
/C
=CN
/ST
=Henan
/O
=MageEdu
/OU
=Ops
/CN
=www2.magedu.com
/emailAddress
=www2@magedu.com
[root@centos6-5 ~]
#
|
2)生成吊销列表(第一次吊销是需要)
1
2
3
4
|
[root@centos6-5 ~]
# echo 00 > /etc/pki/CA/crlnumber
[root@centos6-5 ~]
#
# 吊销列表文件也在/etc/pki/tls/openssl.cnf 里面定义的。
|
3)更新证书吊销列表
1
2
|
[root@centos6-5 ~]
# openssl ca -gencrl -out /etc/pki/CA/crl/01.crl
Using configuration from
/etc/pki/tls/openssl
.cnf
|
查看 crl 里的内容:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
[root@centos6-5 ~]
# openssl crl -in /etc/pki/CA/crl/01.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
/C
=CN
/ST
=Henan
/L
=ZZ
/O
=MageEdu
/OU
=Ops
/CN
=ca.magedu.com
/emailAddress
=root@magedu.com
Last Update: Aug 1 16:15:12 2014 GMT
Next Update: Aug 31 16:15:12 2014 GMT
CRL extensions:
X509v3 CRL Number:
0
Revoked Certificates:
Serial Number: 01
Revocation Date: Aug 1 16:07:33 2014 GMT
Signature Algorithm: sha1WithRSAEncryption
75:29:0d:44:97:a7:8d:a0:2c:30:a7:97:9c:b1:30:9b:ef:c7:
d4:53:d2:39:2e:5e:9d:5e:28:97:92:1a:04:ec:78:5d:8d:db:
85:44:d3:
bc
:fa:db:d2:76:16:d5:79:20:3a:10:db:18:d3:e7:
8e:3d:80:04:8c:92:6a:ae:ac:61:a5:
dc
:2d:9d:1f:ca:b3:03:
db:c1:ce:41:5f:91:f3:8b:7a:ff:c6:5b:5a:1f:fa:69:68:a3:
b0:2b:e8:22:58:53:57:c0:20:ec:be:21:bf:36:20:c2:a9:77:
85:21:f7:7f:87:a9:43:d3:01:45:c1:fd:1b:45:8d:8b:af:88:
83:17:2e:a0:8b:85:b6:cc:b4:54:9b:50:fa:e2:8a:7e:d4:6c:
a6:02:8a:e3:7e:11:03:0c:64:1e:13:07:10:b1:54:97:af:5a:
d8:ec:
cd
:62:02:1a:2d:a4:c8:b4:09:ef:d6:e1:c0:cb:f1:10:
ba:c1:12:3d:a6:8f:5a:5e:81:77:5a:58:52:47:ab:96:84:b3:
b8:2a:0e:cf:89:63:00:e3:90:
df
:c3:f6:f0:e5:d2:cc:9f:38:
31:e4:88:ad:55:1a:e1:83:0b:a3:32:28:2a:8e:1b:b7:2b:12:
01:0a:11:
df
:10:0e:34:ce:84:24:9e:5e:fa:f9:43:c9:c7:a4:
a4:a1:07:53:b1:74:9f:20:ba:a2:f7:30:11:1f:20:38:be:a7:
d9:1f:c1:12:21:71:e3:78:20:80:ec:46:d9:92:95:34:f5:ea:
da:6f:d8:e4:0f:f4:c1:09:6c:e6:55:fe:f6:ef:62:73:96:94:
4e:30:94:1c:e0:5f:ec:5e:13:ce:0a:5e:5e:88:3f:49:61:0c:
e2:c7:5a:33:72:1d:a3:84:5b:a8:e5:31:05:f2:5a:ac:0b:7d:
29:5a:60:b4:53:
dd
:33:f1:e2:e8:de:66:3b:da:4d:c9:56:eb:
85:08:f9:6b:5b:11:cc:c9:32:ec:5a:7a:4c:26:42:8f:fe:25:
a7:b9:31:6f:42:60:6d:8a:59:15:2e:b2:e0:7b:a3:b2:b6:d6:
93:c8:4d:b8:70:b3:54:78:c1:ac:8a:f8:a4:cb:6f:95:51:2d:
2b:64:90:b2:ed:51:01:5c:d2:2a:a2:9a:60:45:bb:c1:d3:87:
5c:aa:9f:0b:05:55:cf:3a:e9:d9:b5:23:80:6a:e4:9c:f6:90:
f5:af:24:94:00:88:67:d2:61:4d:66:b9:38:a7:d4:87:04:e1:
ad:11:4e:07:0d:88:33:96:34:25:e9:29:77:4e:61:b5:
dd
:1a:
15:d6:62:77:a3:f8:95:43:a0:52:f7:09:40:58:6b:5a:a3:88:
d8:0d:7b:6b:6e:ab:3a:65
[root@centos6-5 ~]
#
|
至此如何如何自建 CA,签名证书和吊销证书构建完毕。至于,如何将获得签名的证书导入我们需要的应用程序中,在后续博客中讲解。
本文转自 羊木狼 51CTO博客,原文链接:http://blog.51cto.com/guoting/1535032,如需转载请自行联系原作者