CA服务器的简单搭建
一、简单介绍
CA 也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证 CA 的签字从而信任 CA ,任何人都可以得到 CA 的证书(含公钥),用以验证它所签发的证书。
如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。
二、环境描述
|
1
2
3
4
5
|
ip:192.168.151.204
# cat /etc/redhat-release
CentOS release 6.7 (Final)
# uname -i
x86_64
|
三、所需软件
|
1
2
|
openssl openssl-devel
# yum install openssl openssl-devel -y
|
四、安装过程
1、
cd /etc/pki/CA
#如果没有 certs crl(过期证书) newcerts目录请创建
|
1
|
# mkdir {certs,crl,newcerts}
|
2、创建两个空文件,索引文件和序列号文件
|
1
2
3
4
|
# touch index.txt
# touch serial
# vim /etc/hosts
192.168.151.204 ca.10fei3.
top
|
3、创建根证书
|
1
|
# echo 01 > serial (第一次创建根证书需此命令)
|
生成证书所使用的RSA秘钥,保存到private目录下
|
1
|
# openssl genrsa 1024 > private/hunk-ca.key
|
利用hunk-ca.key生成自签名的电子证书
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
# cat private/hunk-ca.key
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDSUxptT8nWMmKunlO+b5dlTPKAEFjevnT3T4w1dScOBCWQ4rv6
sWcLXIgKn8nhn3hW5PuYaOCd7n9zLuqvsK
/o5u/gE4njhsDw1xLi1JNvftPm8YKn
9K0qQqz76nl7y0RBgGxfB+a4jgfb27OII2Oj1+B66pYvanIoRU3FWHQtcQIDAQAB
AoGAHwliYfUfPLuMsmXsx7Jh7fHv6xP+eUgzrHcRoqXaEIhuHrZGtRTOtu99p8uy
l9fXg0MhGXmIg+W46v9mZGy3WGuCVtmEvI
/sI39pV0mTLYz
+BhayOOX
/YkOrW1
+D
Pu6GJ6yNv+OQS8psUE8b1XYg854iumsHYlvRppn1Ok+bmq0CQQDz235ONq50po2v
kx7
/IRKf1iqaFMykPrDfWPgxfMnyWNqjGoM3
+jfvakL+RL2GZB6OVUoL8G20Vu0W
axFblZybAkEA3Mwo6kNL0XgVSfEl1MySfx
/13sQ98Fx3j2LB
+OykP1VHt0vdUBCF
GcFkkuMQIHfWaxK70mWN9JPSShNgPPvw4wJBAIVCv4UycKeilO8LsPavNiROvz0w
fJyM
/c8wKYGxthJP6DsVs/uVK5gUM8QMAJ4
+fEw
/45UesHTKxAlqPTQVUF0CQFRF
I5SNjMFs2Is5G5xFW+BjHV8hfRZg5Ez4f1n3T5TQgqelr9kgBPzYf
/9D5GLP
+ikx
pDfgBLcFOCyHiqKb8csCQB6+A
/SracoSaIcBu5NEikpFpf068y785FM2qbo/nBBP
/M8QAgfEbrmOXaBCmMleexmyLmyCNqEBG8Gb6vvLd1I
=
-----END RSA PRIVATE KEY-----
[root@localhost CA]
# openssl req -new -x509 -key private/hunk-ca.key -days 365 -out hunk-ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:etnet
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's
hostname
) []:ca.10fei3.
top
Email Address []:hunkz.gmail.com
|
4、修改openssl.conf
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
[root@localhost CA]
# cd ../tls/
[root@localhost tls]
# vim openssl.cnf
[ CA_default ]
dir
=
/etc/pki/CA
# Where everything is kept
certs = $
dir
/certs
# Where the issued certs are kept
crl_dir = $
dir
/crl
# Where the issued crl are kept
database = $
dir
/index
.txt
# database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $
dir
/newcerts
# default place for new certs.
#certificate = $dir/cacert.pem # The CA certificate
certificate = $
dir
/hunk-ca
.crt
# The CA certificate
serial = $
dir
/serial
# The current serial number
crlnumber = $
dir
/crlnumber
# the current crl number
# must be commented out to leave a V1 CRL
crl = $
dir
/crl
.pem
# The current CRL
private_key = $
dir
/private/hunk-ca
.key
# The private key
RANDFILE = $
dir
/private/
.rand
# private random number file
x509_extensions = usr_cert
# The extentions to add to the cert
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
|
5.dovecot 生成证书请求
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
[root@localhost tmp]
# openssl genrsa 1024 > dovecot.key
Generating RSA private key, 1024 bit long modulus
.............++++++
.......++++++
e is 65537 (0x10001)
[root@localhost tmp]
# openssl req -key dovecot.key -out dovecot.csr
^C
[root@localhost tmp]
# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:etnet
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's
hostname
) []:www.abc.com
Email Address []:hunkz@126.com
Please enter the following
'extra'
attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
6.签名证书
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
[root@localhost tmp]
# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from
/etc/pki/tls/openssl
.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 23 03:29:48 2016 GMT
Not After : Jun 23 03:29:48 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = etnet
organizationalUnitName = IT
commonName = www.abc.com
emailAddress = hunkz@126.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9D:1D:A6:54:5A:A9:55:1A:10:1A:CA:8E:AF:A9:00:82:44:1E:A2:E9
X509v3 Authority Key Identifier:
keyid:A6:85:80:4E:AE:B7:E6:DE:EA:35:88:63:2D:8A:AB:4E:FD:09:D8:3F
Certificate is to be certified
until
Jun 23 03:29:48 2017 GMT (365 days)
Sign the certificate? [y
/n
]:y
1 out of 1 certificate requests certified, commit? [y
/n
]y
Write out database with 1 new entries
Data Base Updated
|
7、有用的文件
|
1
|
dovecot.crt dovecot.key
|
8、用mutt测试证书
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
# mutt -f pops://hunk@10fei3.top@mail.10fei3.top
q:退出 ?:帮助
此证书属于:
www.abc.com hunkz@126.com
etnet
IT
Shanghai CN
此证书发布自:
ca.10fei3.
top
hunkz.gmail.com
etnet
IT
Shanghai Shanghai CN
此证书有效
来自 Thu, 23 Jun 2016 03:29:48 UTC
发往 Fri, 23 Jun 2017 03:29:48 UTC
SHA1 指纹:ACEC 40BC 4101 4E3A 7FB1 D1E0 23C5 7200 5BE9 994E
MD5 指纹:FF9F 4BE0 BB97 CEBF 499B CE5D D4D6 F95D
警告:服务器主机名与证书不匹配
-- Mutt: SSL 证书检查 (检查链中有 1 个证书,共 1 个)
拒绝(r),接受一次(o),总是接受(a)
|
五、文章小结
|
1
2
|
1. ca.10fei3.
top
要能解析到,不然可能有问题。
2. 本文生成ca证书是为了搭建安全的邮件收件服务器。经测试可以访问。
|
本文转自独弹古调 51CTO博客,原文链接:http://blog.51cto.com/hunkz/1793237,如需转载请自行联系原作者
