
Building a private CA with OpenSSL: issuing and revoking certificates

2017-07-17 21:33, 726 views

I. Lab overview

OpenSSL is a Secure Sockets Layer cryptographic library. It contains the major cryptographic algorithms, the commonly used key and certificate packaging and management functions, and the SSL protocol, and it ships a rich set of applications for testing and other purposes.

OpenSSL is an open-source suite made up of three parts: libcrypto, a general-purpose cryptographic library that implements a large number of cryptographic algorithms; libssl, which implements the SSL mechanism, i.e. the TLS/SSL functionality; and openssl, a multi-purpose command-line tool that can encrypt and decrypt and can even act as a CA, letting you create and revoke certificates.

II. Lab environment

CentOS 6.9 x86_64 (the machine requesting the signature), CentOS 7.3 x86_64 (the machine running the private CA), VMware Workstation 12.

III. Procedure

1. Check whether OpenSSL is installed on the host that will run the CA

[root@centos7 ~]# rpm -qa openssl  # check whether openssl is installed
openssl-1.0.1e-60.el7.x86_64
[root@centos7 ~]# rpm -ql openssl  # list the files in the openssl package; some of the directories below are used later
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl    # directory for revoked-certificate lists (CRLs)
/etc/pki/CA/newcerts # copies of every certificate the CA has signed (issued); the certificate backup directory
/etc/pki/CA/private  # holds the CA's private key
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
...(remaining output omitted)...
[root@centos7 ~]# yum install openssl -y  # install it with this command if it is not present


2. Create the private CA server

a. Create the files the CA needs (only required the first time the CA is used)

[root@centos7 ~]# touch /etc/pki/CA/index.txt   # create the certificate index database
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial  # set the serial number of the first certificate to be issued


b. Generate the CA's private key

[root@centos7 ~]# cd /etc/pki/CA/  # change to the CA directory
[root@centos7 CA]# (umask 006; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)  # generate the private key
Generating RSA private key, 2048 bit long modulus
.........+++
......................................+++
e is 65537 (0x10001)
[root@centos7 CA]# ls -l private/cakey.pem
-rw-rw----. 1 root root 1675 Jul 17 17:22 cakey.pem


c. Generate the CA's self-signed certificate

[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem   # the CA signs its own certificate
...(prompt text omitted)...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.hengxia.top
Email Address []:miouqi@qq.com
[root@centos7 CA]# ls -l
total 12
-rw-r--r--. 1 root root 1403 Jul 17 17:59 cacert.pem
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--. 1 root root    0 Jul 17 16:47 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root   23 Jul 17 17:22 private
-rw-rw----. 1 root root 1675 Jul 17 17:18 privatecakey.pem
-rw-r--r--. 1 root root    3 Jul 17 16:48 serial


3. Issue a certificate

a. On the host that needs the certificate, generate a private key for the web server

[root@centos6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
................................................+++
e is 65537 (0x10001)


b. On the host that needs the certificate, generate a certificate signing request (CSR) for the web server

[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # under the default policy the country must match the CA's
State or Province Name (full name) []:Beijing  # under the default policy the province must match the CA's
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt # under the default policy the organization name must match the CA's
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:*.testweb.com
Email Address []:test@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


c. Send the CSR file to the CA

[root@centos6 ~]# scp /etc/pki/tls/test.csr 172.16.251.124:/tmp
The authenticity of host '172.16.251.124 (172.16.251.124)' can't be established.
RSA key fingerprint is 8e:d7:ac:fd:71:70:22:e7:ff:98:ed:61:96:85:5f:b7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.251.124' (RSA) to the list of known hosts.
root@172.16.251.124's password:
test.csr                                          100% 1050     1.0KB/s   00:00


d. The CA signs the certificate and issues it to the requester

[root@centos7 ~]# openssl ca -in  /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 17 11:57:46 2017 GMT
Not After : Jul 17 11:57:46 2018 GMT
Subject:
countryName               = CN
stateOrProvinceName       = Beijing
organizationName          = Hxt
organizationalUnitName    = Ops
commonName                = *.testweb.com
emailAddress              = test@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
X509v3 Authority Key Identifier:
keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
Certificate is to be certified until Jul 17 11:57:46 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


e. View the information in the certificate

[root@centos7 ~]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=Hxt, OU=Ops, CN=www.hengxia.top/emailAddress=miouqi@qq.com
Validity
Not Before: Jul 17 11:57:46 2017 GMT
Not After : Jul 17 11:57:46 2018 GMT
Subject: C=CN, ST=Beijing, O=Hxt, OU=Ops ,
CN=*.testweb.com/emailAddress=test@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e3:84:72:59:14:c2:00:91:6c:d0:b4:f1:b4:6b:
72:bb:a4:05:6c:ae:00:bf:b0:4b:e1:b0:1f:9a:a7:
05:68:b7:73:60:ca:f5:95:59:90:cd:a3:ef:da:29:
fd:83:5d:fc:bc:53:9d:4b:cb:87:c6:d9:00:1f:36:
06:26:a4:15:ac:7f:01:67:4b:60:ee:af:40:30:5c:
60:1c:fb:7c:33:8e:aa:45:f7:5b:55:e8:57:07:40:
05:ab:4a:9e:25:ec:2c:ce:f3:6d:fb:e9:a2:eb:c0:
59:49:84:5f:f7:68:98:16:c2:4e:db:ab:43:50:80:
f0:71:f6:d4:9d:57:1b:a4:4d:89:e3:2f:fa:fe:48:
5e:da:84:d6:64:64:36:fd:2d:03:38:0e:fe:0d:65:
9a:0e:37:66:52:d3:60:ea:5d:dc:5b:36:2c:d1:25:
ef:0b:e6:50:5a:81:78:00:b4:f4:c7:68:ca:d1:d0:
21:d1:37:49:7a:99:1d:2d:2d:3d:7f:9e:4a:5b:87:
83:d6:96:8d:84:d9:88:b7:c0:c9:63:43:4c:06:d9:
19:d7:b9:5a:99:8a:7c:1b:52:04:d7:a1:e0:bb:87:
bc:bd:77:1c:c9:ea:19:2e:97:f2:86:2c:fe:37:95:
1a:df:e1:bb:4a:9e:26:c7:d1:1e:21:d8:1b:cd:ae:
8d:11
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
X509v3 Authority Key Identifier:
keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8

Signature Algorithm: sha256WithRSAEncryption
26:21:51:45:0d:8c:f4:75:25:3e:e2:13:fa:d4:7a:60:ea:ba:
78:b7:aa:61:57:a5:80:9d:09:95:0a:e8:09:1d:69:20:43:1c:
ee:54:b2:65:cb:0c:13:5a:e1:59:61:2d:95:ee:c6:09:f3:7d:
cf:e0:dc:7c:5e:11:22:bc:7b:cc:aa:e5:3e:4a:ed:56:5a:9d:
8b:8f:9b:6d:34:85:b1:f6:9e:87:07:c4:b0:5a:61:92:ca:30:
66:29:fb:ea:7d:68:90:ca:30:a9:85:64:8b:90:99:01:7c:27:
d6:62:c7:de:e0:f8:9d:00:6b:7b:39:d3:01:eb:32:9e:71:89:
f6:17:d4:7b:08:8f:9d:48:11:e1:c5:91:91:73:fd:f5:19:b6:
35:a1:15:ad:6c:78:fc:ba:e9:ea:d1:9a:8f:13:8a:bb:ec:cc:
79:c8:c9:f4:0d:a1:a7:c5:f5:90:e8:3b:46:d2:9f:55:85:41:
e6:36:8e:fe:3f:59:33:77:37:95:51:2e:68:cd:93:79:fd:11:
db:71:d0:e7:2c:61:34:bc:db:ef:89:68:f5:ae:42:5f:df:79:
ed:f7:e5:2f:9a:a7:ef:a9:8b:81:d7:32:21:13:59:91:06:4b:
8f:65:82:1a:b6:7c:e6:dc:9c:98:b5:dd:79:c7:9e:49:39:1d:
20:b6:d8:e6
[root@centos7 ~]# openssl ca -status 01 # check the status of the certificate with this serial number
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)


f. The CA sends the signed certificate back to the requester

[root@centos7 ~]# scp /etc/pki/CA/certs/test.crt 172.16.250.164:/tmp
The authenticity of host '172.16.250.164 (172.16.250.164)' can't be established.
RSA key fingerprint is 46:78:bc:dd:e2:7d:a8:b6:b7:f0:60:53:c4:72:30:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.250.164' (RSA) to the list of known hosts.
root@172.16.250.164's password:
test.crt                                          100% 4592     4.5KB/s   00:00


g. The CA deletes the requester's CSR file

[root@centos7 ~]# rm  -f /tmp/test.csr


4. Revoke a certificate

a. On the client, obtain the serial number of the certificate to be revoked

[root@centos6 ~]# openssl x509 -in /tmp/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Hxt/OU=Ops /CN=www.testweb.com/emailAddress=*.testweb.com


b. On the CA, compare the serial and subject submitted by the client against the entry in index.txt; if they match, revoke the certificate

[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
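The comparison in this step, as an added shell example that is not from the original post: it validates a revocation request (serial plus subject, as printed by `openssl x509 -serial -subject`) against the CA's index.txt before anything is revoked, refusing unknown serials, already-revoked serials and subjects that do not match the database entry. The sample index.txt, its serials and subjects are constructed for the example; the only real thing is the column layout `openssl ca` writes (status, expiry, revocation date, serial, file name, subject), which is also what `openssl ca -status` reads.

```shell
#!/bin/sh
# Added example (not from the original post). Validates a revocation request
# against the CA database before revoking, as step b above describes.
# index.txt columns (tab separated): status (V/R/E), expiry (YYMMDDHHMMSSZ),
# revocation date (empty while valid), serial, cert file name, subject.
set -eu

# Constructed sample database for the example; the entries are made up.
write_sample_index() {
  printf 'V\t180717115746Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=*.testweb.com/emailAddress=test@qq.com\n'  > "$1"
  printf 'V\t180717120000Z\t\t02\tunknown\t/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=mail.testweb.com\n' >> "$1"
  printf 'R\t180717120500Z\t170717122116Z\t03\tunknown\t/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=old.testweb.com\n' >> "$1"
}

# check_revoke_request INDEX SERIAL SUBJECT
# Exit 0 and print "ok: ..." only when the serial exists, is still valid and
# belongs to the subject the requester named; otherwise print the refusal
# reason and exit 1 (never issued), 2 (already revoked) or 3 (subject mismatch).
# Serials are compared as strings, so "1" does not match the database's "01".
check_revoke_request() {
  awk -F '\t' -v s="$2" -v subj="$3" '
    $4 == (s "") {
      found = 1
      if ($1 == "R")  { print "refuse: serial " s " was already revoked on " $3; exit 2 }
      if ($6 != subj) { print "refuse: serial " s " belongs to " $6 ", not to " subj; exit 3 }
      print "ok: serial " s " (" $6 ") may be revoked"; exit 0
    }
    END { if (!found) { print "refuse: serial " s " was never issued by this CA"; exit 1 } }
  ' "$1"
}

# Stand-alone demo: one request of each kind against the sample database.
INDEX_FILE=$(mktemp)
write_sample_index "$INDEX_FILE"
SUBJ='/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=*.testweb.com/emailAddress=test@qq.com'
check_revoke_request "$INDEX_FILE" 01 "$SUBJ" || true   # ok
check_revoke_request "$INDEX_FILE" 02 "$SUBJ" || true   # subject mismatch
check_revoke_request "$INDEX_FILE" 03 "$SUBJ" || true   # already revoked
check_revoke_request "$INDEX_FILE" 09 "$SUBJ" || true   # never issued
```

index.txt stores the subject in the slash-separated "oneline" form shown above; OpenSSL 1.0.x's `openssl x509 -subject` prints the same form, while 1.1 and later default to the comma-separated form, so on newer versions add `-nameopt compat` to the x509 command before comparing.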


c. On the CA, set the number of the first CRL. Note: this is only required before the CRL is generated for the first time

[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber


d. The CA regenerates the certificate revocation list (CRL)

[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text # view the CRL file
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=www.hengxia.top/emailAddress=miouqi@qq.com
Last Update: Jul 17 12:23:07 2017 GMT
Next Update: Aug 16 12:23:07 2017 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Jul 17 12:21:16 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
90:a6:22:84:bf:eb:98:d7:58:bd:22:8d:5c:41:e1:1e:2f:70:
6c:e2:40:68:ce:c4:06:e1:2d:70:59:98:d9:27:6f:24:d4:63:
4c:d6:81:25:ab:ac:70:1b:89:65:4c:cc:2e:20:12:66:78:bc:
3e:60:4f:6d:28:72:53:7f:e0:65:92:c3:86:b2:7c:1f:dc:46:
2b:f6:ba:c1:2e:73:36:4b:60:08:8f:e1:bb:0d:f9:fe:11:bb:
8a:4c:92:1f:aa:a8:9f:ec:f6:45:b9:a4:1e:60:ab:70:4e:f9:
09:23:83:6e:12:ed:42:bd:dd:33:99:e9:ee:a6:44:2b:89:7c:
60:70:0a:1f:0f:ca:0a:62:5a:b9:5c:f9:ea:46:30:f3:1d:2e:
a0:89:c1:85:a8:0f:de:3a:3a:0a:1a:c3:76:99:0b:9f:55:d5:
57:52:65:bc:2e:ff:ee:a6:d0:71:24:02:56:6d:a7:fa:5a:f1:
88:92:53:35:66:46:ab:59:fa:cf:09:6b:37:b6:39:7a:9d:ba:
b2:8d:d5:dc:a0:38:39:76:81:85:16:72:22:39:1d:ae:fd:22:
21:61:00:e9:f2:7e:71:43:e9:a3:f9:44:5b:44:83:a2:1a:82:
82:8f:e1:0f:f6:57:d5:b4:62:3a:c1:5e:35:21:6f:2f:ff:11:
fb:98:95:23


IV. Notes

1. Breakdown of the CA self-signing command: openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request

-x509: used by the CA to produce a self-signed certificate instead of a request

-key: the private key file used when generating the request

-days n: validity period of the certificate, in days

-out /PATH/TO/SOMECERTFILE: where to save the certificate

2. The CA's configuration file is /etc/pki/tls/openssl.cnf. For example, the CA's three policy values, match, supplied and optional, are set there: match means the value the requester fills in must be identical to the CA's own; supplied means the field must be filled in; optional means the field may be present or absent.
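Sections 2 to 4 and the policy note above, condensed into one added shell script that is not from the original post: it builds a throw-away CA in a temporary directory, issues a server certificate from a CSR, submits a second CSR whose organizationName differs from the CA's so the match policy refuses it, revokes the first certificate, regenerates the CRL, and checks the certificate against CA and CRL the way a relying party would. It needs only the openssl command-line tool and POSIX utilities; every path, file name, DN and the minimal openssl.cnf it writes are constructed for the example (the C/ST/O values reuse the post's, the CNs are made up).

```shell
#!/bin/sh
# Added example (not from the original post): sections 2-4 as a script against a
# throw-away CA in a temporary directory, plus a CSR that violates the "match"
# policy from the notes. Needs only the openssl CLI and POSIX tools; all paths,
# names, DNs and the minimal openssl.cnf are constructed for this example.
set -eu

# Minimal openssl.cnf; [ policy_match ] is the match/supplied/optional policy.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
x509_extensions  = v3_server
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Section 2: directory layout, index/serial/crlnumber files, CA key, self-signed
# certificate, and an initial (empty) CRL so relying parties have one to consult.
setup_ca() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  write_ca_config "$1"
  # umask 077: key readable by its owner only (the post's 006 leaves it group-readable)
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca -days 3650 \
    -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
    -subj "/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=Example Private CA"
  gen_crl "$1"
}

# Section 3: server key, CSR and CA signature. The CSR gets no -days (req ignores it
# without -x509; the CA sets validity at signing). Non-zero if the CA refuses the CSR.
issue_cert() {  # issue_cert CADIR SUBJECT NAME
  [ -f "$1/private/$3.key" ] || (umask 077; openssl genrsa -out "$1/private/$3.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$1/private/$3.key" -subj "$2" -out "$1/$3.csr"
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$3.csr" -out "$1/certs/$3.crt"
}

gen_crl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem"; }

# Section 4: revoke via the CA's own copy under newcerts/<serial>.pem, then regenerate the CRL.
revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem"; gen_crl "$1"; }

# Status column of index.txt for a serial (V valid, R revoked): what `openssl ca -status` reports.
index_status() { awk -F '\t' -v s="$2" '$4 == s "" { print $1 }' "$1/index.txt"; }

# Relying-party view: chain check plus CRL check. -CAfile accepts a PEM file holding
# both the CA certificate and its CRL, so the two are concatenated into one.
leaf_status() {  # prints valid, revoked, or the verifier's complaint
  cat "$1/cacert.pem" "$1/crl/crl.pem" > "$1/trust.pem"
  out=$(openssl verify -CAfile "$1/trust.pem" -crl_check "$1/certs/$2.crt" 2>&1) || true
  case "$out" in
    *": OK"*)                echo valid ;;
    *"certificate revoked"*) echo revoked ;;
    *)                       echo "invalid: $out" ;;
  esac
}

# Stand-alone run of the whole lifecycle.
CA_DIR=$(mktemp -d)
setup_ca "$CA_DIR"
issue_cert "$CA_DIR" "/C=CN/ST=Beijing/O=Hxt/OU=Ops/CN=www.example.test" server
STATUS_BEFORE=$(leaf_status "$CA_DIR" server)
if issue_cert "$CA_DIR" "/C=CN/ST=Beijing/O=Other/CN=www.example.test" rogue 2>/dev/null
then POLICY_RESULT=accepted; else POLICY_RESULT=rejected; fi
revoke_cert "$CA_DIR" 01
STATUS_AFTER=$(leaf_status "$CA_DIR" server)
echo "index: $(index_status "$CA_DIR" 01); before: $STATUS_BEFORE; O=Other: $POLICY_RESULT; after: $STATUS_AFTER"
```

Two design points differ deliberately from the walkthrough: `-batch` replaces the interactive "Sign the certificate?" prompts, and the relying-party check uses `openssl verify -crl_check` rather than only `openssl ca -status`, because the CA's own database says what the CA thinks, while the CRL is the only thing a client ever sees. The CA certificate carries an explicit basicConstraints CA:TRUE and keyUsage with keyCertSign and cRLSign, which `openssl verify` requires before it accepts a v3 root or the CRL that root signed.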
