Building your own CA, issuing certificates and revoking certificates with OpenSSL
2017-07-17 21:33
I. Overview
OpenSSL is a Secure Sockets Layer cryptography library: it bundles the major cryptographic algorithms, the common key and certificate packaging and management functions and the SSL protocol, and ships a rich set of applications for testing and other uses. OpenSSL is an open-source suite made up of three parts: libcrypto, a general-purpose cryptographic library that implements a large number of algorithms; libssl, which implements the SSL mechanism, i.e. the TLS/SSL functionality; and openssl, a multi-purpose command-line tool that can encrypt and decrypt and can even act as a CA, letting you create and revoke certificates.
II. Environment
CentOS 6.9 x86_64 (the host requesting a signature), CentOS 7.3 x86_64 (the host running the private CA), VMware Workstation 12.
III. Procedure
1. Check whether OpenSSL is installed on the host that will run the CA
[root@centos7 ~]# rpm -qa openssl        # check whether openssl is installed
openssl-1.0.1e-60.el7.x86_64
[root@centos7 ~]# rpm -ql openssl        # list the files in the package; several of these directories are used below
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl                          # directory for revoked certificates
/etc/pki/CA/newcerts                     # copies of every certificate the CA has signed (issued); the certificate backup directory
/etc/pki/CA/private                      # holds the CA's private key
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
...(remainder omitted)...
[root@centos7 ~]# yum install openssl -y # install it with this command if it is not installed
2. Create the private CA server
a. Create the files the CA needs (only required the first time the CA is used)
[root@centos7 ~]# touch /etc/pki/CA/index.txt   # create the certificate index database
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial  # set the serial number of the first certificate to be issued
b. Generate the CA's private key
[root@centos7 ~]# cd /etc/pki/CA/   # change into this directory
[root@centos7 CA]# (umask 006; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   # generate the private key
Generating RSA private key, 2048 bit long modulus
.........+++
......................................+++
e is 65537 (0x10001)
[root@centos7 CA]# ls -l private/cakey.pem
-rw-rw----. 1 root root 1675 Jul 17 17:22 cakey.pem
c. Generate the CA's self-signed certificate
[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem   # the CA signs its own certificate
...(prompts omitted)...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.hengxia.top
Email Address []:miouqi@qq.com
[root@centos7 CA]# ls -l
total 12
-rw-r--r--. 1 root root 1403 Jul 17 17:59 cacert.pem
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--. 1 root root    0 Jul 17 16:47 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root   23 Jul 17 17:22 private
-rw-rw----. 1 root root 1675 Jul 17 17:18 privatecakey.pem
-rw-r--r--. 1 root root    3 Jul 17 16:48 serial
3. Issue a certificate
a. On the host that needs the certificate, generate a private key for the web server
[root@centos6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
................................................+++
e is 65537 (0x10001)
b. On the host that needs the certificate, generate a certificate signing request for the web server
[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                       # by default the country must match the CA's
State or Province Name (full name) []:Beijing              # by default the state/province must match the CA's
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt  # by default the organization name must match the CA's
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:*.testweb.com
Email Address []:test@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
c. Send the request file to the CA
[root@centos6 ~]# scp /etc/pki/tls/test.csr 172.16.251.124:/tmp
The authenticity of host '172.16.251.124 (172.16.251.124)' can't be established.
RSA key fingerprint is 8e:d7:ac:fd:71:70:22:e7:ff:98:ed:61:96:85:5f:b7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.251.124' (RSA) to the list of known hosts.
root@172.16.251.124's password:
test.csr                                      100% 1050     1.0KB/s   00:00
d. The CA signs the certificate and issues it to the requester
[root@centos7 ~]# openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 17 11:57:46 2017 GMT
            Not After : Jul 17 11:57:46 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Hxt
            organizationalUnitName    = Ops
            commonName                = *.testweb.com
            emailAddress              = test@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
            X509v3 Authority Key Identifier:
                keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
Certificate is to be certified until Jul 17 11:57:46 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
e. Inspect the information in the certificate
[root@centos7 ~]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=Hxt, OU=Ops, CN=www.hengxia.top/emailAddress=miouqi@qq.com
        Validity
            Not Before: Jul 17 11:57:46 2017 GMT
            Not After : Jul 17 11:57:46 2018 GMT
        Subject: C=CN, ST=Beijing, O=Hxt, OU=Ops, CN=*.testweb.com/emailAddress=test@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:84:72:59:14:c2:00:91:6c:d0:b4:f1:b4:6b:
                    72:bb:a4:05:6c:ae:00:bf:b0:4b:e1:b0:1f:9a:a7:
                    05:68:b7:73:60:ca:f5:95:59:90:cd:a3:ef:da:29:
                    fd:83:5d:fc:bc:53:9d:4b:cb:87:c6:d9:00:1f:36:
                    06:26:a4:15:ac:7f:01:67:4b:60:ee:af:40:30:5c:
                    60:1c:fb:7c:33:8e:aa:45:f7:5b:55:e8:57:07:40:
                    05:ab:4a:9e:25:ec:2c:ce:f3:6d:fb:e9:a2:eb:c0:
                    59:49:84:5f:f7:68:98:16:c2:4e:db:ab:43:50:80:
                    f0:71:f6:d4:9d:57:1b:a4:4d:89:e3:2f:fa:fe:48:
                    5e:da:84:d6:64:64:36:fd:2d:03:38:0e:fe:0d:65:
                    9a:0e:37:66:52:d3:60:ea:5d:dc:5b:36:2c:d1:25:
                    ef:0b:e6:50:5a:81:78:00:b4:f4:c7:68:ca:d1:d0:
                    21:d1:37:49:7a:99:1d:2d:2d:3d:7f:9e:4a:5b:87:
                    83:d6:96:8d:84:d9:88:b7:c0:c9:63:43:4c:06:d9:
                    19:d7:b9:5a:99:8a:7c:1b:52:04:d7:a1:e0:bb:87:
                    bc:bd:77:1c:c9:ea:19:2e:97:f2:86:2c:fe:37:95:
                    1a:df:e1:bb:4a:9e:26:c7:d1:1e:21:d8:1b:cd:ae:
                    8d:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
            X509v3 Authority Key Identifier:
                keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
    Signature Algorithm: sha256WithRSAEncryption
         26:21:51:45:0d:8c:f4:75:25:3e:e2:13:fa:d4:7a:60:ea:ba:
         78:b7:aa:61:57:a5:80:9d:09:95:0a:e8:09:1d:69:20:43:1c:
         ee:54:b2:65:cb:0c:13:5a:e1:59:61:2d:95:ee:c6:09:f3:7d:
         cf:e0:dc:7c:5e:11:22:bc:7b:cc:aa:e5:3e:4a:ed:56:5a:9d:
         8b:8f:9b:6d:34:85:b1:f6:9e:87:07:c4:b0:5a:61:92:ca:30:
         66:29:fb:ea:7d:68:90:ca:30:a9:85:64:8b:90:99:01:7c:27:
         d6:62:c7:de:e0:f8:9d:00:6b:7b:39:d3:01:eb:32:9e:71:89:
         f6:17:d4:7b:08:8f:9d:48:11:e1:c5:91:91:73:fd:f5:19:b6:
         35:a1:15:ad:6c:78:fc:ba:e9:ea:d1:9a:8f:13:8a:bb:ec:cc:
         79:c8:c9:f4:0d:a1:a7:c5:f5:90:e8:3b:46:d2:9f:55:85:41:
         e6:36:8e:fe:3f:59:33:77:37:95:51:2e:68:cd:93:79:fd:11:
         db:71:d0:e7:2c:61:34:bc:db:ef:89:68:f5:ae:42:5f:df:79:
         ed:f7:e5:2f:9a:a7:ef:a9:8b:81:d7:32:21:13:59:91:06:4b:
         8f:65:82:1a:b6:7c:e6:dc:9c:98:b5:dd:79:c7:9e:49:39:1d:
         20:b6:d8:e6
[root@centos7 ~]# openssl ca -status 01   # check the status of the certificate with the given serial number
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
f. The CA sends the signed certificate back to the requester
[root@centos7 ~]# scp /etc/pki/CA/certs/test.crt 172.16.250.164:/tmp
The authenticity of host '172.16.250.164 (172.16.250.164)' can't be established.
RSA key fingerprint is 46:78:bc:dd:e2:7d:a8:b6:b7:f0:60:53:c4:72:30:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.250.164' (RSA) to the list of known hosts.
root@172.16.250.164's password:
test.crt                                      100% 4592     4.5KB/s   00:00
g. The CA deletes the requester's CSR file
[root@centos7 ~]# rm -f /tmp/test.csr
4. Revoke a certificate
a. On the client, obtain the serial of the certificate to be revoked
[root@centos6 ~]# openssl x509 -in /tmp/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Hxt/OU=Ops /CN=www.testweb.com/emailAddress=*.testweb.com
b. On the CA, compare the serial and subject submitted by the client against the entries in index.txt; if they match, revoke the certificate
[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
c. The CA sets the number of the first CRL. Note: this is only needed before the revocation list is generated for the first time
[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber
d. The CA regenerates the certificate revocation list
[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text   # view the CRL file
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=www.hengxia.top/emailAddress=miouqi@qq.com
        Last Update: Jul 17 12:23:07 2017 GMT
        Next Update: Aug 16 12:23:07 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jul 17 12:21:16 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         90:a6:22:84:bf:eb:98:d7:58:bd:22:8d:5c:41:e1:1e:2f:70:
         6c:e2:40:68:ce:c4:06:e1:2d:70:59:98:d9:27:6f:24:d4:63:
         4c:d6:81:25:ab:ac:70:1b:89:65:4c:cc:2e:20:12:66:78:bc:
         3e:60:4f:6d:28:72:53:7f:e0:65:92:c3:86:b2:7c:1f:dc:46:
         2b:f6:ba:c1:2e:73:36:4b:60:08:8f:e1:bb:0d:f9:fe:11:bb:
         8a:4c:92:1f:aa:a8:9f:ec:f6:45:b9:a4:1e:60:ab:70:4e:f9:
         09:23:83:6e:12:ed:42:bd:dd:33:99:e9:ee:a6:44:2b:89:7c:
         60:70:0a:1f:0f:ca:0a:62:5a:b9:5c:f9:ea:46:30:f3:1d:2e:
         a0:89:c1:85:a8:0f:de:3a:3a:0a:1a:c3:76:99:0b:9f:55:d5:
         57:52:65:bc:2e:ff:ee:a6:d0:71:24:02:56:6d:a7:fa:5a:f1:
         88:92:53:35:66:46:ab:59:fa:cf:09:6b:37:b6:39:7a:9d:ba:
         b2:8d:d5:dc:a0:38:39:76:81:85:16:72:22:39:1d:ae:fd:22:
         21:61:00:e9:f2:7e:71:43:e9:a3:f9:44:5b:44:83:a2:1a:82:
         82:8f:e1:0f:f6:57:d5:b4:62:3a:c1:5e:35:21:6f:2f:ff:11:
         fb:98:95:23
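The whole procedure of sections 3 and 4, collapsed into a script that builds a scratch CA in a temporary directory instead of /etc/pki/CA (an added example, not the article's own commands): it writes a minimal openssl.cnf inline, issues a certificate, then uses openssl verify -crl_check to show that the certificate is accepted while its index.txt entry is V and rejected once it has been revoked and the CRL regenerated. The CA name "Demo Lab CA", the host name demo.example.test, the config section names and the function names are assumptions made for this demo.

```shell
# Added example (not the article's own script): scratch CA in a temp directory, placeholder names.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"   # stands in for /etc/pki/CA
ca_setup() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/certs"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    # Minimal stand-in for /etc/pki/tls/openssl.cnf: same directory layout, a policy that only requires commonName
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_demo
[ policy_demo ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -config "$CA_DIR/openssl.cnf" -subj "/CN=Demo Lab CA" \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
}
issue_cert() {  # $1 = host name (placeholder); key + CSR as on the web server, then signing by the CA
    openssl genrsa -out "$CA_DIR/private/$1.key" 2048 2>/dev/null
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/$1.key" -subj "/CN=$1" -out "$CA_DIR/$1.csr"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$CA_DIR/$1.csr" -out "$CA_DIR/certs/$1.crt" 2>/dev/null
}
revoke_cert() { openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/certs/$1.crt" 2>/dev/null; }  # index entry -> R
gen_crl()     { openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null; }
index_status() { cut -f1 "$CA_DIR/index.txt" | tail -n 1; }   # V = valid, R = revoked (what openssl ca -status reads)
verify_with_crl() {  # $1 = host name; succeeds only if the cert chains to the CA and is absent from the CRL
    cat "$CA_DIR/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/ca_with_crl.pem"
    openssl verify -crl_check -CAfile "$CA_DIR/ca_with_crl.pem" "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}
```

Run the functions in order (ca_setup, issue_cert demo.example.test, gen_crl, verify_with_crl, revoke_cert, gen_crl, verify_with_crl): the last call fails with "certificate revoked", which is the check a client performs against the CRL produced in step 4d.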
IV. Notes
1. Breakdown of the CA self-signing command: openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: used only when the CA generates a self-signed certificate
-key: the private key file used to generate the request
-days n: the certificate's validity period in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate
2. The CA's configuration file is /etc/pki/tls/openssl.cnf. For example, the CA's three policy settings, match, supplied and optional, are configured there: match means the value in the request must be identical to the CA's setting, supplied means the field must be filled in, and optional means the field may be present or absent.