Linux系统搭建私有CA证书服务器
一、CA简介
CA是什么?CA是Certificate Authority的简写,从字面意思翻译过来是凭证管理中心,认证授权。它有点类似我们生活中的身份证颁发机构,这里的CA就相当于生活中颁发身份证的机构。不同于生活中的颁发机构,这里的CA是给服务器颁发证书。颁发证书的目的同生活中的办理身份证的目的类似,都是为了证明一件事,生活中的身份证可以证明我们是一个合法的公民,而服务器颁发证书的目的也是证明我们服务是一个合法的服务器,换句话说就是有了证书我们就可以清楚知道我们访问的服务器到底是不是我们真正想访问的服务器。从而识别我们访问的服务器的真假。
二、中间人攻击原理
如上图所示,我们在和对方服务器通信的过程,存在着中间人攻击的情况。所谓中间人攻击,就是攻击者站在通讯双方的中间,对于客户端它充当着服务器的角色,对于服务器端它又充当着客户端的角色。简单说它就是两边欺骗。当我们向服务器发起通信请求时,中间人会截获我们发向服务器端的报文,从而进行修改,然后把修改后的报文发送给服务端,服务端收到中间人篡改的数据报文,进行响应,把响应报文发送给中间人,然后中间人再发给客户端。这样一个过程就是中间人攻击的过程。可以看到客户端服务端双方直接通信是不安全的。如上图所示,通信双方交换密钥,直接交换就存在中间人欺骗,因为我们不能够确定远端服务器的真伪和客户端的真伪。为了解决这一问题,由此衍生出CA。CA在这里的充当的角色相当于中间人角色,不同的是CA是一个权威的中间人。它可以证明客户端和服务端的真伪。
三、加密解密以及获取公钥过程
众所周知常用的加密方式有三种,单向加密,对称加密,和非对称加密。单向加密从字面意思理解就是一方加密,在加密过程中不使用密钥,我们把单向加密也叫不可逆加密,通常用于验证文件的真假,或者验证文件是否改动,从而验证文件的完整性。常用的单向加密算法有md5,sha。对称加密讲的是加密和解密用的同一密钥。换句话说对称加密只有一个密钥,只要拿到对应的密钥就可以解密。常用的对称加密有des。非对称加密讲的是公钥加密私钥解密,私钥加密公钥解密,且公钥和私钥是一对,加密解密都需要的是一对密钥里的任意一个。这种加密比前两种更加安全和适用,缺点是加解密大文件速度慢。
了解了非对称加密的特性,我们再来说说它的过程。通信双方要进行非对称加密通信,前提是需要拿到对方的公钥,私钥放在各自手里,各自的公钥则存放在对方的手上。换句话讲,客户端需要拿到服务端的公钥,才能和服务端通信,服务端需要拿到客户端的公钥,才能主动和客户端通信。从而才可以实现非对称加密通信。那么客户端怎么得到服务端的公钥呢?如果客户端直接向服务端发送公钥,上面我们说过,这种方式存在中间人攻击,因为直接交换公钥是不都能确定对方身份的。这个时候就需要说说CA证书的作用了。
证书里面存放了申请证书机构服务器的公钥和CA的信息以及有效期。通讯双方在建立加密通信的时候,需要验证证书的合法性,从而实现验证身份的目的。通常情况我们要验证证书的合法性就需要证书颁发机构的公钥来对证书解密,因为证书在颁发的时候,里面的公钥是通过颁发机构的私钥对其进行加密的。只要我们能够用颁发机构的公钥解开证书,那么就说明这个证书就是一个合法的证书,至少它证明了这个证书是权威机构(我们信任的)CA颁发的。同理通信双方要进行加密通信也是通过证书来获取密钥的。具体过程是这样的,客户端向服务端发起通信请求,服务端发送证书给客户端,客户端拿到证书进行解密,如果能够用信任CA机构的公钥解开,说明服务器发送过来的证书没有问题,然后把服务端公钥给存起来。客户端有了服务端的公钥后就可以向服务端发送用服务端的公钥加密的数据了,但是服务端没有客户端的公钥,它不能够用自己的私钥来加密数据发送给客户端,因为它的公钥是公开的,不光客户端上有服务端的公钥,中间人也有。所以为了确保数据的安全,客户端需要随机生成一个密码,然后通过服务器的公钥,把随机生成的密码加密后发送给服务端,服务端收到客户端发来的加密数据后,用自己的私钥解开,从而拿到客户端发来的随机密码,有了这个随机密码后,服务端就拿这个随机密码对称加密数据,然后发送给客户端。客户端收到服务端发送过来的加密报文,用刚才发送给服务端的随机密码解密,从而得到真正的数据。后续双方就是通过这个随机密码来加密解密传输数据。这里还需要说明的是,这个随机密码不是一直不变的,每隔一段时间后,客户端和服务端就会协商,重复上面的过程,生成新的随机密码进行加密解密通信。
从上面的通信过程我们可以知道,证书的作用就是为了验证其服务器的真实合法性,以及传输服务端的公钥的作用。而服务器的公钥就是用来客户端向服务端发送随机密码,用来加密随机密码的作用,从而实现,只有服务端可以拿到这个随机密码的作用,实现安全加密通信。
四、CA服务器的实现
1、安装openssl软件
[ ~]# yum install openssl -y
说明:通常情况下openssl是系统默认安装的有,如果没有需要安装。
2、查看配置文件,以及匹配策略
[ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to ‘no‘ to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_ext default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use SHA-256 by default preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the ‘anything‘ policy # At this point in time, you must list all acceptable ‘object‘ # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional ####################################################################
说明:可看到openssl默认配置里面指定了证书存放相关文件的路径,和CA默认匹配策略,其中国家名称、省州名称、组织名称是必须同CA设置的信息一致,当然这些匹配是否和CA设置的一样,是通过配置文件来判断的可自行设置。通用名称是必须要填写的,其他都是可选。
3、创建CA自签名证书
3.1、生成私钥
[ ~]# cd /etc/pki/CA/ [ CA]# tree . ├── certs ├── crl ├── newcerts └── private 4 directories, 0 files [ CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ..............................+++ ............+++ e is 65537 (0x10001) [ CA]# tree . ├── certs ├── crl ├── newcerts └── private └── cakey.pem 4 directories, 1 file [ CA]# cat private/cakey.pem -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAmM8gDY90zksYI2myhqsGgMBGAPnlLbIBwiqYnte2PJZRnEJv aYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6JaAp/eMZcqzYVU2a6VhxPQLBP3 5dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4F3gP79hz/JxwK0yShlIGCnPP cCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m2OesiDW1LFPrvotRo+aBwexI 1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0FyZGS1ZP/+Jf1ZfbvL2w9kcmlQ 0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QIDAQABAoIBADUWQBx16i6BCDHF VrBSWkAAjFFqf6QQY2wBQGRurHEAB/oxWmNeEFk9R3cDDur08vSuDP/Fid7r0vul jZCfHVuiW4Lt51NzIPulhoTZkjkLORcXGNhSOpoBsKxS2u8BsrkoXB7GMn3yHHB2 E6PIwfYqksYUf/TjTehEsPNZ9s2Sx/ioscHfnIRd7Uct0Gu5mI5C6qP/7BhEyNRb bnFGGB0dSFDtFPqGUIfTeWApJUH1/vUTUXrrZLH4FEubMuf4k0ZIV3cGyvdZVVQ+ iyoWTTetPOhFbRMnKtqgJ+yVhck7uEAgIB/JrMI3x768JoJpyAgxGlZFmxS86mdr TzDzZcECgYEAxwv/Jcrb3E5gGC77qSEWlq+IVomAgHRVU4M81byw6YV7wAssW10t X8pm84H3G8yJMuxGYdHdXpl9PzxwXaS7Qh82uZVQbGALiWyhHloEIoI+oH9pGtXf uWqQKmrYURtq8AoULhALn03zCjJINGfY9/WlYX6qi32UpnKg6snmDD8CgYEAxIhA u+By9YazW/YVgEHoh5UmWL0yfX8rBEn1fRwwhjfhQtfs50zoL83SVKpKY8VtfR/r /YcIaWx8+R5g+g/aAYDeKHO1x+uW2yqWMdXjdkY/kzoM0G7gPvSC7F3vr6dWuHUC 6v4839EElIKHyCK0NMumnPvoUUDrbP1YlJ1cLs8CgYBsGU/QLoOI+eemOp3iFF44 J8xbcwGewY81c6iuS3Oo3x1+BpNoawohY8LVrFePeV1pkngG1/rpTWJ/3UsJEFXC a0FFOJocwWyCjcRSv4BPXXy1nXxvXofKIt14q94e7kz9X/vlqEEnmyXK+9PK4jsr LvVKJYhpiSIZ41cRK+UL8QKBgF0S3f1b3XWTtkt97k7QZ8wWAZQS/d9bI0cjs4Pt nrlhq2eZlNMxo+BHzC1WfGZlsGWKgZuOoJg0zba5AVpLuYXuvsdPjS5Bzy66K2ks j02LFT6nRjxL1h1adMp17jY0vKgcmiYqAzBH77BZZO6OKOO78orz7eDVKulxzcqL /4UXAoGAKk1Yfa8ZVJGlzjZHl/imvce2B+78ALJItw8hUAOxjU3780vzuppyG5o/ Zg25XbW9FbOUXt+8Tyd3/yFBBGdZ1OvL9YSngtGyLX7X3aWbg9xwR7fz8bheI+J7 QcLouNuHoUis+3EHbQIcQM9CTrP7sjFMM2LxPzxz7qPuV0ru2bg= -----END RSA PRIVATE KEY----- [ CA]#
说明:为了创建的私钥的安全,建议把其权限修改成600。当然创建私钥的时候也可以用对称加密算法对其私钥加密,这样更加安全。需要注意的是加密后的私钥,我们要用的时候就需要对其输入对称加密的口令。如果需要把私钥用对称加密算法加密,需要指定其加密算法即可。生成的私钥名称必须同配置文件中的名称相同。
3.2、签发自签名证书
[ CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SICHUAN Locality Name (eg, city) [Default City]:GUANGYUAN Organization Name (eg, company) [Default Company Ltd]:TEST Organizational Unit Name (eg, section) []:DEVOPS Common Name (eg, your name or your server‘s hostname) []:ca.test.com Email Address []: [ CA]# tree . ├── cacert.pem ├── certs ├── crl ├── newcerts └── private └── cakey.pem 4 directories, 2 files [ CA]# cat cacert.pem -----BEGIN CERTIFICATE----- MIIDpTCCAo2gAwIBAgIJANCoyQ6AYK/SMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV BAYTAkNOMRAwDgYDVQQIDAdTSUNIVUFOMRIwEAYDVQQHDAlHVUFOR1lVQU4xDTAL BgNVBAoMBFRFU1QxDzANBgNVBAsMBkRFVk9QUzEUMBIGA1UEAwwLY2EudGVzdC5j b20wHhcNMjAwMTI5MTAzNjM2WhcNMjIxMDI1MTAzNjM2WjBpMQswCQYDVQQGEwJD TjEQMA4GA1UECAwHU0lDSFVBTjESMBAGA1UEBwwJR1VBTkdZVUFOMQ0wCwYDVQQK DARURVNUMQ8wDQYDVQQLDAZERVZPUFMxFDASBgNVBAMMC2NhLnRlc3QuY29tMIIB IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmM8gDY90zksYI2myhqsGgMBG APnlLbIBwiqYnte2PJZRnEJvaYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6Ja Ap/eMZcqzYVU2a6VhxPQLBP35dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4 F3gP79hz/JxwK0yShlIGCnPPcCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m 2OesiDW1LFPrvotRo+aBwexI1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0Fy ZGS1ZP/+Jf1ZfbvL2w9kcmlQ0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QID AQABo1AwTjAdBgNVHQ4EFgQUQ/0tcuVAvzoOA13SD2x8W9Brx0EwHwYDVR0jBBgw FoAUQ/0tcuVAvzoOA13SD2x8W9Brx0EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B AQsFAAOCAQEAAl/gUsSCgKjeSq5K2TyLc3VUP2KN1m+Wu9qWKAgXiaMxY8iWj3I8 AxfNkTAqNGz66BpXh9G4hDL844spvnomjdUbCufFlNLnrkxCIyWPNVKk69fCa61T ANzgvTbIfh/xfdfyctZpU3q9Ptcra9ksYUg7mY7209xJ+emqsBnKwYKigCCrQTT3 dxvRHFOV3Z0wJgHCtTetMI25OcpEXk3Tk75k+ayEmiTdMp2Zdk00qmOtZfCmtHO9 KdHVTAOCAOaQtd4aOZMsgADBWXVP2NPmosUm2onvrKTFB6tYXXhj5j6tPVFunCZE R2w2VMa+Q+Pgmmt5AeqoALQaBdR31IFj0Q== -----END CERTIFICATE----- [ CA]#
说明:颁发的证书默认是没法用cat命令来查看证书里面的信息的,我们可以通过把证书导出到windows上查看,也可以通过openssl来查看。ca的私钥和证书存放路径需要参考其配置文件中的定义来指定存放。
在windows上查看办法的证书
说明:在Windows上查看,需要把其后缀更改为.crt才可以双击查看。之所以它提示我们说此CA根目录证书不受信用,是因为windows上没有将其证书导入,没有改根CA的信息。默认情况下,Windows里面内置了一些权威CA的证书,所以我们在权威的CA下申请的证书,放在windows上就不会报不信任的CA证书了。
用openssl查看证书
[ CA]# openssl x509 -in cacert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: d0:a8:c9:0e:80:60:af:d2 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com Validity Not Before: Jan 29 10:36:36 2020 GMT Not After : Oct 25 10:36:36 2022 GMT Subject: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:98:cf:20:0d:8f:74:ce:4b:18:23:69:b2:86:ab: 06:80:c0:46:00:f9:e5:2d:b2:01:c2:2a:98:9e:d7: b6:3c:96:51:9c:42:6f:69:84:73:0a:0c:3d:c1:27: 1a:f6:82:39:ad:41:ae:d7:02:ce:93:c3:65:02:41: 3a:5b:88:57:bb:a2:5a:02:9f:de:31:97:2a:cd:85: 54:d9:ae:95:87:13:d0:2c:13:f7:e5:db:df:65:3e: 2f:a6:ce:f7:ec:e4:7e:97:c8:1c:25:15:f6:54:f7: 1f:26:e3:14:fa:be:0a:6c:14:f8:17:78:0f:ef:d8: 73:fc:9c:70:2b:4c:92:86:52:06:0a:73:cf:70:22: b9:c5:2e:a3:28:11:f7:7b:37:4b:b1:1c:b4:64:24: 54:c1:7f:a2:be:50:09:f3:32:7f:6d:5e:26:d8:e7: ac:88:35:b5:2c:53:eb:be:8b:51:a3:e6:81:c1:ec: 48:d6:f9:34:d5:8c:30:d7:1f:c3:52:7c:62:60:2a: ce:3d:2d:15:df:05:a9:49:2e:ab:da:a5:d5:bf:41: 72:64:64:b5:64:ff:fe:25:fd:59:7d:bb:cb:db:0f: 64:72:69:50:d3:06:9d:1e:4c:77:33:81:c9:ca:f5: a2:9c:e1:29:32:ca:d3:af:7a:7d:44:ae:bb:a0:db: 38:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41 X509v3 Authority Key Identifier: keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 02:5f:e0:52:c4:82:80:a8:de:4a:ae:4a:d9:3c:8b:73:75:54: 3f:62:8d:d6:6f:96:bb:da:96:28:08:17:89:a3:31:63:c8:96: 8f:72:3c:03:17:cd:91:30:2a:34:6c:fa:e8:1a:57:87:d1:b8: 84:32:fc:e3:8b:29:be:7a:26:8d:d5:1b:0a:e7:c5:94:d2:e7: ae:4c:42:23:25:8f:35:52:a4:eb:d7:c2:6b:ad:53:00:dc:e0: bd:36:c8:7e:1f:f1:7d:d7:f2:72:d6:69:53:7a:bd:3e:d7:2b: 6b:d9:2c:61:48:3b:99:8e:f6:d3:dc:49:f9:e9:aa:b0:19:ca: c1:82:a2:80:20:ab:41:34:f7:77:1b:d1:1c:53:95:dd:9d:30: 26:01:c2:b5:37:ad:30:8d:b9:39:ca:44:5e:4d:d3:93:be:64: f9:ac:84:9a:24:dd:32:9d:99:76:4d:34:aa:63:ad:65:f0:a6: b4:73:bd:29:d1:d5:4c:03:82:00:e6:90:b5:de:1a:39:93:2c: 80:00:c1:59:75:4f:d8:d3:e6:a2:c5:26:da:89:ef:ac:a4:c5: 07:ab:58:5d:78:63:e6:3e:ad:3d:51:6e:9c:26:44:47:6c:36: 54:c6:be:43:e3:e0:9a:6b:79:01:ea:a8:00:b4:1a:05:d4:77: d4:81:63:d1 [ CA]#
4、在客户端创建证书申请
4.1、生成私钥信息
[ ~]# mkdir ssl [ ~]# cd ssl/ [ ssl]# (umask 077;openssl genrsa -out /root/ssl/app.key 2048) Generating RSA private key, 2048 bit long modulus .............................................................+++ .........................+++ e is 65537 (0x10001) [ ssl]# ls app.key [ ssl]# cat app.key -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA6XtScxyxgI7gC+1xYQFSXIF9RqCTAZ4WpWGQYzs30XLT1cxl /hJ8McxMQ137H1g+PeEFbNV3oyBjEt3feCck5sb9TP4tsIhT6Lt3Zt6PIqOfDZ8k OxWDJp/DNXHwuC8ME/mfv3CleJbL5Clyb9ovYeZkEQPK9TgG7pCHU0AxTw0r7ELP A29Ugd/lFGQNTJt39Kmy7uBOPhKEQ+fHVaMqtmy1q/SpnM92vGvR40xRgl+HJ17A 0ACAEjbf3wK+qoQ/WBCCpMkeTLoFEn/Sa7SmZZt2F0k2cTyxSzVKadPQUlrpWVHb zX4IDI/ssS9weiDsLL5eScj/CWWRFhKu7z98YQIDAQABAoIBAQDKu6RqA741DNqK QNC0FHu5i06GJyO+wdCUJdVD9MWQ/o3mFSdyqAZjDywhStek7fCNtngJeon5gUPF vBYwtHycTqjfU83EfXuumCkjj5jl0QFoyIijLRjGTu8n1xnYNDHenmAR0PQ9c2Lz aPHPIbsG3RCCnbJ7nvyV5bU7mn+2TOb41csMVjLJoK2N91QEljkAn+4oqpTVJgJa TnUKvafBjCn+ctZDKcsZ0H/yFhGbt0ZFEXql3WFM5AOE5tBmlmqrQY/4CzeqlPCX zYpuUCHQBj9UYj58SfVUEoaN+gNX82amUqBOablJMpGR0vDh0CxsAxnPYF7O1o6P hXIjjmPJAoGBAPg74aMUMoG3o91NpoedLdRrMOYcYBdd3H7KwPyXzHMoYHQjfHEm hJKqZgE53U+TfxdFr8EJcR8aoDzDLp3+5F1ANCZD2FgvWptAyABx+I09J0OES0VB M3hhp0pOYot1ylBbFrvGGANFa8WAnO+yyNU91CFUhp7kmQ5TuUUHt2kzAoGBAPDJ SiXn30hQO8zVCHXzCrcltKfSnU4LiceI0jhneHfW8b42/tEegXVTEOIBiPmhLA8x 8xeIC/fS1B0ih7Uus9MUBJUN7RhlWSxGPcxA//JAxffGJwmxoYxYFkwvoTyTQrJE igBmE6+PdSb7JOB4c3nt/YwPYvjQOieNolRMIwwbAoGBAOoNhA2AwLKAVVgXnBoo QIsV2pBNVukRThKa1+YStuopuvAmeXIysDOdyPoE9j/OwblOso2fenKqZ0WDf1Pn fqjSHZmqxLU5SQQzy6Bn1cROUdQeS95rwL0TzmmIiPAXyv+DM2cvO3ryHNCnGNIF T8mIN5iJmzj8L7hLhteok+3zAoGAbot7RzvU/tYXHksPv1b9rGfbMNE49wPFFZ5z JQIcBKjiA3osMsXWmY6xSZF62WBtYeyEtmD3XaelSlr4Au6WEGo4UFY8a97bub/l z0hoOUgTm1WVxpWOnWgzlHaph630CPP+h4BVuVwbZPIYVBX4rhndNdg6kBDJIi+c PydVT9ECgYEAwF5U/YS9IIb8n1NXARXA3nWmfqdJM2JcYwh33ILFB0+2gm4nr4Ie xb14BlFMl8mYVKqykHpdE73/LYZWu/inkti8APmHyP3+7QHMWagpCucCHxGzagWy sdo8HSqbkcQJoB0pTLPZGHEGuLMzzAII6fc+sZsHPi2NLbZZFPGdWjk= -----END RSA PRIVATE KEY----- [ ssl]#
4.2、生成证书申请文件
[ ssl]# ll total 4 -rw------- 1 root root 1679 Jan 29 18:55 app.key [ ssl]# openssl req -new -key app.key -out app.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SICHUAN Locality Name (eg, city) [Default City]:CHENGDU Organization Name (eg, company) [Default Company Ltd]:TEST Organizational Unit Name (eg, section) []:DEVOPS Common Name (eg, your name or your server‘s hostname) []:www.test.org Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []: [ ssl]# ll total 8 -rw-r--r-- 1 root root 1005 Jan 29 19:02 app.csr -rw------- 1 root root 1679 Jan 29 18:55 app.key [ ssl]
4.3、把文件传给CA,在CA上进行证书颁发
[ CA]# rz rz waiting to receive. zmodem trl+C ? 100% 1005 bytes 1005 bytes/s 00:00:01 0 Errors [ CA]# ls app.csr cacert.pem certs crl newcerts private [ CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf /etc/pki/CA/index.txt: No such file or directory unable to open ‘/etc/pki/CA/index.txt‘ 140645247747984:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen(‘/etc/pki/CA/index.txt‘,‘r‘) 140645247747984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404: [ CA]# touch /etc/pki/CA/index.txt [ CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf /etc/pki/CA/serial: No such file or directory error while loading serial number 140572255938448:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen(‘/etc/pki/CA/serial‘,‘r‘) 140572255938448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404: [ CA]# echo 00 > /etc/pki/CA/serial [ CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Jan 29 11:06:08 2020 GMT Not After : Jan 28 11:06:08 2021 GMT Subject: countryName = CN stateOrProvinceName = SICHUAN organizationName = TEST organizationalUnitName = DEVOPS commonName = www.test.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB X509v3 Authority Key Identifier: keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41 Certificate is to be certified until Jan 28 11:06:08 2021 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [ CA]# tree . ├── app.crs ├── cacert.pem ├── certs │ └── app.crt ├── crl ├── index.txt ├── index.txt.attr ├── index.txt.old ├── newcerts │ └── 00.pem ├── private │ └── cakey.pem ├── serial └── serial.old 4 directories, 10 files [ CA]#
说明:在跟客户端颁发证书的时候需要依赖两个文件/etc/pki/CA/index.txt和/etc/pki/CA/serial,前者文件主要存放已经颁发的证书信息,后者存放下一个将要颁发的证书的序列号。这里说一下/etc/pki/CA下的各个文件和目录的作用吧,certs目录存放颁发证书的目录,crl存放吊销证书列表文件的目录,index.txt.attr存放证书subject信息是否唯一的配置信息,index.txt.old存放上一次颁发证书的信息,newcerts目录存放已经颁发的证书,并且以序列号命名的证书,每颁发一次证书,在我们指定的路径下生成指定名称的证书后,newcerts目录下会自动生成一个以序列号为名称的证书,这个证书同我们指定路径下存放的证书信息一模一样。private目录存放私钥文件。serial.old存放上一次颁发证书的序列号。
4.4、查看颁发证书的信息
Windows上查看
Linux上查看
[ CA]# openssl x509 -in certs/app.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com Validity Not Before: Jan 29 11:06:08 2020 GMT Not After : Jan 28 11:06:08 2021 GMT Subject: C=CN, ST=SICHUAN, O=TEST, OU=DEVOPS, CN=www.test.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:e9:7b:52:73:1c:b1:80:8e:e0:0b:ed:71:61:01: 52:5c:81:7d:46:a0:93:01:9e:16:a5:61:90:63:3b: 37:d1:72:d3:d5:cc:65:fe:12:7c:31:cc:4c:43:5d: fb:1f:58:3e:3d:e1:05:6c:d5:77:a3:20:63:12:dd: df:78:27:24:e6:c6:fd:4c:fe:2d:b0:88:53:e8:bb: 77:66:de:8f:22:a3:9f:0d:9f:24:3b:15:83:26:9f: c3:35:71:f0:b8:2f:0c:13:f9:9f:bf:70:a5:78:96: cb:e4:29:72:6f:da:2f:61:e6:64:11:03:ca:f5:38: 06:ee:90:87:53:40:31:4f:0d:2b:ec:42:cf:03:6f: 54:81:df:e5:14:64:0d:4c:9b:77:f4:a9:b2:ee:e0: 4e:3e:12:84:43:e7:c7:55:a3:2a:b6:6c:b5:ab:f4: a9:9c:cf:76:bc:6b:d1:e3:4c:51:82:5f:87:27:5e: c0:d0:00:80:12:36:df:df:02:be:aa:84:3f:58:10: 82:a4:c9:1e:4c:ba:05:12:7f:d2:6b:b4:a6:65:9b: 76:17:49:36:71:3c:b1:4b:35:4a:69:d3:d0:52:5a: e9:59:51:db:cd:7e:08:0c:8f:ec:b1:2f:70:7a:20: ec:2c:be:5e:49:c8:ff:09:65:91:16:12:ae:ef:3f: 7c:61 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB X509v3 Authority Key Identifier: keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41 Signature Algorithm: sha256WithRSAEncryption 46:94:4f:ab:6f:43:43:fb:0d:d1:e2:71:ff:5d:5b:0e:39:59: c2:3f:92:47:88:84:2f:80:e4:00:a1:94:86:9a:bc:19:bb:22: 22:e1:2f:93:d1:1b:19:92:5f:de:46:47:30:e4:f5:b7:d8:b4: e7:62:37:9c:17:cc:e7:8c:f4:b7:8a:cc:09:62:fd:6f:56:e3: a3:22:1d:d8:01:e2:34:87:45:86:04:be:c7:91:b4:e9:49:f6: 39:c9:c4:67:6a:f7:8b:96:09:2f:d3:d4:a4:e5:a3:f0:d9:1d: e6:dc:28:65:da:70:27:9b:70:5a:6a:a5:5a:77:c3:51:e0:54: b0:7f:e4:a1:9a:4c:b5:d2:82:84:d9:3f:c8:57:dd:25:0a:80: 81:61:c6:a4:d1:5b:19:21:5d:19:1e:7d:b4:4f:a2:54:f4:bf: f9:d0:2e:ba:4a:94:f1:93:be:54:cc:3b:19:7a:ae:fd:bd:4a: b5:e3:55:a3:2a:a0:69:0e:08:78:9d:91:d5:df:02:bd:ec:c9: cc:d2:6e:68:bf:48:3c:73:df:e9:62:92:8f:6c:9d:2f:2c:32: 85:46:a7:30:22:22:9c:2d:af:d0:cf:02:e0:21:3b:1d:6a:a3: f7:81:0b:63:10:8c:f1:30:4a:05:08:4b:52:ad:4a:1d:14:9c: 0c:64:2b:71 [ CA]#
到此私有CA服务器的搭建、证书的申请和颁发就完成了,后续使用证书,就需要把证书放到对应的应用目录,配置其应用服务来使用其证书即可。通常申请证书不用在客户端申请,在服务端创建私钥,创建申请证书文件,然后签发证书,生成证书文件,然后把私钥和证书发给客户端即可。
5、吊销证书
[ CA]# openssl x509 -in certs/app.crt -noout -serial -subject serial=00 subject= /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org [ CA]#
说明:以上命令是对要吊销的证书获取其序列号和subject信息,这个操作一般是客户端上查看,然后把信息发送给CA
[ CA]# openssl ca -revoke /etc/pki/CA/newcerts/00.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 00. Data Base Updated [ CA]#
说明:在CA上,根据客户端提交的serial与subject信息,对比检验是否与index.txt文件的信息一致,然后在进行吊销证书操作
6、更新证书吊销列表crl文件
[ CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem Using configuration from /etc/pki/tls/openssl.cnf /etc/pki/CA/crlnumber: No such file or directory error while loading CRL number 140437997475728:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen(‘/etc/pki/CA/crlnumber‘,‘r‘) 140437997475728:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404: [ CA]# echo 00 > /etc/pki/CA/crlnumber [ CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem Using configuration from /etc/pki/tls/openssl.cnf [ CA]#
说明:第一次更新证书吊销列表,它会提示我们说缺少crlnumber文件,这个文件同serial的作用类似,都是存放的是版本号,我们需要创建其文件,并写一个16进制的编号,通常是从00或者01开始。(这个文件同serial一样都会自动增长,一般后续不需要怎么维护它)
[ CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /C=CN/ST=SICHUAN/L=GUANGYUAN/O=TEST/OU=DEVOPS/CN=ca.test.com Last Update: Jan 29 11:48:03 2020 GMT Next Update: Feb 28 11:48:03 2020 GMT CRL extensions: X509v3 CRL Number: 0 Revoked Certificates: Serial Number: 00 Revocation Date: Jan 29 11:41:28 2020 GMT Signature Algorithm: sha256WithRSAEncryption 87:12:f8:b2:ec:b7:77:94:4b:bc:e4:ea:69:03:27:78:d3:b5: 43:8d:45:c5:a4:50:53:d7:3b:81:48:a1:cf:5d:43:4e:13:01: 91:5e:a2:f2:87:44:87:84:16:b2:1d:0e:28:81:88:d4:1a:c2: a4:55:22:9f:d0:b9:6b:3c:80:e2:6e:98:fb:c3:18:3e:d3:a0: 49:a3:0e:19:64:2f:03:51:4b:ec:32:1c:c8:41:62:46:e8:4f: 8c:ec:a2:07:1c:fc:4b:20:61:ca:04:0e:31:8b:b9:4e:ce:42: 81:66:d6:09:3e:1e:15:44:76:33:27:07:fd:17:10:6d:d0:12: cf:4f:ce:cb:3d:b4:6d:68:f1:5a:1a:4f:44:a6:65:cd:f6:3b: 4e:2e:3f:6d:2a:f8:d5:8a:52:5a:b0:8d:b1:8f:73:08:50:9c: 89:d3:c0:97:0e:13:89:37:cc:13:ad:d9:db:61:06:6d:4f:0a: 6b:58:a0:53:0a:2b:e8:23:18:cd:3b:0c:5d:9e:77:c3:85:3e: e3:3c:ab:ad:45:9e:3c:18:7a:85:b0:51:7e:4d:8e:c6:18:e7: fc:4d:f1:01:ac:b3:89:2c:eb:f7:0e:f9:3c:ea:5a:42:ff:43: 6b:98:9f:a0:89:59:28:92:c9:ed:d3:59:87:ca:04:8c:8c:92: c0:a1:72:8a [ CA]# cat /etc/pki/CA/index.txt R 210128110608Z 200129114128Z 00 unknown /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org [ CA]# cat /etc/pki/CA/crlnumber 01 [ CA]#
说明:证书吊销后其index.txt里的信息会发生变化,R表示该证书已经被吊销,V表示该证书未吊销。
在windows上查看证书吊销列表crl文件