Building a private CA:
1. Generate the private key:
[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2. Generate the self-signed certificate:
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: generate a new certificate signing request
-x509: used only by the CA to generate its self-signed certificate
-key: the private key file used to generate the request
-days: validity period of the certificate
-out /PATH/TO/SOMECERTFILE: where the certificate is saved
Country Name (2 letter code) [XX]:CN #country
State or Province Name (full name) []:Beijing #state or province
Locality Name (eg, city) [Default City]:Beijing #city
Organization Name (eg, company) [Default Company Ltd]:Zebra #company name
Organizational Unit Name (eg, section) []:Ops #department name
Common Name (eg, your name or your server's hostname) []:zebra.com #server name
Email Address []:zebra@qq.com #administrator's e-mail
3. Provide the directories and files the CA needs
mkdir -pv /etc/pki/CA/{certs,crl,newcerts} #create these three directories if they do not exist
touch /etc/pki/CA/index.txt #database
echo 01 > /etc/pki/CA/serial #serial number of the first certificate
Issuing certificates:
A server that needs a certificate for secure communication must ask the CA to sign one (a self-built CA must first have signed its own certificate).
By default the country, state/province and company name must match the CA's. This can be changed in the configuration file:
[root@localhost ssl]# vim /etc/pki/tls/openssl.cnf
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = optional #this was originally match; I changed it, on the CA machine
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Steps (using httpd as the example); the first three are done on the requesting host
1. The host that will use the certificate generates a private key
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2. Generate the certificate signing request
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:zebra
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:zebra.com
Email Address []:zebra@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Send the request to the CA host by a reliable means:
[root@localhost ssl]# scp httpd.csr 192.168.1.117:/tmp
root@192.168.1.117's password:
httpd.csr 100% 1037 1.0KB/s 00:00
4. Sign the certificate on the CA host:
[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 24 02:22:36 2016 GMT
Not After : Sep 24 02:22:36 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = zebra
organizationalUnitName = Ops
commonName = zebra.com
emailAddress = zebra@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
05:CC:06:E5:17:4E:2E:A6:C8:EE:8A:98:D2:65:DE:96:FD:29:00:E6
X509v3 Authority Key Identifier:
keyid:32:C7:C3:54:15:B6:77:92:5C:DD:5A:A7:A2:85:E8:B1:58:54:8F:90
Certificate is to be certified until Sep 24 02:22:36 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. View the certificate information:
[root@localhost certs]# openssl x509 -in httpd.crt -noout -subject -text -serial -dates
#usually only the two items marked in blue need checking; the part marked in green can be skipped
subject= /C=CN/ST=Beijing/O=zebra/OU=Ops/CN=zebra.com/emailAddress=zebra@qq.com
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=zebra, OU=Ops, CN=zebra.com/emailAddress=zebra@qq.com
Validity
Not Before: Sep 24 02:22:36 2016 GMT
Not After : Sep 24 02:22:36 2017 GMT
Subject: C=CN, ST=Beijing, O=zebra, OU=Ops, CN=zebra.com/emailAddress=zebra@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
05:CC:06:E5:17:4E:2E:A6:C8:EE:8A:98:D2:65:DE:96:FD:29:00:E6
X509v3 Authority Key Identifier:
keyid:32:C7:C3:54:15:B6:77:92:5C:DD:5A:A7:A2:85:E8:B1:58:54:8F:90
Signature Algorithm: sha1WithRSAEncryption
serial=01
notBefore=Sep 24 02:22:36 2016 GMT
notAfter=Sep 24 02:22:36 2017 GMT
6. Send the signed certificate back to the requester
Revoking a certificate:
(a) On the client, get the serial of the certificate to be revoked
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
(b) On the CA, compare the serial and subject submitted by the client against the entries in index.txt and check that they are consistent
Revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
(c) Generate the CRL number (only needed the first time a certificate is revoked)
echo 01 > /etc/pki/CA/crlnumber
(d) Update the certificate revocation list
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
View the CRL file:
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
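The whole procedure above, from building the CA through issuing and revoking a certificate, as an added example that is not part of the original post: it runs in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, uses openssl ca -batch in place of the interactive y/n prompts, and signs with SHA-256 rather than the sha1WithRSAEncryption shown in the output above. It assumes only the openssl command line (1.1.1 or later, for -addext); the subjects, file names and the Zebra/zebra.com values are constructed sample values.

```shell
# Added example, not the original post's code: a throwaway private CA in a temp dir
# with the same layout and [ policy_match ] rules as above; assumes only openssl >= 1.1.1.
set -eu; CA=$(mktemp -d)
# Build-CA steps 1-3: tree, index.txt, serial, crlnumber, minimal config, CA key and cert.
setup_ca() {
  mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
certificate = $CA/cacert.pem
private_key = $CA/private/cakey.pem
serial = $CA/serial
crlnumber = $CA/crlnumber
default_md = sha256   # the output above shows sha1WithRSAEncryption; prefer SHA-256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 3655 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" -config "$CA/openssl.cnf" \
    -subj "/C=CN/ST=Beijing/O=Zebra/CN=Zebra CA" -addext "basicConstraints=critical,CA:TRUE"
}
# Issuance steps 1-4 ($1 = subject, $2 = basename): key, CSR, openssl ca. Echoes SIGNED, or REJECTED when C or ST differ from the CA's (policy_match).
sign_csr() {
  (umask 077; openssl genrsa -out "$CA/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$CA/$2.key" -out "$CA/$2.csr" -subj "$1" -config "$CA/openssl.cnf"
  if openssl ca -batch -config "$CA/openssl.cnf" -days 365 -in "$CA/$2.csr" \
       -out "$CA/certs/$2.crt" >/dev/null 2>&1; then echo SIGNED; else echo REJECTED; fi
}
# Revocation steps (b)-(d): mark newcerts/$1.pem revoked in index.txt and publish the CRL.
revoke_serial() {
  openssl ca -config "$CA/openssl.cnf" -revoke "$CA/newcerts/$1.pem" 2>/dev/null
  openssl ca -config "$CA/openssl.cnf" -gencrl -crldays 30 -out "$CA/crl/ca.crl" 2>/dev/null
}
# Echoes OK when certs/$1.crt chains to cacert.pem and, once a CRL exists, is not on it.
check_cert() {
  crl=""; [ -f "$CA/crl/ca.crl" ] && crl="-crl_check -CRLfile $CA/crl/ca.crl"
  openssl verify $crl -CAfile "$CA/cacert.pem" "$CA/certs/$1.crt" >/dev/null 2>&1 && echo OK || echo FAIL
}
```

Run setup_ca once, then sign_csr, check_cert and revoke_serial in that order; a CSR whose ST is not Beijing is refused by the policy, and after revoke_serial 01 the same certificate fails check_cert only because the CRL now lists it.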
This article is from the "zebra930" blog; please keep this source: http://zebra930.blog.51cto.com/11736340/1856022