Setting up a private CA server on CentOS 6.5.
First, look at the OpenSSL configuration file:
# vim /etc/pki/tls/openssl.cnf
Find the [ CA_default ] section. Nothing here needs to be changed; the relevant settings are already in place. To set up the server, the generated private key and self-signed certificate must be placed in the directories this section names (the paths originally shown in bold).
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # where the records of issued client certificates are kept
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # where the next certificate serial number is kept
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
The procedure for building the CA server follows.
1. Generate the private key
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
This generates a 2048-bit RSA private key and saves it in /etc/pki/CA/private/. The umask 077 is set inside a subshell, so the key file is created readable only by its owner without changing the umask of the current shell.
2. Generate the self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 100
req is the certificate request command: -new starts a new request, -x509 produces a self-signed X.509 certificate instead of a signing request, -key gives the path of the private key, -out the path where the certificate is written, and -days the validity period of the certificate in days.
3. Initialize the working environment
Create the two files index.txt and serial by hand (in /etc/pki/CA):
touch index.txt
touch serial
Initialize the certificate serial number, starting from 01:
echo 01 > serial
The CA server is now set up.
Requesting a client certificate
1. The client generates its own private key
[root@bogon CA]# (umask 077;openssl genrsa -out /ssl/clientkey 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
....+++
e is 65537 (0x10001)
2. The client generates a certificate signing request
openssl req -new -key /ssl/clientkey -out /ssl/clientcsr
3. Send the request to the server
4. The server signs the certificate
openssl ca -in /ssl/clientcsr -out /ssl/client.crt -days 10
5. The server sends the signed certificate back to the client
Setting up the CA server and issuing a certificate is now complete.
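The two procedures above (building the CA, then issuing a client certificate) as one script, added here as an example and not part of the original post. It runs in a throwaway directory instead of /etc/pki/CA and /ssl so it needs no root, writes its own minimal openssl.cnf with the same [ CA_default ] layout, and finishes with the check the tutorial stops short of: openssl verify confirming that client.crt chains to cacert.pem. The directory names, the /CN= subjects, the -config, -batch, -subj and -notext flags, and the helper names are my additions; the lifetimes (100 and 10 days) and key sizes are the tutorial's.

```shell
#!/bin/sh
# Added example (not from the original post): the tutorial's CA setup and
# client issuance run end to end in a temporary directory, then verified.
# Directory names and the /CN= subjects below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # stands in for /etc/pki and /ssl
CA_DIR="$WORK/CA"              # stands in for /etc/pki/CA
CA_CNF="$WORK/openssl.cnf"     # stands in for /etc/pki/tls/openssl.cnf

# Minimal config with the stock [ CA_default ] layout pointed at $CA_DIR.
# The \$dir references are literal, exactly as in the real file.
write_ca_config() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
  cat > "$CA_CNF" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $CA_DIR
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Steps 1-3 of building the CA server.
build_private_ca() {
  write_ca_config
  # umask 077 in the subshell makes the key 0600 without touching the caller's umask
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  # -subj replaces the interactive prompts; [ v3_ca ] marks the cert as a CA
  openssl req -new -x509 -config "$CA_CNF" -key "$CA_DIR/private/cakey.pem" \
    -out "$CA_DIR/cacert.pem" -days 100 -subj "/CN=Example Private CA"
  touch "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
}

# Steps 1-5 of the client request: client key and CSR, then the CA signs.
# -batch answers the "Sign the certificate?" prompts; -notext keeps client.crt pure PEM.
issue_client_cert() {
  (umask 077; openssl genrsa -out "$WORK/clientkey" 2048 2>/dev/null)
  openssl req -new -config "$CA_CNF" -key "$WORK/clientkey" \
    -out "$WORK/clientcsr" -subj "/CN=client.example.test"
  openssl ca -config "$CA_CNF" -batch -notext -in "$WORK/clientcsr" \
    -out "$WORK/client.crt" -days 10 >/dev/null 2>&1
}

# Does the issued certificate chain to cacert.pem? Match on ": OK" because
# openssl verify before 1.1.0 exits 0 even when verification fails.
verify_client_cert() {
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/client.crt" 2>/dev/null | grep -q ': OK$'
}

# Serial the CA stamped into the cert; the serial file advances to the next one.
issued_serial() {
  openssl x509 -in "$WORK/client.crt" -noout -serial | cut -d= -f2
}

# True when a key file is readable only by its owner (mode 0600).
key_is_private() {
  [ -n "$(find "$1" -perm 600)" ]
}

if command -v openssl >/dev/null 2>&1; then
  build_private_ca
  issue_client_cert
  verify_client_cert
  echo "client.crt verified against cacert.pem, serial $(issued_serial)"
  cat "$CA_DIR/index.txt"   # one 'V' (valid) record per issued certificate
else
  echo "openssl not found; nothing run" >&2
fi
```

After a run, index.txt holds one V record for /CN=client.example.test and the serial file reads 02; the script's only change from the tutorial's commands is non-interactive operation (-subj, -batch) and the relocated directories.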