公司内部证书发放流程



客户机生成申请请求 → RA核验 → CA签署证书并发放 → 客户机获取证书

创建私有CA并发放证书_touch

1、自建私有CA主机1

openssl的配置文件:/etc/pki/tls/openssl.cnf

1)创建所需要的文件:cd /etc/pki/CA/

 touch index.txt

echo 01 > serial

[root@localhost CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
│   ├── 01httpd.pem
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old


 

 

2)CA自签证书

#(umask 077 ;openssl genrsa -out private/cakey.pem 2048)

#openssl req -new -x509 -key private/cakey.pem -days 3650 -out  cacert.pem

-new:生成新证书签署请求

-x509:专用于CA生成自签证书

-key:生成请求时用到的私钥文件

-days ###:证书有效期限###

-out /PATH/TO/SOMECERTFILE :证书保存路径

注:下面输出中的 Signature Algorithm 为 sha1WithRSAEncryption,说明签名使用了默认的 SHA-1 摘要;建议在命令中加上 -sha256(或在 openssl.cnf 中设置 default_md = sha256)。

[root@localhost CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15788607697337265536 (0xdb1c670c91c92d80)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=hubei, L=hubei, O=longjingcun, OU=Ops, CN=lanin/emailAddress=lanlin678@qq.com
        Validity
            Not Before: Sep 24 01:43:32 2016 GMT
            Not After : Sep 22 01:43:32 2026 GMT
        Subject: C=cn, ST=hubei, L=hubei, O=longjingcun, OU=Ops, CN=lanin/emailAddress=lanlin678@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:3a:c0:a0:b2:fe:9b:0f:d5:91:43:31:e9:85:
                    47:a8:ad:b7:16:06:c7:04:6a:46:67:c4:41:e7:05:
                    6c:4b:8f:6a:dd:94:48:a5:04:93:20:cb:f6:ec:65:
                    b2:49:12:76:f3:e8:a5:b6:0c:80:0b:d9:ae:9d:23:
                    b1:3f:c3:6a:3c:00:d9:36:bb:da:4e:24:3b:71:f6:
                    f0:c5:28:2a:24:72:c9:ac:c8:6e:5a:aa:0c:21:60:
                    b5:f1:ff:3f:7c:d6:a8:a0:4c:42:b8:c1:f5:d5:de:
                    b7:37:be:38:6a:bf:6d:a1:0a:97:be:b9:22:25:d6:
                    6c:f0:fd:af:5e:27:aa:cf:7e:64:e9:8e:0d:a9:b0:
                    0b:5b:95:cd:20:7b:8d:23:64:2f:0a:07:86:2b:32:
                    2f:13:0b:66:f1:35:f3:75:37:c9:a0:3e:49:40:5f:
                    e6:6a:89:58:d4:77:c3:cc:db:aa:46:e3:8e:b1:3d:
                    d3:5b:22:bf:1e:4d:48:7f:a5:0b:eb:6e:a9:b7:5b:
                    e1:10:80:0d:7d:38:21:ac:60:a1:95:5e:2c:d7:72:
                    ee:b1:fd:52:df:70:a5:6f:6e:aa:4c:cb:82:bb:8c:
                    a7:0a:e8:b4:f7:ea:06:7a:fd:b3:00:b9:8c:6a:17:
                    7d:69:d7:c6:2f:83:c6:35:12:1c:f5:ff:d2:0a:cf:
                    1e:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                01:E4:14:ED:C7:E3:1A:24:17:DE:15:F2:45:D3:1C:FD:D4:E3:52:A3
            X509v3 Authority Key Identifier: 
                keyid:01:E4:14:ED:C7:E3:1A:24:17:DE:15:F2:45:D3:1C:FD:D4:E3:52:A3
 
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         86:b8:78:0b:af:02:1b:de:4c:d8:fb:56:cc:3c:48:e8:0a:2a:
         f3:26:7e:33:b5:b0:3b:b8:b7:c1:66:aa:f2:a6:7a:42:82:6a:
         22:76:64:b3:5c:25:4f:c4:1e:24:0c:51:48:56:58:1d:ae:83:
         66:bf:50:6f:81:97:2e:69:3d:fa:35:c3:b0:0f:7f:2f:3f:40:
         99:be:1a:ca:5c:67:b6:7e:bd:b8:67:2d:62:42:8f:b3:fb:e2:
         c3:5f:80:fb:07:ab:69:10:db:5f:13:b3:61:bd:23:aa:f9:13:
         0b:1d:e6:df:98:37:51:a5:f9:9f:e8:e1:f5:13:a7:96:7c:c2:
         20:cf:b4:22:d3:d0:90:a2:65:a7:1f:b9:06:6a:5d:8e:00:ac:
         55:6b:cd:3a:10:e5:f0:3e:d3:9f:59:a8:f6:a9:2a:cd:70:a8:
         21:d7:7d:bc:41:a9:3a:66:13:3f:63:e3:be:fe:3d:be:7c:06:
         33:3e:f5:7e:e6:68:7f:a7:60:5d:f8:0a:80:a7:6d:3a:36:b0:
         97:71:7a:f5:2c:a1:35:d5:1a:f3:f3:a0:b3:34:58:88:39:36:
         fd:48:4b:2c:9b:20:b7:82:10:5d:77:ca:77:20:9c:39:94:bb:
         3a:9f:05:0a:54:66:62:f2:3a:c0:3a:1a:83:6b:78:11:d6:ee:
         f1:b7:78:59


2、发证

1)用到证书的主机2生成证书请求:

#(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

#openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

(-days 仅在带 -x509 自签时生效,生成 CSR 时会被忽略;证书有效期由 CA 签发时的 -days 决定。)

2)把请求文件传输给CA主机

#scp /etc/httpd/ssl/httpd.csr root@CA_IP:/tmp/

(只传输 .csr 请求文件;私钥 httpd.key 必须留在主机2上,不能传给 CA 主机。)

3)CA 签证,并发还给主机2

#openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

#scp /etc/pki/CA/certs/httpd.crt root@主机2_IP:/etc/httpd/ssl/

查看证书中的信息:

#openssl x509 -in /PATH/FROM/CERT_FILE -noout -text (或 -subject、-serial,三者任选其一)

3、吊销证书

1)客户端获取要吊销的证书serial

#openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial

[root@localhost ~]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial
serial=01
[root@localhost ~]# openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -subject
subject= /C=cn/ST=hubei/O=longjingcun/OU=Ops/CN=lanin/emailAddress=lanlin789@qq.com


2)CA

先根据客户端提交的 serial 和 subject 信息,对比检验是否与 index.txt 文件中记录的信息一致,确认无误后再执行吊销。

吊销证书:

#openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

 

3)生成吊销证书的编号(第一次吊销一个证书)

#echo 01 > /etc/pki/CA/crlnumber

 

4)更新证书吊销列表

#openssl ca -gencrl -out thiscrl.crl

(吊销只有在更新后的 CRL 分发给依赖方之后才会生效。)

查看吊销证书

#openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text

 

 创建私有CA并发放证书_touch