前言
什么是CA?
CA是Certificate Authority的缩写,也叫“证书授权中心”。
它是负责管理和签发证书的第三方机构。一般来说,CA必须是所有行业和所有公众都信任的、认可的。因此它必须具有足够的权威性。就好比A、B两个公司都必须信任C公司,才会使用C公司作为公章中介。
什么是CA证书
CA证书自然就是CA所颁发的证书,客户想申请证书就要通过自身的私钥向CA请求生成公钥证书。CA证书也是数字证书的一种,是通过数字签名实现的数字化证书, 具有不能被伪造的特点。是实现web安全通信中必不可少的一环。
PKI
PKI:Public Key Infrastructure(公钥基础设施),可以理解为利用公钥技术为网络应用提供加密和数字签名等密码服务以及必须的密钥和证书管理体系。简单的就是CA的配置服务设置。它是提供安全服务的基础设施。
PKI 即不是一个协议也不是一个软件,它是一个标准,在这个标准知晓发展出为了实现安全基础服务目的的技术统称PKI。PKI技术是信息安全技术的核心,同事越是电子商务的关键和基础技术。
PKI:
CA:签证中心
RA:注册中心
CRL:证书吊销列表
证书数据库
证书申请和签署步骤:
1、生成申请请求
2、RA核验
3、CA签署
4、获得证书
1.搭建CA认证中心
CA所需要的目录和文件
查看openssl.cnf文件,它是openssl的基础配置文件
[root@CentOS7 CA]$cat /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept 工作目录
certs = $dir/certs # Where the issued certs are kept 证书文件目录,其中文件的文件名为认证时设置的文件名
crl_dir = $dir/crl # Where the issued crl are kept 证书吊销列表
database = $dir/index.txt # database index file. 证书数据库 index.txt文件需要手工创建
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. 新证书文件目录,认证证证书时,自动创建相同的证书文件,文件名为证书序列号
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number 下一个认证证书的序列号
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for 证书有效期,默认是365天
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match #根据需求可以更改策略
# For the CA policy
[ policy_match ]
countryName = match CA认证时客户端与主机填写的信息必须相同
stateOrProvinceName = match CA认证时客户端与主机填写的信息必须相同
organizationName = match CA认证时客户端与主机填写的信息必须相同
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################touch /etc/pki/CA/{serial,index.txt} #创建序列号文件和数据库文件
[root@CentOS7 CA]$tree #确认CA目录下的目录和文件
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files
[root@CentOS7 CA]$echo 01 > /etc/pki/CA/serial #设置CA序列号生成私钥
[root@CentOS7 CA]$(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................................+++
........................................................................................................+++
e is 65537 (0x10001)
[root@CentOS7 CA]$ll ./private
total 4
-rw-------. 1 root root 1679 Sep 10 19:37 cakey.pem可以在加入-des3 对私钥进行加密
[root@CentOS7 CA]$(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048)生成自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300-new 生成新证书签署请求
-x509 生成自签格式证书,专用于创建CA时使用
-key 生成请求时用到的私有路径
-out 生成的请求文件路径,如果自签操作将直接生成签署过的证书
-days 证书的有效时长,单位 day
[root@CentOS7 CA]$openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/caert.pem -days 7300
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家
State or Province Name (full name) []:shanghai #省(州)
Locality Name (eg, city) [Default City]:shanghai #城市
Organization Name (eg, company) [Default Company Ltd]:test.com #公司(组织)
Organizational Unit Name (eg, section) []:opt #部门
Common Name (eg, your name or your server's hostname) []:ca.test.com #主机名
Email Address []: #邮箱
2.颁发证书
生成请求证书
在一台要申请证书的客户端主机上,生成证书请求,以http为例
[root@Centos6 ~]#cd /etc/httpd
[root@Centos6 httpd]#mkdir ssl
[root@Centos6 httpd]#cd ssl
[root@Centos6 httpd]#(umask 077;openssl genrsa -out httpd.key 2048) #生成自己的私钥
Generating RSA private key, 2048 bit long modulus
....................................................................................................................................................................................................................................+++
...........................+++
e is 65537 (0x10001)
[root@Centos6 ssl]#openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #必须CA认证中心的配置一致
State or Province Name (full name) []:shanghai #必须CA认证中心的配置一致
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:test.com #必须CA认证中心的配置一致
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #为发送证书设置密钥,可以不设
An optional company name []:上传证书
客户端证书生成完成后,将http.csr证书文件上传到CA认证中心
[root@Centos6 ssl]#scp httpd.csr 192.168.15.71:/etc/pki/CA #ip地址为CA地址
root@192.168.15.71's password:
httpd.csr 100% 1009 1.0KB/s 00:00签署证书
CA签署证书,并将证书颁发给证书请求者
[root@CentOS7 CA]$openssl ca -in httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 #CA上颁发证书,时间为365天
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 12:57:55 2017 GMT
Not After : Sep 10 12:57:55 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = test.com
organizationalUnitName = web
commonName = www.test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DB:30:D0:30:CF:13:30:C2:D7:8C:0D:3A:12:EB:48:E0:0A:71:17:94
X509v3 Authority Key Identifier:
keyid:00:52:C5:4D:18:89:EF:AF:18:B1:DC:41:D4:03:AE:E0:DF:23:5A:B2
Certificate is to be certified until Sep 10 12:57:55 2018 GMT (365 days)
Sign the certificate? [y/n]:y #上信息检查好后,确认签名
1 out of 1 certificate requests certified, commit? [y/n]y #确认提交
Write out database with 1 new entries
Data Base Updated #证书已经写入了证书数据库- 查看证书数据库
[root@CentOS7 CA]$cat index.txt
V 180910125755Z 01 unknown /C=CN/ST=shanghai/O=test.com/OU=web/CN=www.test.com
行首是V表示证书有效,R表示证书注销- 查看序列号文件变化和目录文件变化
[root@CentOS7 CA]$cat serial
02[root@CentOS7 CA]$tree
.
├── cacert.pem
├── certs
│ └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem #生成了一个与httpd.crt相同的文件
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files- 查看证书信息
[root@CentOS7 CA]$openssl x509 -in certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=shanghai/O=test.com/OU=web/CN=www.test.com
-noout 不输出文件
-serial 查看证书的编号
-dates 查看证书的有效期
-subjest 查看证书颁发者
-issuer 查看证书使用者
-text 查看证书所有内容- 将签署证书文件发送给客户端
scp certs/httpd.crt 192.168.15.61:/etc/httpd/ssl注意:不同系统签发CA证书要注意openssl的版本问题,否认会出现证书签署失败的情况。
3.吊销证书
获取客户端需要吊销的证书信息
[root@Centos6 ssl]#openssl x509 -in httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=shanghai/O=test.com/OU=web/CN=www.test.comCA主机吊销证书
根据客户提交的证书serial和subject信息,对比其与本机数据库index.txt中存储的是否一致。
[root@CentOS7 CA]$cat index.txt
R 180910125755Z 170910143124Z 01 unknown /C=CN/ST=shanghai/O=test.com/OU=web/CN=www.test.com根据收到的客户端证书信息,吊销证书
[root@CentOS7 CA]$openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #输入CA私钥密码
Revoking Certificate 01.
Data Base Updated #证书数据库已经更新
[root@CentOS7 CA]$cat index.txt
R 180910125755Z 170910143124Z 01 unknown /C=CN/ST=shanghai/O=test.com/OU=web/CN=www.test.com
#行首是R已经吊销的
[root@CentOS7 CA]$ openssl ca -status 01 #查看证书状态,已经吊销了
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)生成吊销证书的吊销编号
注意:第一次吊销证书时执行
[root@CentOS7 CA]$echo 01 > /etc/pki/CA/crl/crlnumber更新证书吊销列表
吊销证书后,还需要生成或更新吊销列表
[root@CentOS7 CA]$openssl ca -gencrl -out crl/cacrl.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:查看crl文件和数据库文件
[root@CentOS7 CA]$openssl crl -in crl/cacrl.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=shanghai/L=shanghai/O=test.com/OU=opt/CN=ca.test.com
Last Update: Sep 10 14:41:53 2017 GMT
Next Update: Oct 10 14:41:53 2017 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Sep 10 14:31:24 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
05:54:a8:61:01:93:96:f1:27:cc:fb:20:94:59:cb:91:05:3f:
f6:18:ec:59:39:07:02:68:27:76:dd:1e:4a:59:cc:01:8d:e9:
9a:1a:bf:db:b2:8b:37:e8:ee:0e:69:e9:ab:df:62:66:e6:1e:
c1:3e:05:bb:22:a9:97:a8:c1:cc:0e:f4:95:d0:c6:3f:c1:e7:
f5:14:a0:99:fa:8e:be:54:7d:1a:82:9a:a6:eb:4e:85:ee:33:
b7:33:78:3a:eb:fb:fc:1e:3c:74:71:5c:78:ef:55:44:de:25:
c5:14:1f:3a:f4:da:53:88:66:2a:8a:79:fa:23:29:34:aa:83:
86:79:c5:0a:3f:c2:cd:31:70:b7:dc:51:4c:3d:1a:ad:02:b9:
70:34:53:b4:b3:70:a6:4f:0e:77:21:13:16:3b:1b:91:8c:bd:
4f:22:e3:63:06:8a:d5:53:14:94:d2:14:c4:c1:56:cd:20:83:
58:ad:ff:5f:49:fd:b9:83:67:fd:1c:1d:b9:9f:c4:8a:55:f6:
4b:1a:41:1e:cc:c0:95:94:ff:d5:f0:b3:89:c2:01:94:a4:bb:
db:df:b5:97:74:1f:3a:c0:83:6a:f3:a7:41:44:4e:b3:57:69:
e5:96:8b:6b:a5:77:35:d3:0c:3e:90:2e:47:6d:70:1c:04:03:
eb:07:d9:da
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
