OpenSSL is a security protocol implementation that provides confidentiality and data integrity for network communication. It covers the main cryptographic algorithms, the common key and certificate packaging and management functions, and the SSL protocol, and it ships a rich set of applications for testing and other uses.

OpenSSL includes a command-line tool that exposes all of the functionality of the OpenSSL library; better still, it is probably already installed on your system.

OpenSSL is a powerful Secure Sockets Layer cryptographic library: Apache uses it to encrypt HTTPS, and OpenSSH uses it to encrypt SSH. But you should not treat it only as a library; it is also a multi-purpose, cross-platform cryptographic tool.
Next, we will set up an openssl-based CA and issue certificates with it.
Enter the /etc/pki/ directory:
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]#
Edit the configuration file:
[root@localhost pki]# vim tls/openssl.cnf

[screenshots of the openssl.cnf edits]

Note that the certs, crl and newcerts directories and the index.txt and serial files referenced in the configuration file all have to be created by us.
[root@localhost pki]# cd CA/
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt serial
[root@localhost CA]#
Give our serial file an initial serial number:
[root@localhost CA]# echo "01" >serial
[root@localhost CA]#
Next, generate our private key file:
[root@localhost CA]# cd ..
[root@localhost pki]# openssl genrsa 1024 >CA/private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.................................................++++++
...................................++++++
e is 65537 (0x10001)
[root@localhost pki]#
The private key file must be kept secret; we can take care of this by setting permissions:

[screenshot of the permission change on the private key]

Then we need to generate the certificate file:
[root@localhost private]# cd ..
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:BEIJING
Organization Name (eg, company) [My Company Ltd]:seccenter
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:ca.net.net
Email Address []:
[root@localhost CA]#
As shown in the figure below, our certificate file has been generated.

[screenshot of the generated cacert.pem]

Next, view our certificate file:
[root@localhost CA]# openssl x509 -in cacert.pem -noout -text

[screenshot of the decoded certificate]

With the CA part done, we now need to prepare for the request stage.
The Apache service is already installed:

[screenshot of the installed Apache service]

Open the CA-related file and change some of the default settings:

Go to the /etc/pki/tls directory and edit the openssl.cnf file:

[screenshots of the openssl.cnf edits]

(Lines 136, 141 and 144 of the file were modified.)
Generate the private key:
[root@localhost CA]# mkdir -pv /etc/httpd/certs
mkdir: 已创建目录 “/etc/httpd/certs”
[root@localhost CA]# cd /etc/httpd/certs/
[root@localhost certs]# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
.....++++++
..........................................................................................................++++++
e is 65537 (0x10001)
[root@localhost certs]#
[root@localhost certs]# chmod 600 httpd.key             // change the permissions
[root@localhost certs]#
 
With the private key done, we need a request:
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:abc
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]#
At this point the request part is complete.
Submit the request to the CA (online submission).
Then complete the signing:
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert
Enter 'y' to complete the signing.
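The whole procedure above (CA directory layout, CA key and self-signed certificate, server key, CSR and signing) as one non-interactive script. This is an added example, not code from the original post: it writes its own minimal openssl.cnf into a throwaway directory instead of editing /etc/pki/tls/openssl.cnf, passes the DN with -subj and signs with -batch so no prompts appear, and uses 2048-bit keys rather than the 1024-bit keys shown above. It assumes only that the openssl binary is on PATH; the directory name, the config section names and the verify helpers are this example's own choices.

```shell
#!/bin/sh
# Added example: end-to-end CA setup and certificate issuance with openssl.
# Assumes `openssl` is on PATH. Everything is created under the directory
# passed as $1, so nothing on the system is touched.
set -e

build_ca_and_sign() {
    workdir="$1"
    ca="$workdir/CA"
    # Same layout the edited openssl.cnf expects: certs, newcerts, crl, index.txt, serial
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/crl" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"
    echo "01" > "$ca/serial"

    # Minimal config standing in for the edited [ CA_default ] section.
    # $ca is expanded by the shell; \$dir is left for openssl to expand.
    cat > "$workdir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $ca
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
x509_extensions = usr_cert

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ req ]
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # CA private key (kept 0600) and self-signed CA certificate
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$ca/private/cakey.pem"
    openssl req -new -x509 -config "$workdir/openssl.cnf" \
        -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=seccenter/OU=tec/CN=ca.net.net" \
        -out "$ca/cacert.pem"

    # Server key, certificate request, and signing by the CA (-batch replaces the 'y' prompt)
    mkdir -p "$workdir/httpd"
    openssl genrsa -out "$workdir/httpd/httpd.key" 2048 2>/dev/null
    chmod 600 "$workdir/httpd/httpd.key"
    openssl req -new -config "$workdir/openssl.cnf" -key "$workdir/httpd/httpd.key" \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=abc/OU=tec/CN=www.abc.com" \
        -out "$workdir/httpd/httpd.csr"
    openssl ca -batch -config "$workdir/openssl.cnf" \
        -in "$workdir/httpd/httpd.csr" -out "$workdir/httpd/httpd.cert" 2>/dev/null
}

# Prints "ok" when the issued certificate chains to our CA certificate, "fail" otherwise
verify_issued_cert() {
    if openssl verify -CAfile "$1/CA/cacert.pem" "$1/httpd/httpd.cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Prints the serial number recorded in the issued certificate (first one is 01)
issued_serial() {
    openssl x509 -in "$1/httpd/httpd.cert" -noout -serial
}

demo_dir=$(mktemp -d)
build_ca_and_sign "$demo_dir"
echo "verify: $(verify_issued_cert "$demo_dir")"
issued_serial "$demo_dir"
rm -rf "$demo_dir"
```

After the run, CA/index.txt holds one line for the issued certificate, CA/serial has advanced to 02, and a copy of the signed certificate sits in CA/newcerts/01.pem, which is the same bookkeeping openssl ca performs against /etc/pki/CA in the procedure above.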