openssl建立私有CA的过程

原创

kuailejiuhaowdl 2015-01-30 15:05:27 博主文章分类：Linux运维之命令详解 ©著作权

文章标签 证书私有CA 生成密钥吊销列表 文章分类 服务器

©著作权归作者所有：来自51CTO博客作者kuailejiuhaowdl的原创作品，请联系作者获取转载授权，否则将追究法律责任

openssl建立私有CA：

1.生成密钥；

2.自签署证书；

通信节点：

1.生成密钥对儿；

2.生成证书签署请求；

3.把请求发送给CA；

CA：

1.验证请求者信息；

2.签署证书

3.把签好的证书发送给请求者；

简单通信结构图

在系统上的/etc/pki/CA目录下有存放CA的相关信息文件

[root@kvm ~]# ls /etc/pki/CA/
certs/ crl/ newcerts/ private/

openssl默认是安装了的，查看openssl安装后生成的配置文件：

[root@kvm ~]# rpm -qc openssl
/etc/pki/tls/openssl.cnf

查看配置文件的手册

[root@kvm ~]# man openssl.cnf

下面是部分openssl配置文件内容

####################################################################
[ ca ]
default_ca   = CA_default       # The default ca section

####################################################################
[ CA_default ]

dir       = /etc/pki/CA       # Where everything is kept
certs       = $dir/certs       # Where the issued certs are kept
crl_dir       = $dir/crl       # Where the issued crl are kept
database   = $dir/index.txt   # database index file.
#unique_subject   = no           # Set to 'no' to allow creation of
                   # several ctificates with same subject.
new_certs_dir   = $dir/newcerts       # default place for new certs.

certificate   = $dir/cacert.pem    # The CA certificate
serial       = $dir/serial        # The current serial number
crlnumber   = $dir/crlnumber   # the current crl number
                   # must be commented out to leave a V1 CRL
crl       = $dir/crl.pem        # The current CRL
private_key   = $dir/private/cakey.pem # The private key
RANDFILE   = $dir/private/.rand   # private random number file

x509_extensions   = usr_cert       # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default       # Subject Name options
cert_opt    = ca_default       # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions   = crl_ext

default_days   = 365           # how long to certify for
default_crl_days= 30           # how long before next CRL
default_md   = default       # use public key default MD
preserve   = no           # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy       = policy_match

# For the CA policy
[ policy_match ]
countryName       = match
stateOrProvinceName   = match
organizationName   = match
organizationalUnitName   = optional
commonName       = supplied
emailAddress       = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName       = optional
stateOrProvinceName   = optional
localityName       = optional
organizationName   = optional
organizationalUnitName   = optional
commonName       = supplied
emailAddress       = optional

####################################################################
[ req ]
default_bits       = 2048
default_md       = sha1
default_keyfile    = privkey.pem
distinguished_name   = req_distinguished_name
attributes       = req_attributes
x509_extensions   = v3_ca   # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default       = XX
countryName_min           = 2
countryName_max           = 2

stateOrProvinceName       = State or Province Name (full name)
#stateOrProvinceName_default   = Default Province

localityName           = Locality Name (eg, city)
localityName_default   = Default City

0.organizationName       = Organization Name (eg, company)
0.organizationName_default   = Default Company Ltd

# we can do this but it is not needed normally :-)
#1.organizationName       = Second Organization Name (eg, company)
#1.organizationName_default   = World Wide Web Pty Ltd

organizationalUnitName       = Organizational Unit Name (eg, section)
#organizationalUnitName_default   =

commonName           = Common Name (eg, your name or your server\'s hostname)
commonName_max           = 64

emailAddress           = Email Address
emailAddress_max       = 64

# SET-ex3           = SET extension number 3

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min       = 4
challengePassword_max       = 20

unstructuredName       = An optional company name

一、建立CA服务器：

1.生成密钥

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

2.自签署证书

        # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
               req: 生成证书签署请求
                   -news: 生成新请求
                   -key /path/to/keyfile: 指定私钥文件
                   -out /path/to/somefile: 指定证书文件
                   -x509: 生成自签署证书
                   -days n: 有效天数