Linux系统搭建私有CA证书服务器

Linux系统搭建私有CA证书服务器,第1张

概述一、CA简介 CA是什么?CA是Certificate Authority的简写,从字面意思翻译过来是凭证管理中心,认证授权。它有点类似我们生活中的身份z颁发机构,这里的CA就相当于生活中颁发身份z的

一、CA简介

  CA是什么?CA是Certificate Authority的简写,从字面意思翻译过来是凭证管理中心,认证授权。它有点类似我们生活中的身份z颁发机构,这里的CA就相当于生活中颁发身份z的机构。不同于生活中的颁发机构,这里的CA是给服务器颁发证书。颁发证书的目的同生活中的办理身份z的目的类似,都是为了证明一件事,生活中的身份z可以证明我们是一个合法的公民,而服务器颁发证书的目的也是证明我们服务是一个合法的服务器,换句话说就是有了证书我们就可以清楚知道我们访问的服务器到底是不是我们真正想访问的服务器。从而识别我们访问的服务器的真假。

二、中间人攻击原理

  如上图所示,我们在和对方服务器通信的过程,存在着中间人攻击的情况。所谓中间人攻击,就是攻击者站在通讯双方的中间,对于客户端它充当着服务器的角色,对于服务器端它又充当着客户端的角色。简单说它就是两边欺骗。当我们向服务器发起通信请求时,中间人会截获我们发向服务器端的报文,从而进行修改,然后把修改后的报文发送给服务端,服务端收到中间人篡改的数据报文,进行响应,把响应报文发送给中间人,然后中间人再发给客户端。这样一个过程就是中间人攻击的过程。可以看到客户端服务端双方直接通信是不安全的。如上图所示,通信双方交换密钥,直接交换就存在中间人欺骗,因为我们不能够确定远端服务器的真伪和客户端的真伪。为了解决这一问题,由此衍生出CA。CA在这里的充当的角色相当于中间人角色,不同的是CA是一个权威的中间人。它可以证明客户端和服务端的真伪。

三、加密解密以及获取公钥过程

  众所周知常用的加密方式有三种,单向加密,对称加密,和非对称加密。单向加密从字面意思理解就是一方加密,在加密过程中不使用密钥,我们把单向加密也叫不可逆加密,通常用于验证文件的真假,或者验证文件是否改动,从而验证文件的完整性。常用的单向加密算法有md5,sha。对称加密讲的是加密和解密用的同一密钥。换句话说对称加密只有一个密钥,只要拿到对应的密钥就可以解密。常用的对称加密有des。非对称加密讲的是公钥加密私钥解密,私钥加密公钥解密,且公钥和私钥是一对,加密解密都需要的是一对密钥里的任意一个。这种加密比前两种更加安全和适用,缺点是加解密大文件速度慢。

  了解了非对称加密的特性,我们再来说说它的过程。通信双方要进行非对称加密通信,前提是需要拿到对方的公钥,私钥放在各自手里,各自的公钥则存放在对方的手上。换句话讲,客户端需要拿到服务端的公钥,才能和服务端通信,服务端需要拿到客户端的公钥,才能主动和客户端通信。从而才可以实现非对称加密通信。那么客户端怎么得到服务端的公钥呢?如果客户端直接向服务端发送公钥,上面我们说过,这种方式存在中间人攻击,因为直接交换公钥是不都能确定对方身份的。这个时候就需要说说CA证书的作用了。

  证书里面存放了申请证书机构服务器的公钥和CA的信息以及有效期。通讯双方在建立加密通信的时候,需要验证证书的合法性,从而实现验证身份的目的。通常情况我们要验证证书的合法性就需要证书颁发机构的公钥来对证书解密,因为证书在颁发的时候,里面的公钥是通过颁发机构的私钥对其进行加密的。只要我们能够用颁发机构的公钥解开证书,那么就说明这个证书就是一个合法的证书,至少它证明了这个证书是权威机构(我们信任的)CA颁发的。同理通信双方要进行加密通信也是通过证书来获取密钥的。具体过程是这样的,客户端向服务端发起通信请求,服务端发送证书给客户端,客户端拿到证书进行解密,如果能够用信任CA机构的公钥解开,说明服务器发送过来的证书没有问题,然后把服务端公钥给存起来。客户端有了服务端的公钥后就可以向服务端发送用服务端的公钥加密的数据了,但是服务端没有客户端的公钥,它不能够用自己的私钥来加密数据发送给客户端,因为它的公钥是公开的,不光客户端上有服务端的公钥,中间人也有。所以为了确保数据的安全,客户端需要随机生成一个密码,然后通过服务器的公钥,把随机生成的密码加密后发送给服务端,服务端收到客户端发来的加密数据后,用自己的私钥解开,从而拿到客户端发来的随机密码,有了这个随机密码后,服务端就拿这个随机密码对称加密数据,然后发送给客户端。客户端收到服务端发送过来的加密报文,用刚才发送给服务端的随机密码解密,从而得到真正的数据。后续双方就是通过这个随机密码来加密解密传输数据。这里还需要说明的是,这个随机密码不是一直不变的,每隔一段时间后,客户端和服务端就会协商,重复上面的过程,生成新的随机密码进行加密解密通信。

  从上面的通信过程我们可以知道,证书的作用就是为了验证其服务器的真实合法性,以及传输服务端的公钥的作用。而服务器的公钥就是用来客户端向服务端发送随机密码,用来加密随机密码的作用,从而实现,只有服务端可以拿到这个随机密码的作用,实现安全加密通信。

四、CA服务器的实现

  1、安装openssl软件

[root@test ~]# yum install openssl -y

  说明:通常情况下openssl是系统默认安装的有,如果没有需要安装。

  2、查看配置文件,以及匹配策略

 36 [ ca ] 37 default_ca  = CA_default        # The default ca section 38  39 #################################################################### 40 [ CA_default ] 41  42 dir     = /etc/pki/CA       # Where everything is kept 43 certs       = $dir/certs        # Where the issued certs are kept 44 crl_dir     = $dir/crl      # Where the issued crl are kept 45 database    = $dir/index.txt    # database index file. 46 #unique_subject = no            # Set to 'no' to allow creation of 47                     # several ctificates with same subject. 48 new_certs_dir   = $dir/newcerts     # default place for new certs. 49  50 certificate = $dir/cacert.pem   # The CA certificate 51 serial      = $dir/serial       # The current serial number 52 crlnumber   = $dir/crlnumber    # the current crl number 53                     # must be commented out to leave a V1 CRL 54 crl     = $dir/crl.pem      # The current CRL 55 private_key = $dir/private/cakey.pem# The private key 56 RANDfile    = $dir/private/.rand    # private random number file 57  58 x509_extensions = usr_cert      # The extentions to add to the cert 59  60 # Comment out the following two lines for the "Traditional" 61 # (and highly broken) format. 62 name_opt    = ca_default        # Subject name options 63 cert_opt    = ca_default        # Certificate fIEld options 64  65 # Extension copying option: use with caution. 66 # copy_extensions = copy 67  68 # Extensions to add to a CRL. Note: netscape communicator chokes on V2 CRLs 69 # so this is commented out by default to leave a V1 CRL. 70 # crlnumber must also be commented out to leave a V1 CRL. 71 # crl_extensions    = crl_ext 72  73 default_days    = 365           # how long to certify for 74 default_crl_days= 30            # how long before next CRL75 default_md  = sha256        # use SHA-256 by default 76 preserve    = no            # keep passed DN ordering 77  78 # A few difference way of specifying how similar the request should look 79 # For type CA,the Listed attributes must be the same,and the optional 80 # and supplIEd fIElds are just that :-) 81 policy      = policy_match 82  83 # For the CA policy 84 [ policy_match ] 85 countryname     = match 86 stateOrProvincename = match 87 organizationname    = match 88 organizationalUnitname  = optional 89 commonname      = supplIEd 90 emailAddress        = optional 91  92 # For the 'anything' policy 93 # At this point in time,you must List all acceptable 'object' 94 # types. 95 [ policy_anything ] 96 countryname     = optional 97 stateOrProvincename = optional 98 localityname        = optional 99 organizationname    = optional100 organizationalUnitname  = optional101 commonname      = supplIEd102 emailAddress        = optional103 104 ####################################################################

  说明:可看到openssl默认配置里面指定了证书存放相关文件的路径,和CA默认匹配策略,其中国家名称、省州名称、组织名称是必须同CA设置的信息一致,当然这些匹配是否和CA设置的一样,是通过配置文件来判断的可自行设置。通用名称是必须要填写的,其他都是可选。

  3、创建CA自签名证书

    3.1、生成私钥

[root@test ~]# cd /etc/pki/CA/[root@test CA]# tree.├── certs├── crl├── newcerts└── private4 directorIEs,0 files[root@test CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)Generating RSA private key,2048 bit long modulus..............................+++............+++e is 65537 (0x10001)[root@test CA]# tree.├── certs├── crl├── newcerts└── private    └── cakey.pem4 directorIEs,1 file[root@test CA]# cat private/cakey.pem -----BEGIN RSA PRIVATE KEY-----MIIEogIBAAKCAQEAmM8gDY90zksYI2myhqsGgMBGAPnlLbIBwiqYnte2PJZRnEJvaYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6JaAp/eMZcqzYVU2a6VhxPQLBP35dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4F3gP79hz/JxwK0yShliGCnPPcCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m2OesIDW1LFPrvotRo+aBwexI1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0FyZGS1ZP/+Jf1ZfbvL2w9kcmlQ0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QIDAQABAoIBADUWQBx16i6BCDHFVrBSWkAAjFFqf6QQY2wBQGRurHEAB/oxWmNeEFk9R3cDDur08vSuDP/FID7r0vuljZCfHVuiW4Lt51NzIPulhoTZkjkLORcXGNhSOpoBsKxS2u8BsrkoXB7GMn3yHHB2E6PIwfYqksYUf/TjTehEsPNZ9s2Sx/ioscHfnIRd7Uct0Gu5mI5C6qP/7BheyNRbbnFGGB0dSFDtFPqGUIfTeWApJUH1/vUTUXrrZLH4FEubMuf4k0ZIV3cGyvdZVVQ+iyoWTTetPOhFbRMnKtqgJ+yVhck7uEAgIB/JrMI3x768JoJpyAgxGlZFmxS86mdrTzDzZcECgYEAxwv/Jcrb3E5gGC77qSEWlq+IVomAgHRVU4M81byw6YV7wAssW10tX8pm84H3G8yJMuxGYdHdXpl9PzxwXaS7Qh82uZVQbgaliWyhHloEIoI+oH9pGtXfuWqQKmrYURtq8AoulhALn03zCjJINGfY9/WlYX6qi32UpnKg6snmDD8CgYEAxIhAu+By9YazW/YVgEHoh5UmWL0yfX8rBEn1fRwwhjfhQtfs50zol83SVKpKY8VtfR/r/YcIaWx8+R5g+g/aAYDeKHO1x+uW2yqWMdXjdkY/kzoM0G7gPvSC7F3vr6DWuHUC6v4839EEliKHyCK0NMumnPvoUUDrbP1YlJ1cLs8CgYBsGU/QLoOI+eemOp3iFF44J8xbcwGewY81c6iuS3Oo3x1+BpNoawohY8LVrFePeV1pkngG1/rpTWJ/3UsJEFXCa0FFOJocwWyCjcRSv4BPXXy1nXxvXofKIt14q94e7kz9X/vlqEEnmyXK+9PK4JsrLvVKJYhpiSIZ41cRK+ul8QKBgF0S3f1b3XWTtkt97k7QZ8wWAZQS/d9bI0cJs4Ptnrlhq2eZlNMxo+BHzC1WfGZlsGWKgZuOoJg0zba5AVpLuYXuvsdPJs5Bzy66K2ksj02LFT6nRjxL1h1adMp17jY0vKgcmiYqAzBH77BZZO6OKOO78orz7eDVKulxzcqL/4UXAoGAKk1Yfa8ZVJGlzjZHl/imvce2B+78ALJItw8hUAOxjU3780vzuppyG5o/Zg25XbW9FbOUXt+8Tyd3/yFBBGdZ1OvL9YSngtGyLX7X3aWbg9xwR7fz8bheI+J7QcLouNuHoUis+3EHbQIcQM9CTrP7sjFMM2LxPzxz7qPuV0ru2bg=-----END RSA PRIVATE KEY-----[root@test CA]# 

  说明:为了创建的私钥的安全,建议把其权限修改成600。当然创建私钥的时候也可以用对称加密算法对其私钥加密,这样更加安全。需要注意的是加密后的私钥,我们要用的时候就需要对其输入对称加密的口令。如果需要把私钥用对称加密算法加密,需要指定其加密算法即可。生成的私钥名称必须同配置文件中的名称相同。

    3.2、签发自签名证书

[root@test CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a distinguished name or a DN.There are quite a few fIElds but you can leave some blankFor some fIElds there will be a default value,If you enter '.',the fIEld will be left blank.-----Country name (2 letter code) [XX]:CNState or Province name (full name) []:SICHUANLocality name (eg,city) [Default City]:GUANGYUANOrganization name (eg,company) [Default Company Ltd]:TESTOrganizational Unit name (eg,section) []:DEVOPSCommon name (eg,your name or your server's hostname) []:ca.test.comEmail Address []:[root@test CA]# tree.├── cacert.pem├── certs├── crl├── newcerts└── private    └── cakey.pem4 directorIEs,2 files[root@test CA]# cat cacert.pem -----BEGIN CERTIFICATE-----MIIDpTCCAo2gAwIBAgIJANCoyQ6AYK/SMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNVBAYTAkNomrAwDgYDVQQIDAdTSUNIVUFomrIwEAYDVQQHDAlHVUFOR1lVQU4xDTALBgNVBAoMBFRFU1QxDzANBgNVBAsMBkRFVk9QUzEUMBIGA1UEAwwLY2EudGVzdC5jb20wHhcNMjAwMTI5MTAzNjM2WhcNMjIxMDI1MTAzNjM2WjBpMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHU0lDSFVBTjESMBAGA1UEBwwJR1VBTkdZVUFOMQ0wCwYDVQQKDARURVNUMQ8wDQYDVQQLDAZERVZPUFMxFDASBgNVBAMMC2NhLnRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmM8gDY90zksYI2myhqsGgMBGAPnlLbIBwiqYnte2PJZRnEJvaYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6JaAp/eMZcqzYVU2a6VhxPQLBP35dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4F3gP79hz/JxwK0yShliGCnPPcCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m2OesIDW1LFPrvotRo+aBwexI1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0FyZGS1ZP/+Jf1ZfbvL2w9kcmlQ0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QIDAQABo1AwTjAdBgNVHQ4EFgQUQ/0tcuVAvzoOA13SD2x8W9Brx0EwHwYDVR0jBBgwFoAUQ/0tcuVAvzoOA13SD2x8W9Brx0EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAl/gUsSCgKjeSq5K2TyLc3VUP2KN1m+Wu9qWKAgXiaMxY8iWj3I8AxfNkTAqNGz66BpXh9G4hDL844spvnomjdubCufFlNLnrkxCIyWPNVKk69fCa61TANzgvTbIfh/xfdfyctZpU3q9Ptcra9ksYUg7mY7209xJ+emqsBnKwYKigCCrQTT3dxvRHFOV3Z0wJgHCtTetMI25OcpEXk3Tk75k+ayEmiTdMp2Zdk00qmOtZfCmtHO9KdHVTAOCAOaQtd4aOZMsgADBWXVP2NPmosUm2onvrKTFB6tYXXhj5j6tPVFunCZER2w2VMa+Q+pgmmt5AeqoALQaBdR31IFj0Q==-----END CERTIFICATE-----[root@test CA]# 

  说明:颁发的证书默认是没法用cat命令来查看证书里面的信息的,我们可以通过把证书导出到windows上查看,也可以通过openssl来查看。ca的私钥和证书存放路径需要参考其配置文件中的定义来指定存放。

  在windows上查看办法的证书

   说明:在windows上查看,需要把其后缀更改为.crt才可以双击查看。之所以它提示我们说此CA根目录证书不受信用,是因为windows上没有将其证书导入,没有改根CA的信息。默认情况下,windows里面内置了一些权威CA的证书,所以我们在权威的CA下申请的证书,放在windows上就不会报不信任的CA证书了。

  用openssl查看证书

[root@test CA]# openssl x509 -in cacert.pem -noout -textCertificate:    Data:        Version: 3 (0x2)        Serial Number:            d0:a8:c9:0e:80:60:af:d2    Signature Algorithm: sha256WithRSAEncryption        Issuer: C=CN,ST=SICHUAN,L=GUANGYUAN,O=TEST,OU=DEVOPS,CN=ca.test.com        ValIDity            Not Before: Jan 29 10:36:36 2020 GMT            Not After : Oct 25 10:36:36 2022 GMT        Subject: C=CN,CN=ca.test.com        Subject Public Key Info:            Public Key Algorithm: rSAEncryption                Public-Key: (2048 bit)                Modulus:                    00:98:cf:20:0d:8f:74:ce:4b:18:23:69:b2:86:ab:                    06:80:c0:46:00:f9:e5:2d:b2:01:c2:2a:98:9e:d7:                    b6:3c:96:51:9c:42:6f:69:84:73:0a:0c:3d:c1:27:                    1a:f6:82:39:ad:41:ae:d7:02:ce:93:c3:65:02:41:                    3a:5b:88:57:bb:a2:5a:02:9f:de:31:97:2a:cd:85:                    54:d9:ae:95:87:13:d0:2c:13:f7:e5:db:df:65:3e:                    2f:a6:ce:f7:ec:e4:7e:97:c8:1c:25:15:f6:54:f7:                    1f:26:e3:14:fa:be:0a:6c:14:f8:17:78:0f:ef:d8:                    73:fc:9c:70:2b:4c:92:86:52:06:0a:73:cf:70:22:                    b9:c5:2e:a3:28:11:f7:7b:37:4b:b1:1c:b4:64:24:                    54:c1:7f:a2:be:50:09:f3:32:7f:6d:5e:26:d8:e7:                    ac:88:35:b5:2c:53:eb:be:8b:51:a3:e6:81:c1:ec:                    48:d6:f9:34:d5:8c:30:d7:1f:c3:52:7c:62:60:2a:                    ce:3d:2d:15:df:05:a9:49:2e:ab:da:a5:d5:bf:41:                    72:64:64:b5:64:ff:fe:25:fd:59:7d:bb:cb:db:0f:                    64:72:69:50:d3:06:9d:1e:4c:77:33:81:c9:ca:f5:                    a2:9c:e1:29:32:ca:d3:af:7a:7d:44:ae:bb:a0:db:                    38:f1                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Subject Key IDentifIEr:                 43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41            X509v3 Authority Key IDentifIEr:                 keyID:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41            X509v3 Basic Constraints:                 CA:TRUE    Signature Algorithm: sha256WithRSAEncryption         02:5f:e0:52:c4:82:80:a8:de:4a:ae:4a:d9:3c:8b:73:75:54:         3f:62:8d:d6:6f:96:bb:da:96:28:08:17:89:a3:31:63:c8:96:         8f:72:3c:03:17:cd:91:30:2a:34:6c:fa:e8:1a:57:87:d1:b8:         84:32:fc:e3:8b:29:be:7a:26:8d:d5:1b:0a:e7:c5:94:d2:e7:         ae:4c:42:23:25:8f:35:52:a4:eb:d7:c2:6b:ad:53:00:dc:e0:         bd:36:c8:7e:1f:f1:7d:d7:f2:72:d6:69:53:7a:bd:3e:d7:2b:         6b:d9:2c:61:48:3b:99:8e:f6:d3:dc:49:f9:e9:aa:b0:19:ca:         c1:82:a2:80:20:ab:41:34:f7:77:1b:d1:1c:53:95:dd:9d:30:         26:01:c2:b5:37:ad:30:8d:b9:39:ca:44:5e:4d:d3:93:be:64:         f9:ac:84:9a:24:dd:32:9d:99:76:4d:34:aa:63:ad:65:f0:a6:         b4:73:bd:29:d1:d5:4c:03:82:00:e6:90:b5:de:1a:39:93:2c:         80:00:c1:59:75:4f:d8:d3:e6:a2:c5:26:da:89:ef:ac:a4:c5:         07:ab:58:5d:78:63:e6:3e:ad:3d:51:6e:9c:26:44:47:6c:36:         54:c6:be:43:e3:e0:9a:6b:79:01:ea:a8:00:b4:1a:05:d4:77:         d4:81:63:d1[root@test CA]# 

  4、在客户端创建证书申请

    4.1、生成私钥信息

[root@test-node3 ~]# mkdir ssl[root@test-node3 ~]# cd ssl/[root@test-node3 ssl]# (umask 077;openssl genrsa -out /root/ssl/app.key 2048)Generating RSA private key,2048 bit long modulus.............................................................+++.........................+++e is 65537 (0x10001)[root@test-node3 ssl]# lsapp.key[root@test-node3 ssl]# cat app.key -----BEGIN RSA PRIVATE KEY-----MIIEpQIBAAKCAQEA6XtScxyxgI7gC+1xYQFSXIF9RqCTAZ4WpWGQYzs30XLT1cxl/hJ8McxMQ137H1g+PeEFbNV3oyBjEt3feCck5sb9TP4tsIhT6Lt3Zt6PIqOfDZ8kOxWDJp/DNXHwuC8ME/mfv3CleJbL5Clyb9ovYeZkEQPK9TgG7pCHU0AxTw0r7ELPA29Ugd/lFGQNTJt39Kmy7uBOPhKEQ+fHVaMqtmy1q/SpnM92vGvR40xRgl+HJ17A0ACAEjbf3wK+qoQ/WBCCpMkeTLoFEn/Sa7SmZZt2F0k2cTyxSzVKadPQulrpWVHbzX4IDI/ssS9weIDsll5eScj/CWWRFhKu7z98YQIDAQABAoIBAQDKu6RqA741DNqKQNC0FHu5i06GJyO+wdCUJdVD9MWQ/o3mFSdyqAZjDywhStek7fCNtngJeon5gUPFvBYwtHycTqjfU83EfXuumCkjj5jl0QFoyIijLRjGTu8n1xnYNDHenmAR0PQ9c2LzaPHPIbsG3RCCnbJ7nvyV5bU7mn+2TOb41csMVjLJoK2N91QEljkAn+4oqpTVJgJaTnUKvafBjCn+ctZDKcsZ0H/yFhGbt0ZFEXql3WFM5AOE5tBmlmqrQY/4CzeqlPCXzYpuUCHQBj9UYj58SfVUEoaN+gNX82amUqBOablJMpGR0vDh0CxsAxnPYF7O1o6PhXIjjmPJAoGBAPg74aMUmog3o91NpoedLdRrMOYcYBdd3H7KwPyXzHMoYHQjfhemhJKqZgE53U+TfxdFr8EJcR8aoDzDLp3+5F1ANCZD2FgvWptAyABx+I09J0OES0VBM3hhp0pOYot1ylBbFrvGGANFa8WAnO+yyNU91CFUhp7kmQ5TuUUHt2kzAoGBAPDJSiXn30hQO8zVCHXzCrcltKfSnU4liceI0jhneHfW8b42/tEegXVTEOIBiPmhLA8x8xeIC/fS1B0ih7Uus9MUBJUN7RhlWSxGPcxA//JAxffGJwmxoYxYFkwvoTyTQrJEigBmE6+PdSb7JOB4c3nt/YwPYvjQOIENolRMIwwbAoGBAOoNhA2AwLKAVVgXnBooQIsV2pBNVukRThKa1+YStuopuvAmeXIysDOdyPoE9j/OwblOso2fenKqZ0WDf1PnfqJsHZmqxLU5SQQzy6Bn1cROUdQeS95rwL0TzmmIipaxyv+DM2cvO3ryHNCnGNIFT8mIN5iJmzj8L7hLhteok+3zAoGAbot7RzvU/tYXHksPv1b9rGfbMNE49wPFFZ5zJQIcBKjiA3osMsXWmY6xSZF62WBtYeyEtmD3XaelSlr4Au6WEGo4UFY8a97bub/lz0hoOUgTm1WVxpWOnWgzlHaph630CPP+h4BVuVwbZPIYVBX4rhndNdg6kBDJIi+cPydVT9ECgYEAwF5U/YS9IIb8n1NXARXA3nWmfqdJM2JcYwh33ILFB0+2gm4nr4IExb14BlFMl8mYVKqykHpdE73/LYZWu/inkti8APmHyP3+7QHMWagpCucCHxGzagWysdo8HSqbkcQJoB0pTLPZGHEGulMzzAII6fc+sZsHPi2NLbZZFPGDWjk=-----END RSA PRIVATE KEY-----[root@test-node3 ssl]# 

    4.2、生成证书申请文件

[root@test-node3 ssl]# lltotal 4-rw------- 1 root root 1679 Jan 29 18:55 app.key[root@test-node3 ssl]# openssl req -new -key app.key -out app.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a distinguished name or a DN.There are quite a few fIElds but you can leave some blankFor some fIElds there will be a default value,city) [Default City]:CHENGDUOrganization name (eg,section) []:DEVOPS    Common name (eg,your name or your server's hostname) []:www.test.orgEmail Address []:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:[root@test-node3 ssl]# lltotal 8-rw-r--r-- 1 root root 1005 Jan 29 19:02 app.csr-rw------- 1 root root 1679 Jan 29 18:55 app.key[root@test-node3 ssl]

    4.3、把文件传给CA,在CA上进行证书颁发

[root@test CA]# rzrz waiting to receive. zmodem trl+C ȡ  100%    1005 bytes 1005 bytes/s 00:00:01       0 Errors[root@test CA]# lsapp.csr  cacert.pem  certs  crl  newcerts  private[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf/etc/pki/CA/index.txt: No such file or directoryunable to open '/etc/pki/CA/index.txt'140645247747984:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')140645247747984:error:20074002:BIO routines:file_CTRL:system lib:bss_file.c:404:[root@test CA]# touch /etc/pki/CA/index.txt[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf/etc/pki/CA/serial: No such file or directoryerror while loading serial number140572255938448:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')140572255938448:error:20074002:BIO routines:file_CTRL:system lib:bss_file.c:404:[root@test CA]# echo 00 > /etc/pki/CA/serial[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details:        Serial Number: 0 (0x0)        ValIDity            Not Before: Jan 29 11:06:08 2020 GMT            Not After : Jan 28 11:06:08 2021 GMT        Subject:            countryname               = CN            stateOrProvincename       = SICHUAN            organizationname          = TEST            organizationalUnitname    = DEVOPS            commonname                = www.test.org        X509v3 extensions:            X509v3 Basic Constraints:                 CA:FALSE            netscape Comment:                 OpenSSL Generated Certificate            X509v3 Subject Key IDentifIEr:                 AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB            X509v3 Authority Key IDentifIEr:                 keyID:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41Certificate is to be certifIEd until Jan 28 11:06:08 2021 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certifIEd,commit? [y/n]yWrite out database with 1 new entrIEsData Base Updated[root@test CA]# tree.├── app.crs├── cacert.pem├── certs│   └── app.crt├── crl├── index.txt├── index.txt.attr├── index.txt.old├── newcerts│   └── 00.pem├── private│   └── cakey.pem├── serial└── serial.old4 directorIEs,10 files[root@test CA]# 

  说明:在跟客户端颁发证书的时候需要依赖两个文件/etc/pki/CA/index.txt和/etc/pki/CA/serial,前者文件主要存放已经颁发的证书信息,后者存放下一个将要颁发的证书的序列号。这里说一下/etc/pki/CA下的各个文件和目录的作用吧,certs目录存放颁发证书的目录,crl存放吊销证书列表文件的目录,index.txt.attr存放证书subject信息是否唯一的配置信息,index.txt.old存放上一次颁发证书的信息,newcerts目录存放已经颁发的证书,并且以序列号命名的证书,每颁发一次证书,在我们指定的路径下生成指定名称的证书后,newcerts目录下会自动生成一个以序列号为名称的证书,这个证书同我们指定路径下存放的证书信息一模一样。private目录存放私钥文件。serial.old存放上一次颁发证书的序列号。

    4.4、查看颁发证书的信息

  windows上查看

  linux上查看

[root@test CA]# openssl x509 -in certs/app.crt -noout -textCertificate:    Data:        Version: 3 (0x2)        Serial Number: 0 (0x0)    Signature Algorithm: sha256WithRSAEncryption        Issuer: C=CN,CN=ca.test.com        ValIDity            Not Before: Jan 29 11:06:08 2020 GMT            Not After : Jan 28 11:06:08 2021 GMT        Subject: C=CN,CN=www.test.org        Subject Public Key Info:            Public Key Algorithm: rSAEncryption                Public-Key: (2048 bit)                Modulus:                    00:e9:7b:52:73:1c:b1:80:8e:e0:0b:ed:71:61:01:                    52:5c:81:7d:46:a0:93:01:9e:16:a5:61:90:63:3b:                    37:d1:72:d3:d5:cc:65:fe:12:7c:31:cc:4c:43:5d:                    fb:1f:58:3e:3d:e1:05:6c:d5:77:a3:20:63:12:dd:                    df:78:27:24:e6:c6:fd:4c:fe:2d:b0:88:53:e8:bb:                    77:66:de:8f:22:a3:9f:0d:9f:24:3b:15:83:26:9f:                    c3:35:71:f0:b8:2f:0c:13:f9:9f:bf:70:a5:78:96:                    cb:e4:29:72:6f:da:2f:61:e6:64:11:03:ca:f5:38:                    06:ee:90:87:53:40:31:4f:0d:2b:ec:42:cf:03:6f:                    54:81:df:e5:14:64:0d:4c:9b:77:f4:a9:b2:ee:e0:                    4e:3e:12:84:43:e7:c7:55:a3:2a:b6:6c:b5:ab:f4:                    a9:9c:cf:76:bc:6b:d1:e3:4c:51:82:5f:87:27:5e:                    c0:d0:00:80:12:36:df:df:02:be:aa:84:3f:58:10:                    82:a4:c9:1e:4c:ba:05:12:7f:d2:6b:b4:a6:65:9b:                    76:17:49:36:71:3c:b1:4b:35:4a:69:d3:d0:52:5a:                    e9:59:51:db:cd:7e:08:0c:8f:ec:b1:2f:70:7a:20:                    ec:2c:be:5e:49:c8:ff:09:65:91:16:12:ae:ef:3f:                    7c:61                Exponent: 65537 (0x10001)        X509v3 extensions:            X509v3 Basic Constraints:                 CA:FALSE            netscape Comment:                 OpenSSL Generated Certificate            X509v3 Subject Key IDentifIEr:                 AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB            X509v3 Authority Key IDentifIEr:                 keyID:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41    Signature Algorithm: sha256WithRSAEncryption         46:94:4f:ab:6f:43:43:fb:0d:d1:e2:71:ff:5d:5b:0e:39:59:         c2:3f:92:47:88:84:2f:80:e4:00:a1:94:86:9a:bc:19:bb:22:         22:e1:2f:93:d1:1b:19:92:5f:de:46:47:30:e4:f5:b7:d8:b4:         e7:62:37:9c:17:cc:e7:8c:f4:b7:8a:cc:09:62:fd:6f:56:e3:         a3:22:1d:d8:01:e2:34:87:45:86:04:be:c7:91:b4:e9:49:f6:         39:c9:c4:67:6a:f7:8b:96:09:2f:d3:d4:a4:e5:a3:f0:d9:1d:         e6:dc:28:65:da:70:27:9b:70:5a:6a:a5:5a:77:c3:51:e0:54:         b0:7f:e4:a1:9a:4c:b5:d2:82:84:d9:3f:c8:57:dd:25:0a:80:         81:61:c6:a4:d1:5b:19:21:5d:19:1e:7d:b4:4f:a2:54:f4:bf:         f9:d0:2e:ba:4a:94:f1:93:be:54:cc:3b:19:7a:ae:fd:bd:4a:         b5:e3:55:a3:2a:a0:69:0e:08:78:9d:91:d5:df:02:bd:ec:c9:         cc:d2:6e:68:bf:48:3c:73:df:e9:62:92:8f:6c:9d:2f:2c:32:         85:46:a7:30:22:22:9c:2d:af:d0:cf:02:e0:21:3b:1d:6a:a3:         f7:81:0b:63:10:8c:f1:30:4a:05:08:4b:52:ad:4a:1d:14:9c:         0c:64:2b:71[root@test CA]# 

  到此私有CA服务器的搭建、证书的申请和颁发就完成了,后续使用证书,就需要把证书放到对应的应用目录,配置其应用服务来使用其证书即可。通常申请证书不用在客户端申请,在服务端创建私钥,创建申请证书文件,然后签发证书,生成证书文件,然后把私钥和证书发给客户端即可。

  5、吊销证书

[root@test CA]# openssl x509 -in certs/app.crt -noout -serial -subjectserial=00subject= /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org[root@test CA]# 

  说明:以上命令是对要吊销的证书获取其序列号和subject信息,这个 *** 作一般是客户端上查看,然后把信息发送给CA

[root@test CA]# openssl ca -revoke /etc/pki/CA/newcerts/00.pem Using configuration from /etc/pki/tls/openssl.cnfRevoking Certificate 00.Data Base Updated[root@test CA]# 

  说明:在CA上,根据客户端提交的serial与subject信息,对比检验是否与index.txt文件的信息一致,然后在进行吊销证书 *** 作

  6、更新证书吊销列表crl文件

[root@test CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pemUsing configuration from /etc/pki/tls/openssl.cnf/etc/pki/CA/crlnumber: No such file or directoryerror while loading CRL number140437997475728:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')140437997475728:error:20074002:BIO routines:file_CTRL:system lib:bss_file.c:404:[root@test CA]# echo 00 > /etc/pki/CA/crlnumber[root@test CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pemUsing configuration from /etc/pki/tls/openssl.cnf[root@test CA]# 

  说明:第一次更新证书吊销列表,它会提示我们说缺少crlnumber文件,这个文件同serial的作用类似,都是存放的是版本号,我们需要创建其文件,并写一个16进制的编号,通常是从00或者01开始。(这个文件同serial一样都会自动增长,一般后续不需要怎么维护它)

[root@test CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -textCertificate Revocation List (CRL):        Version 2 (0x1)    Signature Algorithm: sha256WithRSAEncryption        Issuer: /C=CN/ST=SICHUAN/L=GUANGYUAN/O=TEST/OU=DEVOPS/CN=ca.test.com        Last Update: Jan 29 11:48:03 2020 GMT        Next Update: Feb 28 11:48:03 2020 GMT        CRL extensions:            X509v3 CRL Number:                 0Revoked Certificates:    Serial Number: 00        Revocation Date: Jan 29 11:41:28 2020 GMT    Signature Algorithm: sha256WithRSAEncryption         87:12:f8:b2:ec:b7:77:94:4b:bc:e4:ea:69:03:27:78:d3:b5:         43:8d:45:c5:a4:50:53:d7:3b:81:48:a1:cf:5d:43:4e:13:01:         91:5e:a2:f2:87:44:87:84:16:b2:1d:0e:28:81:88:d4:1a:c2:         a4:55:22:9f:d0:b9:6b:3c:80:e2:6e:98:fb:c3:18:3e:d3:a0:         49:a3:0e:19:64:2f:03:51:4b:ec:32:1c:c8:41:62:46:e8:4f:         8c:ec:a2:07:1c:fc:4b:20:61:ca:04:0e:31:8b:b9:4e:ce:42:         81:66:d6:09:3e:1e:15:44:76:33:27:07:fd:17:10:6d:d0:12:         cf:4f:ce:cb:3d:b4:6d:68:f1:5a:1a:4f:44:a6:65:cd:f6:3b:         4e:2e:3f:6d:2a:f8:d5:8a:52:5a:b0:8d:b1:8f:73:08:50:9c:         89:d3:c0:97:0e:13:89:37:cc:13:ad:d9:db:61:06:6d:4f:0a:         6b:58:a0:53:0a:2b:e8:23:18:cd:3b:0c:5d:9e:77:c3:85:3e:         e3:3c:ab:ad:45:9e:3c:18:7a:85:b0:51:7e:4d:8e:c6:18:e7:         fc:4d:f1:01:ac:b3:89:2c:eb:f7:0e:f9:3c:ea:5a:42:ff:43:         6b:98:9f:a0:89:59:28:92:c9:ed:d3:59:87:ca:04:8c:8c:92:         c0:a1:72:8a[root@test CA]# cat /etc/pki/CA/index.txtR       210128110608Z   200129114128Z   00      unkNown /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org[root@test CA]# cat /etc/pki/CA/crlnumber01[root@test CA]#

  说明:证书吊销后其index.txt里的信息会发生变化,R表示该证书已经被吊销,V表示该证书未吊销。

  在windows上查看证书吊销列表crl文件

 

总结

以上是内存溢出为你收集整理的Linux系统搭建私有CA证书服务器全部内容,希望文章能够帮你解决Linux系统搭建私有CA证书服务器所遇到的程序开发问题。

如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。

欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/yw/1015840.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2022-05-22
下一篇 2022-05-22

发表评论

登录后才能评论

评论列表(0条)

保存