首页 > 代码库 > 构建私有CA

构建私有CA

构建私有CA:

1.生成私钥:

[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)


2.生成自签证书:

 [root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655


-new: 生成新证书签署请求

-x509: 专用于CA生成自签证书

-key: 生成请求时用到的私钥文件

-days :证书的有效期限

-out /PATH/TO/SOMECERTFILE: 证书的保存路径


Country Name (2 letter code) [XX]:CN                #所在国家

State or Province Name (full name) []:Beijing       #所在州或者省

Locality Name (eg, city) [Default City]:Beijing     #所在的城市

Organization Name (eg, company) [Default Company Ltd]:Zebra    #公司的名称    

Organizational Unit Name (eg, section) []:Ops                  #部门的名字

Common Name (eg, your name or your server‘s hostname) []:zebra.com     #服务器的名字

Email Address []:zebra@qq.com                      #管理员的邮箱


3.为CA提供所需的目录及文件

  mkdir -pv /etc/pki/cil/CA/{certs,crl,newcerts}   #如果没有这三个目录,需要建立

  touch /etc/pki/CA/index.txt  #数据库

  echo 01 > /etc/pki/CA/serial #第一个证书的序列号


证书颁发:

要用到证书进行安全通信的服务器,需要向CA(自建的CA必须先自己给自己签署过证书)请求签署证书。


默认国家、省、公司名称必须与CA一致(可修改配置文件

[root@localhost ssl]# vim /etc/pki/tls/openssl.cnf 


# For the CA policy

[ policy_match ]

countryName             = match

stateOrProvinceName     = match

organizationName        = optional       #此项原来是match,我已经给修改了,这是在CA机上改

organizationalUnitName  = optional

commonName              = supplied

emailAddress            = optional


步骤:(以httpd为例)前三步在请求的主机上做


  1. 用到证书的主机生成私钥


    [root@localhost ~]# mkdir /etc/httpd/ssl

    [root@localhost ~]# cd /etc/httpd/ssl

    [root@localhost ssl]# (umask077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)


2.生成证书签署请求

[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365


Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Beijing

Locality Name (eg, city) [Default City]:Beijing

Organization Name (eg, company) [Default Company Ltd]:zebra

Organizational Unit Name (eg, section) []:Ops      

Common Name (eg, your name or your server‘s hostname) []:zebra.com

Email Address []:zebra@qq.com


Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


3.将请求通过可靠方式发送给CA主机:

[root@localhost ssl]# scp httpd.csr 192.168.1.117:/tmp

root@192.168.1.117‘s password: 

httpd.csr                                                  100% 1037     1.0KB/s   00:00    

4.在CA主机上签署证书:

[root@localhost tmp]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365


Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep 24 02:22:36 2016 GMT

            Not After : Sep 24 02:22:36 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = zebra

            organizationalUnitName    = Ops

            commonName                = zebra.com

            emailAddress              = zebra@qq.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                05:CC:06:E5:17:4E:2E:A6:C8:EE:8A:98:D2:65:DE:96:FD:29:00:E6

            X509v3 Authority Key Identifier: 

                keyid:32:C7:C3:54:15:B6:77:92:5C:DD:5A:A7:A2:85:E8:B1:58:54:8F:90


Certificate is to be certified until Sep 24 02:22:36 2017 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated


5.查看证书信息:

[root@localhost certs]# openssl x509 -in httpd.crt -noout -subject -text -serial -dates

#一般查看蓝色的两项,绿色的可不查看


subject= /C=CN/ST=Beijing/O=zebra/OU=Ops/CN=zebra.com/emailAddress=zebra@qq.com

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1 (0x1)

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=Beijing, L=Beijing, O=zebra, OU=Ops, CN=zebra.com/emailAddress=zebra@qq.com

        Validity

            Not Before: Sep 24 02:22:36 2016 GMT

            Not After : Sep 24 02:22:36 2017 GMT

        Subject: C=CN, ST=Beijing, O=zebra, OU=Ops, CN=zebra.com/emailAddress=zebra@qq.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:aa:11:aa:b4:14:7b:39:4c:4d:ce:51:e2:fe:c5:

                    7b:d2:8e:b6:98:ff:c9:86:c1:ca:8f:9e:2d:10:74:

                    92:66:50:70:4c:86:38:61:55:4d:86:7c:85:f1:a7:

                    52:ff:56:94:c4:0a:fa:33:d7:7f:e1:45:e6:e7:54:

                    d7:08:c7:e3:3a:b8:11:8d:f5:dd:31:de:25:b3:70:

                    29:69:85:1f:13:fd:50:8c:7f:7d:e1:5c:67:1b:f1:

                    05:8a:d6:ee:61:15:d6:95:06:68:92:62:7b:5c:97:

                    29:1b:78:f3:97:af:69:aa:1c:0a:d7:fe:92:7f:76:

                    0b:39:10:a4:3a:57:eb:fe:9a:a9:20:42:8e:86:17:

                    a1:b0:31:b4:92:ab:50:4f:e2:de:5c:1b:8b:e6:a4:

                    2b:2b:6d:8b:c9:8b:00:9b:de:c7:77:5f:ee:72:d8:

                    86:94:ad:7d:d2:96:8c:a8:fc:82:9d:0c:f6:68:6e:

                    06:7b:48:72:72:d4:1c:a1:0d:81:e5:ec:c1:66:06:

                    01:a5:fc:90:8e:e0:41:59:65:16:a0:d7:ea:27:00:

                    f3:d7:78:6e:f5:aa:46:3d:63:b6:9b:95:c1:b4:26:

                    ec:8a:3a:17:54:a2:bf:02:bf:7f:43:2d:3c:66:75:

                    84:39:77:8c:e0:6a:4a:df:e7:a1:32:d1:ea:ee:e9:

                    58:5d

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                05:CC:06:E5:17:4E:2E:A6:C8:EE:8A:98:D2:65:DE:96:FD:29:00:E6

            X509v3 Authority Key Identifier: 

                keyid:32:C7:C3:54:15:B6:77:92:5C:DD:5A:A7:A2:85:E8:B1:58:54:8F:90


    Signature Algorithm: sha1WithRSAEncryption

         01:db:87:5a:d1:4d:a0:24:d0:2c:ee:7a:7b:58:bf:4f:71:61:

         ef:eb:67:17:64:99:fc:75:c5:79:07:07:28:74:d5:a4:27:97:

         f4:54:bb:25:25:a9:c6:58:93:85:0f:4c:ea:80:14:d5:e9:88:

         7e:66:33:fc:e3:e3:e2:0e:77:a9:d4:b0:4b:b3:50:0f:2e:0e:

         e2:c2:f5:ba:e1:81:19:eb:c2:c7:9a:72:d2:87:8f:55:27:02:

         2d:93:39:06:69:7b:8c:1b:c5:3b:66:c9:60:ce:1d:23:cc:9a:

         9f:0a:f4:6e:12:91:e8:38:f3:29:b5:c6:dd:59:d0:12:f6:7e:

         e5:5f:dd:3a:31:34:a9:25:c5:3a:fc:27:19:ff:72:cc:51:02:

         49:21:90:dc:8b:31:a0:77:b1:96:e0:34:bc:04:5c:2c:3b:44:

         53:91:af:54:84:1f:8d:91:a6:ea:5d:d4:b0:17:af:00:51:72:

         83:a6:15:d5:a2:e2:0e:78:c6:a6:33:9d:74:90:d5:a3:5a:25:

         2f:aa:b0:2d:5f:93:d4:07:5f:3e:ae:e3:a6:d5:1a:d7:e1:b6:

         71:f7:61:ef:cd:5f:0b:37:28:ab:d5:2b:df:af:7e:d8:ef:54:

         fe:91:2b:d5:48:22:69:d9:fa:b5:27:1f:06:26:14:61:ca:c9:

         83:30:b1:1f:b3:f8:2f:42:67:a2:b3:07:20:55:be:06:00:41:

         b7:b0:3c:95:f0:82:3b:e5:f0:70:70:7f:bf:5a:3c:ac:f3:dd:

         1d:e1:3d:3e:bd:e6:87:2e:c3:86:95:48:e8:49:0c:47:4a:de:

         5a:3a:b1:cb:85:60:7f:77:7a:bc:60:ca:aa:85:8b:dc:54:62:

         50:36:37:7c:8b:3f:86:ce:a7:83:95:ed:dd:20:39:7b:b9:81:

         93:67:cb:2c:ab:f9:eb:1d:95:2f:4e:90:2f:df:c6:17:1c:49:

         46:46:61:12:8d:51:c6:3d:b6:b4:0f:45:92:7f:0d:57:26:5e:

         fe:8f:f4:22:d0:a8:0b:d3:2c:bf:2b:18:03:7a:01:dd:fb:36:

         16:9a:b6:ea:bf:dd:88:92:ab:c9:ec:13:82:b6:57:50:43:0d:

         03:f7:c3:1c:a9:9d:82:83:c0:84:e9:eb:65:85:e8:d0:7f:26:

         fe:c6:a0:78:9b:1f:19:1e:cd:c9:38:8d:cb:40:99:85:ea:f6:

         13:4f:cc:6b:96:b7:e4:6f:7c:47:b2:f8:23:93:db:ea:e9:9c:

         3a:7c:78:90:11:7e:68:57:b5:d7:6c:e9:7b:09:66:2f:4b:9f:

         75:b2:c6:0c:ee:b0:e9:6b:ab:b7:00:c7:98:d0:58:5b:28:f2:

         d0:68:15:29:f9:ff:df:3d

serial=01

notBefore=Sep 24 02:22:36 2016 GMT

notAfter=Sep 24 02:22:36 2017 GMT


6.将签过名的证书发还给请求方



吊销证书:

(a) 在客户端获取要吊销的证书的serial

opensslx509 -in /PATH/FROM/CERT_FILE-noout

-serial -subject


(b) 在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致

吊销证书:

opensslca -revoke /etc/pki/CA/newcerts/

SERIAL.pem


(c) 生成吊销证书的编号(第一次吊销一个证书时才需要执行)

echo 01 > /etc/pki/CA/crlnumber


(d) 更新证书吊销列表

opensslca -gencrl-out /etc/pki/CA/crl/ca.crl


查看crl文件:

opensslcrl-in /etc/pki/CA/crl/ca.crl

-noout-text


本文出自 “zebra930” 博客,请务必保留此出处http://zebra930.blog.51cto.com/11736340/1856022

构建私有CA