Setting up a private CA
The [ CA_default ] section of /etc/pki/tls/openssl.cnf tells openssl ca where everything lives, so the directories and files created below must match it:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
1. Create the directories, the empty certificate database (index.txt) and the first serial number
#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
#touch /etc/pki/CA/index.txt
#echo 01 > /etc/pki/CA/serial
2. Generate the CA private key (umask 066 gives the file mode 0600; this key must never leave the CA host)
#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
3. Generate the self-signed CA certificate (valid for 10 years; the fields entered at the prompts become both Subject and Issuer of the root)
#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:rhel8u0
Email Address []:
tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem CA certificate (self-signed)
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem CA private key
Inspect the CA certificate. Issuer and Subject are identical, Basic Constraints is CA:TRUE, and the Authority Key Identifier equals the Subject Key Identifier; that is what a self-signed root looks like:
[23:02:58 root@redhat8u0 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:95:60:8b:eb:05:b2:18:0b:72:75:bd:67:c8:0c:2f:3f:55:b8:8d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = rhel8u0
Validity
Not Before: Jul 16 15:02:20 2020 GMT
Not After : Jul 14 15:02:20 2030 GMT
Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = rhel8u0
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b1:b8:71:57:41:fe:11:86:1b:9d:41:ef:e0:b3:
f3:5c:a6:b0:57:bc:f7:65:81:bd:86:38:68:df:79:
f5:43:d2:72:c5:81:1a:ea:31:31:91:ac:9c:c9:55:
22:92:a9:5d:ff:7e:32:e8:55:4a:aa:5b:6d:4e:81:
f7:d8:58:8e:de:eb:eb:b9:20:c9:29:6e:25:19:08:
fd:02:1b:fd:9a:ad:ca:95:59:4f:30:c9:5b:14:25:
7b:3d:1f:34:41:8d:09:b3:c2:7a:73:9e:db:b2:e8:
1e:3a:a5:71:0f:2e:e8:d2:cf:72:51:02:77:c4:d2:
21:94:f6:bd:e2:af:52:15:06:6e:06:13:76:dc:32:
cd:c9:e1:83:7f:ee:60:7b:03:c0:e0:0f:12:a1:cb:
53:41:d3:b8:ca:ba:63:3e:13:8f:60:13:a8:ba:59:
e4:90:84:42:eb:56:23:52:8e:6a:85:ec:4d:35:cb:
b3:11:2f:9f:aa:d0:45:65:1d:ff:b3:7a:1e:f0:5c:
e0:20:08:11:4a:5a:cc:de:3d:31:e4:97:9e:86:6f:
61:19:63:1d:fd:16:94:65:6c:db:a3:36:26:c0:03:
04:c2:64:92:0f:3d:16:5c:90:e2:c3:4b:5d:44:52:
16:c0:51:67:50:9a:80:04:11:3e:18:38:3c:dd:c3:
69:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
04:60:4B:AE:32:38:87:C8:8F:78:06:CB:CD:BA:E1:DC:B6:07:1B:98
X509v3 Authority Key Identifier:
keyid:04:60:4B:AE:32:38:87:C8:8F:78:06:CB:CD:BA:E1:DC:B6:07:1B:98
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
00:a1:8e:8d:ff:42:d2:01:b9:a1:36:b4:42:b2:c0:d9:75:49:
9c:44:f2:dc:4c:d5:bd:0f:48:04:68:3c:74:2e:eb:76:9c:29:
b2:3a:80:d7:87:e0:2b:12:02:a6:47:40:6f:14:e3:8b:e5:cb:
3e:07:04:b4:5b:61:bd:dc:bd:22:33:65:bb:2f:af:8d:d5:51:
14:dd:75:a4:0f:00:d3:cb:04:f9:ab:7f:15:db:52:ee:7e:cd:
2e:aa:af:2a:dc:3e:6e:96:2f:64:da:1e:aa:3a:2e:ad:47:3a:
07:da:c6:d1:2e:cf:32:b5:dd:c0:0e:fa:6b:d3:c9:c7:fd:14:
aa:b1:23:72:b1:fb:bf:65:51:23:e8:f4:f1:1c:27:d1:8a:41:
cd:60:75:7e:9a:0b:5b:4b:01:44:c4:20:ad:79:c6:cd:ab:f5:
9b:c4:3f:e9:3d:60:f0:bb:10:24:43:57:c1:ce:af:be:2b:60:
81:42:6f:96:dc:4e:c4:b2:e6:63:ac:36:a0:19:b1:fe:9f:d8:
15:ac:7d:b1:f5:97:e6:e0:21:89:b6:a0:f2:c1:b9:a4:2f:84:
5c:b1:8e:c1:e9:af:03:37:51:97:cc:1c:c9:4e:74:d8:64:1d:
80:0d:e7:b7:38:c9:ec:6a:94:1c:09:84:9a:ae:39:f6:af:3b:
2e:ef:1d:3a
Shortcut: one command generates a private key and a self-signed certificate (app.key is the private key, app.crt the certificate). -nodes leaves the key unencrypted on disk. The original used rsa:1024, which is below today's 2048-bit minimum for RSA, so request 2048 bits or more:
#openssl req -utf8 -newkey rsa:2048 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
4. Request a certificate and have the CA issue it
Generate a private key on the host that needs the certificate (it stays on that host; only the request travels to the CA)
#(umask 066;openssl genrsa -out /data/test.key 2048)
Generate the certificate signing request (CSR) for that host
#openssl req -new -key /data/test.key -out /data/test.csr
Sign the request on the CA and hand the certificate back to the requester. With the default policy (policy_match) the request's C, ST and O must equal the CA certificate's values and CN must be supplied, otherwise openssl ca refuses to sign:
#openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100
[00:47:38 root@redhat8u0 CA]#tree
.
├── cacert.pem
├── certs
│ └── test.crt issued certificate
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem CA private key
├── serial
└── serial.old
/data/test.key the requester's private key
[00:48:05 root@redhat8u0 CA]#openssl x509 -in certs/test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = rhel8u0 (the CA)
Validity
Not Before: Jul 16 16:46:17 2020 GMT
Not After : Oct 24 16:46:17 2020 GMT
Subject: C = CN, ST = beijing, O = magedu, OU = opt, CN = duan (the certificate holder; L is absent because policy_match does not list localityName, so openssl ca does not copy it into the issued subject)
5. Revoke a certificate
#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
#cat index.txt
R 201024164617Z 200716165928Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=opt/CN=duan
The columns are: status, expiry date, revocation date (empty while the certificate is valid), serial, certificate file name, subject.
R means revoked
V means valid
Initialise the CRL number. crlnumber is the sequence number of the CRL itself, incremented each time a CRL is generated; it is not a certificate serial. It only has to be set once, before the first CRL is generated:
#echo 01 > /etc/pki/CA/crlnumber
Regenerate the CRL. A revocation only reaches clients that fetch the new CRL (or an OCSP response), so publish crl.pem where they can download it and regenerate it before its Next Update (30 days here, from default_crl_days):
#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
View the CRL; the revoked serial is listed under Revoked Certificates:
#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = it, CN = rhel8u0
Last Update: Jul 16 17:04:45 2020 GMT
Next Update: Aug 15 17:04:45 2020 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Jul 16 16:59:28 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
39:20:62:3f:a2:a5:84:c2:23:78:ef:54:45:28:80:7d:d9:d7:
f6:65:54:c7:c5:90:dd:ff:01:ca:d8:5a:76:d2:b7:ff:d4:b3:
bc:f5:6d:f7:75:7a:92:d0:53:da:5a:f1:20:f6:ec:61:bc:46:
93:60:1f:dd:dd:4a:a7:6f:c3:23:af:c4:cf:2b:fa:ea:15:4e:
22:c7:53:37:0b:00:f5:d4:55:d2:5c:5b:c5:14:70:a1:29:a8:
98:87:22:ba:c7:97:98:28:0b:ee:6b:de:a1:9e:60:0c:35:fe:
7d:ee:83:5d:04:bc:99:7f:91:57:4d:fb:88:47:46:ec:c6:57:
5c:e4:9d:33:39:81:f3:ae:cf:bf:f1:4e:75:ce:20:2d:72:ac:
41:57:1b:d1:71:65:0e:79:cb:60:ac:ac:69:8e:c3:7b:ef:e0:
41:a3:6e:e6:48:7b:08:d9:aa:4d:f4:0c:d4:22:91:e4:23:1e:
c7:8c:3a:68:a6:d2:8d:7d:d3:f1:5e:5e:98:e8:d4:1d:4d:7e:
0d:c7:96:73:9a:de:db:08:ab:b2:ba:ca:1f:f6:a9:6a:1d:ca:
bc:fe:88:a8:33:83:b3:51:62:c1:0f:67:de:99:09:19:bc:d6:
68:c2:9e:ca:76:5f:6c:e1:65:64:cc:ab:10:20:d2:a9:82:5c:
2d:7d:04:00
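The whole lifecycle above (steps 1 to 5, including the policy_match rejection mentioned in step 4 and the point that a revocation is invisible until the CRL is actually checked) as one runnable script. This is an added example, not part of the original tutorial: it writes its own minimal openssl.cnf that mirrors the [ CA_default ] section, with $dir pointed at a scratch directory, so it needs no root access and never touches /etc/pki/CA. The DN values (magedu, duan, the rejected "other" organisation) and the scratch paths are assumptions; only the openssl command-line tool is required.

```shell
#!/bin/bash
# Added example, not from the original tutorial: steps 1-5 end to end in a
# scratch directory with a minimal config ([ CA_default ] above, $dir = temp dir).
# Needs no root and never touches /etc/pki/CA. DN values are assumptions.
set -eu

CA_DIR="$(mktemp -d)"
CNF="$CA_DIR/ca.cnf"
CA_SUBJ="/C=CN/ST=beijing/L=beijing/O=magedu/OU=it/CN=rhel8u0"

# Step 1: layout, empty database, first serial and CRL number. Steps 2-3: CA key
# (0600 via umask) and self-signed CA certificate. policy_match is the stock rule.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $CA_DIR
certs            = \$dir/certs
crl_dir          = \$dir/crl
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
crl              = \$dir/crl.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 100
default_crl_days = 30
x509_extensions  = usr_cert
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$CNF" -new -x509 -days 3650 -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -subj "$CA_SUBJ" -out "$CA_DIR/cacert.pem"
}

# Step 4: requester makes key + CSR, CA signs it (-batch skips the y/n prompts,
# -notext keeps the file PEM-only). Returns non-zero if policy_match rejects the DN.
ca_issue() {  # $1 key path, $2 cert path, $3 subject
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -config "$CNF" -new -key "$1" -subj "$3" -out "${1%.key}.csr"
    openssl ca -batch -notext -config "$CNF" -in "${1%.key}.csr" -out "$2" -days 100 2>/dev/null
}

# Step 5: revoke, then publish a fresh CRL (crlnumber is incremented automatically).
ca_revoke() {  # $1 cert to revoke
    openssl ca -config "$CNF" -revoke "$1" -crl_reason keyCompromise 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# index.txt is tab-separated: status, expiry, revocation date, serial, file, subject.
cert_status() {  # $1 serial as stored, e.g. 01; prints V (valid) or R (revoked)
    awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_DIR/index.txt"
}

verify_cert() {  # $1 cert, $2 CRL (optional); chain check, plus CRL check if given
    if openssl verify -CAfile "$CA_DIR/cacert.pem" ${2:+-crl_check -CRLfile "$2"} "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

ca_init
ca_issue "$CA_DIR/test.key" "$CA_DIR/certs/test.crt" "/C=CN/ST=beijing/O=magedu/OU=opt/CN=duan"
STATUS_AFTER_ISSUE="$(cert_status 01)"                          # V
VERIFY_BEFORE_REVOKE="$(verify_cert "$CA_DIR/certs/test.crt")"  # ok
# A request whose O is not the CA's own is refused by policy_match.
MISMATCH_REJECTED=yes
if ca_issue "$CA_DIR/bad.key" "$CA_DIR/certs/bad.crt" "/C=CN/ST=beijing/O=other/CN=bad"; then MISMATCH_REJECTED=no; fi
ca_revoke "$CA_DIR/certs/test.crt"
STATUS_AFTER_REVOKE="$(cert_status 01)"                                      # R
VERIFY_NO_CRL="$(verify_cert "$CA_DIR/certs/test.crt")"                      # ok: nobody consulted the CRL
VERIFY_WITH_CRL="$(verify_cert "$CA_DIR/certs/test.crt" "$CA_DIR/crl.pem")"  # fail
echo "issued=$STATUS_AFTER_ISSUE verify=$VERIFY_BEFORE_REVOKE policy_reject=$MISMATCH_REJECTED revoked=$STATUS_AFTER_REVOKE no_crl=$VERIFY_NO_CRL with_crl=$VERIFY_WITH_CRL"
```

The two verify results after revocation are the practical point: openssl verify without -crl_check still says ok for the revoked certificate, because plain chain validation never looks at index.txt or the CRL. Only a client that fetches crl.pem (or asks an OCSP responder) sees the revocation, which is why step 5 is not finished until the new CRL is published.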