Setting up a local CA and requesting a signed certificate

1. Set up the CA

1. Install the CA software package

[root@CA ~]# rpm -qf `which openssl` # installed by default
 openssl-1.0.2k-16.el7_6.1.x86_64

2. Configure your own CA. Generate the CA's root certificate and private key. The root certificate contains the CA's public key.

[root@CA ~]# vim /etc/pki/tls/openssl.cnf
Change line 172 from: basicConstraints=CA:FALSE
to: basicConstraints=CA:TRUE # make this host a CA

3. Generate the CA's public key certificate and private key

[root@CA ~]# /etc/pki/tls/misc/CA  -h # show help
 usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

Options:
-newcert new certificate
-newreq new request
-newreq-nodes new request (nodes: the key is left unencrypted)
-newca new CA certificate
-sign sign a request
-verify verify

[root@CA ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) # just press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456 # enter a password that protects the private key
Verifying - Enter PEM pass phrase:123456 # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: ning
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ningfg.cn # common name (e.g. your name or your server's hostname); any value works here. It names the CA server
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request # an "extra" attribute: a password the client would have to enter when sending its certificate request file to the CA
A challenge password []: # just press Enter
An optional company name []: # just press Enter
Using configuration from /etc/pki/tls/openssl.cnf # the CA server's config file; the change made above lives in this file
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456 # the password that protects the CA private key, entered a moment ago
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 c9:16:bb:49:48:20:ed:16
 Validity
 Not Before: Dec 20 12:00:19 2015 GMT
 Not After : Dec 19 12:00:19 2017 GMT
 Subject:
 countryName = CN
 stateOrProvinceName = beijing
 organizationName = xuegod
 organizationalUnitName = IT
 commonName = ningfg
 emailAddress = 1@163.com
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 BF:E3:16:CC:EB:42:BD:6D:56:8E:A4:21:70:E6:72:40:0C:77:C0:C0
 X509v3 Authority Key Identifier:
 keyid:BF:E3:16:CC:EB:42:BD:6D:56:8E:A4:21:70:E6:72:40:0C:77:C0:C0
 X509v3 Basic Constraints:
 CA:TRUE
Certificate is to be certified until Dec 19 12:00:19 2017 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated

The CA is now set up.

4. View the generated CA root certificate; it contains the CA's public key

[root@CA ~]# vim /etc/pki/CA/cacert.pem
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 c0:1d:ed:ba:fc:7e:b4:40
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=CN, ST=beijing, O=ning, OU=IT,
CN=ningfg/emailAddress=1@163.com # CA organization info
 Validity
 Not Before: May 9 11:54:20 2015 GMT
 Not After : May 8 11:54:20 2018 GMT
 Subject: C=CN, ST=beijing, O=xuegod, OU=IT,
CN=shenjianming/emailAddress=1@163.com
 Subject Public Key Info: # the CA's public key info
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:

5. View the root certificate's private key

[root@CA ~]# vim /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI2JxR6+eEWI0CAggA
MBQGCCqGSIb3DQMHBAjjVO7+mmTUuwSCBMil6B4xGLDfbskPQd++sEtyMtV8Y62l
GztBjiSSNCE0amDVvhi5hG5dZpq9i/ik1Jh31DQ6siet10vm7/EZC4KSqagDsi66

2. The Apache web server requests a certificate (a separate server, not the CA server)

1. Generate the certificate request file and obtain the certificate

[root@apache-web ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
encrypt the generated key with DES in ede cbc mode (168 bit key) # encrypt the private key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456 # enter the password that protects the private key; the key is encrypted with -des3
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

2. Generate the certificate request file with the private key

[root@apache-web ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr # note: the country, province, organization and other fields entered below must match the CA's
Enter pass phrase for /etc/httpd/conf.d/server.key:123456 # the private key's password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:ning
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ningfg.cn
# the Common Name entered here must exactly match the URL users type into the browser to reach your site; otherwise users will see that the certificate's common name does not match the site name and will doubt the certificate's authenticity. It can be a domain name or an IP address.
Email Address []:1@163.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: # press Enter without entering a password
An optional company name []:

Note: the certificate request file contains ningfg's public key. This public key was derived, when the request file was generated, from the specified private key /etc/httpd/conf.d/server.key.

3. Send the certificate request file to the CA server

[root@apache-web ~]# scp /server.csr 192.168.1.63:/tmp/

4. The CA signs the request (run on the CA server)

[root@CA ~]# openssl ca -h
[root@CA ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 ce:60:e0:a3:fe:ee:88:09
 Validity
 Not Before: Dec 21 15:25:53 2015 GMT
 Not After : Dec 21 15:25:53 2015 GMT
 Subject:
 countryName = CN
 stateOrProvinceName = beijing
 organizationName = ning
 organizationalUnitName = IT
 commonName = ningfg.cn
 emailAddress = 1@163.com
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:TRUE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 1B:30:0B:28:4A:31:EA:FC:05:7D:54:A3:87:A0:6E:BE:F8:D6:3C:F8
 X509v3 Authority Key Identifier:
 keyid:6D:0F:0C:C5:96:32:A8:8B:D3:FF:36:39:5B:15:5B:9B:31:12:4A:C3
Certificate is to be certified until Dec 21 15:25:53 2015 GMT (365 days) # the certificate is valid for 365 days
Sign the certificate? [y/n]:y  # sign the certificate
1 out of 1 certificate requests certified, commit? [y/n]y # confirm
Write out database with 1 new entries
Data Base Updated

5. Copy the certificate to the apache-web server

[root@CA ~]# scp /server.crt 192.168.1.64:/

The certificate signing is complete.
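The same CA, CSR and signing flow as an added, non-interactive example (not code from the original post), run in a temporary directory and followed by a verification step: it goes beyond the post by giving the root and the server certificate separate extension sections, so that only the root carries CA:TRUE, and it checks the result with openssl verify. Only ningfg.cn and the DN fields are taken from the post; the file names, the config sections and the 2048-bit keys are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): the post's CA -> CSR -> signed
# server certificate flow, run non-interactively in a temp directory with a
# verification step. Only ningfg.cn and the DN fields come from the post.
set -eu
WORK=$(mktemp -d)
DN="/C=CN/ST=beijing/L=haidian/O=ning/OU=IT"
# Two extension sections: the post sets basicConstraints=CA:TRUE globally in
# openssl.cnf, which is why its signed server cert also shows CA:TRUE.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ningfg.cn
EOF
build_pki() {
    # Root CA: 2048-bit RSA key, self-signed with the v3_ca section.
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 1095 -key "$WORK/cakey.pem" \
        -subj "$DN/CN=ningfg CA" -config "$WORK/pki.cnf" -extensions v3_ca \
        -out "$WORK/cacert.pem" 2>/dev/null
    # Server key and CSR; the CN is the hostname clients will connect to.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" -subj "$DN/CN=ningfg.cn" \
        -config "$WORK/pki.cnf" -out "$WORK/server.csr" 2>/dev/null
    # The CA signs the CSR with the leaf-only section (CA:FALSE, serverAuth).
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
}
# Returns 0 if the certificate carries CA:TRUE, 1 otherwise.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Returns 0 if the leaf certificate validates against the given root.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
build_pki
if is_ca_cert "$WORK/server.crt"; then echo "server cert wrongly marked CA:TRUE"; fi
if chain_ok "$WORK/server.crt" "$WORK/cacert.pem"; then echo "chain OK: $WORK"; fi
```

On the post's own setup the same is_ca_cert check against /server.crt would report CA:TRUE, matching the "X509v3 Basic Constraints: CA:TRUE" shown in the signing output above.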

posted @ 2021-03-05 15:10 随笔宁