Building a private CA and implementing certificate requests and issuance
1. Create the files the CA needs (the last two steps also have to be done on CentOS 7 and 6). Both CA creation and certificate issuance are driven by /etc/pki/tls/openssl.cnf, so if you want to change the defaults, edit that file.
[root@host pki]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private} #create the required directories
[root@host pki]# touch /etc/pki/CA/index.txt #create the certificate index database file (this step and the next two also have to be done on CentOS 7 and 6)
[root@host pki]# echo 01 > /etc/pki/CA/serial #serial number of the first certificate to be issued, in hexadecimal
2. Generate the CA's private key
[root@host CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096) #the parentheses run this in a subshell, so the umask change does not affect the current shell
Generating RSA private key, 4096 bit long modulus (2 primes)
..............................................................................................................................................................................................++++
..........................++++
e is 65537 (0x010001)
3. Generate the CA's self-signed certificate:
[root@host CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem #options explained below
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country; look up codes at https://country-code.cl/
State or Province Name (full name) []:henan #province or region
Locality Name (eg, city) [Default City]:zhengzhou #city
Organization Name (eg, company) [Default Company Ltd]:magedu #organization
Organizational Unit Name (eg, section) []:it #department
Common Name (eg, your name or your server's hostname) []:ca.centos8.com #name of the issuer
Email Address []: #email address
Option descriptions:
-new: generate a new certificate signing request
-x509: used only by the CA to generate a self-signed certificate
-key: the private key used to generate the request
-days: validity period of the certificate
-out: where to save the certificate (the configuration file defines a fixed path; the file is generated automatically)
View the self-signed certificate in detail:
[root@host CA]# openssl x509 -in cacert.pem -noout -text #view it with x509; -noout suppresses the encoded certificate, -text prints it in readable form
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:a0:14:b3:b8:e2:c1:6b:bb:69:50:3b:49:50:66:5b:60:71:a5:1b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.centos8.com #who issued the certificate: location, organization, and so on
        Validity #validity period of the certificate
            Not Before: Sep  5 08:10:29 2020 GMT
            Not After : Sep  3 08:10:29 2030 GMT
        Subject: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.centos8.com #who the certificate is issued to; identical to the issuer for a self-signed certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
......
1. Generate a private key for the host that needs the certificate:
[root@host CA]# mkdir /data/certs #create a dedicated directory for private keys under /data
[root@host CA]# cd /data/certs
[root@host certs]# (umask 066;openssl genrsa -out /data/certs/test.key 1024)
Generating RSA private key, 1024 bit long modulus (2 primes)
..+++++
............................+++++
e is 65537 (0x010001)
2. Generate a certificate signing request for the host (the file name does not matter, but the extension must be .csr):
[root@host certs]# openssl req -new -key /data/certs/test.key -out /data/certs/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #must match the CA (unless the configuration file was changed)
State or Province Name (full name) []:henan #same rule as above
Locality Name (eg, city) [Default City]:nanyang #may be a different city
Organization Name (eg, company) [Default Company Ltd]:magedu #must match the CA unless the configuration was changed
Organizational Unit Name (eg, section) []:ops #may differ
Common Name (eg, your name or your server's hostname) []:www.bai.com #who the certificate is issued to
Email Address []: #email may be left blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #password may be left blank
An optional company name []: #may also be left blank
3. Sign the certificate on the CA and issue it to the requester:
[root@host CA]# openssl ca -in /data/certs/test.csr -out /etc/pki/CA/certs/test.crt -days 365 #most of what follows echoes the values entered in the request
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
......
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  5 10:58:33 2020 GMT
            Not After : Sep  5 10:58:33 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = www.bai.com
...
Certificate is to be certified until Sep  5 10:58:33 2021 GMT (365 days)
Sign the certificate? [y/n]:y #confirm that the details are correct
1 out of 1 certificate requests certified, commit? [y/n]y #confirm again
Write out database with 1 new entries
Data Base Updated
4. View the information in the certificate:
[root@host certs]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
......
The related files change as follows:
[root@host CA]# cat index.txt #list of certificates
V   210905105833Z       01  unknown /C=CN/ST=henan/O=magedu/OU=ops/CN=www.bai.com #V means the certificate is valid
[root@host CA]# cat serial #serial number of the next certificate
02
[root@host CA]# cat serial.old #serial number of the previous certificate
01
Check the status of a certificate by serial number:
[root@host certs]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
If a certificate has already been issued for a subject and you want to issue another one, you only need to:
[root@host certs]# cat /etc/pki/CA/index.txt.attr
unique_subject = yes #change this yes to no
Revoke a certificate (this does not yet generate a certificate revocation list):
[root@host CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem #newcerts here is part of the argument, not a directory to change into
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@host CA]# cat index.txt #the previous command updates this file automatically, changing valid to invalid
R   210905105833Z   200905122754Z   01  unknown /C=CN/ST=henan/O=magedu/OU=ops/CN=www.bai.com #this certificate is now invalid (R = revoked)
V   210831113718Z       02  unknown /C=CN/ST=henan/O=magedu/OU=it/CN=www.bai.com
After a certificate is revoked, a certificate revocation list (CRL) must be generated to make the revocation known; otherwise the certificate is revoked in the CA's database, but nobody else can tell which certificates have been revoked.
Generate the CRL. The CRL can be generated before any certificate is revoked, or a certificate can be revoked first and the CRL generated afterwards (the two files below did not exist before; they are created now).
[root@host CA]# echo 01 > /etc/pki/CA/crlnumber #the CRL number, in hexadecimal
[root@host CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
The generated /etc/pki/CA/crl.pem can be downloaded to Windows and renamed with a ".crl" extension to view its contents there.
View the certificate revocation list on CentOS:
[root@host CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.centos8.com
        Last Update: Sep  5 12:38:14 2020 GMT
        Next Update: Oct  5 12:38:14 2020 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01 #serial number of the revoked certificate; unrelated to the CRL number taken from /etc/pki/CA/crlnumber
        Revocation Date: Sep  5 12:27:54 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
......
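The whole procedure above (CA preparation, issuing a certificate, revoking it and publishing the CRL) as one script, added here as an example and not taken from the original post. It builds the CA in a temporary directory with a constructed minimal stand-in for /etc/pki/tls/openssl.cnf, and adds the step the post does not show: checking a certificate against the CA and its CRL with openssl verify -crl_check, before and after revocation. It assumes only that the openssl CLI (1.1.1 or newer, for -addext) is installed; all names and paths are constructed.

```shell
set -eu   # added example, not from the original post; assumes only the openssl CLI (>= 1.1.1)
ca_setup() {                  # same preparation as the /etc/pki/CA steps, in a temp dir
  CA_DIR=$(mktemp -d); mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private"
  touch "$CA_DIR/index.txt"   # certificate database
  echo 01 > "$CA_DIR/serial"  # next certificate serial number (hex)
  echo 01 > "$CA_DIR/crlnumber"  # next CRL number (hex)
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
serial = $CA_DIR/serial
crlnumber = $CA_DIR/crlnumber
certificate = $CA_DIR/cacert.pem
private_key = $CA_DIR/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA_DIR/ca.cnf" -key "$CA_DIR/private/cakey.pem" -days 3650 \
    -subj "/CN=ca.example.test" -addext "basicConstraints=critical,CA:TRUE" -out "$CA_DIR/cacert.pem"
  ca_gencrl                   # a CRL can be published before anything is revoked (it is just empty)
}
ca_gencrl() { openssl ca -config "$CA_DIR/ca.cnf" -gencrl -crldays 30 -out "$CA_DIR/crl.pem" 2>/dev/null; }

ca_issue() {                  # $1 = CN: private key, CSR and CA-signed certificate for one host
  (umask 066; openssl genrsa -out "$CA_DIR/certs/$1.key" 2048 2>/dev/null)
  openssl req -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/certs/$1.key" -subj "/CN=$1" -out "$CA_DIR/certs/$1.csr"
  openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -days 365 -in "$CA_DIR/certs/$1.csr" -out "$CA_DIR/certs/$1.crt" 2>/dev/null
}

ca_revoke() {                 # $1 = CN: flip the index.txt entry from V to R, then republish the CRL
  openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/certs/$1.crt" 2>/dev/null
  ca_gencrl
}
index_status() {              # $1 = CN: the V/R status column that index.txt records for that subject
  grep "/CN=$1\$" "$CA_DIR/index.txt" | tail -n 1 | cut -f 1
}

cert_ok() {                   # $1 = CN: succeeds only if the cert chains to the CA and is absent from the CRL
  cat "$CA_DIR/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/chain.pem"
  openssl verify -crl_check -CAfile "$CA_DIR/chain.pem" "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
}
```

Run `ca_setup; ca_issue www.bai.com; cert_ok www.bai.com; ca_revoke www.bai.com; cert_ok www.bai.com` to see the verification succeed first and fail with "certificate revoked" once the CRL lists the serial.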
A quicker way to generate certificates on CentOS 7
[root@M47m certs]# pwd #you must be in this directory, not in the CA directory
/etc/pki/tls/certs
[root@M47m certs]# make bai.crt #run make directly in this directory; the file extension matters, as explained below
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > bai.key #note that the key is generated encrypted
Generating RSA private key, 2048 bit long modulus
.......................................................+++
.........................+++
e is 65537 (0x10001)
Enter pass phrase: #make just wraps the openssl command, so the passphrase is entered here
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key bai.key -x509 -days 365 -out bai.crt
Enter pass phrase for bai.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #same input requirements as on CentOS 8
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.bai.con
Email Address []:
[root@M47m certs]# openssl x509 -in bai.crt -noout -text #view the generated certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: fa:f1:e8:69:ad:c0:5f:68
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=shanxi, L=xian, O=magedu, OU=it, CN=ca.bai.con
        Validity
            Not Before: Sep  5 13:23:27 2020 GMT
            Not After : Sep  5 13:23:27 2021 GMT
        Subject: C=CN, ST=shanxi, L=xian, O=magedu, OU=it, CN=ca.bai.con
......
The reason this works:
[root@M47m certs]# pwd
/etc/pki/tls/certs
[root@M47m certs]# ls
bai.crt  bai.key  ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
[root@M47m certs]# cat -n Makefile #this file defines what make does for each target file extension
......
    45  %.pem: #this extension produces a bundle file containing both the private key and the certificate
    46      umask 77 ; \
    47      PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    48      PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    49      /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
    50      cat $$PEM1 > $@ ; \
    51      echo "" >> $@ ; \
    52      cat $$PEM2 >> $@ ; \
    53      $(RM) $$PEM1 $$PEM2
    54
    55  %.key: #generate a private key file
    56      umask 77 ; \
    57      /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
    58
    59  %.csr: %.key #certificate signing request
    60      umask 77 ; \
    61      /usr/bin/openssl req $(UTF8) -new -key $^ -out $@
    62
    63  %.crt: %.key #generate a certificate file
    64      umask 77 ; \
    65      /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
......
This Makefile exists on CentOS 6 and 7 but not on CentOS 8, so you can copy it to CentOS 8 and use it there in the same way.