在如今互联网时代,越来越多的人注重信息安全,及对重要信息加密。加密即我们将文字转换成不能直接阅读的形式(即密文)的过程称为加密。像网站,把我们平时看到的“http”加密成“https”来传输,这样保证了信息在传输的过程中不被窃听。https就是“HTTP 协议”和“SSL/TLS 协议”的组合。HTTP over SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后,成为二进制形式传输。
像有些网站用的是http,是没有证书的,被一些浏览器认为是不安全的。如:
但凡涉及到交易的那就不一样,那就要使用https协议。如淘宝网
这里就有证书的信息(CA),我们可通过下载来观察下
那什么是CA证书呢?
CA 也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证 CA 的签字从而信任 CA ,任何人都可以得到 CA 的证书(含公钥),用以验证它所签发的证书。
如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。
如果一个用户想鉴别另一个证书的真伪,他就用 CA 的公钥对那个证书上的签字进行验证,一旦验证通过,该证书就被认为是有效的。证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。
证书的内容包括:电子签证机关的信息、公钥用户信息、公钥、权威机构的签字和有效期等等。目前,证书的格式和验证方法普遍遵循X.509 国际标准。
下面我们就模拟创建私有CA并给节点颁发证书
一:创建环境:
centos7.3 当作CA服务器 centos6.9 充当客户端(申请者)
在centos7.3上作为CA服务器需了解CA的配置文件:/etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (CA有关的文件存放位置)
certs = $dir/certs # Where the issued certs are kept(签发的证书位置)
crl_dir = $dir/crl # Where the issued crl are kept(吊销证书存放位置)
database = $dir/index.txt # database index file.(生成证书索引数据库文件)
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate(CA公钥位置)
serial = $dir/serial # The current serial number(指定颁发证书的序列号)
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key (CA私钥)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
policy = policy_match
# For the CA policy 策略
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
这里 三种策略:匹配、支持和可选
匹配指要求申请填写的信息跟CA设置信息必须一致,支持指必须填写这项申请信息,可选指可有可无
二、创建所需的文件(centos7.3)
[root@centos7 ~]#cd /etc/pki/CA
[root@centos7 CA]#ls
certs crl newcerts private
[root@centos7 CA]#touch index.txt 生成证书索引数据库文件(默认没有)
[root@centos7 CA]#echo 01 > serial 指定第一个颁发证书的序列号(默认也没有 这里01两位采用的是十六进制)
[root@centos7 CA]#ls
certs crl index.txt newcerts private serial
1.生成私钥文件
[root@centos7 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
.........+++
e is 65537 (0x10001)
[root@centos7 CA]#ll private/
total 4
-rw------- 1 root root 1679 Jul 16 19:21 cakey.pem
2.生成自签证书
[root@centos7 CA]#openssl req -new -x509 -key private/cakey.pem -out private/cacert.pem -days 3650 # 生成自签证书指明私钥文件,证书保存路径,有效期限等
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 所在国家
State or Province Name (full name) []:henan # 所在省
Locality Name (eg, city) [Default City]:zhengzhou # 所在城市
Organization Name (eg, company) [Default Company Ltd]:keji # 组织(公司)名称
Organizational Unit Name (eg, section) []:ops # 所在岗位
Common Name (eg, your name or your server's hostname) []:keji.com 证书持有者姓名或请求证书服务器的主机名
Email Address []: # 邮件地址
[root@centos7 CA]#ll
total 8
-rw-r--r-- 1 root root 1302 Jul 16 19:22 cacert.pem
drwxr-xr-x. 2 root root 22 Jul 16 21:24 certs
drwxr-xr-x. 2 root root 6 Nov 6 2016 crl
drwxr-xr-x 2 root root 22 Jul 16 19:55 csr
-rw-r--r-- 1 root root 0 Jul 16 19:01 index.txt
drwxr-xr-x. 2 root root 6 Nov 6 2016 newcerts
drwx------. 2 root root 23 Jul 16 21:24 private
-rw-r--r-- 1 root root 3 Jul 16 19:02 serial
3.查看自签名证书
[root@centos7 CA]#openssl x509 -in private/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11375816810472933637 (0x9ddf051e12280905)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=keji, OU=ops, CN=keji.com
Validity
Not Before: Jul 16 09:22:51 2017 GMT
Not After : Jul 14 09:22:51 2027 GMT
Subject: C=CN, ST=henan, L=zhengzhou, O=keji, OU=ops, CN=keji.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:8e:c6:90:33:22:57:52:13:8c:29:ad:c4:34:
35:35:0c:23:ee:68:96:4a:2f:cc:03:0a:14:99:50:
3a:a9:f0:69:b5:38:fa:aa:47:ec:9c:ca:c0:83:de:
64:c7:fa:d0:e1:cb:a3:a7:d7:e3:02:17:29:27:6f:
a3:11:1c:36:73:5d:eb:72:d2:ab:d9:32:8f:a1:1a:
0f:1a:a0:dc:c9:1c:64:87:18:68:ab:8e:bb:d7:eb:
25:7f:b9:6f:49:75:a6:1e:b0:25:11:08:77:a3:98:
5f:73:4c:b2:ef:db:fe:6e:45:15:76:5e:4c:bb:16:
7c:dc:2a:52:5d:3c:7d:e1:ee:bd:ae:f6:c8:23:74:
b5:17:1b:fa:a7:86:02:6e:79:9c:ef:fd:8f:6c:6d:
c8:5f:0a:d3:e2:a4:ab:8d:fd:f0:7e:46:be:94:3d:
52:b4:69:ef:58:e6:29:14:6c:0f:8d:40:af:68:0d:
8d:6c:07:50:e2:a1:87:7c:8a:66:9f:06:04:8a:8b:
07:25:b0:bf:28:cc:a0:52:ec:5f:65:8e:3e:03:36:
92:99:c3:af:bf:a2:14:10:01:f0:ac:31:d4:33:09:
47:25:f0:28:90:b7:84:86:57:20:7f:11:30:9c:4b:
39:19:3f:c2:99:a6:85:4f:22:4a:32:d2:ba:79:e3:
74:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
X509v3 Authority Key Identifier:
keyid:7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
84:b8:f6:7a:2f:9b:ed:64:88:85:5e:93:33:b9:3d:93:ff:31:
5c:99:bd:05:d8:aa:50:21:c7:a7:26:44:d1:05:01:7b:e0:58:
36:f5:15:23:14:b5:ad:6b:90:b0:3b:d0:fb:d2:0d:01:39:9d:
3b:df:b2:df:ba:ae:20:eb:9b:27:40:55:e2:ea:14:9b:aa:75:
91:36:20:61:5f:fa:80:d0:81:b6:9c:7e:e1:05:fc:52:44:f3:
ad:9d:00:fb:2e:1b:cc:f1:6c:72:b6:d8:11:46:66:9d:a6:cf:
d2:27:08:2b:27:3b:66:0d:da:c8:31:76:a3:04:16:35:c8:79:
8f:02:7f:06:89:47:48:11:b8:1d:47:59:7f:67:c4:c0:f2:d9:
a5:5e:6b:e8:42:c1:11:94:6c:05:7e:88:b8:56:4e:6e:29:66:
46:2c:d2:04:a1:cb:90:a1:81:9f:a2:74:c1:b9:38:86:c0:d5:
f8:ba:9f:62:38:ea:14:68:b7:da:3d:94:93:6e:55:97:68:42:
39:cf:e0:71:6c:b8:f7:df:6d:57:fa:94:a0:80:f0:e7:e9:c2:
d9:26:93:b0:a1:db:62:ab:29:fc:96:6e:5d:08:31:79:04:a8:
42:98:83:23:aa:61:c5:f0:33:b8:2e:91:76:21:d6:3b:ae:86:
1a:f0:31:55
三、客户端证书请求发送给CA进行签署 (centos 6.9)
1.生成密钥文件:
[root@centos6 ~]#(umask 066;openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
......................................+++
e is 65537 (0x10001)
[root@centos6 ~]#ll /etc/pki/tls/private
total 4
-rw-------. 1 root root 1679 Jul 16 02:32 test.key
2.利用私钥生成证书签署请求:
[root@centos6 ~]#openssl req -new -key /etc/pki/tls/private/test.key -out /etc/pki/tls/private/test.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kejitwo
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:kejitwo.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
注意:默认国家,省,公司名称三项必须和CA一致
[root@centos6 ~]#ll /etc/pki/tls/private
total 8
-rw-r--r--. 1 root root 1005 Jul 16 02:46 test.csr
-rw-------. 1 root root 1679 Jul 16 02:32 test.key
3.传输给CA(centos7.3):
[root@centos6 ~]#scp /etc/pki/tls/private/test.csr 192.168.18.142:/etc/pki/CA/csr
The authenticity of host '192.168.18.142 (192.168.18.142)' can't be established.
RSA key fingerprint is 5a:d9:05:80:2c:2b:99:b5:f5:1f:5a:e6:31:ff:51:6f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.142' (RSA) to the list of known hosts.
root@192.168.18.142's password:
test.csr 100% 1005 1.0KB/s 00:00
[root@centos7 CA]#ll csr/
total 4
-rw-r--r-- 1 root root 1005 Jul 16 02:35 test.csr
四、签署(centos7.3)
1.CA签发证书
[root@centos7 CA]#openssl ca -in /etc/pki/CA/csr/test.csr -out /etc/pki/CA/certs/test.crt -days 365
# 签发证书,-in指明要签的证书文件位置,-out指明签好后输出的文件位置,必须放在certs下,指明期限
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 16 11:46:40 2017 GMT
Not After : Jul 16 11:46:40 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = keji
organizationalUnitName = ops
commonName = centos6.9.zj.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:22:F5:49:09:17:75:91:A9:5D:64:69:7A:CC:E5:76:7A:9B:9C:70
X509v3 Authority Key Identifier:
keyid:7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
Certificate is to be certified until Jul 16 11:46:40 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]#tree
.
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── csr
│ └── test.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 10 files
[root@centos7 CA]#cat index.txt # 可以看到第一个签署的证书编号为01
V 180716114640Z 01 unknown /C=CN/ST=henan/O=keji/OU=ops/CN=centos6.9.zj.com
2.把签署好的证书发还给请求者
[root@centos7 CA]#scp /etc/pki/CA/certs/test.crt 192.168.18.130:/etc/pki/tls/
The authenticity of host '192.168.18.130 (192.168.18.130)' can't be established.
RSA key fingerprint is a7:2e:2a:99:b0:33:c5:88:98:4b:0e:ce:7c:8c:6a:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.130' (RSA) to the list of known hosts.
root@192.168.18.130's password:
test.crt
五、在客户端上查看已签署的证书(centos6.9)
[root@centos6 ~]#openssl x509 -in /etc/pki/tls/test.crt -noout -text # 请求者收到后查看
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=henan, L=zhengzhou, O=keji, OU=ops, CN=keji.com
Validity
Not Before: Jul 16 11:46:40 2017 GMT
Not After : Jul 16 11:46:40 2018 GMT
Subject: C=CN, ST=henan, O=keji, OU=ops, CN=centos6.9.zj.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e0:5a:dc:b0:34:7f:08:76:34:1f:5f:ba:95:27:
ec:d0:eb:be:37:14:c2:58:de:65:5c:fb:76:4b:fa:
91:0b:f4:6a:be:e6:0f:96:dd:12:26:af:c4:78:23:
bc:33:3c:dd:d6:99:e7:53:0d:ce:93:2c:4c:fc:0d:
d8:5b:a1:08:aa:f8:12:ce:a5:30:fd:63:0a:49:91:
32:db:4e:f6:67:86:2c:dc:99:f6:29:d0:7f:cb:b3:
97:17:f7:4e:71:aa:53:08:87:2b:d0:11:df:93:42:
8b:a8:87:c3:64:11:d2:76:5c:9c:0c:03:a3:00:fc:
2a:3a:e3:d7:7f:f2:e2:f4:f9:d0:f8:b3:14:47:0b:
78:96:e3:31:53:02:69:94:13:a8:e3:59:f8:fd:f3:
64:59:75:b5:ad:75:ca:2e:0f:af:bd:25:ec:41:2d:
2c:c8:09:00:f5:f5:ff:e5:fb:9d:88:cf:c2:72:ef:
29:e5:8f:08:86:2b:c6:63:40:c0:de:a3:08:b8:69:
68:f1:f7:63:60:54:bc:08:a1:71:8b:2f:9e:d1:e4:
8b:48:54:63:b4:73:dd:c0:bb:6c:a6:3b:96:d9:5d:
e5:ae:6f:67:cb:f5:d6:0a:c4:6d:7b:02:a4:7f:8a:
21:03:b7:4a:7a:9a:7b:1f:be:f8:89:6a:92:dc:04:
83:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4F:22:F5:49:09:17:75:91:A9:5D:64:69:7A:CC:E5:76:7A:9B:9C:70
X509v3 Authority Key Identifier:
keyid:7E:D8:E1:ED:AB:FF:05:D6:F5:45:87:06:5B:11:1D:EF:B1:A5:29:FF
Signature Algorithm: sha256WithRSAEncryption
7b:ec:35:5b:14:51:87:6c:05:99:5d:55:08:50:72:54:40:8e:
f8:e9:f5:b5:21:09:b4:a2:00:fa:c3:59:4a:18:6d:24:e6:77:
8a:a5:98:2c:91:36:1e:4b:10:cb:ab:99:73:c9:cd:d0:e0:46:
99:b3:3f:8f:20:eb:65:d6:4c:71:c1:48:e1:5d:21:d8:42:e5:
88:e5:80:40:bc:60:b0:25:cb:ec:1e:1a:7d:85:68:45:98:8d:
3f:5c:d4:3e:c8:b4:46:86:36:05:a0:64:1d:51:1e:ef:23:0d:
50:6e:c3:c0:f4:97:d7:0f:68:d7:e1:65:cd:dd:1a:01:ea:1e:
cf:18:a2:f7:56:5e:4f:bd:d2:57:8c:ac:23:f3:99:a4:a0:9a:
2b:0b:31:0b:7d:09:bc:ca:a4:e7:98:11:4b:d9:08:93:e3:fe:
18:be:a5:0c:9f:9c:b4:c9:bd:70:90:30:f6:3d:75:c4:cc:11:
0b:d7:6d:57:33:83:4a:41:92:da:7c:9c:3d:fb:59:1b:2a:aa:
79:3f:cc:2e:8b:20:42:69:93:27:79:30:93:eb:2a:43:55:45:
0d:88:28:0e:db:f5:72:f3:a8:1c:8b:97:a0:58:f9:6a:b2:4a:
8e:25:43:e9:03:68:69:8d:82:59:96:13:1b:65:4d:62:9c:e6:
8c:8f:37:c8
六.在window下查看制作的CA证书
到这里我们就对CA进行完整的操作。如果想更直观的观察自己制作的CA证书,我们还可以把文件导入到window中查看,这里就要把cacert.pem的CA自签名证书后缀改下Windows能识别的文件格式。如下图所示
如有不足请多多指教!