搭建CA和申请证书
相关参考配置文件:/etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
需要用到的参考目录
dir = /etc/pki/CA # Where everything is kept
certs = /etc/pki/CA/certs # Where the issued certs are kept
database = /etc/pki/CA/index.txt # database index file.
new_certs_dir = /etc/pki/CA/newcerts # default place for new certs.
certificate = /etc/pki/CA/cacert.pem # The CA certificate
serial = /etc/pki/CA/serial # The current serial number
private_key = /etc/pki/CA/private/cakey.pem # The private key
注意事项:默认情况下,客户端证书请求中的国家(countryName)、省(stateOrProvinceName)、公司名称(organizationName)三项必须与CA证书保持一致,否则无法颁发证书。原因是 /etc/pki/tls/openssl.cnf 配置文件中 policy = policy_match。若将其改为 policy = policy_anything,或者将 [ policy_match ] 下 countryName、stateOrProvinceName、organizationName 这三项的值由 match 改为 optional,则不再要求一致;此时 CA 不再自动校验这三项,签发前需自行核对申请文件中的主体信息。
服务端搭建私有CA
1、创建所需的文件
touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号(可自定,但需是两位数)
2、生成CA私钥
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[root@centos CA]#(umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................+++
....................................+++
e is 65537 (0x10001)
3、自签名(给自己颁发证书)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
[root@centos CA]#openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:xmj
Organizational Unit Name (eg, section) []:x
Common Name (eg, your name or your server's hostname) []:xmj.com
Email Address []:
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text 查看CA证书信息(下方输出中 Signature Algorithm 为 sha1WithRSAEncryption,说明该环境当时的 openssl.cnf 默认摘要仍为 SHA-1;若按上文参考配置设置 default_md = sha256,或在 openssl req 命令中加 -sha256,则自签证书及后续用 openssl ca 签发的证书将使用 SHA-256 签名)
[root@centos CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 11583334546095199587 (0xa0c045660683d563)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
Validity
Not Before: Jul 17 07:11:40 2017 GMT
Not After : Jul 12 07:11:40 2037 GMT
Subject: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:c1:ed:52:ee:9f:8b:52:2d:48:69:86:05:84:
30:8b:57:14:1f:04:23:2d:a3:3d:c5:87:5d:65:35:
61:65:0e:fc:74:93:88:be:2a:66:47:ea:e4:c6:e7:
0c:6b:74:4d:28:e9:eb:21:75:58:8a:61:83:84:d8:
7f:09:4a:0e:63:c9:e1:d6:26:92:46:94:79:3b:f1:
08:a3:f7:05:cc:f6:87:f7:74:29:67:71:f0:f4:82:
6a:bf:51:e9:99:01:4e:df:dc:ff:d7:88:54:22:06:
d4:76:e1:1b:4f:4e:8a:e4:2f:64:6e:2f:c4:0d:25:
2c:cd:4f:e3:d0:1f:3e:e2:2d:82:a5:12:7a:95:88:
10:08:36:71:59:af:3a:c5:bf:b5:1d:8c:11:79:bc:
d6:18:d5:cd:39:f7:66:8a:ef:19:11:22:e3:7d:3f:
db:2b:67:4d:e5:20:98:43:7b:a3:60:cb:da:75:65:
d0:e3:22:f7:d0:98:90:e5:c8:16:5b:65:c0:64:6a:
71:33:6a:80:5c:2d:47:b5:8a:b5:53:64:3d:70:a4:
77:a5:df:dc:67:53:d9:f3:55:3c:68:9c:c5:f8:61:
25:ff:8b:e1:9a:2c:11:0f:4f:ad:f6:da:55:e9:d8:
57:d3:81:6d:45:b9:f0:f3:4f:c6:bb:2c:9b:de:4e:
cd:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
X509v3 Authority Key Identifier:
keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
c1:1f:ab:c9:3b:61:71:ff:21:b4:6f:03:0e:de:e8:f7:78:be:
b7:1c:50:85:6d:20:5a:4f:fa:22:6b:b6:29:d0:a2:a2:dc:7e:
95:bc:14:a4:84:49:9f:cb:cd:27:1e:c9:8f:5a:98:89:a4:1d:
af:76:b8:13:6d:96:d3:f7:7d:8b:9a:b7:26:71:63:32:af:59:
d2:12:0a:4f:4b:e8:55:c2:79:ef:da:bd:2d:ea:c2:7a:3d:87:
4d:7f:51:22:48:f8:84:2e:0b:43:8c:a4:6b:e3:ea:d7:79:3b:
f2:ee:8f:26:f6:08:97:b7:e1:b2:0a:a7:30:46:23:04:74:d8:
75:22:77:ac:1a:88:db:41:e5:a9:e6:9d:18:a5:14:44:58:c5:
87:4e:f0:b1:ce:01:a7:8d:c5:ed:0a:51:04:c5:a6:9a:c9:00:
64:1b:21:96:58:69:54:05:1a:3b:14:10:d0:6a:49:db:78:34:
69:77:c9:24:33:63:85:fc:41:0f:f8:e0:da:9e:ca:c7:10:fe:
7e:03:8f:60:e2:bb:56:92:38:12:a4:e7:d3:6a:07:f1:c6:44:
81:f1:68:81:d8:c4:92:91:0a:b9:28:1d:ea:17:3b:ef:91:8c:
ab:b1:78:6d:c8:ac:63:02:3a:12:ba:d0:bb:bc:2d:28:c4:ba:
cb:59:7a:5e
客户端申请证书
1、给web服务器生成私钥
(umask 077;openssl genrsa -out /root/app/service.key 2048 )
2、申请证书
生成证书申请文件
openssl req -new -key /root/app/service.key -out /root/app/service.csr
3、发送申请文件至服务端
scp /root/app/service.csr IP:/etc/pki/CA
CA签署证书,颁发证书给申请者
服务端
1、创建客户端证书申请目录
mkdir /etc/pki/CA/csr
mv /etc/pki/CA/service.csr /etc/pki/CA/csr
[root@centos CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
├── serial
└── service.csr
4 directories, 5 files
[root@centos CA]#mkdir csr
[root@centos CA]#mv service.csr csr
[root@centos CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── csr
│ └── service.csr
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
5 directories, 5 files
[root@centos CA]#ll
total 28
-rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 certs
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
-rw-r--r--. 1 root root 0 Jul 17 14:55 index.txt
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 newcerts
drwx------. 2 root root 4096 Jul 17 15:00 private
-rw-r--r--. 1 root root 3 Jul 17 14:55 serial
2、颁发证书
openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365
[root@centos CA]#pwd
/etc/pki/CA
[root@centos CA]#openssl ca -in csr/service.csr -out certs/service.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 17 08:08:07 2017 GMT
Not After : Jul 17 08:08:07 2018 GMT
Subject:
countryName = cn
stateOrProvinceName = henan
organizationName = xmj
organizationalUnitName = m
commonName = www.xmj.com
emailAddress = 111111
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
X509v3 Authority Key Identifier:
keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
Certificate is to be certified until Jul 17 08:08:07 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos CA]#ll
total 40
-rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
drwxr-xr-x. 2 root root 4096 Jul 17 16:08 certs
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
-rw-r--r--. 1 root root 89 Jul 17 16:08 index.txt
-rw-r--r--. 1 root root 21 Jul 17 16:08 index.txt.attr
-rw-r--r--. 1 root root 0 Jul 17 14:55 index.txt.old
drwxr-xr-x. 2 root root 4096 Jul 17 16:08 newcerts
drwx------. 2 root root 4096 Jul 17 15:00 private
-rw-r--r--. 1 root root 3 Jul 17 16:08 serial
-rw-r--r--. 1 root root 3 Jul 17 14:55 serial.old
[root@centos CA]#cd newcerts/
[root@centos newcerts]#ls
01.pem
[root@centos newcerts]#cd ..
######serial文件里放的是下一个申请证书的证书编号
[root@centos CA]#cat serial
02
######此时数据库已更新,V为证书状态表示已颁发可用的
[root@centos CA]#cat index.txt
V 180717080807Z 01 unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
[root@centos CA]#tree
.
├── cacert.pem
├── certs
│ └── service.crt
├── crl
├── csr
│ └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 10 files
3、申请的证书的查看
openssl x509 -in /etc/pki/CA/certs/service.crt -noout -text (或分别使用 -issuer、-subject、-serial、-dates 只查看签发者、主体、序列号、有效期)
openssl ca -status SERIAL 查看指定编号的证书状态
[root@centos CA]#openssl x509 -in certs/service.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
Validity
Not Before: Jul 17 08:08:07 2017 GMT
Not After : Jul 17 08:08:07 2018 GMT
Subject: C=cn, ST=henan, O=xmj, OU=m, CN=www.xmj.com/emailAddress=111111
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:bd:a1:a2:49:f0:e5:9a:fd:3f:e6:87:24:0e:79:
6b:3e:05:db:52:06:d7:34:15:4a:2c:92:48:1f:c1:
0f:c6:7d:18:4b:fd:d0:82:10:c1:a4:9e:ae:65:05:
6a:2c:e4:53:cd:0d:07:cf:ff:77:1a:b6:3d:87:0f:
c5:b9:81:82:bb:7c:ef:9b:1b:24:82:f1:1e:2a:4d:
0c:a1:a5:1b:43:ad:33:01:e3:a4:ee:4f:d8:28:7a:
e7:fa:e4:fc:08:f4:89:13:e7:ca:85:77:00:34:15:
3d:61:02:74:bc:7d:af:13:de:02:4e:c2:ac:60:7d:
ff:2b:70:ed:06:66:6a:1f:63:c0:a2:bf:87:6d:d8:
dc:dc:14:70:3c:e3:14:72:75:b4:6d:d1:e8:28:72:
f5:f5:0f:9c:32:c5:cb:04:54:e9:51:32:5d:d9:5e:
71:54:3a:da:d4:33:ed:ac:14:25:6d:4b:c8:08:33:
11:f5:9f:ba:04:95:8b:d3:c9:11:e3:16:ae:c3:23:
d1:12:f0:80:cb:e9:d6:5b:03:d5:9e:1e:11:e2:4a:
ec:7a:c8:fd:69:ab:56:2d:3e:f3:db:48:a0:a6:b3:
0a:17:20:f0:bb:f8:e9:3d:a1:f3:87:a3:13:a6:93:
f9:9c:cd:88:cc:73:af:43:6a:ce:2f:5f:f6:08:a1:
31:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
X509v3 Authority Key Identifier:
keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
Signature Algorithm: sha1WithRSAEncryption
2e:a5:ed:ab:b7:b1:e5:fb:03:e7:dd:4e:15:61:25:81:c3:ee:
a6:e4:60:e2:74:36:61:8b:39:e4:25:fd:12:12:ce:37:28:fe:
7d:1f:c4:c7:fa:fc:60:a9:e9:36:1d:b9:23:e9:d9:91:e3:e0:
b2:e2:32:41:a7:4e:8d:a4:9e:33:0d:66:b9:cb:1a:7c:31:61:
78:18:ce:03:50:b1:e1:07:b9:39:0d:f5:c8:80:b9:d6:06:0f:
4c:5a:67:29:3c:34:70:c6:d5:2d:d8:5f:0b:4d:ba:0e:8c:cb:
56:b9:fb:df:5f:58:df:ab:7e:ac:41:9e:32:74:65:b3:2d:70:
d2:f7:78:05:17:47:bb:ef:de:44:b3:8b:70:03:11:da:79:eb:
e9:57:9d:e8:c2:43:43:73:72:b6:ff:e4:bc:0f:41:38:b7:af:
7a:74:b2:17:57:c5:8a:8d:b5:d1:ba:aa:42:bf:3f:17:f3:54:
8e:54:86:3c:95:0a:d1:27:d6:a7:ce:f6:c5:2b:e6:79:68:76:
6a:5b:bb:d9:6a:23:7a:f2:3d:41:bb:f5:ec:29:fc:0a:46:e5:
11:8b:04:39:86:6e:7d:59:50:7e:2c:47:f2:9f:20:31:54:07:
87:1e:39:af:28:dd:c0:c2:6f:2a:89:91:c6:25:2a:35:0e:f9:
a6:2e:51:62
[root@centos CA]#openssl x509 -in certs/service.crt -noout -issuer
issuer= /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
[root@centos CA]#openssl x509 -in certs/service.crt -noout -subject
subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
[root@centos CA]#openssl x509 -in certs/service.crt -noout -serial
serial=01
[root@centos CA]#openssl x509 -in certs/service.crt -noout -dates
notBefore=Jul 17 08:08:07 2017 GMT
notAfter=Jul 17 08:08:07 2018 GMT
[root@centos CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
4、把证书复制发送给客户端
吊销证书
1、在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
[root@centos app]#pwd
/root/app
[root@centos app]#openssl x509 -in service.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
2、在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,确认一致后再吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem(SERIAL 为上一步核对过的证书编号,如下方示例中的 01.pem;不要使用 *.pem 通配,以免指向其他证书)
创建CRL编号文件 crlnumber(初始值01可自定)
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out crl.pem
查看吊销列表
openssl crl -in crl.pem -noout -text
[root@centos CA]#pwd
/etc/pki/CA
[root@centos CA]#cat index.txt
V 180717080807Z 01 unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
######吊销证书
[root@centos CA]#openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
######数据库更新,证书状态由V变为R(吊销)
[root@centos CA]#cat index.txt
R 180717080807Z 170717090033Z 01 unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
######创建CRL编号文件 crlnumber(初始值01可自定)
[root@centos CA]#echo 01 > crlnumber
[root@centos CA]#tree
.
├── cacert.pem
├── certs
│ └── service.crt
├── crl
├── crlnumber
├── csr
│ └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 12 files
######更新证书吊销列表
[root@centos CA]#openssl ca -gencrl -out crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos CA]#tree
.
├── cacert.pem
├── certs
│ └── service.crt
├── crl
│ └── crl.pem
├── crlnumber
├── crlnumber.old
├── csr
│ └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 14 files
######crlnumber文件中存放的是下一次生成的吊销列表(CRL)的编号(下方CRL输出中 CRL Number 为 1,生成后文件内容变为 02)
[root@centos CA]#cat crlnumber
02
[root@centos CA]#cat crlnumber.old
01
######查看吊销列表
[root@centos CA]#openssl crl -in crl/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
Last Update: Jul 17 09:02:34 2017 GMT
Next Update: Aug 16 09:02:34 2017 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Jul 17 09:00:33 2017 GMT
Signature Algorithm: sha1WithRSAEncryption
5c:87:ce:3e:52:da:f3:6f:5f:d9:4a:f2:20:73:d1:22:d6:85:
34:2d:0d:5a:99:6a:90:13:ec:ff:3c:b1:b2:ad:d9:c1:00:f3:
29:0c:21:22:c6:76:2d:0a:8e:b1:23:76:70:c8:38:ae:28:2d:
2a:b6:df:8e:87:cf:db:dd:79:db:17:ba:aa:73:1f:3c:b9:8e:
69:e3:1b:24:30:56:f3:36:50:57:83:a5:ee:3e:c5:15:44:de:
6d:38:b3:47:29:c6:e8:7a:6b:66:0e:4a:c7:23:c1:ef:d6:2b:
fd:5a:c0:48:04:c1:33:b8:fb:78:3b:27:30:f8:76:0f:4d:44:
35:13:0d:af:67:14:03:63:38:00:44:db:79:1c:0e:27:4d:5f:
27:0b:2b:79:b2:94:75:19:1b:a9:79:1c:00:62:41:ad:28:ec:
78:06:eb:04:0f:92:4d:01:42:e7:b3:a2:d5:82:6d:f2:4d:b6:
00:1e:45:35:ab:ac:50:15:6d:1e:60:74:84:a3:d6:17:f4:21:
b4:d7:5d:1e:ed:69:82:22:13:34:a8:60:5a:9e:70:cc:58:26:
68:5d:92:dd:78:87:47:91:c8:94:12:89:43:fc:eb:1f:9f:8e:
22:1e:19:4b:ea:6d:2d:0b:1c:e7:17:e7:e9:33:e6:19:37:6f:
70:03:25:51