建立私有CA实现证书申请颁发

建立私有CA:

  • OpenCA:OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
  • openssl:相关包 openssl和openssl-libs

证书申请及签署步骤:

  • 1、生成证书申请请求
  • 2、RA核验
  • 3、CA签署
  • 4、获取证书

配置文件:

[root@centos8 ~]#cat /etc/pki/tls/openssl.cnf
#
......
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
 # several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
......

创建私有CA

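# Directory layout expected by [ CA_default ] in openssl.cnf (dir = /etc/pki/CA).
# private/ will hold cakey.pem; mkdir's default mode 755 (visible in the ls
# listing further down) lets every local user list it, so restrict it to root.
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
chmod 700 /etc/pki/CA/private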

 tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

生成CA私钥:

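# CA private key. openssl genrsa honours the umask, so without umask 077 the
# file is created world-readable (0644); the subshell keeps the umask change
# local. The absolute path matches private_key in [ CA_default ] and no longer
# depends on the current directory. The key size is explicit so the result does
# not depend on the OpenSSL build's default; 4096 bits because this key backs a
# 10-year CA certificate (-days 3650 below). To keep the key encrypted at rest
# add -aes256; openssl ca will then prompt for the passphrase when signing.
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)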

生成CA自签名证书:

[root@CentOS8-8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:will
Organizational Unit Name (eg, section) []:linux43
Common Name (eg, your name or your server's hostname) []: *.will.org
Email Address []:admin@will.org
[root@CentOS8-8 CA]# ll
total 4
-rw-r--r-- 1 root root 1428 Jan 14 14:32 cacert.pem
drwxr-xr-x 2 root root    6 Jan 14 14:14 certs
drwxr-xr-x 2 root root    6 Jan 14 14:14 crl
drwxr-xr-x 2 root root    6 Jan 14 14:14 newcerts
drwxr-xr-x 2 root root   23 Jan 14 14:22 private

查看证书

# Inspect the CA certificate (relative path: run from /etc/pki/CA, as in the
# listing above). -noout suppresses the PEM body; -text prints subject, issuer,
# validity and the X509v3 extensions.
openssl x509 -in cacert.pem -noout -text

生成自签名证书(只有一个服务、不需要私有CA时使用)

注意:openssl req -x509 不加 -days 时默认有效期只有30天;使用默认 openssl.cnf 时,这样生成的证书带有 basicConstraints CA:TRUE(见本文末尾 CentOS 7 部分 app.crt 的 x509 输出),并且通常没有 subjectAltName,因此只适合测试,客户端需要显式信任该证书。

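# Self-signed certificate for a single service (no private CA involved).
# Changes from the original one-liner: 1024-bit RSA is below today's minimum,
# so the key is 2048 bits; -nodes writes the key unencrypted, so umask 077 keeps
# app.key owner-readable only; -days is explicit because openssl req -x509
# otherwise defaults to 30 days. Still a test certificate: with the stock
# openssl.cnf it carries basicConstraints CA:TRUE (the x509 dump of the
# Makefile-built app.crt later on this page shows this) and has no
# subjectAltName, so clients must trust it explicitly.
(umask 077; openssl req -utf8 -newkey rsa:2048 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -days 365 -out app.crt)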

申请证书并颁发证书

[root@CentOS8-8 ~]# mkdir /data/app/certs -p
[root@CentOS8-8 ~]# cd /data/app/certs/

1、为需要使用证书的主机生成生成私钥

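# Private key for the host that will request a certificate. Pattern from the
# original notes: (umask 066; openssl genrsa -out /data/test.key 2048)
# genrsa honours the umask, so the subshell umask makes app.key 0600 instead of
# the default 0644; the key size is explicit rather than the build default.
(umask 077; openssl genrsa -out app.key 2048)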

2、为需要使用证书的主机生成证书申请文件

# Certificate signing request for app.key; openssl req prompts for the DN.
# With the CA's default policy_match the C, ST and O fields must equal the
# CA certificate's, otherwise openssl ca rejects the request (see the error
# example further down).
openssl req -new -key app.key -out app.csr

创建所需文件:

[root@CentOS8-8 certs]# touch /etc/pki/CA/index.txt
[root@CentOS8-8 certs]# echo 0F > /etc/pki/CA/serial

3、在CA签署证书并将证书颁发给请求者

[root@CentOS8-8 certs]# openssl ca -in /data/app/certs/app.csr -out /etc/pki/CA/certs/app.crt -days 100

注意:默认策略 policy_match(见上面 openssl.cnf 中的 [ policy_match ])要求 国家(C)、省(ST)、公司名称(O)三项必须和CA证书一致,否则 openssl ca 会拒绝签署(见下面的报错示例)

一条命令申请证书

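# Key and CSR in one step. 1024-bit RSA replaced by 2048; -nodes leaves app2.key
# unencrypted, so umask 077 restricts it to the owner. openssl req still prompts
# for the DN; with the CA's default policy_match, C/ST/O must match the CA.
(umask 077; openssl req -newkey rsa:2048 -nodes -keyout app2.key -out app2.csr)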

颁发请求者报错:

[root@CentOS8-8 pki]# openssl ca -in /data/app/certs/app2.csr -out /etc/pki/CA/certs/app.crt -days 200
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (US)

解决方法:

vim /etc/pki/tls/openssl.cnf 
#修改配置文件 [ CA_default ] 中的 policy 行(示例中位于第99行,不同版本行号可能不同)
policy      = policy_match #改成 policy      = policy_anything
#注意:policy_anything 只要求 commonName 存在,其余字段均为 optional(见上面的 [ policy_anything ]),CA 不再自动比对请求与 CA 证书的国家/省/公司字段,任何主题的请求都会被签署。只在确有需要时这样改,并依靠第 2 步的 RA 人工核验请求内容;若只是本例的国家字段不一致,也可以在生成 CSR 时填写与 CA 一致的 C/ST/O,保留 policy_match。

检查证书状态(按序列号查询 CA 数据库 index.txt,输出其中记录的状态:V 有效、R 已吊销、E 已过期。这只是读取 CA 自己的记录,并不校验证书签名或有效期)

# Look up serial 0F in the CA database (index.txt) and print its recorded
# status. This reads the database only; it does not verify the certificate.
openssl ca -status 0F

吊销证书

获取要吊销的证书的信息

# Print the certificate to be revoked (the CA's copy under new_certs_dir,
# named <serial>.pem); check its serial and subject against index.txt.
openssl x509 -in newcerts/10.pem -noout -text

在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,确认无误后吊销证书(吊销只是把 index.txt 中该证书的状态改为 R,客户端要到下面重新生成并分发 CRL 之后才能看到吊销结果):

# Mark the certificate as revoked (R) in index.txt. Clients do not see this
# until a new CRL is generated and distributed (openssl ca -gencrl below).
openssl ca -revoke /etc/pki/CA/newcerts/10.pem #revoke the certificate

指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行

# Seed the CRL number (crlnumber in [ CA_default ]); openssl ca -gencrl reads
# and increments it. Only needed once, before the first CRL is generated.
echo 01 > /etc/pki/CA/crlnumber

更新证书吊销列表

# Regenerate the CRL from index.txt. Publish the result where clients fetch it;
# default_crl_days = 30 in openssl.cnf bounds how long a CRL stays fresh, so
# this must be re-run and redistributed at least that often.
openssl ca -gencrl -out /etc/pki/CA/crl.pem

查看crl文件:

# Display the CRL: issuer, this/next update times and the revoked serials.
openssl crl -in /etc/pki/CA/crl.pem -noout -text

CentOS 7 创建自签名证书

注意:下面 Makefile 的 %.key 规则用 -aes128 加密私钥,因此生成时会要求设置口令,之后任何加载 app.key 的服务启动时也需要提供该口令;从 app.crt 的 x509 输出可以看到该自签名证书带有 CA:TRUE,只适合测试使用。

[root@centos7 ~]#cd /etc/pki/tls/certs
[root@centos7 certs]#make
This makefile allows you to create:
 o public/private key pairs
 o SSL certificate signing requests (CSRs)
 o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than random, add
SERIAL=num
You can also specify key length with KEYLEN=n and expiration in days with DAYS=n
Any additional options can be passed to openssl req via EXTRA_FLAGS
Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem EXTRA_FLAGS=-sha384
  make testcert DAYS=600
[root@centos7 certs]#ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@centos7 certs]#cat Makefile
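# /etc/pki/tls/certs/Makefile (CentOS 7, shipped with the openssl package).
# Reconstructed from the listing: recipe lines are tab-indented and the
# commands the page wrapped across two lines are rejoined so the file can be
# used as-is. Convenience targets for self-signed test certificates; %.key is
# written AES-128 encrypted, so a passphrase is required both when building
# and whenever a service loads the key.
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
    EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
# Keep intermediate keys/CSRs instead of deleting them after the build.
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
	@echo "This makefile allows you to create:"
	@echo " o public/private key pairs"
	@echo " o SSL certificate signing requests (CSRs)"
	@echo " o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo "To create a test certificate with serial number other than random, add SERIAL=num"
	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
	@echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
	@echo
	@echo Examples:
	@echo " make server.key"
	@echo " make server.csr"
	@echo " make server.crt"
	@echo " make stunnel.pem"
	@echo " make genkey"
	@echo " make certreq"
	@echo " make testcert"
	@echo " make server.crt SERIAL=1"
	@echo " make stunnel.pem EXTRA_FLAGS=-sha384"
	@echo " make testcert DAYS=600"
# Unencrypted key (-nodes) and self-signed certificate concatenated into one
# PEM file (stunnel style). umask 77 keeps the temporaries and the result
# readable by the owner only.
%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
	cat $$PEM1 >  $@ ; \
	echo ""   >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2
# Passphrase-protected RSA private key (prompts for the passphrase).
%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
# Self-signed certificate; with the stock openssl.cnf it carries CA:TRUE
# (see the x509 dump of app.crt below), so it is for testing only.
%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)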
[root@centos7 certs]#
[root@centos7 certs]#make app.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > app.key
Generating RSA private key, 2048 bit long modulus
...............+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key app.key -x509 -days 365 -out app.crt
Enter pass phrase for app.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:admin@magedu.org
[root@centos7 certs]#ls
app.crt app.key ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile
renew-dummy-cert
[root@centos7 certs]#openssl x509 -in app.crt -noout -text
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
            90:d7:97:6a:21:21:f8:5e
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it,
CN=www.magedu.org/emailAddress=admin@magedu.org
       Validity
           Not Before: Feb  5 00:28:31 2020 GMT
           Not After : Feb  4 00:28:31 2021 GMT
       Subject: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it,
CN=www.magedu.org/emailAddress=admin@magedu.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                    00:f8:dd:d3:ea:0b:f1:97:0f:27:de:44:a2:32:77:
                   fb:5c:73:74:17:7b:5f:a4:9c:a2:d4:3b:d4:49:4c:
                   da:e0:a2:6a:41:05:6e:10:1e:96:dc:95:34:ed:08:
                    05:18:ba:27:c5:e5:f0:7c:65:15:78:f8:9b:bf:ee:
                    41:ef:1c:6f:7f:35:29:fd:f5:cf:4a:f1:36:7e:0c:
                    37:96:b1:01:e5:aa:7f:6e:a0:56:b0:33:28:ed:db:
                   7a:56:34:67:83:be:bd:ad:3d:e7:80:d9:cf:6a:c7:
                   c9:7f:d1:83:73:33:7f:77:27:a5:2e:17:84:82:c7:
                    50:3d:20:d8:20:f1:5e:61:d2:69:07:8f:0e:cd:ea:
                   c2:51:bd:aa:a0:ce:61:18:6f:00:43:13:21:8d:6d:
                   3b:85:13:d8:93:ed:fc:65:28:ec:12:d1:67:40:d0:
                    98:54:9a:59:1e:10:4f:c5:8c:b5:b1:26:55:2f:e1:
                    53:1d:6b:71:88:64:e2:b1:21:28:8c:c7:04:3a:70:
                    87:c7:48:41:44:95:43:2f:e8:da:5f:f8:93:1a:9a:
                   de:e4:e3:82:57:60:6a:49:08:2e:5f:57:f7:62:b2:
                   bb:8a:1f:8b:2b:dc:40:dd:35:30:42:c1:f4:c6:1a:
                   0b:61:df:37:ed:bd:25:39:4c:5f:27:32:57:9e:d0:
                    11:9d
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Key Identifier:
                28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
           X509v3 Authority Key Identifier:
              
keyid:28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
           X509v3 Basic Constraints:
               CA:TRUE
   Signature Algorithm: sha256WithRSAEncryption
         a3:66:1b:85:dc:9e:1b:c7:c8:e4:29:3c:32:b2:fc:71:c9:79:
         9e:ad:db:78:bd:a4:42:1a:ef:d7:7f:4a:84:d9:46:e1:60:fa:
         9f:04:83:67:88:74:fd:99:d2:e3:7b:34:86:27:a1:d0:3c:be:
         5f:93:d0:17:e9:d1:f6:19:2b:d5:e7:48:1f:56:ac:65:22:ec:
         64:6f:a3:05:0c:83:2f:29:a8:ef:cc:25:51:d0:16:21:93:9e:
         85:fc:82:d4:8c:ba:14:47:6e:fd:33:44:71:a7:c4:7f:92:2a:
         01:40:f9:69:70:73:27:89:73:82:ea:21:95:48:e2:c1:5d:b8:
         ed:e7:61:49:88:1c:b6:8a:a6:bd:cc:83:6b:2c:19:b9:07:21:
46:f8:1f:dc:cb:3c:9c:6d:b9:b1:dc:03:b0:5a:00:de:41:7c:
         96:d8:3a:f3:06:fc:24:03:60:54:35:85:a2:1e:79:fc:cb:6e:
         fd:e2:c3:7b:16:6e:7c:56:17:d4:64:c9:15:e9:a4:b0:9a:a7:
         c5:d6:f8:c8:e4:99:b1:b0:f0:8b:b4:ea:8e:a9:29:c1:4a:19:
         69:7a:d7:51:93:23:51:b6:0b:63:e1:45:a7:3f:65:4d:89:55:
         e8:52:29:0a:41:d2:fb:76:20:7e:14:da:a8:ad:e6:fc:b0:a9:
         5f:10:b0:d3
[root@centos7 certs]#

 
