建立私有CA:
- OpenCA:OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
- openssl:相关包 openssl和openssl-libs
证书申请及签署步骤:
- 1、生成证书申请请求
- 2、RA核验
- 3、CA签署
- 4、获取证书
配置文件:
[root@centos8 ~]#cat /etc/pki/tls/openssl.cnf # ...... #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several certs with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extensions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use SHA-256 by default preserve = no # keep passed DN ordering policy = policy_match # For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional ......
创建私有CA
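# Create the directory layout that the CA_default section of /etc/pki/tls/openssl.cnf
# expects under dir=/etc/pki/CA (certs, crl, newcerts, private).
# -p: no error if the tree already exists; -v: print each directory created.
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
# private/ will hold cakey.pem, so keep it readable by root only. A plain mkdir
# leaves it 0755 (the "ll" listing further down shows drwxr-xr-x for private).
chmod 700 /etc/pki/CA/private
# Show the resulting tree.
tree /etc/pki/CA/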
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
生成CA私钥:
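# Generate the CA's private key. Run from /etc/pki/CA so the relative path matches
# private_key = $dir/private/cakey.pem in openssl.cnf. The umask keeps cakey.pem from
# being created world-readable, and the key size is given explicitly instead of relying
# on the openssl default. Adding -aes256 would additionally protect the CA key with a
# passphrase at rest (the CA would then prompt for it on every signing).
(umask 077; openssl genrsa -out private/cakey.pem 2048)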
生成CA自签名证书:
[root@CentOS8-8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:will Organizational Unit Name (eg, section) []:linux43 Common Name (eg, your name or your server's hostname) []: *.will.org Email Address []:admin@will.org [root@CentOS8-8 CA]# ll total 4 -rw-r--r-- 1 root root 1428 Jan 14 14:32 cacert.pem drwxr-xr-x 2 root root 6 Jan 14 14:14 certs drwxr-xr-x 2 root root 6 Jan 14 14:14 crl drwxr-xr-x 2 root root 6 Jan 14 14:14 newcerts drwxr-xr-x 2 root root 23 Jan 14 14:22 private
查看证书
# Dump the CA certificate in human-readable form (-text) without re-emitting the
# PEM block (-noout); expects cacert.pem in the current directory.
openssl x509 -noout -text -in cacert.pem
生成自签名证书(只有一个服务、不使用私有CA时使用)
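# One-shot self-signed certificate for a single service (no private CA involved):
# the key and the certificate are produced together. 2048-bit RSA instead of 1024 —
# 1024-bit RSA is deprecated and refused by many current clients and crypto policies
# (the notes' other examples and the Makefile below already use 2048). Because -nodes
# leaves app.key unencrypted, the umask keeps it from being world-readable.
# Without -days, openssl applies its default validity of 30 days to the certificate.
(umask 077; openssl req -utf8 -newkey rsa:2048 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt)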
申请证书并颁发证书
[root@CentOS8-8 ~]# mkdir /data/app/certs -p [root@CentOS8-8 ~]# cd /data/app/certs/
1、为需要使用证书的主机生成私钥
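# Example from the notes: (umask 066; openssl genrsa -out /data/test.key 2048)
# Generate the private key for the host that needs the certificate. The umask keeps
# app.key from being created world-readable; 2048 is stated explicitly rather than
# relying on the openssl default. (In the original notes the command had been folded
# onto the comment line, which would have commented it out.)
(umask 077; openssl genrsa -out app.key 2048)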
2、为需要使用证书的主机生成证书申请文件
# Build a certificate signing request (app.csr) from the host's private key;
# the subject fields are asked for interactively.
openssl req -new -out app.csr -key app.key
创建所需文件:
[root@CentOS8-8 certs]# touch /etc/pki/CA/index.txt [root@CentOS8-8 certs]# echo 0F > /etc/pki/CA/serial
3、在CA签署证书并将证书颁发给请求者
[root@CentOS8-8 certs]# openssl ca -in /data/app/certs/app.csr -out /etc/pki/CA/certs/app.crt -days 100
注意:默认要求国家、省、公司名称三项必须和CA一致(由配置文件中的 policy = policy_match 决定)
一条命令同时生成私钥并申请证书
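# Generate a private key and its CSR in a single command. 2048-bit RSA instead of
# 1024 (1024-bit RSA is deprecated and refused by many current clients and crypto
# policies). -nodes leaves app2.key unencrypted, so the umask keeps it root-readable only.
(umask 077; openssl req -newkey rsa:2048 -nodes -keyout app2.key -out app2.csr)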
为请求者颁发证书时报错:
[root@CentOS8-8 pki]# openssl ca -in /data/app/certs/app2.csr -out /etc/pki/CA/certs/app.crt -days 200 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok The countryName field is different between CA certificate (CN) and the request (US)
解决方法:
# Edit line 99 of the config file: change "policy = policy_match" to
# "policy = policy_anything". The [ policy_match ] section shown above requires
# countryName, stateOrProvinceName and organizationName of the request to match the
# CA certificate, which is what caused the countryName error.
# NOTE(review): editing the file relaxes that check globally for every future signing.
# To relax it for one request only, leave the file unchanged and pass
# "-policy policy_anything" on the openssl ca command line instead.
vim /etc/pki/tls/openssl.cnf
检查证书是否有效
# Look up serial 0F (the first serial written to /etc/pki/CA/serial above) in the CA
# database (index.txt, per CA_default in openssl.cnf) and print that certificate's status.
openssl ca -status 0F
吊销证书
获取要吊销的证书的信息
# Print the issued certificate (serial 0x10, kept by the CA under newcerts/) so its
# serial and subject can be compared with the CA database before revoking it.
openssl x509 -noout -text -in newcerts/10.pem
在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,然后吊销证书:
# Mark the certificate as revoked in the CA database (serial and subject were
# compared against index.txt in the previous step). Relying parties only learn about
# the revocation through the CRL, so regenerate it afterwards (openssl ca -gencrl).
openssl ca -revoke /etc/pki/CA/newcerts/10.pem # revoke the certificate
指定第一个吊销证书的编号。注意:只需在第一次更新证书吊销列表前执行一次
# Seed the CRL number (crlnumber = $dir/crlnumber in openssl.cnf). Only needed once,
# before the first CRL is generated; later -gencrl runs increment it themselves.
printf '%s\n' 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
# Generate (or refresh) the CRL from the revoked entries in index.txt. Its next-update
# interval comes from default_crl_days (30 in the openssl.cnf excerpt above), so the
# CRL must be regenerated before that elapses and after every new revocation.
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看crl文件:
# Show the CRL contents (revoked serials, revocation dates, next update) in text form.
openssl crl -noout -text -in /etc/pki/CA/crl.pem
CentOS 7 创建自签名证书
[root@centos7 ~]#cd /etc/pki/tls/certs [root@centos7 certs]#make This makefile allows you to create: o public/private key pairs o SSL certificate signing requests (CSRs) o self-signed SSL test certificates To create a key pair, run "make SOMETHING.key". To create a CSR, run "make SOMETHING.csr". To create a test certificate, run "make SOMETHING.crt". To create a key and a test certificate in one file, run "make SOMETHING.pem". To create a key for use with Apache, run "make genkey". To create a CSR for use with Apache, run "make certreq". To create a test certificate for use with Apache, run "make testcert". To create a test certificate with serial number other than random, add SERIAL=num You can also specify key length with KEYLEN=n and expiration in days with DAYS=n Any additional options can be passed to openssl req via EXTRA_FLAGS Examples: make server.key make server.csr make server.crt make stunnel.pem make genkey make certreq make testcert make server.crt SERIAL=1 make stunnel.pem EXTRA_FLAGS=-sha384 make testcert DAYS=600 [root@centos7 certs]#ls ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert [root@centos7 certs]#cat Makefile UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8) DAYS=365 KEYLEN=2048 TYPE=rsa:$(KEYLEN) EXTRA_FLAGS= ifdef SERIAL EXTRA_FLAGS+=-set_serial $(SERIAL) endif .PHONY: usage .SUFFIXES: .key .csr .crt .pem .PRECIOUS: %.key %.csr %.crt %.pem usage: @echo "This makefile allows you to create:" @echo " o public/private key pairs" @echo " o SSL certificate signing requests (CSRs)" @echo " o self-signed SSL test certificates" @echo @echo "To create a key pair, run \"make SOMETHING.key\"." @echo "To create a CSR, run \"make SOMETHING.csr\"." @echo "To create a test certificate, run \"make SOMETHING.crt\"." @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"." @echo @echo "To create a key for use with Apache, run \"make genkey\"." 
@echo "To create a CSR for use with Apache, run \"make certreq\"." @echo "To create a test certificate for use with Apache, run \"make testcert\"." @echo @echo "To create a test certificate with serial number other than random, add SERIAL=num" @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n" @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS" @echo @echo Examples: @echo " make server.key" @echo " make server.csr" @echo " make server.crt" @echo " make stunnel.pem" @echo " make genkey" @echo " make certreq" @echo " make testcert" @echo " make server.crt SERIAL=1" @echo " make stunnel.pem EXTRA_FLAGS=-sha384" @echo " make testcert DAYS=600" %.pem: umask 77 ; \ PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 - days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \ cat $$PEM1 > $@ ; \ echo "" >> $@ ; \ cat $$PEM2 >> $@ ; \ $(RM) $$PEM1 $$PEM2 %.key: umask 77 ; \ /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@ %.csr: %.key umask 77 ; \ /usr/bin/openssl req $(UTF8) -new -key $^ -out $@ %.crt: %.key umask 77 ; \ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS) TLSROOT=/etc/pki/tls KEY=$(TLSROOT)/private/localhost.key CSR=$(TLSROOT)/certs/localhost.csr CRT=$(TLSROOT)/certs/localhost.crt genkey: $(KEY) certreq: $(CSR) testcert: $(CRT) $(CSR): $(KEY) umask 77 ; \ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR) $(CRT): $(KEY) umask 77 ; \ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS) [root@centos7 certs]# [root@centos7 certs]#make app.crt umask 77 ; \ /usr/bin/openssl genrsa -aes128 2048 > app.key Generating RSA private key, 2048 bit long modulus ...............+++ ............................................+++ e is 65537 (0x10001) Enter pass phrase: Verifying - Enter pass phrase: umask 77 ; \ /usr/bin/openssl req -utf8 -new 
-key app.key -x509 -days 365 -out app.crt Enter pass phrase for app.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:hubei Locality Name (eg, city) [Default City]:wuhan Organization Name (eg, company) [Default Company Ltd]:magedu Organizational Unit Name (eg, section) []:it Common Name (eg, your name or your server's hostname) []:www.magedu.org Email Address []:admin@magedu.org [root@centos7 certs]#ls app.crt app.key ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert [root@centos7 certs]#openssl x509 -in app.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 90:d7:97:6a:21:21:f8:5e Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it, CN=www.magedu.org/emailAddress=admin@magedu.org Validity Not Before: Feb 5 00:28:31 2020 GMT Not After : Feb 4 00:28:31 2021 GMT Subject: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it, CN=www.magedu.org/emailAddress=admin@magedu.org Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:f8:dd:d3:ea:0b:f1:97:0f:27:de:44:a2:32:77: fb:5c:73:74:17:7b:5f:a4:9c:a2:d4:3b:d4:49:4c: da:e0:a2:6a:41:05:6e:10:1e:96:dc:95:34:ed:08: 05:18:ba:27:c5:e5:f0:7c:65:15:78:f8:9b:bf:ee: 41:ef:1c:6f:7f:35:29:fd:f5:cf:4a:f1:36:7e:0c: 37:96:b1:01:e5:aa:7f:6e:a0:56:b0:33:28:ed:db: 7a:56:34:67:83:be:bd:ad:3d:e7:80:d9:cf:6a:c7: c9:7f:d1:83:73:33:7f:77:27:a5:2e:17:84:82:c7: 50:3d:20:d8:20:f1:5e:61:d2:69:07:8f:0e:cd:ea: c2:51:bd:aa:a0:ce:61:18:6f:00:43:13:21:8d:6d: 3b:85:13:d8:93:ed:fc:65:28:ec:12:d1:67:40:d0: 98:54:9a:59:1e:10:4f:c5:8c:b5:b1:26:55:2f:e1: 
53:1d:6b:71:88:64:e2:b1:21:28:8c:c7:04:3a:70: 87:c7:48:41:44:95:43:2f:e8:da:5f:f8:93:1a:9a: de:e4:e3:82:57:60:6a:49:08:2e:5f:57:f7:62:b2: bb:8a:1f:8b:2b:dc:40:dd:35:30:42:c1:f4:c6:1a: 0b:61:df:37:ed:bd:25:39:4c:5f:27:32:57:9e:d0: 11:9d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E X509v3 Authority Key Identifier: keyid:28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption a3:66:1b:85:dc:9e:1b:c7:c8:e4:29:3c:32:b2:fc:71:c9:79: 9e:ad:db:78:bd:a4:42:1a:ef:d7:7f:4a:84:d9:46:e1:60:fa: 9f:04:83:67:88:74:fd:99:d2:e3:7b:34:86:27:a1:d0:3c:be: 5f:93:d0:17:e9:d1:f6:19:2b:d5:e7:48:1f:56:ac:65:22:ec: 64:6f:a3:05:0c:83:2f:29:a8:ef:cc:25:51:d0:16:21:93:9e: 85:fc:82:d4:8c:ba:14:47:6e:fd:33:44:71:a7:c4:7f:92:2a: 01:40:f9:69:70:73:27:89:73:82:ea:21:95:48:e2:c1:5d:b8: ed:e7:61:49:88:1c:b6:8a:a6:bd:cc:83:6b:2c:19:b9:07:21: 46:f8:1f:dc:cb:3c:9c:6d:b9:b1:dc:03:b0:5a:00:de:41:7c: 96:d8:3a:f3:06:fc:24:03:60:54:35:85:a2:1e:79:fc:cb:6e: fd:e2:c3:7b:16:6e:7c:56:17:d4:64:c9:15:e9:a4:b0:9a:a7: c5:d6:f8:c8:e4:99:b1:b0:f0:8b:b4:ea:8e:a9:29:c1:4a:19: 69:7a:d7:51:93:23:51:b6:0b:63:e1:45:a7:3f:65:4d:89:55: e8:52:29:0a:41:d2:fb:76:20:7e:14:da:a8:ad:e6:fc:b0:a9: 5f:10:b0:d3 [root@centos7 certs]#