openssl--CA

openssl - CA certificates

The CA reads its configuration from openssl.cnf in the /etc/pki/tls directory. The sections that matter for `openssl ca` are shown below, with comments:

####################################################################
[ ca ]
default_ca = CA_default # The default ca section
# By default the CA loads its settings from the CA_default section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Directory used as the CA's working path
certs = $dir/certs # Where already-signed certificates are kept
crl_dir = $dir/crl # Where certificate revocation lists are kept
database = $dir/index.txt # The index file, i.e. the CA's database of issued certificates
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # Default location for newly issued certificates
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # Serial number the next issued certificate will get
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
# match: the field must equal the one in the CA certificate; supplied: the
# field must be present; optional: it may be absent. A DN field not listed
# in the policy at all (localityName here) is dropped from the issued subject.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional # country
stateOrProvinceName = optional # state or province
localityName = optional # city
organizationName = optional # company
organizationalUnitName = optional # department
commonName = supplied # name of the certificate holder, or the hostname that owns the certificate
emailAddress = optional # e-mail address

Building a private CA:

1. First create the private key:
    Create it in /etc/pki/CA/private and make sure the file's permissions are 600. Setting the umask inside a subshell, as below, makes the key 0600 from the moment it is written without changing the shell's own umask:
[root@station51 private]# (umask 0077;openssl genrsa -out cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................................+++
....................+++
e is 65537 (0x10001)
[root@station51 private]# ll
total 4
-rw------- 1 root root 1675 May 29 17:08 cakey.pem
2. Generate the self-signed certificate:
[root@station51 private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.testserver
Email Address []:test@test.com
[root@station51 private]# cd ..
[root@station51 CA]# ll
total 20
-rw-r--r-- 1 root root 1399 May 29 17:16 cacert.pem
drwxr-xr-x. 2 root root 4096 Jun 29 2015 certs
drwxr-xr-x. 2 root root 4096 Jun 29 2015 crl
drwxr-xr-x. 2 root root 4096 Jun 29 2015 newcerts
drwx------. 2 root root 4096 May 29 17:08 private

Explanation:

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: generate a new certificate signing request;
-x509: output a self-signed certificate instead of a request; this is the form used when creating a private CA's root certificate;
-key: path to the private key used for the request (the certificate's public key is derived from it);
-out: output file path; with -x509 the output is the signed certificate itself rather than a request;
-days: validity period of the certificate in days (only meaningful together with -x509; a plain request carries no validity, and without -days a self-signed certificate defaults to 30 days).

3. Provide the directories and files the CA needs. The index.txt database and the serial file must be created by hand on both CentOS 6 and CentOS 7, since `openssl ca` refuses to run without them; the certs, crl and newcerts directories were already present on the hosts in this walkthrough (see the listing above), and mkdir -pv is harmless if they exist:
~]# mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}
~]# touch  /etc/pki/CA/{serial,index.txt}
~]# echo  01 > /etc/pki/CA/serial

Once these steps are done the private CA is ready to sign requests.

Lab:

A server that needs a certificate for secure communication must have the CA sign one for it:

1. Install the required packages

yum -y install httpd mod_ssl

2. Generate the CA's self-signed certificate

This repeats the CA setup from the previous section on the lab host. Two things in this run should not be copied: the 1024-bit RSA key (1024-bit RSA is too weak; use 2048 bits or more, as in the first section), and the CA's Distinguished Name, which is set to the same values as the server's below (C=CN, ST=BJ, O=www.test.com, CN=www.test.com). Give the CA its own CN (for example ca.testserver, as above) so that issuer and subject of the server certificate differ. Note also that without -days the self-signed CA certificate is valid for only 30 days.

Steps:

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
cd /etc/pki/CA
(umask 0077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024)
cd /etc/pki/CA/private
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
[root@localhost ~]# yum -y install httpd mod_ssl
Loaded plugins: fastestmirror, refresh-packagekit, security
Repository 'centos' is missing name in configuration, using id
Repository 'epel' is missing name in configuration, using id
Setting up Install Process
Loading mirror speeds from cached hostfile
centos | 4.0 kB 00:00
epel | 4.3 kB 00:00
Package httpd-2.2.15-53.el6.centos.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-53.el6.centos will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================
Package Arch Version Repository Size
========================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-53.el6.centos centos 97 k
Transaction Summary
========================================================================================
Install 1 Package(s)
Total download size: 97 k
Installed size: 187 k
Downloading Packages:
mod_ssl-2.2.15-53.el6.centos.x86_64.rpm | 97 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:mod_ssl-2.2.15-53.el6.centos.x86_64 1/1
Verifying : 1:mod_ssl-2.2.15-53.el6.centos.x86_64 1/1
Installed:
mod_ssl.x86_64 1:2.2.15-53.el6.centos
Complete!
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# (umask 0077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
[root@localhost CA]# cd /etc/pki/CA/private
[root@localhost private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:www.test.com
Organizational Unit Name (eg, section) []:www.test.com
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
[root@localhost private]#

3. Generate the certificate request

Steps (the server's private key never leaves the server; only the .csr file is handed to the CA, and the challenge password prompt can be left blank):
    mkdir /web/ssl -pv
    cd /web/ssl
    (umask 0077; openssl genrsa -out http.key 1024)
    openssl req -new -key http.key -out httpd.csr
[root@localhost ~]# mkdir /web/ssl
mkdir: cannot create directory `/web/ssl': No such file or directory
[root@localhost ~]# mkdir /web/ssl -pv
mkdir: created directory `/web'
mkdir: created directory `/web/ssl'
[root@localhost ~]# cd /web/ssl/
[root@localhost ssl]# (umask 0077;openssl genrsa -out http.key 1024)
Generating RSA private key, 1024 bit long modulus
.................................................................++++++
......++++++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key http.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:www.test.com
Organizational Unit Name (eg, section) []:www.test.com
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]#

4. Sign the request file

Step: openssl ca -in /web/ssl/httpd.csr -out /etc/pki/CA/newcerts/httpd.crt

Besides the -out file, openssl ca stores a copy of the certificate as newcerts/<serial>.pem (01.pem here), appends a line to index.txt and increments serial. Two things to notice in the output below: the Locality (L=BJ) entered in the request is missing from the issued subject, because policy_match lists no localityName and fields absent from the policy are dropped; and the certificate carries no subjectAltName, so browsers that no longer match the hostname against CN (Chrome since version 58) will reject it unless the CA adds one through an extensions section or copy_extensions.
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 29 19:14:32 2017 GMT
Not After : May 29 19:14:32 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = www.test.com
organizationalUnitName = www.test.com
commonName = www.test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3C:45:24:8C:7A:9C:DC:07:EF:91:37:88:55:E8:BF:0C:5C:53:F1:7F
X509v3 Authority Key Identifier:
keyid:3A:6A:75:4F:6D:E9:F1:F6:48:81:64:BD:FD:B8:4E:BA:30:6E:3A:75
Certificate is to be certified until May 29 19:14:32 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Configure ssl.conf to enable https

Edit the configuration file (vim /etc/httpd/conf.d/ssl.conf); the directives belong inside the <VirtualHost _default_:443> block:
    SSLCertificateFile /etc/pki/CA/newcerts/httpd.crt
    SSLCertificateKeyFile /web/ssl/http.key
    DocumentRoot "/var/www/html"
    ServerName www.test.com:443

Then restart httpd and confirm that port 443 is listening. The lab host runs CentOS 6 (see the el6 packages above), where the restart command is service httpd restart; systemctl is the CentOS 7 form:

systemctl restart httpd
ss -ntl | grep 443

6. Import the CA certificate (/etc/pki/CA/cacert.pem, not the server certificate) into the local PC's trusted root store. The browser then accepts every certificate this CA issues, which is why cakey.pem must stay readable by root only.
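The whole procedure, steps 1 to 4 above plus the check a client performs once cacert.pem is trusted in step 6, as an added example that is not part of the original post. It runs in a scratch directory instead of /etc/pki/CA, writes its own minimal openssl.cnf built from the sections explained at the top of the page, and answers every prompt from the command line with -subj and -batch. The DN values, the hostname www.test.com, the key sizes and all paths are assumptions; the policy_match section deliberately adds localityName, and the server extensions add the subjectAltName that the post's issued certificate lacks.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throw-away private
# CA in a scratch directory and signs one server CSR with it, non-interactively.
# The DN values, the hostname www.test.com and every path are assumptions.

# write_ca_config DIR: minimal openssl.cnf with the [ca]/[CA_default]/policy
# sections from the top of the post, rooted at DIR instead of /etc/pki/CA.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $1
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_days  = 365
default_md    = sha256
policy        = policy_match

# stock policy_match plus localityName: without that line openssl ca silently
# drops L= from the subject, which is why the post's issued cert lacks it
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

# extensions for the self-signed root: a CA that may only sign certs and CRLs
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# build_ca DIR: steps 1-3 of the post -- 0600 key, self-signed root, and the
# index.txt/serial files that openssl ca refuses to run without.
build_ca() {
    mkdir -p "$1/certs" "$1/newcerts" "$1/private" && chmod 700 "$1/private"
    write_ca_config "$1"
    touch "$1/index.txt" && echo 01 > "$1/serial"
    # umask in a subshell: the key is created 0600 without changing our umask
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    # -x509 turns the request into a self-signed cert; -subj replaces the prompts
    openssl req -new -x509 -config "$1/ca.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=Beijing/O=test/CN=ca.testserver" -out "$1/cacert.pem"
}

# issue_server_cert CADIR HOST OUTDIR: server key + CSR (step 3), then the CA
# signs it (step 4) with CA:FALSE and a subjectAltName, which browsers require.
issue_server_cert() {
    mkdir -p "$3"
    (umask 077; openssl genrsa -out "$3/$2.key" 2048 2>/dev/null)
    # C/ST/O must equal the CA's: the policy says "match" for those fields
    openssl req -new -config "$1/ca.cnf" -key "$3/$2.key" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=test/CN=$2" -out "$3/$2.csr"
    cat > "$3/$2.ext" <<EOF
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    # -batch answers the two y/n prompts; -notext leaves bare PEM for httpd
    openssl ca -batch -notext -config "$1/ca.cnf" -extfile "$3/$2.ext" \
        -extensions server_ext -in "$3/$2.csr" -out "$3/$2.crt" 2>/dev/null
}

# verify_chain CADIR CERT HOST: what a client does once cacert.pem is trusted
# (step 6), plus a check that HOST really appears in the SAN.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -text | grep -q "DNS:$3"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    work=$(mktemp -d)
    build_ca "$work/CA"
    issue_server_cert "$work/CA" www.test.com "$work/web/ssl"
    verify_chain "$work/CA" "$work/web/ssl/www.test.com.crt" www.test.com &&
        echo "chain OK: www.test.com.crt verifies against $work/CA/cacert.pem"
    cat "$work/CA/index.txt"   # one "V" (valid) line for serial 01, as in the post
}

main "$@"
```

Run it with sh; it prints the verification result and the single index.txt entry. To use the result with mod_ssl, point SSLCertificateFile at www.test.com.crt and SSLCertificateKeyFile at www.test.com.key, and import cacert.pem on the client as in step 6. Because the root is issued directly by this CA there is no intermediate, so no SSLCertificateChainFile is needed.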
