
Creating a Private CA Certificate on an Internal Network

Author: 小柒吃地瓜
Published: 2020-04-23 17:09:29
Column: 梦在深巷

On building a private CA certificate

  • OpenSSL consists of three components: openssl, the multi-purpose command-line tool; libcrypto, the encryption/decryption library; and libssl, the implementation of the SSL/TLS protocol.
# PKI: Public Key Infrastructure
#     CA  (certificate authority: signs certificates)
#     RA  (registration authority: vets requests before they are signed)
#     CRL (certificate revocation list)
#     certificate repository

# Building a private CA:
#     OpenCA
#     openssl

# Certificate application and signing steps:
#     1. generate a signing request;
#     2. the RA verifies the request;
#     3. the CA signs it;
#     4. the requester obtains the certificate;

Steps to create a private CA

The openssl configuration file is /etc/pki/tls/openssl.cnf; its [ CA_default ] section defines the CA directory (/etc/pki/CA on RHEL/CentOS) with the certs, crl, newcerts and private subdirectories used below.

  • Issuance process:
#1. Create the bookkeeping files the ca command needs (in /etc/pki/CA)
#    touch index.txt
#    echo 01 > serial
#2. CA self-signed certificate
#    (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
#    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
#        -new: generate a new certificate signing request;
#        -x509: output a self-signed certificate instead of a request (used for the CA itself);
#        -key: the private key used to create the request;
#        -days n: validity period of the certificate;
#        -out /PATH/TO/SOMECERTFILE: where to save the certificate;
#3. Issuing certificates
#    (a) the host that needs the certificate generates a request;
#        (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
#        openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
#        (-days only takes effect together with -x509; for a request the validity is set by the CA at signing time)

#    (b) transfer the request file to the CA;

#    (c) the CA signs the certificate and sends it back to the requester;
#        openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

#        inspect the information in a certificate:
#        openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-subject|-serial
#4. Revoking a certificate
#    (a) the client obtains the serial of the certificate to be revoked
#        openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

#    (b) on the CA
#        first compare the serial and subject submitted by the client with the entry in index.txt;
#        then revoke the certificate (the CA keeps its own copy under newcerts/, named after the serial):
#        openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

#    (c) create the CRL number file (only needed once, before the first CRL is generated)
#        echo 01 > /etc/pki/CA/crlnumber

#    (d) generate or update the certificate revocation list
#        openssl ca -gencrl -out thisca.crl

#        inspect the CRL file:
#           openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
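The whole procedure above, run end to end as an added example (this is not code from the original post): it builds a throwaway CA with the same index.txt/serial/crlnumber bookkeeping, issues a server certificate with `openssl ca`, checks the result the way the requesting host should before deploying it (key matches certificate, chain and hostname verify), shows the default policy_match rule rejecting a request whose ST differs from the CA's, then revokes the certificate, generates a CRL and shows the CRL check failing. It assumes only the openssl CLI; the temp directory stands in for /etc/pki/CA, the script writes its own minimal openssl.cnf instead of using /etc/pki/tls/openssl.cnf, and the DN and host names (itab, www.itab.com, ShenZhen) are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway private CA run
# through the same `openssl ca` bookkeeping (index.txt, serial, crlnumber)
# end to end. Assumes only the `openssl` CLI; the temp directory stands in
# for /etc/pki/CA and the DN/host values (itab, www.itab.com) are illustrative.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"

ca_init() {   # step 1: directory layout and the bookkeeping files `openssl ca` needs
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    # Minimal stand-in for /etc/pki/tls/openssl.cnf (policy_match is the stock default)
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match      # C, ST and O of every request must equal the CA's
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_cert
[ req_dn ]
C = CN
ST = GuangZhou
O = itab
CN = ca.itab.com
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

ca_selfsign() {   # step 2: CA private key plus self-signed root certificate
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" \
        -key "$CA_DIR/private/cakey.pem" -days 7300 -out "$CA_DIR/cacert.pem"
}

leaf_request() {   # step 3a, on the requesting host: KEY CSR SUBJECT
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$1" -subj "$3" -out "$2"
}

ca_sign() {   # step 3c, on the CA: CSR OUT HOSTNAME (the SAN is what clients actually check)
    ext="$CA_DIR/ext.$3.cnf"
    printf '%s\n' '[ server_cert ]' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' "subjectAltName = DNS:$3" > "$ext"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 365 \
        -extfile "$ext" -extensions server_cert -in "$1" -out "$2"
}

key_matches_cert() {   # KEY CRT: the returned certificate must carry this key's public half
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

verify_leaf() {   # CRT HOSTNAME [CRL]: chain and hostname check, plus revocation if a CRL is given
    openssl verify ${3:+-crl_check -CRLfile "$3"} -CAfile "$CA_DIR/cacert.pem" \
        -verify_hostname "$2" "$1"
}

ca_revoke() { openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$1"; }       # step 4b
ca_gencrl() { openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$1"; }  # step 4d

run_demo() {
    ca_init; ca_selfsign
    leaf_request "$CA_DIR/www.key" "$CA_DIR/www.csr" "/C=CN/ST=GuangZhou/O=itab/CN=www.itab.com"
    ca_sign "$CA_DIR/www.csr" "$CA_DIR/www.crt" www.itab.com
    key_matches_cert "$CA_DIR/www.key" "$CA_DIR/www.crt"
    verify_leaf "$CA_DIR/www.crt" www.itab.com
    # policy_match at work: a request whose ST differs from the CA's is refused before signing
    leaf_request "$CA_DIR/bad.key" "$CA_DIR/bad.csr" "/C=CN/ST=ShenZhen/O=itab/CN=bad.itab.com"
    ! ca_sign "$CA_DIR/bad.csr" "$CA_DIR/bad.crt" bad.itab.com 2>/dev/null || return 1
    ca_revoke "$CA_DIR/www.crt"; ca_gencrl "$CA_DIR/crl/ca.crl"
    ! verify_leaf "$CA_DIR/www.crt" www.itab.com "$CA_DIR/crl/ca.crl" 2>/dev/null || return 1
    cat "$CA_DIR/index.txt"   # the status column for serial 01 now reads R
}
run_demo
```

Two details differ deliberately from the commands in the post: `-notext` keeps the human-readable dump out of the issued file (the post's httpd.crt is 4.5K for that reason), and the per-host extension file adds a subjectAltName, since browsers and most TLS clients ignore the CN and refuse a certificate without a matching SAN.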
Certificate issuance and revocation test
# Generate the CA
[root@master CA]# touch index.txt
[root@master CA]# echo 01 > serial
[root@master CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
..........................................................+++
e is 65537 (0x10001)
[root@master CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # country code
State or Province Name (full name) []:GuangZhou  # province
Locality Name (eg, city) [Default City]:TianHe  # locality
Organization Name (eg, company) [Default Company Ltd]:itab  # company name
Organizational Unit Name (eg, section) []:jkl  # department
Common Name (eg, your name or your server's hostname) []:ca.itab.com  # hostname
Email Address []:caadmin@itab.com  # e-mail address
[root@master CA]# ll
total 8
-rw-r--r--  1 root root 1407 Nov 28 11:06 cacert.pem
drwxr-xr-x. 2 root root    6 Aug  9 09:38 certs
drwxr-xr-x. 2 root root    6 Aug  9 09:38 crl
-rw-r--r--  1 root root    0 Nov 28 07:58 index.txt
drwxr-xr-x. 2 root root    6 Aug  9 09:38 newcerts
drwx------. 2 root root   22 Nov 28 07:59 private
-rw-r--r--  1 root root    3 Nov 28 07:58 serial


# The host generates a certificate request and sends it to the CA server for signing
[root@slave httpd]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.........................................................................................................................+++
............................................+++
e is 65537 (0x10001)
[root@slave httpd]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangZhou
Locality Name (eg, city) [Default City]:TianHe
Organization Name (eg, company) [Default Company Ltd]:itab
Organizational Unit Name (eg, section) []:jkl 
Common Name (eg, your name or your server's hostname) []:www.itab.com
Email Address []:webadmin.itab.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Note: the host must enter the same values the CA used. The default policy_match in openssl.cnf requires the C, ST and O fields of the request to match the CA certificate, otherwise openssl ca refuses to sign.

# Upload the request to the CA server for signing
[root@slave httpd]# scp httpd.csr root@10.10.1.109:/tmp/
httpd.csr                                                                         100% 1050     1.0KB/s   00:00 

[root@master CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 28 03:52:57 2019 GMT
            Not After : Nov 27 03:52:57 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangZhou
            organizationName          = itab
            organizationalUnitName    = jkl
            commonName                = www.itab.com
            emailAddress              = webadmin.itab.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                28:98:E1:2E:E2:20:B2:F9:A7:ED:72:37:BE:87:C4:E4:45:2A:6A:5B
            X509v3 Authority Key Identifier: 
                keyid:D6:30:CC:B0:D7:5E:A1:8E:C7:8F:D1:8A:9A:A1:27:03:8C:C7:ED:B6

Certificate is to be certified until Nov 27 03:52:57 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@master CA]# cat index.txt # a signed certificate gets a line in index.txt: status (V), expiry, empty revocation date, serial, file name, subject DN
V       201127035257Z           01      unknown /C=CN/ST=GuangZhou/O=itab/OU=jkl/CN=www.itab.com/emailAddress=webadmin.itab.com

[root@master CA]# cp newcerts/01.pem certs/ # copy the signed certificate (the CA's copy is newcerts/SERIAL.pem) into the certs directory


# Send the certificate back to the host that requested it
# (the 4.5K file includes the human-readable dump openssl ca prepends to the PEM block; pass -notext to get PEM only)
[root@master CA]# scp /tmp/httpd.crt root@10.10.1.216:/etc/httpd/ssl/httpd.crt
httpd.crt                                                                         100% 4600     5.8MB/s   00:00  
[root@slave ssl]# ll -h
total 8.0K
-rw-r--r-- 1 root root 4.5K Nov 28 11:57 httpd.crt

Copyright: 龙之介大人

Article link: https://cloud.tencent.com/developer/article/1619616

All original articles on this site are licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. You may freely repost and modify them, but you must credit the source and author, state that the article is not original, and not use it for commercial purposes.

Originally published: December 2019, on the author's personal site/blog.
