OpenSSL is the tool used to set up secure sites and issue certificates, e.g. for HTTPS, FTPS and so on.
Default configuration file:
[root@bogon CA]# cat /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA #the CA's default working directory
certs = $dir/certs #where certificates issued by the CA are kept
crl_dir = $dir/crl #where certificates revoked by the CA are kept
database = $dir/index.txt #index of the certificates the CA has issued, effectively a catalogue
new_certs_dir = $dir/newcerts #where newly generated certificates are saved
certificate = $dir/cacert.pem #the CA's self-signed certificate
serial = $dir/serial #serial number for certificates the CA signs
crlnumber = $dir/crlnumber #serial number for the CA's revocations
crl = $dir/crl.pem #the current certificate revocation list file
private_key = $dir/private/cakey.pem #the CA's own private key file
Building a private CA and self-signing it
1. First create the files and directories the configuration file refers to
[root@bogon CA]# mkdir certs crl newcerts private
[root@bogon CA]# touch index.txt serial crlnumber
[root@bogon CA]# ls
certs crl crlnumber index.txt newcerts serial
2. Give the CA's serial number file a starting number (only needed the first time)
[root@bogon CA]# echo 01 > serial
[root@bogon CA]# cat serial
01
3. Generate the CA private key at the location given in the configuration file, and set its permissions to 600
[root@bogon CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
...................+++
e is 65537 (0x10001)
[root@bogon CA]# chmod 600 private/cakey.pem
[root@bogon CA]# ls -l private/cakey.pem
-rw-------. 1 root root 1679 Jun 4 04:50 private/cakey.pem
4. Generate the CA's self-signed certificate
req: starts a signing request; combined with -x509 it means the request is signed by its own key (self-signed).
-new: create a new certificate
-x509: only for the self-signed CA certificate; not used when signing certificates for others
-key: the corresponding private key file
-out: the output file, matching the configuration file
-days: validity period
[root@bogon CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country
State or Province Name (full name) []:beijing #province
Locality Name (eg, city) [Default City]:beijing #city
Organization Name (eg, company) [Default Company Ltd]:abc #company
Organizational Unit Name (eg, section) []:01 #department
Common Name (eg, your name or your server's hostname) []:www.abc.com #server hostname
Email Address []:1@abc.com #administrator's email address
Issuing certificates to others
1. On the server that needs the certificate, create the key file and, for safety, set its permissions to 600. httpd is used as the example here, and the ssl directory was created by hand.
[root@bogon CA]# openssl genrsa -out /etc/httpd/ssl/httpd.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................+++
.......+++
e is 65537 (0x10001)
[root@bogon CA]# chmod 600 /etc/httpd/ssl/httpd.key
[root@bogon CA]# ls -l /etc/httpd/ssl/httpd.key
-rw-------. 1 root root 1679 Jun 4 17:07 /etc/httpd/ssl/httpd.key
2. Generate the certificate signing request; csr stands for the request file
[root@bogon CA]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 165
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:abc
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:1@q.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #add a password
An optional company name []: #repeat the password
3. Send the signing request file to the CA
[root@bogon CA]# scp /etc/httpd/ssl/httpd.csr root@172.17.148.113:/tmp
httpd.csr 100% 1033 1.0KB/s 00:00
[root@bogon CA]#
4. On the CA side, sign the received request
ca: sign
crt: certificate file
-days: validity period of the signed certificate
[root@bogon CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Jun 4 09:17:01 2018 GMT
        Not After : Jun 4 09:17:01 2019 GMT
    Subject:
        countryName = CN
        stateOrProvinceName = beijing
        organizationName = abc
        organizationalUnitName = abc 8 8
        commonName = www.abc.com
        emailAddress = 1@q.com
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Comment:
            OpenSSL Generated Certificate
        X509v3 Subject Key Identifier:
            7E:7C:E1:B2:10:17:32:D5:A5:1A:FC:E4:C2:DC:E0:48:36:67:A9:BF
        X509v3 Authority Key Identifier:
            keyid:C6:AA:7E:FE:18:6D:85:9E:B4:61:AE:4C:D3:1D:EB:61:3B:3C:36:C7
Certificate is to be certified until Jun 4 09:17:01 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Send the signed certificate back to the client
[root@bogon CA]# scp certs/httpd.crt root@172.17.148.255:/etc/httpd/ssl/
6. View the information about the signed certificate
[root@bogon CA]# cat index.txt #view the index file
V 190604091701Z 01 unknown /C=CN/ST=beijing/O=abc/OU=abcx08x08/CN=www.abc.com/emailAddress=1@q.com #V means signed, R means revoked
[root@bogon CA]# openssl x509 -in certs/httpd.crt -noout [ -text | -serial | -subject ]
-text shows everything, -serial shows the serial number, -subject shows the subject
7. For safety, delete the csr files
[root@bogon CA]# rm -rf /tmp/httpd.csr #CA side
[root@aaa CA]# rm -rf /etc/httpd/ssl/httpd.csr #requesting side
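As an added example (not part of these notes), the following POSIX shell script reads index.txt in the format step 6 shows, so you can look up a serial's status, confirm that a client's serial/subject pair is what the CA recorded (the same comparison the revocation section makes before revoking), and list entries that are expired even though their status letter is still V. openssl ca writes the file tab-separated as status, expiry, revocation time, serial, file name, subject; the three entries written by make_sample_index are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the notes' own commands. Reads a CA index.txt without calling openssl.
# Format written by openssl ca (tab-separated):
#   status (V valid, R revoked, E expired)  expiry YYMMDDHHMMSSZ  revocation time (empty unless R)
#   serial  filename (always "unknown")  subject DN

# make_sample_index FILE: write a constructed index.txt with three entries (sample data)
make_sample_index() {
  {
    printf 'V\t190604091701Z\t\t01\tunknown\t/C=CN/ST=beijing/O=abc/OU=abc/CN=www.abc.com/emailAddress=1@q.com\n'
    printf 'R\t200101000000Z\t180901120000Z\t02\tunknown\t/C=CN/ST=beijing/O=abc/CN=mail.abc.com\n'
    printf 'V\t170101000000Z\t\t03\tunknown\t/C=CN/ST=beijing/O=abc/CN=old.abc.com\n'
  } > "$1"
}

# index_status FILE SERIAL: print the status letter recorded for SERIAL (nothing if unknown)
index_status() {
  awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1"
}

# index_subject FILE SERIAL: print the subject DN recorded for SERIAL
index_subject() {
  awk -F'\t' -v s="$2" '$4 == s { print $6 }' "$1"
}

# index_matches FILE SERIAL SUBJECT: exit 0 only if SERIAL is known and its recorded subject
# equals SUBJECT (the pair the client reads with openssl x509 -serial -subject). The string
# must be in the form index.txt stores it, i.e. /C=CN/ST=.../CN=...
index_matches() {
  [ -n "$3" ] && [ "$(index_subject "$1" "$2")" = "$3" ]
}

# index_report FILE NOW: one line per entry. NOW is a YYMMDDHHMMSSZ timestamp to compare
# against, because openssl ca leaves status V on expired entries until `openssl ca -updatedb`
# is run; fixed-width timestamps make a plain string comparison chronological.
index_report() {
  awk -F'\t' -v now="$2" '
    $1 == "R" { print $4, "revoked", $3; next }
    $2 < now  { print $4, "EXPIRED", $2; next }
              { print $4, "valid-until", $2 }' "$1"
}

# Demo: report the sample index against the current time
f=$(mktemp)
make_sample_index "$f"
index_report "$f" "$(date -u +%y%m%d%H%M%SZ)"
rm -f "$f"
```

index_report prints "revoked", "EXPIRED" or "valid-until" beside each serial; a serial that is revoked stays revoked regardless of its expiry, which is why that rule comes first.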
Revoking a certificate
1. Obtain the serial number and subject of the certificate to be revoked; this is normally done on the client side
[root@bogon CA]# openssl x509 -in certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=abc/OU=abcx08x08/CN=www.abc.com/emailAddress=1@q.com
2. Check whether the client's serial and subject match the entry in the CA's index.txt file
[root@bogon CA]# cat index.txt
V 190604091701Z 01 unknown /C=CN/ST=beijing/O=abc/OU=abcx08x08/CN=www.abc.com/emailAddress=1@q.com
3. If they match, revoke
[root@bogon CA]# openssl ca -revoke newcerts/01.pem #the newcerts directory holds a certificate file named after each serial number
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
4. Create the revocation list number (only needed the first time you revoke)
[root@bogon CA]# echo 01 > crlnumber
[root@bogon CA]# cat crlnumber
01
5. Update the certificate revocation list; any output file name will do
[root@bogon CA]# openssl ca -gencrl -out diaoxiao.crl
6. View the revocation list
[root@bogon CA]# openssl crl -in diaoxiao.crl -noout -text
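Added example, not the notes' own commands: the whole lifecycle above (build the CA, issue a server certificate, verify it, revoke it, regenerate the CRL, verify again) as a POSIX shell script that works in a scratch directory instead of /etc/pki/CA. The openssl.cnf it writes is a minimal stand-in for the distribution file and is an assumption; www.abc.com, the subject names and the function names are made up for the demo. Two things the notes do not show: the -days given to openssl req when making a CSR has no effect, since the validity is fixed by the CA at signing time; and openssl verify only accepts the CA certificate as a trust anchor if it carries basicConstraints CA:true, which is why the self-signed certificate is created with an explicit v3_ca extension section (the distribution openssl.cnf does this for you). The issued certificate additionally gets a subjectAltName, which is what browsers match instead of the Common Name.

```shell
#!/bin/sh
# Added example, not the notes' own commands. Runs the CA lifecycle in a scratch
# directory; the openssl.cnf written here is a minimal stand-in for
# /etc/pki/tls/openssl.cnf (an assumption), using the CA_default names from the page.
set -e

# ca_init DIR: working tree, serial/crlnumber counters, config, CA key, self-signed CA cert
ca_init() {
  d="$1"
  mkdir -p "$d/certs" "$d/crl" "$d/newcerts" "$d/private"
  chmod 700 "$d/private"
  : > "$d/index.txt"
  echo 01 > "$d/serial"      # first serial to issue
  echo 01 > "$d/crlnumber"   # first CRL number
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$d/private/cakey.pem"
  # -x509 = self-signed; v3_ca marks it as a CA, which openssl verify requires of a trust anchor
  openssl req -new -x509 -config "$d/openssl.cnf" -extensions v3_ca \
    -key "$d/private/cakey.pem" -out "$d/cacert.pem" -days 3650 -subj "/C=CN/O=abc/CN=abc private CA"
}

# ca_issue DIR HOST: key and CSR as the requesting server makes them, then CA signing.
# -days on the CSR would be ignored; validity is set here at signing. The extfile adds
# CA:FALSE plus a subjectAltName, which is what clients match rather than the CN.
ca_issue() {
  d="$1"; host="$2"
  openssl genrsa -out "$d/$host.key" 2048 2>/dev/null
  chmod 600 "$d/$host.key"
  openssl req -new -config "$d/openssl.cnf" -key "$d/$host.key" -out "$d/$host.csr" -subj "/C=CN/O=abc/CN=$host"
  printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$d/$host.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" >> "$d/$host.ext"
  openssl ca -batch -notext -config "$d/openssl.cnf" -extfile "$d/$host.ext" \
    -in "$d/$host.csr" -out "$d/certs/$host.crt" -days 365 >/dev/null 2>&1
  rm -f "$d/$host.csr" "$d/$host.ext"   # the CSR is not needed once signed (step 7 of the notes)
}

# ca_revoke DIR SERIAL: revoke newcerts/SERIAL.pem, then regenerate the CRL
ca_revoke() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" >/dev/null 2>&1
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# cert_serial CERT: the serial as index.txt records it (e.g. 01)
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# cert_status DIR CERT: "valid" if CERT chains to the CA and, once a CRL exists, is not
# on it; "rejected" otherwise. CA cert and CRL are bundled because -CAfile loads both.
cert_status() {
  d="$1"; opts=""
  cat "$d/cacert.pem" > "$d/trust.pem"
  if [ -f "$d/crl.pem" ]; then cat "$d/crl.pem" >> "$d/trust.pem"; opts="-crl_check"; fi
  if openssl verify $opts -CAfile "$d/trust.pem" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo valid
  else
    echo rejected
  fi
}

# Demo: the same sequence as the notes, in a temporary CA
w=$(mktemp -d)
ca_init "$w"
ca_issue "$w" www.abc.com
echo "issued serial $(cert_serial "$w/certs/www.abc.com.crt"): $(cert_status "$w" "$w/certs/www.abc.com.crt")"
ca_revoke "$w" 01
echo "after revocation: $(cert_status "$w" "$w/certs/www.abc.com.crt")"
cat "$w/index.txt"
```

The final cat shows the index.txt line flipping from V to R with the revocation time filled in, and cert_status goes from valid to rejected only because the CRL is passed to openssl verify with -crl_check; without the CRL the revoked certificate would still verify, which is why publishing and consuming the CRL matters as much as the revoke itself.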