• Setting up your own CA with openssl


    Personal study notes; please do not repost!!!

    Original: https://www.cnblogs.com/wshenjin/p/12519455.html


    Building the CA

    Self-signed certificate:
    Note: the default certificate configuration is documented in /etc/pki/tls/openssl.cnf; reading its [CA_default] section gives an overview of where the CA-related files are kept.

    [ CA_default ]
    dir             = /etc/pki/CA             # base path variable
    certs           = $dir/certs              # directory for issued certificates
    database        = $dir/index.txt          # database index file
    new_certs_dir   = $dir/newcerts           # directory for newly signed certificates
    certificate     = $dir/cacert.pem         # path of the CA certificate
    serial          = $dir/serial             # current certificate serial number
    private_key     = $dir/private/cakey.pem  # path of the CA private key
    
    1. Create the CA directories and files
    # mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
    # touch /etc/pki/CA/{serial,index.txt}
    

    The directories /etc/pki/CA/{certs,newcerts,private} already exist once openssl is installed, so they do not need to be created separately.
    The certificate database file index.txt and the serial file serial must be created, however, and the serial file must be given a starting number, such as "01":

    # echo 01 > /etc/pki/CA/serial 
    
    2. Generate the CA private key

    The CA private key is stored at the location given by private_key in the config file, /etc/pki/CA/private/cakey.pem by default:

    # (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    
    3. Generate the self-signed CA certificate

    Because of the "certificate=$dir/cacert.pem" setting in the config file, the CA certificate should be placed in /etc/pki/CA and named cacert.pem; only then can it be used later to sign other certificate requests:

    # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GuangDong
    Locality Name (eg, city) [Default City]:GuangZhou
    Organization Name (eg, company) [Default Company Ltd]:Im CA
    Organizational Unit Name (eg, section) []:ca
    Common Name (eg, your name or your server's hostname) []:imca.com
    Email Address []:root@imca.com
    

    When creating the request, Country Name, State or Province Name, Organization Name and Common Name are required by default.

    At this point the CA is complete.

    Issuing certificates with the CA

    1. Create the private key
    # (umask 077;openssl genrsa -out example.com.key 2048)
    
    2. Create the certificate signing request
    # openssl req -new -key example.com.key -out example.com.csr
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GuangDong
    Locality Name (eg, city) [Default City]:GuangZhou
    Organization Name (eg, company) [Default Company Ltd]:lulu
    Organizational Unit Name (eg, section) []:game 
    Common Name (eg, your name or your server's hostname) []:example.com
    Email Address []:example@lulu.com 
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:
    
    3. Sign the certificate
    # openssl ca -in example.com.csr -out example.com.crt -days 365
    
    4. Inspect the result
    # openssl x509 -in example.com.crt  -noout -serial -subject
    serial=02
    subject= /C=CN/ST=GuangDong/O=lulu/OU=game/CN=*.example.com/emailAddress=root@lulu.com
    
    5. Notes

    When filling in the certificate request, Country Name, State or Province Name, Organization Name and Common Name must be provided, and the first three must be identical to the corresponding fields of the CA.
    This is determined by the matching policy in the config file /etc/pki/tls/openssl.cnf:

    [ ca ]
    default_ca      = CA_default            # The default ca section
    [ CA_default ]
    policy          = policy_match
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    

    "match" means the field in the request that openssl ca signs must match, i.e. be identical to, the field in the CA certificate;
    "supplied" means the field must be provided;
    "optional" means the field is optional and may be left empty.

    After signing succeeds, look at the file structure of the CA directory:

    # tree /etc/pki/CA/
    /etc/pki/CA
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    

    01.pem is the certificate that was just signed; its md5 is identical:

    # md5sum example.com.crt  /etc/pki/CA/newcerts/01.pem 
    bea8caec9183addbe8df2b293e8694a1  example.com.crt
    bea8caec9183addbe8df2b293e8694a1  /etc/pki/CA/newcerts/01.pem
    
    6. Add the CA certificate to the system trust store
    # cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
    

    After that, certificates signed by the CA are trusted by the system:

    # curl -Iv -s  https://example.com/index.html 
    * About to connect() to example.com port 443 (#0)
    *   Trying 127.0.0.1...
    * Connected to example.com (127.0.0.1) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: E=example@lulu.com,CN=example.com,OU=game,O=lulu,ST=GuangDong,C=CN
    *       start date: Mar 18 10:03:22 2020 GMT
    *       expire date: Mar 18 10:03:22 2021 GMT
    *       common name: example.com
    *       issuer: E=root@imca.com,CN=imca.com,OU=ca,O=Im CA,L=GuangZhou,ST=GuangDong,C=CN
    > HEAD /index.html HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: example.com
    > Accept: */*
    


    Now look at the database index file and the serial number file:

    # cat /etc/pki/CA/index.txt
    V       210318100322Z           01      unknown /C=CN/ST=GuangDong/O=lulu/OU=game/CN=example.com/emailAddress=example@lulu.com
    # cat /etc/pki/CA/serial
    02
    

    So the next certificate request that is signed will get serial number "02".

    Troubleshooting

    Error 1:
    Using configuration from /etc/pki/tls/openssl.cnf
    Error opening CA certificate /etc/pki/CA/cacert.pem
    140003788384144:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/cacert.pem','r')
    140003788384144:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    unable to load certificate
    

    The CA certificate /etc/pki/CA/cacert.pem is not at the location given by certificate in the config file /etc/pki/tls/openssl.cnf.

    Error 2:
    Using configuration from /etc/pki/tls/openssl.cnf
    unable to load number from /etc/pki/CA/serial
    error while loading serial number
    140422411036560:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:210:
    

    This is usually because the serial file was never given an initial value; fix it with echo 01 > /etc/pki/CA/serial

    Error 3:
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The organizationName field needed to be the same in the
    CA certificate (comm) and the request (lulu)
    

    Because /etc/pki/tls/openssl.cnf is used by default and its policy requires this field to match, change it to organizationName=supplied
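    The complete procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the CA (steps 1-3), issues a certificate (issuing steps 1-4), runs the preflight checks that would have caught errors 1 and 2, and demonstrates error 3 by submitting a request whose Organization Name differs from the CA's. Everything happens in a temporary directory with a minimal openssl.cnf of the example's own, so it never touches /etc/pki; the configuration keys are the ones the post quotes, and the -subj values reuse the post's DN fields. It goes beyond the post in two ways: -subj replaces the interactive prompts, and the CA certificate is given basicConstraints CA:TRUE while issued certificates get CA:FALSE.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway CA in a
# temporary directory, sign one request with `openssl ca`, and check the
# policy_match, serial and newcerts behaviour described above. The config and
# every path under $CA_DIR are this example's own assumptions, not /etc/pki.
set -eu
CA_DIR="$(mktemp -d)"
CA_CONF="$CA_DIR/openssl.cnf"
trap 'rm -rf "$CA_DIR"' EXIT

# Step 1: layout and bookkeeping files mirroring [CA_default]; index.txt may
# start empty, but serial must hold a starting number.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_CONF" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_DIR
certs           = \$dir/certs
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = v3_leaf
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Steps 2-3: CA key and self-signed CA cert; -subj replaces the prompts.
ca_build() {
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$CA_CONF" -new -x509 -extensions v3_ca -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=Im CA/OU=ca/CN=imca.com"
}

# Preflight for errors 1 and 2: CA cert present, serial holds a hex number.
ca_preflight() {
    [ -s "$CA_DIR/cacert.pem" ] || { echo "CA certificate missing" >&2; return 1; }
    grep -Eq '^[0-9A-Fa-f]+$' "$CA_DIR/serial" 2>/dev/null \
        || { echo "serial file has no initial value" >&2; return 1; }
}

# Issuing steps 1-3: key, CSR with subject $1 (files named $2), openssl ca.
# Returns openssl ca's exit status, so a policy violation reads as failure.
ca_sign() {
    (umask 077; openssl genrsa -out "$CA_DIR/$2.key" 2048 2>/dev/null)
    openssl req -config "$CA_CONF" -new -key "$CA_DIR/$2.key" \
        -out "$CA_DIR/$2.csr" -subj "$1" 2>/dev/null
    openssl ca -config "$CA_CONF" -batch -notext \
        -in "$CA_DIR/$2.csr" -out "$CA_DIR/$2.crt"
}

ca_verify()       { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null; }
cert_serial()     { openssl x509 -in "$CA_DIR/$1.crt" -noout -serial; }
ca_next_serial()  { cat "$CA_DIR/serial"; }
ca_issued_count() { grep -c '^V' "$CA_DIR/index.txt" || true; }

# The md5sum check above: -out file and newcerts/<serial>.pem are one cert.
same_cert() {
    a=$(openssl x509 -in "$CA_DIR/$1.crt" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$CA_DIR/newcerts/$2.pem" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Error 3: with policy_match, O=lulu is rejected by a CA whose O is "Im CA".
# Returns 0 when openssl ca refuses the request and writes no certificate.
policy_rejects_mismatch() {
    ca_sign "/C=CN/ST=GuangDong/O=lulu/OU=game/CN=other.example.com" other 2>/dev/null && return 1
    [ ! -s "$CA_DIR/other.crt" ]
}

# Walk through the whole procedure.
ca_init; ca_build; ca_preflight
ca_sign "/C=CN/ST=GuangDong/L=GuangZhou/O=Im CA/OU=game/CN=example.com" example
ca_verify example
echo "issued $(cert_serial example); next serial $(ca_next_serial); $(ca_issued_count) index entry"
policy_rejects_mismatch
echo "O=lulu request rejected by policy_match; serial still $(ca_next_serial)"
```

    Run it as-is with sh; it prints the issued serial, the next serial and the number of index entries, and removes the temporary directory on exit. One detail of openssl ca that explains the subject printed in step 4: fields the policy section does not mention, such as localityName, are dropped from the issued certificate, which is why the L=GuangZhou given in the request does not appear there.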

    References

    https://www.cnblogs.com/f-ck-need-u/p/7115871.html
