私有CA建立和证书生申请

CA在创建时有规定的格式,详细需要参考/etc/pki/tls/openssl.cnf此文件存放了CA相关的一些配置信息。

以下为比较重要的2个相关配置:

1.此段为CA的详细目录结构

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

2.此段为证书签署的相关规则,其中标记为match的表示客户端在提交证书签署申请时必须和CA相同的部分。若要不同也可以修改policy规则

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match             #此处若修改为policy_anything就能实现客户端申请证书时countryName、stateOrProvinceName、organizationName和CA不同也能签署。

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

一、创建私有CA

1.生成证书索引数据库文件

1
[root@centos7 CA]# touch index.txt

2.指定证书颁发序列号

1
[root@centos7 CA]# echo 01 > serial

3.生成私钥

私钥必须存放在/etc/pki/CA/private下取名为cakey.pem

1
2
3
4
5
[root@centos7 CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096)       #生成私钥,指定长度为4096位
Generating RSA private key, 4096 bit long modulus
.........................................++
.....................++
e is 65537 (0x10001)

4.生成自签证书

自签证书的存放位置和命名也有规定,必须存放在/etc/pki/CA/下,取名为cacert.pem 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650     #生成自签证书,指定有效时长为3650天
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing  
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

二、客户端申请证书

1.在客户端生成私钥文件

客户端的私钥一般在需要生成私钥的应用下生成

1
2
3
4
5
[root@centos7 data]# (umask 066;openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................................................................++++++
.....++++++
e is 65537 (0x10001)

2.利用私钥生成证书签署请求

签署请求中Country Name、State or Provice Name、Organization Name必须相同。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@centos7 data]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.将证书签署请求发给CA

1
2
3
4
5
6
7
8
[root@centos7 data]# scp test.csr 192.168.73.132:/tmp
The authenticity of host '192.168.73.132 (192.168.73.132)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.132' (ECDSA) to the list of known hosts.
root@192.168.73.132's password: 
test.csr                                                               100%  660   220.9KB/s   00:00

三、CA服务器端签署证书

CA服务器签署证书时,需要指定证书有效时长

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[root@centos7 CA]# openssl ca -in /tmp/test.csr -out certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = www.mylinuxops.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier: 
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

Certificate is to be certified until Apr 14 22:42:33 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

四、其他

1.查看证书中的信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
[root@centos7 CA]# openssl x509 -in certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=ops, CN=ca.magedu.com
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject: C=CN, ST=beijing, O=magedu, OU=ops, CN=www.mylinuxops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d1:ab:99:29:51:31:e8:2d:69:e6:04:25:89:61:
                    2d:81:71:c6:cf:b0:a2:a2:8a:94:6f:b3:ab:40:fa:
                    1f:da:40:33:7b:46:0f:f7:61:21:18:be:3b:5d:b8:
                    18:a2:8a:9e:99:66:9c:9c:7c:68:2e:ab:73:00:87:
                    3a:91:aa:b5:a0:f0:2c:ec:d0:f2:44:15:86:74:2a:
                    39:d0:64:42:a8:d5:69:ca:c2:79:a1:5a:e3:c9:dc:
                    6e:9e:1e:ab:89:cf:47:62:57:67:17:d3:9f:09:4f:
                    0d:ed:f3:b7:d1:99:b0:49:95:99:25:0b:70:30:ef:
                    a2:72:8d:42:90:8b:51:bb:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier: 
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

    Signature Algorithm: sha256WithRSAEncryption
         a0:b9:ac:ef:a6:cb:9c:af:99:5b:f8:f2:dd:f4:0b:dc:63:51:
         99:16:3d:b9:53:91:5e:e5:61:f0:9d:85:cb:57:19:b8:fd:fd:
         6e:3a:9c:f2:2a:d0:69:90:89:ff:75:90:20:f6:25:d0:d2:f9:
         4f:23:34:fd:b7:3c:25:00:7c:a3:7f:f3:14:2b:54:54:3e:cf:
         19:fa:80:48:b2:f3:3a:c7:cf:20:7a:91:3e:43:6f:88:2d:36:
         9a:50:23:12:d1:0c:fa:78:c3:3a:7e:90:85:b1:ba:a8:4a:f0:
         c9:a1:6c:e9:7c:ff:e5:8a:f1:30:8d:36:33:1c:22:03:5b:37:
         73:95:a8:6f:2d:68:42:5d:78:e2:9c:24:c4:b2:f7:59:37:1e:
         af:90:ea:1e:bc:73:d7:95:83:42:64:f5:e1:fb:45:e6:9c:e3:
         2b:04:6f:de:d0:de:01:d9:dc:af:9c:47:2d:31:5e:c3:71:6d:
         23:a6:f3:e0:77:65:c9:a3:39:c0:f2:c5:d2:21:df:84:64:cd:
         0f:4b:19:ea:b4:d5:75:2a:52:54:38:e4:d6:6a:e0:9e:61:c6:
         3a:04:21:cb:d5:2f:c9:f3:21:15:a6:bf:48:ea:06:f4:a8:20:
         43:49:e9:e5:d5:c6:74:06:6a:53:c6:31:48:08:89:6f:af:9a:
         aa:d7:62:e3:9b:60:f2:55:1e:0d:e0:e2:ab:02:76:ab:f0:2f:
         c5:39:fe:11:e3:1d:51:19:96:2d:57:6b:a6:d1:97:8d:fb:cb:
         4f:08:b5:29:af:c8:b8:c7:c9:32:7d:a6:30:ee:ad:c7:13:af:
         d9:9f:c4:09:f1:57:6b:aa:66:de:ad:28:c9:ea:a3:52:26:9b:
         29:e2:0a:14:30:c5:fb:06:70:89:69:f2:5a:de:49:bd:4a:f3:
         af:20:f0:b6:c5:97:37:9a:b4:35:03:5e:75:6c:a0:82:1e:bb:
         0c:68:fe:f4:ee:06:3b:0a:2e:e1:72:0c:b1:32:f4:f3:0f:c0:
         ee:66:1e:5b:9b:e5:02:72:8a:f4:f8:94:3b:c3:85:5f:53:38:
         47:b4:47:61:1a:a1:fd:36:9d:40:81:0a:65:37:47:ad:9e:d5:
         a3:0f:58:87:d5:2f:7f:b5:bc:15:e8:cc:f4:16:c0:67:fa:a2:
         b6:f1:2b:4e:5d:ac:8f:fe:c5:20:3a:b5:49:18:5d:be:29:01:
         67:5f:2f:e9:77:31:34:5c:e2:12:78:1c:a2:c8:3a:67:d1:90:
         3b:24:ed:49:68:5d:c4:f3:f7:8f:4c:bf:02:88:15:3b:11:90:
         9e:f0:fc:d2:41:48:8b:6c:53:22:8d:b0:1b:53:67:05:dc:f5:
         72:37:19:1b:05:24:4b:3b

2.查看指定编号的证书状态

1
2
3
[root@centos7 CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

CA证书的吊销

1.在客户机上查看索要吊销的证书的serial和subject

1
2
3
[root@centos7 certs]# openssl x509 -in test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com

2.根据客户端所提交的信息,在CA服务器端比对index.txt内的信息

1
2
[root@centos7 CA]# cat index.txt
V	200414224233Z		01	unknown	/C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com

3.吊销证书

1
2
3
4
[root@centos7 CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

4.指定第一个证书吊销的编号(第一次执行吊销时需要执行此步骤)

1
[root@centos7 CA]# echo 01 > /etc/pki/CA/crlnumber

5.生成证书吊销列表

1
2
[root@centos7 CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

6.查看证书吊销列表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
[root@centos7 CA]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=ca.magedu.com
        Last Update: Apr 16 08:41:46 2019 GMT
        Next Update: May 16 08:41:46 2019 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Apr 16 08:38:37 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         a3:07:8f:b4:a8:ec:76:fb:d1:6c:88:f6:1d:ba:e6:79:5e:19:
         59:3a:38:8d:26:d0:15:d2:22:b1:2f:a5:b0:b0:fc:49:11:00:
         0a:2a:93:22:8d:44:ec:18:c9:5d:ad:66:60:32:36:8a:55:77:
         03:9e:fb:51:b4:8e:9d:b7:d8:3b:d1:da:64:9e:ae:9f:5a:04:
         19:69:f6:e9:de:94:75:92:f4:f4:33:b6:2b:e9:8e:27:dd:40:
         9f:90:11:0f:36:d4:4a:ef:af:55:08:ec:87:81:c6:7c:38:02:
         fb:e2:d9:77:61:dc:2a:2c:61:c5:36:aa:6e:34:59:77:fe:47:
         81:6d:02:15:e5:4b:f2:1f:ae:b3:e0:2e:5e:49:9d:c1:51:f9:
         2e:69:d5:5f:9b:26:25:20:d9:88:ac:30:94:e2:25:e5:ee:17:
         f4:62:ca:ea:be:af:aa:7a:07:e7:e5:91:24:80:cc:52:9b:30:
         e2:3e:59:66:2a:77:28:7b:6a:10:99:a3:a3:27:30:17:a1:94:
         49:bb:ae:eb:7f:53:d9:07:a5:0c:8f:b0:97:0a:cb:42:d8:37:
         22:d9:0b:48:5e:a9:a0:13:78:0d:71:5b:76:25:11:f2:62:7b:
         e7:a5:f5:52:03:a6:25:ea:3a:da:d6:37:5a:55:ed:89:3e:67:
         6f:b7:d7:a9:75:94:e8:17:af:cc:87:ed:bb:4d:19:3c:ee:af:
         a5:4d:fe:5e:f9:80:7a:16:4d:8c:99:36:77:75:e7:81:03:05:
         92:91:01:5c:5e:d7:d0:d3:2b:ef:62:cd:20:5b:1b:40:30:29:
         41:83:c6:7b:cc:29:2a:c3:6c:76:88:ed:a8:ac:be:83:00:7b:
         56:c6:de:97:cf:6a:a5:bd:38:1e:84:b1:00:37:e5:85:15:eb:
         86:51:f8:51:f6:e4:7e:2e:25:e2:8b:10:7d:3e:a6:4d:e5:bd:
         cb:8b:1e:2f:71:60:83:e5:75:1b:91:87:90:39:4a:67:88:87:
         51:d3:b9:ff:0a:f6:36:3c:ba:a0:ae:32:6d:48:d7:e0:3d:20:
         06:b5:ae:05:74:ab:13:84:49:dc:d7:91:c3:48:38:2d:b3:e9:
         b7:f0:13:9d:54:44:f1:5c:52:35:95:f5:da:9c:85:62:3f:28:
         3a:c1:8a:32:e9:f6:f6:93:d2:40:7f:8a:71:20:6e:04:2f:2f:
         33:2b:ac:2a:bb:33:b1:09:4d:4b:67:69:a9:48:a7:a7:a4:cb:
         7e:61:fb:3e:85:dd:1f:99:8b:35:d6:7d:75:9d:34:61:84:8e:
         46:39:e7:4b:09:e3:00:44:69:24:73:ac:37:82:73:1b:42:0d:
         1f:60:5a:e7:47:6c:5f:a6

创建私有CA脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/bin/bash
PS3="plese choose a nember: "
select menu in 创建CA 申请证书 签发证书 退出;do
        case $menu in
        创建CA)
                cd /etc/pki/CA
                touch serial
                echo 01 > index.txt
                (umask 066;openssl genrsa -out private/cakey.pem 4096)
                openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 << EOF
                CN
                beijing
                beijing
                magedu
                ca.magedu.com

                EOF
                ;;
        申请证书)
                read -p "please input your need crt appdir: " APPDIR
                read -p "please input your need crt app name: " NAME
                read -p "please input CA server ip: " IP
                cd $APPDIR
                (unmask 066;openssl genrsa -out $NAME.key 2048)
                openssl req -new -key ${NAME}.key -out ${NAME}.csr
                scp ${NAME}.csr ${IP}:/tmp
                unset IP
                ;;
        签发证书)
                read -p "please input client ip: " IP
                NAME=`cd /tmp;ls *.csr`
                openssl ca -in /tmp/${NAME}.csr -out /etc/pki/CA/certs/${NAME}.crt
                rm -rf /tmp/*.csr
                scp /etc/pki/CA/certs/${NAME}.crt $IP:/tmp
                unset IP
                ;;
        退出)
                break
                ;;
        esac
done
~