利用openssl創建私有CA的步驟和過程
阿新 • • 發佈:2018-04-11
創建私有CAopenssl命令行 工具:命令包含眾多的子命令來實現各種安全加密功能
標準命令有: enc, dgst, ca, req, genrsa, rand, rsa, x509, passwd, ... 1.對稱加密命令:enc 提供對稱加密算法,以進行數據或文件的手動加密; 格式:openssl enc -ciphername [-in filename] [-out filename] [-e] [-d] [-a/-base64] [-salt] -ciphername:加密算法的名稱 -in filename:openssl要讀取的文件路徑; -out filename:加密或解密操作後用於保存結果的文件路徑; -e:加密操作 -d:解密操作 -a/-base64:用純文本格式進行密文編碼; -salt:隨機加鹽; 示例: 加密文件(使用-e,-in選項,指定文件和加密後存放的位置): ~]# openssl enc -e -des3 -in anaconda-ks.cfg -a -out anaconda-ks.cfg.encryptfile 解密文件(使用-d,-out選項,指定文件和加密後存放的位置): ~]# openssl enc -d -des3 -out anaconda-ks.cfg -a -in anaconda-ks.cfg.encryptfile 2.單向解密命令:dgst 示例: 對fstab文件進行單向解密 ~]# openssl dgst -sha1 fstab 3.生成隨機數命令:rand openssl rand [-out file] [-rand file(s)] [-base64] [-hex] num 示例: ~]# openssl rand -base64 8 4.生成帶鹽的密碼:passwd openssl passwd -1 -salt SALT_STRING 示例: ~]# openssl passwd -1 -salt 01234567 5.公鑰加密算法:genrsa 生成rsa加密算法的私鑰; openssl genrsa [-out filename] [-des] [-des3] [-idea] [-f4] [-3] [numbits] 建議使用權限遮罩碼來生成私鑰: ~]# (umask 077 ; openssl genrsa -out /tmp/my.key 4096) ~]# (umask 077 ; openssl genrsa > /tmp/my.key 4096) 從以及生成的私鑰文件中抽取公鑰:rsa openssl rsa [-in filename] [-out filename] [-pubout] -pubout:抽取公鑰 -in filename:私鑰文件的路徑 -out filename:公鑰文件的路徑 示例: ~]# openssl rsa -in my.key -out mykey.pub -pubout 利用openssl建立私有CA: 1.創建CA所在主機的私鑰文件; 2.生成自簽證書; 3.必須為CA提供必要的目錄級文件及文本級文件; 目錄級文件: /etc/pki/CA/certs /etc/pki/CA/crl /etc/pki/CA/newcerts 文本級文件: /etc/pki/CA/serial:保存證書的序列號,一般初始序列號為01; /etc/pki/CA/index.txt:證書索引; /etc/pki/tls/openssl.cnf:配置文件; 創建私有CA的步驟: 1.創建CA的私鑰文件: [root@chenliang CA]# ls certs crl newcerts private [root@chenliang CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/clcakey.pem 2048) Generating RSA private key, 2048 bit long modulus ....+++ ....................................................................................................................................+++ e is 65537 (0x10001) [root@chenliang CA]# ll private/ 總用量 4 -rw-------. 1 root root 1675 4月 11 09:01 clcakey.pem 2.生成自簽證書: [root@chenliang CA]# openssl req -new -x509 -key /etc/pki/CA/private/clcakey.pem -out /etc/pki/CA/clcacert.pem -days 10000 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Hebei Locality Name (eg, city) [Default City]:Handan Organization Name (eg, company) [Default Company Ltd]:cl Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server‘s hostname) []:clca.handan.com Email Address []:mail.clhandan.com [root@chenliang CA]# ls certs clcacert.pem crl newcerts private 3.完善目錄及文本文件結構:
[root@chenliang CA]# touch /etc/pki/CA/index.txt
[root@chenliang CA]# ls
certs clcacert.pem crl index.txt newcerts private
[root@chenliang CA]# echo 01 > /etc/pki/CA/serial
[root@chenliang CA]# ls
certs clcacert.pem crl index.txt newcerts private serial
在CA上查看證書內容: 查看序列號: [root@chenliang CA]# openssl x509 -in clcacert.pem -noout -serial serial=F0FD9E8DA617E97D 查看證書內容: [root@chenliang CA]# openssl x509 -in clcacert.pem -noout -subject subject= /C=CN/ST=hebei\x08:Hebei/L=Handan/O=cl/OU=Tech/CN=clca.handan.com/emailAddress=mail.clhandan.com 吊銷證書:必須在CA上執行; 1.獲取客戶端證書對應的序列號: openssl x509 -in /etc/pki/CA/certificate -noout -serial 2.吊銷證書: openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem 註意:上述命令中的"SERIAL"要換成準備吊銷的證書的序列號; 3.生成吊銷證書的吊銷索引文件;僅需要第一次吊銷證書時執行此操作: echo "SERIAL" > /etc/pki/CA/crl/crlnumber 4.更新證書吊銷列表: openssl ca -genctl -out /etc/pki/CA/crl/ca.crl 5.查看CRL: openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
利用openssl創建私有CA的步驟和過程