
Linux Security and Encryption (Part 4): OpenSSL Certificate Requests and Building a CA

OpenSSL certificate requests

1. PKI: Public Key Infrastructure

  • CA            Certificate Authority, issues certificates
  • RA            Registration Authority, receives and vets certificate requests
  • CRL           Certificate Revocation List

2. Building a private CA: software for setting one up

  • OpenCA
  • openssl

3. Steps of a certificate request and signing:

  • 1. Generate the request (file suffix .csr)
  • 2. The RA verifies the request
  • 3. The CA signs it
  • 4. The requester obtains the certificate

Building a CA and requesting a certificate

Building a private CA:

[[email protected] ~]# cd /etc/pki/tls/
[[email protected] tls]# ls
cert.pem  certs  misc  openssl.cnf  private

****** openssl configuration file: /etc/pki/tls/openssl.cnf, the CA's main configuration file ******

Three policy values: match, supplied and optional

match means the field in the request must be identical to the value configured in the CA's own certificate; supplied means the field must be present in the request; optional means it may be present or absent.

The certificate-related settings in openssl.cnf are:

[[email protected] tls]# vim openssl.cnf 

[ ca ]
default_ca = CA_default                  # The default ca section               (the default CA is CA_default)

[ CA_default ]
dir = /etc/pki/CA                        # Where everything is kept             (the CA's working directory)
certs = $dir/certs                       # Where the issued certs are kept      (directory of issued certificates)
crl_dir = $dir/crl                       # Where the issued crl are kept        (certificate revocation list directory)
database = $dir/index.txt                # database index file.                 (certificate database index file)

index.txt does not exist by default and must be created by hand; its contents are then generated by the CA.

new_certs_dir = $dir/newcerts            # default place for new certs.         (where newly issued certificates are stored)
certificate = $dir/cacert.pem            # The CA certificate                   (the CA's root certificate file)
serial = $dir/serial                     # The current serial number            (certificate serial number, hexadecimal)
crlnumber = $dir/crlnumber               # the current crl number               (revoked-certificate number file)
crl = $dir/crl.pem                       # The current CRL                      (certificate revocation list file)
private_key = $dir/private/cakey.pem     # The private key                      (the CA's private key; the file must be named cakey.pem)
RANDFILE = $dir/private/.rand            # private random number file           (random-seed file, unimportant)
default_days = 365                       # how long to certify for              (default certificate validity)
default_crl_days= 30                     # how long before next                 (CRL validity / republication interval)
default_md = default                     # use public key default MD            (the default public-key digest is MD5)
preserve = no                            # keep passed DN ordering              (unimportant)

CA policy: very important

[ policy_match ]

countryName = match                      (the CA's country and the client's must be the same)

stateOrProvinceName = match              (the province must be the same)

organizationName = match                 (the organization must be the same)

organizationalUnitName = optional        (department)

commonName = supplied                    (whom the certificate is issued to; must be filled in)

emailAddress = optional                  (email, optional)

Building the CA

1. Create the required files

[[email protected] CA]# touch /etc/pki/CA/index.txt

Creates the certificate index database file (empty by default).

[[email protected] CA]# echo 01 > /etc/pki/CA/serial

Sets the serial number of the first certificate to be issued.

2. The CA's self-signed certificate

Generate the private key

  • cd /etc/pki/CA/
  • (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[[email protected] ~]# cd /etc/pki/CA/

[[email protected] CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................+++
...................................+++

Generate the self-signed certificate

  • openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
  • -new: generate a new certificate signing request
  • -x509: used only by a CA to generate a self-signed certificate
  • -key: the private key file used to generate the request (cakey.pem under private/)
  • -days n: validity period of the certificate
  • -out /PATH/TO/SOMECERTFILE: where to store the certificate
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

Country Name (2 letter code) [XX]:CN                                    ## country
State or Province Name (full name) []:beijing                           ## province
Locality Name (eg, city) [Default City]:beijing                         ## city
Organization Name (eg, company) [Default Company Ltd]:magedu            ## organization
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[[email protected] CA]# ll
total 4
-rw-r--r--  1 root root 1322 Oct  5 11:12 cacert.pem
drwxr-xr-x. 2 root root    6 Aug  4  2017 certs
drwxr-xr-x. 2 root root    6 Aug  4  2017 crl
drwxr-xr-x. 2 root root    6 Aug  4  2017 newcerts
drwx------. 2 root root   23 Oct  5 11:07 private

The CA certificate can also be exported to Windows:

[[email protected] CA]# sz cacert.pem 
rz
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring cacert.pem...
  100%       1 KB       1 KB/sec    00:00:01       0 Errors

After exporting, change the file suffix: cacert.pem.crt

[[email protected] CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d4:a9:a8:07:a3:d3:fd:13
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=opt, CN=ca.magedu.com
        Validity
            Not Before: Oct  5 03:12:54 2018 GMT
            Not After : Oct  2 03:12:54 2028 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=magedu, OU=opt, CN=ca.magedu.com

****** Viewing the existing CA certificate (the command above) ******

A client requests a certificate from the CA server

3. Issuing a certificate

1. Generate a certificate request on the host that needs the certificate

Generate the private key for the web server

(umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)

Example: the private key may be placed in whatever directory is needed

[[email protected] /etc/httpd 07:17:49]#(umask 066;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................++++++
....................++++++
e is 65537 (0x10001)

2. Generate the certificate request file

openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr

[[email protected] /etc/httpd 07:19:57]#openssl req -new -key app.key  -out app.csr


Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.bgg.com
Email Address []:

********** Note: when a client requests a certificate, the country, province and organization filled in must be identical to those of the CA certificate

[[email protected] /etc/httpd 07:23:06]#ls
app.csr  app.key

3. Transfer the certificate request file to the CA server

[[email protected] /etc/httpd 07:25:32]#scp app.csr 192.168.161.130:/etc/pki/CA
[email protected]'s password: 
app.csr                                                   100%  647     0.6KB/s   00:00

4. The CA signs the certificate and issues it to the requester

[[email protected] CA]# openssl ca -in app.csr -out certs/app.crt -days 360
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  5 06:15:04 2018 GMT
            Not After : Sep 30 06:15:04 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = opt
            commonName                = www.bgg.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                62:B6:BA:94:C0:24:F1:B1:A1:37:20:C1:25:59:DA:A9:FA:65:C2:B1
            X509v3 Authority Key Identifier: 
                keyid:45:26:FF:3F:81:CF:80:5C:35:C5:4D:FB:E2:DE:DA:6E:63:35:9A:4E

Certificate is to be certified until Sep 30 06:15:04 2019 GMT (360 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
[[email protected] CA]# tree
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

Note: by default the three fields country, province and organization name must match the CA's

[[email protected] CA]# sz certs/app.crt 
rz
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring app.crt...
  100%       3 KB       3 KB/sec    00:00:01       0 Errors

Export to Windows

If the country, province or organization name differs from the CA's, we can change the policy so that the certificate can still be issued

[[email protected] tls]# vim /etc/pki/tls/openssl.cnf        ## change the policy


[ policy_match ]
countryName             = match                           ## change to optional
stateOrProvinceName     = match                           ## change to optional
organizationName        = match
organizationalUnitName  = optional
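The whole procedure above (directory layout with index.txt and serial, CA key and self-signed root, server key and CSR, signing under [ policy_match ], and the relaxed policy just discussed) as one runnable script. This is an added example, not code from the original post: it builds everything in a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf rather than editing the system one, and uses `-subj` and `-batch` so nothing is prompted. The locality `chaoyang`, the second subject `/C=US/ST=california/O=other/CN=www.other.test` and all function names are constructed for the demo; instead of editing the policy section in place it selects the relaxed section with `-policy policy_anything`, which has the same effect.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway private CA laid
# out like /etc/pki/CA, sign a server CSR under policy_match, then show how the
# policy section decides whether a CSR whose C/ST/O differ from the CA is
# rejected (policy_match) or accepted (policy_anything). Subjects are constructed.
WORK=$(mktemp -d)
CADIR="$WORK/CA"
CNF="$WORK/openssl.cnf"
trap 'rm -rf "$WORK"' EXIT

# Step 1: directory layout, the two files openssl ca needs (index.txt, serial)
# and a minimal openssl.cnf mirroring the [CA_default]/[policy_*] keys discussed above.
ca_init() {
    mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private" &&
    chmod 700 "$CADIR/private" && : > "$CADIR/index.txt" && echo 01 > "$CADIR/serial" &&
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
# strict: C, ST and O of the request must equal the CA's own values
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# relaxed: nothing has to match the CA, only a CN is required
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 2: CA private key (umask 077: readable by its owner only) and self-signed root.
ca_selfsign() {
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null) &&
    openssl req -new -x509 -config "$CNF" -key "$CADIR/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=beijing/O=magedu/CN=ca.magedu.com" -out "$CADIR/cacert.pem" 2>/dev/null
}

# Step 3: on the requesting host, a private key and a CSR ($1 = name, $2 = subject).
make_csr() {
    (umask 066; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null) &&
    openssl req -new -config "$CNF" -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 4: the CA signs the CSR ($1 = name, $2 = policy section). -batch answers the
# y/n prompts; the exit status is non-zero when the policy rejects the request.
issue_cert() {
    openssl ca -batch -config "$CNF" -policy "$2" -notext \
        -in "$WORK/$1.csr" -out "$CADIR/certs/$1.crt" 2>/dev/null
}

# Step 5: check that the issued certificate chains to the CA, and show its subject.
verify_cert() { openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/$1.crt" >/dev/null 2>&1; }
cert_subject() { openssl x509 -in "$CADIR/certs/$1.crt" -noout -subject; }

run_demo() {
    ca_init && ca_selfsign || return 1
    make_csr app "/C=CN/ST=beijing/L=chaoyang/O=magedu/OU=opt/CN=www.bgg.com" || return 1
    issue_cert app policy_match && verify_cert app || return 1
    # L=chaoyang is absent below: openssl ca keeps only the DN fields named in the policy
    echo "policy_match   : $(cert_subject app)"
    make_csr other "/C=US/ST=california/O=other/CN=www.other.test" || return 1
    issue_cert other policy_match && return 1   # must be refused: C/ST/O differ from the CA
    echo "policy_match   : rejected the CSR whose C/ST/O differ from the CA"
    issue_cert other policy_anything && verify_cert other || return 1
    echo "policy_anything: $(cert_subject other)"
}
run_demo
DEMO_STATUS=$?
```

Run it with the openssl binary on PATH (for example `sh demo-ca.sh`, an assumed file name). Two things the interactive transcript hides become visible here: a CSR whose C, ST or O differ from the CA is refused by `openssl ca` under policy_match, which is exactly the failure the policy edit above avoids, and `openssl ca` copies into the issued certificate only the DN attributes named in the selected policy section. That second point is why the signed certificate on this page carries no `L=` even though the CSR supplied a Locality of beijing; the script's `cert_subject` output shows the same drop for `L=chaoyang`.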

 

****************************** Certificate issuance complete ******************************