1 What is a CA

A CA (Certificate Authority) is the body responsible for issuing, managing, archiving and revoking certificates. A certificate contains the holder's name, address, e-mail address and public key, the certificate's validity period, the issuing CA, the CA's digital signature and related information. Certificates serve three main purposes: encryption, signing and identity verification.

2 Setting up the CA server

2.1 Inspecting the configuration file

default_ca      = CA_default            # The default ca section   # which section the ca command takes its settings from

####################################################################
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept   # the CA's home directory
certs           = $dir/certs            # Where the issued certs are kept   # where issued certificates are stored
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.   # the certificate index file
#unique_subject = no                    # Set to 'no' to allow creation of   # whether to allow several requests with the same subject
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.   # where newly issued certificates are placed
certificate     = $dir/cacert.pem       # The CA certificate   # the certificate the CA issued to itself (self-signed certificate)
serial          = $dir/serial           # The current serial number   # the current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL   # the current certificate revocation list
private_key     = $dir/private/cakey.pem# The private key   # location of the CA's own private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
default_days    =                       # how long to certify for   # default validity period of issued certificates
policy          = policy_match          # certificate issuance policy; the section is defined just below

# For the CA policy
[ policy_match ]
countryName             = match         # match means this field must be identical in the CA's certificate and in the request; the other settings matter much less
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

countryName_default     = XX            # default country, a two-letter code; further defaults follow below (default state, city, organization and so on)

2.2 Generating the private key

[root@localhost CA]# cd /etc/pki/CA/               # change into the CA directory
[root@localhost CA]# (umask ; openssl genrsa -out private/cakey.pem 2048) # call the openssl subcommand genrsa to generate the private key
Generating RSA private key, bit long modulus
..+++
...................................................................................................................................................................................................................+++
e is (0x10001)

Note: wrapping the commands in () runs them in a subshell of the current shell, so settings made inside () take effect only in that subshell; the commands inside are separated with ";". umask sets the file-creation mask, the -out option specifies where the generated private key is written (without it the key is printed to the terminal), and 2048 specifies the key length (the default is 1024).

2.2 Generating the self-signed certificate

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.com
Email Address []:caadmin@linuxpanda.com
  • req: generate a certificate signing request
  • -x509: generate a self-signed certificate
  • -days n: number of days the certificate is valid
  • -new: a new request
  • -key /path/to/keyfile: the private key file to use
  • -out /path/to/somefile: where to write the certificate

2.3 Viewing the CA's own certificate

[root@localhost CA]$ openssl x509 -in cacert.pem  -noout -text

2.4 Initializing the working environment

[root@localhost CA]# touch index.txt serial   # create the index.txt and serial files
[root@localhost CA]# echo >serial # write the initial value
[root@localhost CA]# mkdir csr crl newcerts # create the csr, crl and newcerts directories
  • index.txt: index file, used to look up certificates by their number
  • serial: certificate serial-number file; it is given a value only when the first certificate is generated
  • csr: directory for certificate requests
  • crl: directory for revocation lists
  • newcerts: directory for issued certificates

3 A node applies for a certificate

3.1 Generating the key pair

[root@localhost CA]# cd /etc/httpd/ssl                       # enter httpd's ssl configuration subdirectory
-bash: cd: /etc/httpd/ssl: No such file or directory
[root@localhost CA]# ls
cacert.pem index.txt private serial
[root@localhost CA]# cd /etc/httpd/               # look at the directory layout
[root@localhost httpd]# ls
conf conf.d logs modules run  
[root@localhost httpd]# mkdir ssl               # create the ssl directory that will hold the key
[root@localhost httpd]# (umask ; openssl genrsa -out ssl/httpd.key ) # generate the private key
Generating RSA private key, bit long modulus
.+++
............................+++
e is (0x10001)

3.2 Generating the certificate request

[root@localhost httpd]# openssl req -new -key ssl/httpd.key  -out ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:tech1.linuxpanda.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.3 Sending the certificate request file to the CA server

[root@localhost httpd]# scp ssl/httpd.csr 192.168.137.100:/etc/pki/CA/csr/httpd.csr
root@192.168.137.100's password:
httpd.csr % .0KB/s :
[root@localhost httpd]# ls /etc/pki/CA/csr
httpd.csr

4 The CA server signs the certificate

4.1 Signing the certificate on the CA server

[root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
:error::system library:fopen:No such file or directory:bss_file.c::fopen('../../CA/private/cakey.pem','r')
:error::BIO routines:FILE_CTRL:system lib:bss_file.c::
unable to load CA private key
[root@localhost CA]# vim /etc/pki/tls/
cert.pem certs/ misc/ openssl.cnf private/
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf # edit the configuration file: change ../../CA to /etc/pki/CA
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory # the newcerts directory had not been created
/etc/pki/CA/newcerts: No such file or directory
[root@localhost CA]# mkdir newcerts # create the newcerts directory
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x1)
Validity
Not Before: Mar :: GMT
Not After : Mar :: GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = ZKYT
organizationalUnitName = TECH
commonName = tech1.linuxpanda.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B3:E9::1A::::F1:A2::B4::C6:FD:5A:AF:8E::CB:C3
X509v3 Authority Key Identifier:
keyid::0F:4A:D3::3F::D7:FA::3C:0A::9B:6F:6A::::
Certificate is to be certified until Mar :: GMT ( days)
Sign the certificate? [y/n]:y
out of certificate requests certified, commit? [y/n]y
Write out database with new entries

4.2 Sending the certificate back to the requester

[root@localhost CA]# scp httpd.crt  192.168.137.100:/etc/httpd/ssl
root@192.168.137.100's password:
httpd.crt

5 Revoking a certificate

5.1 The node requests revocation

[root@localhost CA]# openssl x509 -in httpd.crt  -noout -serial -subject
serial=
subject= /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com
  • x509: the certificate format
  • -in: the certificate to be revoked
  • -noout: do not print additional output
  • -serial: show the serial number
  • -subject: show the subject

5.2 Check that the serial and subject submitted by the node match the entry in index.txt

[root@localhost CA]# cat index.txt
V 180325021521Z unknown /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com

5.3 Revoking the certificate

[root@localhost CA]# openssl ca -revoke newcerts/.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate .
Data Base Updated

5.4 Generating the CRL number (only needed for the first revocation)

[root@localhost CA]# echo  > crlnumber

5.5 Updating the certificate revocation list

Although we revoked the certificate above, nobody else can know that yet. Only a CRL lets other parties learn whose certificate has been revoked.

[root@localhost CA]# openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

5.6 Viewing the contents of the CRL file

[root@localhost CA]# openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
Version (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=HENAN/L=ZHENGZHOU/O=ZKYT/OU=TECH/CN=ca.linuxpanda.com/emailAddress=caadmin@linuxpanda.com
Last Update: Mar :: GMT
Next Update: Apr :: GMT
CRL extensions:
X509v3 CRL Number:
Revoked Certificates:
Serial Number:
Revocation Date: Mar :: GMT
Signature Algorithm: sha1WithRSAEncryption
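The whole workflow of sections 2 to 5 in one non-interactive script, as an added example that is not code from the original post: it builds a throwaway CA under a temporary directory with its own minimal openssl.cnf (so /etc/pki/tls/openssl.cnf is left untouched and the dir setting is absolute, which is what the ../../CA error in 4.1 was about), issues a certificate for a node, revokes it, publishes a CRL and then shows that openssl verify rejects the revoked certificate only when -crl_check is given. It assumes an openssl binary on PATH; the DN values are the post's, while the temporary paths and file names are constructed for the demo.

```bash
#!/bin/bash
# Added example, not code from the original post: a throwaway CA in a temp
# directory that issues, revokes and CRL-checks one certificate, mirroring
# sections 2 to 5. Assumes openssl on PATH; DNs are the post's, paths are made up.
set -eu
CADIR=$(mktemp -d); trap 'rm -rf "$CADIR"' EXIT     # everything lives under one temp dir
CNF=$CADIR/openssl.cnf; CACERT=$CADIR/cacert.pem; CRT=$CADIR/httpd.crt; CRL=$CADIR/crl/ca.crl
SUBJ="/C=CN/ST=HENAN/O=ZKYT"   # policy_match requires C, ST and O to equal the CA's own

setup_ca() {   # sections 2.1-2.4: directory layout, config, CA key, self-signed cert
  (umask 077; mkdir -p "$CADIR/private" "$CADIR/newcerts" "$CADIR/crl" "$CADIR/csr")
  touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
  # dir is absolute, which avoids the '../../CA' error the post ran into in 4.1
  printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' "dir = $CADIR" \
    'new_certs_dir = $dir/newcerts' 'database = $dir/index.txt' 'serial = $dir/serial' \
    'crlnumber = $dir/crlnumber' 'certificate = $dir/cacert.pem' \
    'private_key = $dir/private/cakey.pem' 'default_md = sha256' 'policy = policy_match' \
    'x509_extensions = usr_cert' '[ policy_match ]' 'countryName = match' \
    'stateOrProvinceName = match' 'organizationName = match' 'commonName = supplied' \
    '[ usr_cert ]' 'basicConstraints = CA:FALSE' '[ v3_ca ]' 'basicConstraints = CA:TRUE' \
    'keyUsage = keyCertSign, cRLSign' '[ req ]' 'distinguished_name = dn' '[ dn ]' > "$CNF"
  (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$CADIR/private/cakey.pem" -out "$CACERT" -days 3650 \
    -subj "$SUBJ/CN=ca.linuxpanda.com" -config "$CNF" -extensions v3_ca
}

issue_cert() {   # sections 3 and 4: node key and CSR, then the CA signs it
  (umask 077; openssl genrsa -out "$CADIR/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$CADIR/httpd.key" -out "$CADIR/csr/httpd.csr" \
    -subj "$SUBJ/CN=tech1.linuxpanda.com" -config "$CNF"
  openssl ca -batch -config "$CNF" -days 365 -in "$CADIR/csr/httpd.csr" -out "$CRT" 2>/dev/null
}

revoke_and_publish_crl() {   # section 5: flag the entry in index.txt, then issue the CRL
  openssl ca -config "$CNF" -revoke "$CRT" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -crldays 30 -out "$CRL" 2>/dev/null
}

verify_cert() {   # exit 0 if httpd.crt chains to the CA; pass -crl_check to consult the CRL
  local opts=""
  [ "${1:-}" = "-crl_check" ] && opts="-CRLfile $CRL -crl_check"
  openssl verify -CAfile "$CACERT" $opts "$CRT" >/dev/null 2>&1
}
revoked_count() { grep -c '^R' "$CADIR/index.txt"; }   # index.txt marks revoked entries with R

setup_ca; issue_cert
verify_cert && echo "issued certificate verifies"
revoke_and_publish_crl
verify_cert && echo "still verifies without -crl_check: a revocation is invisible until the CRL is consulted"
verify_cert -crl_check || echo "rejected once the CRL is checked ($(revoked_count) entry revoked)"
```

The last two lines are the point of section 5.5: revoking a certificate only changes index.txt on the CA, and relying parties see nothing until they fetch and check the published CRL.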
