安全之证书与CA篇

安全之证书与CA篇

作者: 尘曦的雨 | 来源:发表于2017-07-23 14:50 被阅读48次

    申请证书

    • 申请证书的流程
      a主机向互联网上的某个CA申请证书, 提交相关信息和自己的公钥; 此时CA会用自己的私钥对a主机的公钥进行签名
      a向b发送自己的公钥; 由于CA是权威机构, b持有CA的公钥, 所以b可以用CA的公钥验证由CA私钥签名的a的公钥; 这样就通过CA间接完成了公钥交换

    openssl 的介绍

    加密文件与解密文件
     openssl enc -e -des3 -a -salt -in fstab -out fstab.ssl    加密文件fstab文件输出至fstab.ssl 
    openssl enc -d -des3 -a -salt -in fstab.ssl -out fstab.l   解密fstab.ssl  文件输出至fstab.l
    

    哈希值运算

    [root@centos7 ~]# openssl dgst fstab
    MD5(fstab)= 6565565f82e586bce20e7ea08058d26d
    [root@centos7 ~]# md5sum fstab
    6565565f82e586bce20e7ea08058d26d  fstab
    [root@centos7 ~]# 
    
    [root@centos7 ~]# openssl passwd -1 
    Password: 
    Verifying - Password: 
    $1$3x5F7nVj$n7R2Lss4M.eqVkwRDQtnn0
    

    生成随机数
    openssl rand -base64|-hex NUM
    生成公钥与私钥
    openssl
    [root@centos7 ~]# openssl genrsa -out /app/chenxi.ke -des 2048 并用对称密钥对私钥加密
    [root@centos7 ~]# (umask 066; openssl genrsa -out yuer.key -des 2048) 创建私钥并用对称密钥(口令)加密; umask 066 使生成的私钥文件只有属主可读写

    创建ca服务器

    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section   可以创建多个CA,ca_default是默认的CA
    
    ####################################################################
    [ CA_default ]  默认CA的相关配置
    
    dir             = /etc/pki/CA           # Where everything is kept  变量
    certs           = $dir/certs            # Where the issued certs are kept存放发布的证书
    crl_dir         = $dir/crl              # Where the issued crl are kept  吊销列表
    database        = $dir/index.txt        # database index file.  存放证书的编号
    #unique_subject = no                    # Set to 'no' to allow creation of  
                                            # several ctificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.  新证书的存放
    certificate     = $dir/cacert.pem       # The CA certificate  CA证书
    serial          = $dir/serial           # The current serial number下一个证书编号
    crlnumber       = $dir/crlnumber        # the current crl number吊销证书号
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem# The private key  CA私钥文件路径
    RANDFILE        = $dir/private/.rand    # private random number file
    
    x509_extensions = usr_cert              # The extentions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default            # Subject Name options
    cert_opt        = ca_default            # Certificate field options
    
    # Extension copying option: use with caution.
    # copy_extensions = copy
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions        = crl_ext
    
    default_days    = 365                   # how long to certify for证书颁发有效期
    default_crl_days= 30                    # how long before next CRL30天发布一下证书吊销列表
    default_md      = sha256                # use SHA-256 by default 哈希算法
    preserve        = no                    # keep passed DN ordering
    
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match 策略匹配;默认使用的策略
    
    # For the CA policy
    [ policy_match ]
    countryName             = match   国家名match必须与CA匹配optional可以不匹配
    stateOrProvinceName     = match 州
    organizationName        = match 组织
    organizationalUnitName  = optional 部门
    commonName              = supplied 主机或域名
    emailAddress            = optional 邮件地址
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    

    创建CA的自签名证书

    [root@centos7 app]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 9000
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN  国家名必须与之后客户端请求中的一致, 因为配置文件的 policy_match 中定义为 match
    State or Province Name (full name) []:chenxi  省份必须一致
    Locality Name (eg, city) [Default City]:chenxi  市 
    Organization Name (eg, company) [Default Company Ltd]:chenxideshijie  公司名字
    Organizational Unit Name (eg, section) []:ai部门
    Common Name (eg, your name or your server's hostname) []:chenxi.ca   ca服务器名
    Email Address []:chenxi@123.com 邮箱 可以不写
    

    查看证书文件


    客户端申请证书
    创建私钥文件 (下面示例使用1024位RSA仅作演示; 实际部署建议与上文CA私钥一样至少使用2048位)

    [root@chenxi ~]# (umask 066; openssl genrsa -out /app/service.key 1024 )
    生成证书请求
    [root@chenxi ~]# openssl req -new -key /app/service.key -out /app/service.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN  国家名必须与CA一致
    State or Province Name (full name) []:chenxi  省名字必须与CA的一致
    Locality Name (eg, city) [Default City]:chenxideyue  市的名字可以不一致
    Organization Name (eg, company) [Default Company Ltd]:chenxideshijie 公司名字必须与CA一致
    Organizational Unit Name (eg, section) []:shenghuo 部门名字可以不一致
    Common Name (eg, your name or your server's hostname) []:chenxi  域名 
    Email Address []:邮件地址
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: 
    An optional company name []:
    

    将客户端的申请证书文件传给CA服务器

    [root@chenxi ~]# scp /app/service.csr 172.16.251.154:/etc/pki/CA/
    

    为管理方便创建一个目录存放用户申请证书文件
    [root@centos7 app]# mkdir /etc/pki/CA/csr
    CA服务器为用户签署证书
    出现相应错误表示没有创建数据库文件 /etc/pki/CA/index.txt



    下面的错误表示没有 /etc/pki/CA/serial 文件

    [root@centos7 CA]# openssl ca -in /etc/pki/CA/crl/service.csr -out /etc/pki/CA/certs/service.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    /etc/pki/CA/serial: No such file or directory
    error while loading serial number
    140233124767648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
    140233124767648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    

    表示 /etc/pki/CA/serial的格式不对

    Using configuration from /etc/pki/tls/openssl.cnf
    unable to load number from /etc/pki/CA/serial
    error while loading serial number
    140223783708576:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
    

    应该这样创建此/etc/pki/CA/serial文件
    [root@centos7 CA]# echo 01 > /etc/pki/CA/serial
    创建证书

    [root@centos7 CA]# openssl ca -in /etc/pki/CA/crl/service.csr -out /etc/pki/CA/certs/service.crt -days 100   -days 100 指证书的有效天数
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 17 02:51:30 2017 GMT
                Not After : Oct 25 02:51:30 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = chenxi
                organizationName          = chenxideshijie
                organizationalUnitName    = shenghuo
                commonName                = chenxi
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    B8:AF:B5:28:90:17:97:75:21:35:A4:8A:EF:3D:15:A2:23:1D:D0:6B
                X509v3 Authority Key Identifier: 
                    keyid:DC:42:0A:44:AF:2B:33:77:09:4C:6F:76:AE:7B:4C:EE:03:1D:84:4F
    
    Certificate is to be certified until Oct 25 02:51:30 2017 GMT (100 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y  
    Write out database with 1 new entries
    Data Base Updated
    [root@centos7 CA]# openssl ca -in /etc/pki/CA/crl/service.csr -out /etc/pki/CA/certs/service.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 17 02:51:30 2017 GMT
                Not After : Oct 25 02:51:30 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = chenxi
                organizationName          = chenxideshijie
                organizationalUnitName    = shenghuo
                commonName                = chenxi
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    B8:AF:B5:28:90:17:97:75:21:35:A4:8A:EF:3D:15:A2:23:1D:D0:6B
                X509v3 Authority Key Identifier: 
                    keyid:DC:42:0A:44:AF:2B:33:77:09:4C:6F:76:AE:7B:4C:EE:03:1D:84:4F
    
    Certificate is to be certified until Oct 25 02:51:30 2017 GMT (100 days)
    Sign the certificate? [y/n]:y 是否同意
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y  确定吗
    Write out database with 1 new entries
    Data Base Updated
    
    [root@centos7 CA]# openssl ca -in /etc/pki/CA/crl/service.csr -out /etc/pki/CA/certs/service.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 17 02:51:30 2017 GMT
                Not After : Oct 25 02:51:30 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = chenxi
                organizationName          = chenxideshijie
                organizationalUnitName    = shenghuo
                commonName                = chenxi
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    B8:AF:B5:28:90:17:97:75:21:35:A4:8A:EF:3D:15:A2:23:1D:D0:6B
                X509v3 Authority Key Identifier: 
                    keyid:DC:42:0A:44:AF:2B:33:77:09:4C:6F:76:AE:7B:4C:EE:03:1D:84:4F
    
    Certificate is to be certified until Oct 25 02:51:30 2017 GMT (100 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y  
    Write out database with 1 new entries
    Data Base Updated
    
    [root@centos7 CA]# tree
    .
    ├── cacert.pem
    ├── certs  存放签发给客户端的证书的目录
    │   └── service.crt
    ├── crl
    │   └── service.csr
    ├── csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts 新签发证书的副本, 以序列号命名
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 10 files
    

    查看证书的信息


    如果同一台机器生成多个证书,不需要多个私钥
    同一个私钥生成另一个请求


    吊销证书



    创建吊销序列号文件


    更新吊销列表
