使用openssl模拟CA和CA证书的签发

当使用ssl/tls进行加密通信时，必须要有数字证书。若通信只限制在局域网内，可以不向第三方机构申请签发证书，可以通过openssl模拟CA(Certificate Authority)，并通过该CA签发证书。下文讲述在Centos7.3上使用openssl工具签发证书的具体步骤。

1 生成模拟CA

1.1 修改配置文件/etc/pki/tls/openssl.cnf

打开openssl的配置文件/etc/pki/tls/openssl.cnf，修改CA机构的默认信息，具体修改内容如下

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = CN
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = JangSu

localityName            = Locality Name (eg, city)
localityName_default        = NanJing

0.organizationName      = Organization Name (eg, company)
0.organizationName_default  = ZTE

# we can do this but it is not needed normally :-)
#1.organizationName     = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName      = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech

commonName          = Common Name (eg, your name or your server\'s hostname)
commonName_max          = 64

emailAddress            = Email Address
emailAddress_max        = 64

配置项说明：

• countryName_default 默认的国家名称简写，这里配置为CN；
• stateOrProvinceName_default，默认的省份名，这里配置为JangS；
• localityName_default，默认的城市名称，这里配置为NanJing；
• 0.organizationName_default，默认的组织名称，这里配置为ZTE；
• organizationalUnitName_default，默认的部门名称，这里配置为Tech；

1.2 生成CA自签证书

生成CA的私钥

(umask 077; openssl genrsa -out private/cakey.pem 2048)

[root@localhost CA]# pwd
/etc/pki/CA

[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
..........+++
e is 65537 (0x10001)

生成自签证书

openssl req -new -x509 -key private/cakey.pem -out cacert.pem 

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.xiaojie.com
Email Address []:xiaojie@163.com

[root@localhost CA]# ls private
cacert.pem  cakey.pem

• cakey.pem为CA的私钥；
• cacert.pem为CA的自签证书；

查看签发证书中的内容

openssl x509 -text -in cacert.pem 

[root@localhost CA]# openssl x509 -text -in cacert.pem 
Certificate:
Data:
    Version: 3 (0x2)
    Serial Number: 13441978108521887108 (0xba8b7fdefd063584)
Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=CN, ST=JS, L=NanJing, O=ZTE, OU=Tech, CN=ca.xiaojie.com/emailAddress=caxiaojie@163.com
    Validity
        Not Before: Jun  2 03:30:22 2018 GMT
        Not After : Jun  2 03:30:22 2019 GMT
    Subject: C=CN, ST=JS, L=NanJing, O=Ztesoft, OU=Tech, CN=ca.xiaojie.com/emailAddress=caxiaojie@163.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)
            Modulus:
                00:d2:ce:94:8e:26:52:bd:6e:7d:54:31:02:20:57:
                01:81:1b:fc:24:3b:b1:e8:f1:4c:5d:e2:49:d8:5f:
                5c:5e:02:89:76:29:f5:8d:33:17:98:06:80:06:ee:
                37:dd:87:47:0d:f1:56:f0:cb:5e:5a:30:dc:31:46:
                5a:cb:74:4c:76:8c:58:0b:bd:85:ff:15:16:67:64:
                99:dd:53:3b:d0:6b:23:e3:35:3d:56:4a:ea:5d:89:
                ab:f3:dc:75:ee:b6:5e:71:c6:f9:f6:ae:53:72:ba:
                41:b4:06:0d:4f:80:1c:83:ab:5b:68:4f:78:eb:aa:
                c0:f2:af:c4:b5:ac:f2:e8:f5
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            3E:E1:CC:F3:0D:53:2C:E3:DC:42:16:1D:DF:7B:A6:64:0F:E7:85:0B
        X509v3 Authority Key Identifier: 
            keyid:3E:E1:CC:F3:0D:53:2C:E3:DC:42:16:1D:DF:7B:A6:64:0F:E7:85:0B

        X509v3 Basic Constraints: 
            CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
     be:5a:44:22:98:bb:cc:8a:15:32:ef:7c:ef:cb:2d:0f:6e:95:
     42:f4:1f:54:23:40:02:63:7e:52:e3:97:2d:e2:77:fb:20:3b:
     b3:b4:9f:b5:d7:01:05:5f:c2:9d:a9:2d:e8:93:48:33:ed:4c:
     8a:3c:e2:a0:f1:d3:9e:b0:37:af:4a:75:aa:4a:42:3c:4e:a6:
     c7:07:dc:98:75:84:3a:fe:8a:65:ab:4b:39:29:02:57:5b:30:
     eb:1f:26:13:cc:65:39:65:83:47:cc:e6:da:89:9d:61:3c:57:
     65:66:1d:c6:06:cb:b5:da:ae:4c:22:d0:f0:4d:ed:4c:4e:f9:
     ea:d8

创建公共目录

[root@localhost CA]# mkdir certs  crl  newcerts  private
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
certs  crl  index.txt  newcerts  private  serial

• private，CA的私钥；
• newcerts， 保存CA新签发的证书；
• crl ， 被吊销的证书列表；
• index.txt，保存签发的证书信息；
• serial，保存证书签发的序列号；

2. 机构A请求CA签发证书

生成机构A的私钥

(umask 077; openssl genrsa -out httpd.key 1024)

生成证书签发请求

openssl req -new -key httpd.key -out httpd.csr

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.xiaojie.com
Email Address []:xiaojie@123.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
httpd.csr  httpd.key

将httpd.csr发送给CA，CA根据httpd.csr签发证书

openssl ca -in httpd.csr -out httpd.crt -days 365

• -in，指定证书签发请求文件；
• -out, 指定生成的证书文件；
• -days, 指定证书的有效期；

[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  2 04:07:48 2018 GMT
            Not After : Jun  2 04:07:48 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JangSu
            organizationName          = Ztesoft
            organizationalUnitName    = Tech
            commonName                = www.xiaojie.com
            emailAddress              = xiaojie@123.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3F:8F:5F:80:F1:C4:77:0A:2E:4D:9C:75:16:FC:8B:6E:77:EF:6A:35
            X509v3 Authority Key Identifier: 
                keyid:75:D5:93:C0:53:3F:B1:DE:90:E0:9A:CC:92:BE:EF:F0:38:F4:20:C8

Certificate is to be certified until Jun  2 04:07:48 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

httpd.crt 就是签发的证书，可以直接使用httpd.crt证书了。

3. 在httpd中使用证书

安装mod_ssl模块

yum install mod_ssl

配置/etc/httpd/conf.d/ssl.conf

• 修改DocumentRoot ，DocumentRoot "/work/www/html"【网站的目录】；
• 修改ServerName， ServerName www.YOUR_DOMAIN:443【域名+443端口】；
• 配置SSLCertificateFile ，即CA证书文件httpd.crt，SSLCertificateFile /etc/ssl/certs/httpd.crt；
• 配置SSLCertificateKeyFile, 即私钥文件httpd.key， SSLCertificateKeyFile /etc/ssl/private/httpd.key；
• 配置 SSLCertificateChainFile,证书信任链，也就是根证书， 这里配置的就是CA的证书。SSLCertificateChainFile /etc/ssl/certs/cacert.pem；

参考

• Centos7.3 使httpd支持https
• 对称加密、单向加密和非对称加密