证书服务器CA的搭建和管理

  • Post author:
  • Post category:其他


很多时候,我们希望在使用互联网的时候,我们的通信是受到保护的,而在互联网上活动时使用最多的莫过于使用网站了,所以我们就需要考虑如何加密使用网站的过程中所传送的消息,htts加密协议的出现解决了我们的困扰,而htts协议是基于证书的方式实现的,那如何用证书来保护我们在网站上所传送的消息了,要想使用证书,要么向互联上的专业证书机构去申请证书,要么自己搭建证书服务器(CA)来给自己的网络设备颁发证书,以保证相互之间的通信是通过加密协议传输的。当然如果去向专业的证书机构申请证书是需要花费较大代价的,所以很多企业想使用证书加密通信,但又不想花太大的代价去申请证书,所以就在自己公司的服务器上的搭建属于自己的证书管理服务器(CA),所以做为一名运维人员,就很有必要来探讨一下这个话题了。



一、CA的搭建和管理的相关知识


openssl的配置文件:/etc/pki/tls/openssl.cnf



(1) 创建所需要的文件

touch /etc/pki/CA/index.txt

echo 01 > /etc/pki/CA/serial



(2) CA自签证书


生成私钥

cd /etc/pki/CA/

(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)


生成自签名证书

openssl req -new -x509 –key /etc/pki/CA/private/cakey.pem -days 7300

-out /etc/pki/CA/cacert.pem

-new: 生成新证书签署请求

-x509: 专用于CA生成自签证书

-key: 生成请求时用到的私钥文件

-days n:证书的有效期限

-out /PATH/TO/SOMECERTFILE: 证书的保存路径



(3) 颁发证书


(a) 在需要使用证书的主机生成证书请求;

给web服务器生成私钥

(umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

生成证书申请文件

openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr


(b) 将证书请求文件传输给CA


(c) CA签署证书,并将证书颁发给请求者;

openssl ca -in /tmp/httpd.csr –out /etc/pki/CA/certs/httpd.crt -days 365

注意:默认国家,省 ,公司名称必须和CA一致


(d) 查看证书中的信息:

openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|subject|serial|dates



(4) 吊销证书


(a) 在客户端获取要吊销的证书的serial

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject


(b) 在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致

吊销证书:openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem


(c) 生成吊销证书的编号(第一次吊销一个证书时才需要执行)

echo 01 > /etc/pki/CA/crlnumber


(d) 更新证书吊销列表

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

查看crl文件:

openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text



二、搭建CA



1、CA环境展示:

[root@Centos630G ~]# hostname

Centos630G

[root@Centos630G ~]# ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:e1:ee:04 brd ff:ff:ff:ff:ff:ff

inet 10.1.42.61/16 brd 10.1.255.255 scope global eth0

inet6 fe80::20c:29ff:fee1:ee04/64 scope link

valid_lft forever preferred_lft forever

[root@Centos630G ~]# cd /etc/pki/CA

[root@Centos630G CA]# tree

.

├── certs

├── crl

├── newcerts

└── private

4 directories, 0 files

[root@Centos630G CA]#



2、创建CA需要的文件:

[root@Centos630G CA]# touch index.txt

[root@Centos630G CA]# echo 01 > serial

[root@Centos630G CA]# ll

total 20

drwxr-xr-x. 2 root root 4096 May  9 10:56 certs

drwxr-xr-x. 2 root root 4096 May  9 10:56 crl

-rw-r–r–. 1 root root    0 Sep 22 12:27 index.txt

drwxr-xr-x. 2 root root 4096 May  9 10:56 newcerts

drwx——. 2 root root 4096 May  9 10:56 private

-rw-r–r–. 1 root root    3 Sep 22 12:27 serial

[root@Centos630G CA]#



3、给CA创建私钥:

[root@Centos630G CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

……………..+++

………….+++

e is 65537 (0x10001)

[root@Centos630G CA]# tree

.

├── certs

├── crl

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

4 directories, 3 files

[root@Centos630G CA]#



4、给CA生成自签名证书:

[root@Centos630G CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:haidian

Organization Name (eg, company) [Default Company Ltd]:companyA

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server’s hostname) []:centos630g

Email Address []:183530300@qq.com

[root@Centos630G CA]# ls

cacert.pem  certs  crl  index.txt  newcerts  private  serial

[root@Centos630G CA]#



三、使用CA给客户颁发证书



1、申请证书的客户机环境展示:

[root@centos730g ~]# hostname

centos730g

[root@centos730g ~]# ip addr show eno16777736

2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:4c:4a:32 brd ff:ff:ff:ff:ff:ff

inet 10.1.42.71/16 brd 10.1.255.255 scope global eno16777736

valid_lft forever preferred_lft forever

inet6 fe80::20c:29ff:fe4c:4a32/64 scope link

valid_lft forever preferred_lft forever

[root@centos730g ~]#



2、给客户机生成私钥:

[root@centos730g ~]# (umask 066;openssl genrsa -out centos730g.prikey 2048)

Generating RSA private key, 2048 bit long modulus

………………………….+++

…………………………………………………………………..+++

e is 65537 (0x10001)

[root@centos730g ~]# ls

centos730g.prikey

[root@centos730g ~]#



3、给客户机生成证书申请文件:

[root@centos730g ~]# openssl req -new -key centos730g.prikey -days 365 -out centos730g.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:haidian

Organization Name (eg, company) [Default Company Ltd]:companyA

Organizational Unit Name (eg, section) []:web

Common Name (eg, your name or your server’s hostname) []:centos730g

Email Address []:183530300@qq.com

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@centos730g ~]# ls

centos730g.csr  centos730g.prikey

[root@centos730g ~]#



4、在客户机上将证书申请文件传输到CA上:

[root@centos730g ~]# scp centos730g.csr 10.1.42.61:/etc/pki/CA/crl

The authenticity of host ‘10.1.42.61 (10.1.42.61)’ can’t be established.

RSA key fingerprint is 91:e8:0f:0d:56:3c:38:b4:bf:b0:dd:b5:ee:0c:cb:b4.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘10.1.42.61’ (RSA) to the list of known hosts.

root@10.1.42.61’s password:

centos730g.csr               100% 1050     1.0KB/s   00:00

[root@centos730g ~]#



5、在CA上给申请签证的客户签署证书:

[root@Centos630G CA]# ls crl

centos730g.csr

[root@Centos630G CA]# openssl ca -in crl/centos730g.csr -out certs/centos730g.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Sep 22 17:15:37 2016 GMT

Not After : Sep 22 17:15:37 2017 GMT

Subject:

countryName               = cn

stateOrProvinceName       = beijing

organizationName          = companyA

organizationalUnitName    = web

commonName                = centos730g

emailAddress              = 183530300@qq.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC

X509v3 Authority Key Identifier:

keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12

Certificate is to be certified until Sep 22 17:15:37 2017 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@Centos630G CA]# ls certs

centos730g.crt

[root@Centos630G CA]#



6、在CA上将签署好的证书传输给申请的客户:

[root@Centos630G CA]# scp certs/centos730g.crt 10.1.42.71:/rootThe authenticity of host ‘10.1.42.71 (10.1.42.71)’ can’t be established.

RSA key fingerprint is f2:c8:a3:77:da:65:42:3a:bf:53:24:e2:0b:0f:23:eb.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘10.1.42.71’ (RSA) to the list of known hosts.

root@10.1.42.71’s password:

centos730g.crt               100% 4596     4.5KB/s   00:00

[root@Centos630G CA]#



7、客户收到颁发的证书之后,就可以配置相应的网络服务开始使用了

[root@centos730g ~]# ll

total 16

-rw-r–r–. 1 root root 4596 Sep 22 17:17 centos730g.crt

-rw-r–r–. 1 root root 1050 Sep 22 17:10 centos730g.csr

-rw——-. 1 root root 1675 Sep 22 16:41 centos730g.prikey

[root@centos730g ~]#


查看颁发的证书

[root@centos730g ~]# openssl x509 -in centos730g.crt -noout -te

xt

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1 (0x1)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=cn, ST=beijing, L=haidian, O=companyA, OU=IT, CN=centos630g/emailAddress=183530300@qq.com

Validity

Not Before: Sep 22 17:15:37 2016 GMT

Not After : Sep 22 17:15:37 2017 GMT

Subject: C=cn, ST=beijing, O=companyA, OU=web, CN=centos730g/emailAddress=183530300@qq.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:ca:a2:3c:e5:04:7a:5c:88:fd:2a:64:5d:41:18:

95:4f:4e:b4:ae:06:07:5b:e0:ac:d1:74:99:f4:3d:

2a:0a:35:4c:90:49:cf:51:84:69:44:de:e2:c1:9b:

9f:8d:29:9c:b7:5a:c2:b0:fd:a6:29:84:91:73:7f:

1a:f9:ba:00:f0:8f:2d:28:18:a5:bd:24:8b:cc:a0:

31:45:d8:c7:fe:51:da:5f:f5:27:39:02:fb:7e:07:

b7:6c:63:0f:b1:ec:7c:f5:57:c7:8c:1a:9f:23:04:

e0:2e:d6:c6:3a:ad:b3:5c:42:13:54:62:a1:83:ed:

d2:61:48:eb:98:06:a5:32:d3:b2:5b:00:05:0a:6b:

fb:97:90:1f:10:d9:8c:e6:00:af:c2:72:cc:ba:08:

fd:98:87:99:80:ec:40:41:a2:a6:df:ae:1b:29:bc:

22:25:f0:3f:59:6a:10:31:65:c8:44:7a:2b:2f:0b:

00:ce:d7:a6:3c:ab:83:47:10:20:75:76:46:51:9d:

ca:a8:65:b0:7f:28:d9:4c:24:90:47:4f:40:6c:ba:

b5:cf:cd:bb:a3:07:f3:35:f0:08:cc:61:52:90:ea:

57:c2:3b:9f:cc:c1:b0:4a:e5:8b:21:8c:c8:74:b2:

da:8d:aa:94:de:d3:bb:c3:9e:10:6c:d9:93:7a:b9:

5b:8d

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC

X509v3 Authority Key Identifier:

keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12

Signature Algorithm: sha1WithRSAEncryption

10:23:27:f2:3c:ad:3c:ca:6a:d3:ae:db:1d:fb:51:95:2f:91:

ef:ba:f4:b3:b2:91:dc:0a:e0:7a:3f:45:e5:97:16:24:a0:52:

a4:3e:51:d1:86:c1:d0:de:d7:3c:7f:62:3c:f1:9e:88:93:03:

15:c4:38:29:ba:cc:ba:0c:78:d0:7e:76:e5:dd:70:a4:6e:17:

e7:19:ae:47:f3:39:32:d7:97:67:73:bb:bb:4a:28:ed:a1:f5:

ec:d6:46:4d:8c:80:27:e2:48:f7:1b:54:58:1e:cc:cb:52:0b:

91:24:b5:04:28:5c:70:1f:22:aa:3b:7f:4b:7d:f3:8a:f8:35:

07:38:47:68:8c:57:b8:77:64:7a:bd:95:d5:5e:c8:82:32:a8:

5b:ac:2b:c2:72:fa:08:ea:ee:30:1b:a9:39:eb:77:6e:65:32:

90:ee:11:cc:38:05:84:a2:ed:14:d8:cc:73:ac:01:8c:8d:ae:

27:38:c3:de:cd:75:4d:d3:09:9d:6e:b8:c3:e6:b1:c5:79:12:

46:da:f4:c8:fe:97:1c:4b:66:c6:98:d6:b9:7c:fe:4a:a1:30:

97:32:2e:01:cf:3c:eb:b8:bd:e1:da:6f:bc:98:8c:b8:99:b6:

dc:42:51:b7:d1:ad:92:ff:95:91:ab:0f:3d:1e:db:e4:9e:1d:

b0:b0:99:04

[root@centos730g ~]#



四、CA上吊销证书



1、在申请吊销证书的客户机上查看需要吊销的证书的serial以及subject信息,并提交给CA

[root@centos730g ~]# openssl x509 -in centos730g.crt -noout -serial -subject

serial=01

subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=183530300@qq.com

[root@centos730g ~]#



2、在CA上根据客户提交的serial以及subject信息,比对服务器上index.txt文件中的信息一致后,执行吊销证书操作

[root@Centos630G CA]# openssl x509 -in certs/centos730g.crt -noout -serial -subject

serial=01

subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=183530300@qq.com

[root@Centos630G CA]# cat index.txt

V


170922171537Z


01


unknown


/C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=183530300@qq.com

[root@Centos630G CA]#



3、信息确认一致,正式执行吊销操作

[root@Centos630G CA]# tree

.

├── cacert.pem

├── certs

│   └── centos730g.crt

├── crl

│   └── centos730g.csr

├── index.txt

├── index.txt.attr

├── index.txt.old

├── newcerts

│   └── 01.pem

├── private

│   └── cakey.pem

├── serial

└── serial.old

4 directories, 10 files

[root@Centos630G CA]# openssl ca -revoke newcerts/01.pem

Using configuration from /etc/pki/tls/openssl.cnf

Revoking Certificate 01.

Data Base Updated

[root@Centos630G CA]# tree

.

├── cacert.pem

├── certs

│   └── centos730g.crt

├── crl

│   └── centos730g.csr

├── index.txt

├── index.txt.attr

├── index.txt.attr.old

├── index.txt.old

├── newcerts

│   └── 01.pem

├── private

│   └── cakey.pem

├── serial

└── serial.old

4 directories, 11 files

[root@Centos630G CA]#

此时多出了一个新文件:index.txt.attr.old



4、生成吊销证书的编号(第一次吊销证书时才需要执行本操作)

[root@Centos630G CA]# echo 01 > crlnumber

[root@Centos630G CA]# openssl ca -gencrl -out crl/ca.crl

Using configuration from /etc/pki/tls/openssl.cnf

[root@Centos630G CA]# tree

.

├── cacert.pem

├── certs

│   └── centos730g.crt

├── crl

│   ├── ca.crl

│   └── centos730g.csr

├── crlnumber

├── crlnumber.old

├── index.txt

├── index.txt.attr

├── index.txt.attr.old

├── index.txt.old

├── newcerts

│   └── 01.pem

├── private

│   └── cakey.pem

├── serial

└── serial.old

4 directories, 14 files

[root@Centos630G CA]#


第一次吊销操作完成后会在CA上多出4个新文件

index.txt.attr.old

ca.crl

crlnumber.old

index.txt.attr.old


查看证书吊销列表文件

[root@Centos630G CA]# openssl crl -in crl/ca.crl -noout -text

Certificate Revocation List (CRL):

Version 2 (0x1)

Signature Algorithm: sha1WithRSAEncryption

Issuer: /C=cn/ST=beijing/L=haidian/O=companyA/OU=IT/CN=centos630g/emailAddress=183530300@qq.com

Last Update: Sep 22 17:44:35 2016 GMT

Next Update: Oct 22 17:44:35 2016 GMT

CRL extensions:

X509v3 CRL Number:

1

Revoked Certificates:

Serial Number: 01

Revocation Date: Sep 22 17:29:54 2016 GMT

Signature Algorithm: sha1WithRSAEncryption

11:5a:02:a8:9f:a0:9c:85:c0:cd:e8:65:06:98:90:f0:31:83:

cc:c6:f5:7d:4b:4b:d7:1a:57:63:c5:ac:ac:51:d4:46:d8:80:

f7:0c:94:42:5f:24:f1:87:97:f6:05:23:de:b4:3e:3b:3f:4f:

d2:55:ef:13:c0:78:80:d1:eb:fa:47:eb:1c:58:cb:d4:f2:9b:

bd:eb:88:2a:d5:be:05:ee:26:f8:ba:ba:cf:a3:7f:8c:73:db:

84:a3:de:74:9c:4d:eb:64:69:be:78:d1:ec:f9:82:10:46:72:

5f:5a:e3:99:c4:f9:1c:36:18:f4:b7:5e:f4:72:6b:20:b0:98:

7a:3c:c1:a4:e6:c3:d5:af:3f:68:44:7b:ae:34:69:0e:49:fd:

fc:1f:70:9c:f6:b9:d4:a2:c1:25:d8:d1:e1:75:82:53:c4:63:

c2:ce:1a:47:81:4a:73:18:81:35:ba:24:95:ff:8e:b3:61:6f:

ce:ae:49:2f:73:d4:14:e3:5a:04:a6:c4:15:71:3b:e2:4c:fa:

7f:05:42:1a:41:02:98:cb:82:70:ee:de:b2:5f:90:a9:cb:18:

93:28:dd:ff:62:e1:90:7e:88:cd:19:41:40:5f:17:47:65:2f:

ab:95:0f:27:8f:95:44:05:b7:d9:90:3e:e3:8c:ff:e9:d0:55:

49:05:97:a9

[root@Centos630G CA]#

掌握了上述这些操作的同时,搭建及管理私有CA是没什么问题了,所以大家可以自行实践,有什么问题,欢迎留言指正。

转载于:https://blog.51cto.com/183530300/1856773


关闭菜单