OpenSSL encryption certificates

A tool for setting up secure sites and issuing the certificates they use, for example for HTTPS, FTPS and so on.

Default configuration file:

[root@bogon CA]# cat /etc/pki/tls/openssl.cnf 
[ CA_default ]
dir             = $dir/../CA            # CA's default working directory (/etc/pki/CA)
certs           = $dir/certs            # where certificates issued by the CA are kept
crl_dir         = $dir/crl              # where revoked certificates are kept
database        = $dir/index.txt        # index of certificates issued by the CA, i.e. the catalogue
new_certs_dir   = $dir/newcerts         # where newly generated certificates are saved
certificate     = $dir/cacert.pem       # the CA's self-signed certificate
serial          = $dir/serial           # serial number for certificates signed by the CA
crlnumber       = $dir/crlnumber        # serial number for CRLs issued by the CA
crl             = $dir/crl.pem          # the current certificate revocation list
private_key     = $dir/private/cakey.pem  # the CA's own private key file

Set up a private CA and self-sign its certificate

1. First create the files and directories the configuration file refers to

[root@bogon CA]# mkdir certs crl newcerts private
[root@bogon CA]# touch index.txt serial crlnumber
[root@bogon CA]# ls
certs  crl  crlnumber  index.txt  newcerts  serial

2. Give the CA's serial-number file a starting number (only needed the first time)

[root@bogon CA]# echo 01 > serial 
[root@bogon CA]# cat serial 
01

3. Generate the CA private key at the location the configuration file expects, and set its permissions to 600

[root@bogon CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
...................+++
e is 65537 (0x10001)
[root@bogon CA]# chmod 600 private/cakey.pem 
[root@bogon CA]# ls -l private/cakey.pem 
-rw-------. 1 root root 1679 Jun  4 04:50 private/cakey.pem

4. Generate the CA's self-signed certificate

  req: start a signing request; combined with -x509 it means self-issued and self-signed
  -new: create a new certificate (request)
  -x509: used only for the self-signed CA certificate; not needed when signing for others
  -key: the corresponding private key file
  -out: output file, matching the path in the configuration file
  -days: validity period

[root@bogon CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN         # country
State or Province Name (full name) []:beijing  # province
Locality Name (eg, city) [Default City]:beijing  # city
Organization Name (eg, company) [Default Company Ltd]:abc  # company
Organizational Unit Name (eg, section) []:01   # department
Common Name (eg, your name or your server's hostname) []:www.abc.com  # server hostname
Email Address []:1@abc.com  # administrator's e-mail

Issuing certificates to others

1. On the server that needs the certificate, create the key file and, for safety, set its permissions to 600. httpd is used as the example here, and the ssl directory was created by hand beforehand

[root@bogon CA]# openssl genrsa -out /etc/httpd/ssl/httpd.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................+++
.......+++
e is 65537 (0x10001) 
[root@bogon CA]# chmod 600 /etc/httpd/ssl/httpd.key 
[root@bogon CA]# ls -l /etc/httpd/ssl/httpd.key 
-rw-------. 1 root root 1679 Jun  4 17:07 /etc/httpd/ssl/httpd.key

2. Generate the certificate signing request; csr stands for the request file (the -days given here has no effect on a plain request: the validity period is set by the CA when it signs)

[root@bogon CA]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 165
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:abc
Organizational Unit Name (eg, section) []:abc
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:1@q.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:       # add a password (optional)
An optional company name []:   # optional company name, left blank here

3. Send the signing request file to the CA

[root@bogon CA]# scp /etc/httpd/ssl/httpd.csr root@172.17.148.113:/tmp
httpd.csr                   100% 1033     1.0KB/s   00:00    
[root@bogon CA]# 

4. On the CA side, sign the request that was received

  ca: sign
  crt: certificate file
  days: validity period of the signed certificate

[root@bogon CA]# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  4 09:17:01 2018 GMT
            Not After : Jun  4 09:17:01 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = abc
            organizationalUnitName    = abc\08\08
            commonName                = www.abc.com
            emailAddress              = 1@q.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                7E:7C:E1:B2:10:17:32:D5:A5:1A:FC:E4:C2:DC:E0:48:36:67:A9:BF
            X509v3 Authority Key Identifier: 
                keyid:C6:AA:7E:FE:18:6D:85:9E:B4:61:AE:4C:D3:1D:EB:61:3B:3C:36:C7
Certificate is to be certified until Jun  4 09:17:01 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Send the signed certificate back to the client

[root@bogon CA]# scp certs/httpd.crt root@172.17.148.255:/etc/httpd/ssl/

6. View the information in the signed certificate

[root@bogon CA]# cat index.txt   # view the index file
V	190604091701Z		01	unknown	/C=CN/ST=beijing/O=abc/OU=abc\x08\x08/CN=www.abc.com/emailAddress=1@q.com 
# V means valid (issued); R means revoked
[root@bogon CA]# openssl x509 -in certs/httpd.crt -noout [ -text | -serial | -subject ]
-text: show everything
-serial: show the serial number
-subject: show the subject

7. For safety, delete the csr files

[root@bogon CA]# rm -rf /tmp/httpd.csr      # CA side
[root@aaa CA]# rm -rf /etc/httpd/ssl/httpd.csr    # requester side

Revoking a certificate

1. Obtain the serial number and subject of the certificate to be revoked; this is normally done on the client

[root@bogon CA]# openssl x509 -in certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=abc/OU=abc\x08\x08/CN=www.abc.com/emailAddress=1@q.com

2. Check whether the client's serial and subject match the entry in the CA's index.txt

[root@bogon CA]# cat index.txt
V	190604091701Z		01	unknown	/C=CN/ST=beijing/O=abc/OU=abc\x08\x08/CN=www.abc.com/emailAddress=1@q.com

3. If they match, revoke

[root@bogon CA]# openssl ca -revoke newcerts/01.pem   # the newcerts directory holds a certificate file named after each serial number
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

4. Initialise the revocation-list number (only needed the first time a certificate is revoked)

[root@bogon CA]# echo 01 > crlnumber 
[root@bogon CA]# cat crlnumber 
01

5. Update the certificate revocation list; the output file name is arbitrary

[root@bogon CA]# openssl ca -gencrl -out diaoxiao.crl

6. View the revocation list

[root@bogon CA]# openssl crl -in diaoxiao.crl -noout -text
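The whole procedure above (CA setup, issuing a server certificate, revoking it and regenerating the CRL) as one non-interactive script, added here as an example and not part of the original post. It writes a minimal openssl.cnf with the same [ CA_default ] keys into a scratch directory instead of using /etc/pki/CA, answers the prompts with -subj and -batch, and finishes with the check a relying party should do against the CRL; the hostname, DN values and file names are made up.

```shell
# Added example, not the post's own session: replays the page's private-CA
# workflow non-interactively in a scratch dir, so /etc/pki/CA is untouched.
# Hostnames, DN values and paths are made up for the demo.
set -eu

# Same layout and [ CA_default ] keys as the page, plus the extension, policy
# and [ req ] sections that let `openssl req`/`openssl ca` run without prompts.
setup_ca() {                                   # $1 = scratch CA directory
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' \
    "dir = $1" 'certs = $dir/certs' 'crl_dir = $dir/crl' \
    'database = $dir/index.txt' 'new_certs_dir = $dir/newcerts' \
    'certificate = $dir/cacert.pem' 'serial = $dir/serial' \
    'crlnumber = $dir/crlnumber' 'crl = $dir/crl.pem' \
    'private_key = $dir/private/cakey.pem' 'default_md = sha256' \
    'default_crl_days = 30' 'policy = pol' 'x509_extensions = leaf' \
    '[ pol ]' 'countryName = optional' 'organizationName = optional' \
    'commonName = supplied' '[ leaf ]' 'basicConstraints = CA:FALSE' \
    '[ req ]' 'distinguished_name = dn' 'x509_extensions = root' '[ dn ]' \
    '[ root ]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = keyCertSign,cRLSign' > "$1/openssl.cnf"
  openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$1/private/cakey.pem"             # CA key readable by root only
  openssl req -new -x509 -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
    -days 3650 -subj '/C=CN/O=abc/CN=Demo Private CA' -config "$1/openssl.cnf"
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
# Server side: key + CSR. CA side: `openssl ca -batch` replaces the y/n
# prompts; a copy also lands in newcerts/<serial>.pem. CSR removed (step 7).
issue_cert() {                                 # $1 = CA dir, $2 = hostname
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
    -subj "/C=CN/O=abc/CN=$2" -config "$1/openssl.cnf"
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" \
    -out "$1/certs/$2.crt" -days 365 2>/dev/null
  rm -f "$1/$2.csr"
}
# Revoke by serial (newcerts/<serial>.pem), then regenerate the CRL; the
# index.txt entry flips from V to R.
revoke_cert() {                                # $1 = CA dir, $2 = serial
  openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
# What a relying party should check: chains to the CA *and* not on the CRL.
verify_cert() {                                # $1 = CA dir, $2 = cert file
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$2" \
    >/dev/null 2>&1 && echo OK || echo REVOKED_OR_INVALID
}
```

Run it as `CA=$(mktemp -d); setup_ca "$CA"; issue_cert "$CA" www.abc.com; revoke_cert "$CA" 01; verify_cert "$CA" "$CA/certs/www.abc.com.crt"` and inspect "$CA/index.txt" between the steps to see the V entry become R.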

posted @ 2018-06-04 17:28 ForLivetoLearn