openssl建立CA中心

實驗用了三臺機：

CA中心：server1.example.com(192.168.10.254)

mail server: station20.example.com(192.168.10.20)

mail client: station19.example.com(192.168.10.19)

實驗基於Red Hat Enterprise Linux server 5 update 4版

一.CA中心(server1.example.com:192.168.10.254)的設定

[[email protected] tls]# pwd

/etc/pki/tls

[[email protected]

cert.pem certs misc openssl.cnf private

[[email protected] tls]# rpm -qa |grep openssl

openssl-0.9.8e-12.el5

##linux下的ssl是由openssl提供的。

--------------->開始配置openssl.cnf

[[email protected] tls]#vim openssl.cnf

[ CA_default ]

dir = /etc/pki/CA #CA存放的路徑

certs = $dir/certs #存放簽名的公鑰

crl_dir = $dir/crl # 證書過期列表，存放過期證書

database = $dir/index.txt # 證書頒發、吊銷的資訊

new_certs_dir = $dir/newcerts # 證書副本(吊銷憑證)

certificate = $dir/my-ca.crt #CA公鑰(任何人都可以擁有的)

serial = $dir/serial # 序列號(每作一次簽名,序列號就增加1)

crlnumber = $dir/crlnumber #吊銷序列號

crl = $dir/my-ca.crl #吊銷證書名單列表

private_key = $dir/private/my-ca.key# The private key

RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert

default_days = 365 # 證書有效期

default_crl_days= 30 #crl更新時間

default_md = sha1 # which md to use.

preserve = no # keep passed DN ordering

[ policy_match ]

countryName = match #國家程式碼必須完全匹配

stateOrProvinceName = match #

organizationName = match

organizationalUnitName = optional #optional可以不一樣

commonName = supplied #代表唯一身份,必須不匹配

emailAddress = optional

[ req_distinguished_name ]

countryName = Country Name (2 letter code)

countryName_default = CN #國家程式碼

countryName_min = 2

countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

stateOrProvinceName_default = Hubei #洲或省

localityName = Locality Name (eg, city)

localityName_default = Wuhan #城市

0.organizationName = Organization Name (eg, company)

0.organizationName_default = Example, Inc. #組織

##openssl.cnf配置完成

[[email protected] tls]# cd ../CA/

[[email protected] CA]# ls

private

[[email protected] CA]# mkdir {certs,newcerts,crl} #建立剛才定義的那幾個目錄

[[email protected] CA]# ls

certs crl newcerts private

[[email protected] CA]# echo 00 > serial ;touch index.txt #分配一個開始序列號並建立index.txt

[[email protected] CA]# echo 00 >crlnumber #同上

------------->開始生成CA中心自己的私鑰

[[email protected] CA]#(umask 077; openssl genrsa –out private/my-ca.key –des3 2048 )

Generating RSA private key, 2048 bit long modulus

..................+++

.........................................................................................................................................+++

e is 65537 (0x10001)

Enter pass phrase for private/my-ca.key:redhat #輸入私鑰密碼

Verifying - Enter pass phrase for private/my-ca.key:redhat #確認輸入

-------------->通過私鑰來生成公鑰:

[[email protected] CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

Enter pass phrase for private/my-ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [Hubei]:

Locality Name (eg, city) [Wuhan]:

Organization Name (eg, company) [Example, Inc.]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:server1.example.com

Email Address []:

##CA中心已經搭完了,,

下面開始用服務來驗證

用一臺機搭建mail伺服器(station20.example.com:192.168.10.20)

[[email protected] ~]# yum install –y dovecot postfix system-switch-mail

[[email protected] ~]#vim /etc/postfix/main.cf

inet_interfaces = all

[[email protected] ~]# vim /etc/dovecot.conf

protocols = imaps pop3s

[r[email protected] ~]#service postfix restart

[[email protected] ~]#service dovecot restart

-------------->生成私鑰

[[email protected] ~]# openssl genrsa 1024 > station20.key

Generating RSA private key, 1024 bit long modulus

.........................++++++

..............++++++

e is 65537 (0x10001)

[[email protected] ~]# ls

anaconda-ks.cfg Desktop install.log install.log.syslog station20.key

--------------->通過私鑰生成一個證書請求檔案.

[[email protected] ~]# openssl req -new -key station20.key -out dovecot.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Hubei

Locality Name (eg, city) [Newbury]:Wuhan

Organization Name (eg, company) [My Company Ltd]:Example, Inc.

Organizational Unit Name (eg, section) []: ###以上填寫均要跟CA中心的一致

Common Name (eg, your name or your server's hostname) []:station20.example.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

---------------->把證書請求檔案發給CA中心

[[email protected] ~]# scp dovecot.csr 192.168.10.254:/root

[email protected]'s password:

dovecot.csr 100% 647 0.6KB/s 00:00

--------------->CA中心簽名[注意:現在在CA中心(server1.example.com:192.168.10.254)操作了]

[[email protected] ~]# openssl ca -in dovecot.csr -out dovecot.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Sep 3 12:06:36 2010 GMT

Not After : Sep 3 12:06:36 2011 GMT

Subject:

countryName = CN

stateOrProvinceName = Hubei

organizationName = Example, Inc.

commonName = station20.example.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

C8:F2:8B:F3:21:E4:AD:65:FC:C6:2A:E2:AB:26:8A:8D:57:A2:3A:84

X509v3 Authority Key Identifier:

keyid:5D:81:EC:7B:76:E0:9E:34:A9:99:05:0F:23:91:B9:EB:64:A6:37:05

Certificate is to be certified until Sep 3 12:06:36 2011 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

-------------->生成後傳回給mailserver(station20.example.com:192.168.10.20)

[[email protected] ~]# cp /etc/pki/CA/my-ca.crt pub/

[[email protected] ~]# cp dovecot.crt pub/

[[email protected] ~]# cd pub/

[[email protected] pub]# ls

dovecot.crt my-ca.crt

[[email protected] pub]# scp * 192.168.10.20:/root

[email protected]'s password:

dovecot.crt 100% 3699 3.6KB/s 00:00

my-ca.crt 100% 1472 1.4KB/s 00:00

-------------->設定/etc/dovecot.conf

[[email protected] ~]# ls

anaconda-ks.cfg dovecot.crt install.log my-ca.crt

Desktop dovecot.csr install.log.syslog station20.key

[[email protected] ~]# cp station20.key /etc/pki/tls/private/dovecot.pem #公鑰

[[email protected] ~]# cp dovecot.crt /etc/pki/tls/certs/dovecot.pem #私鑰

[[email protected] ~]# vim /etc/dovecot.conf

ssl_cert_file = /etc/pki/tls/certs/dovecot.pem

ssl_key_file = /etc/pki/tls/private/dovecot.pem

下面客戶端(station19.example.com:192.168.10.19)開始驗證

---------------à安裝雷鳥.(當然條件好的話咱可以使用win下的outlook或foxmail)

新建一個賬號

使用pop3,等下還要修改為pop3s的

其他的猛電擊下一步就可以了

然後再設定為995的pop3s

因為CA公鑰是權威機構,所以mail client 需要匯入CA權威公鑰,現在我從mail server 傳送CA公鑰給mail client.

[[email protected] ~]# scp my-ca.crt 192.168.10.19:/root/

[email protected]'s password:

my-ca.crt 100% 1472 1.4KB/s 00:00

我們可以先試著接收一下郵件看效果先

看吧,告訴我這是一個不受信任的證書,問you要不要信任,信不信由你, 這個在實際環境挺險的,所以我要做下一步,把咱的權威CA匯入到信任列表中,成為受信任的權威合法機構.

雷鳥匯入CA證書

點import匯入

點啥都信它.

檢視一下證書列表,看到了我們搭的CA中心了

再收郵件看看還有沒有那個不受信任的效果呢/

直接提示輸入密碼

最後啥提示都沒有,全亮綠燈,實驗基本成功

二.再香的餑餑也有過期的時候,下面做一下CA中心測試吊銷證書的實驗

------------>生成吊銷證書

[[email protected] newcerts]# pwd

/etc/pki/CA/newcerts

[[email protected] newcerts]# openssl ca -revoke 00.pem

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Revoking Certificate 00.

Data Base Updated

[[email protected] newcerts]# ls

00.pem

---------------->生成過期列表.

[[email protected] CA]# openssl ca -gencrl -out /etc/pki/CA/crl/my-ca.crl

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

由於firefox與thunderbird不支援此格式,需要轉換,一般別的不需要此步

[[email protected] crl]# openssl crl -in my-ca.crl -outform DER -out my-ca-der.crl

[[email protected] crl]# ls

my-ca.crl my-ca-der.crl

順便搭個httpserver讓別人能下載得到過期列表

[[email protected] crl]# yum install -y httpd

[[email protected] crl]# service httpd restart

[[email protected] crl]# mkdir /var/www/html/certs

[[email protected] crl]# cp my-ca-der.crl /var/www/html/certs/

客戶端匯入過期列表.

當再接收郵件時,將不可用了1!

CA的研究先到這裡了,俺是新手,歡迎學習!

轉載於:https://blog.51cto.com/masondong/401079