Setting up a CA with OpenSSL
The lab uses three machines:
CA: server1.example.com (192.168.10.254)
Mail server: station20.example.com (192.168.10.20)
Mail client: station19.example.com (192.168.10.19)
The lab was done on Red Hat Enterprise Linux Server 5 Update 4.
1. Setting up the CA (server1.example.com: 192.168.10.254)
[root@server1 tls]# pwd
/etc/pki/tls
[root@server1 tls]# ls
cert.pem certs misc openssl.cnf private
[root@server1 tls]# rpm -qa | grep openssl
openssl-0.9.8e-12.el5
## SSL/TLS on Linux is provided by OpenSSL; on RHEL 5 its configuration lives under /etc/pki/tls.
---------------> Configure openssl.cnf
[root@server1 tls]# vim openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # where the CA lives
certs = $dir/certs # issued certificates
crl_dir = $dir/crl # issued CRLs (lists of revoked certificates, not expired ones)
database = $dir/index.txt # database of every certificate issued or revoked
new_certs_dir = $dir/newcerts # copy of every issued certificate, named after its serial number
certificate = $dir/my-ca.crt # the CA certificate (public; anyone may have a copy)
serial = $dir/serial # next serial number (incremented on every signature)
crlnumber = $dir/crlnumber # next CRL number
crl = $dir/my-ca.crl # the current CRL
private_key = $dir/private/my-ca.key # the CA private key (root-only; everything hangs on it)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # the extensions to add to issued certificates
default_days = 365 # validity of issued certificates
default_crl_days= 30 # how long a CRL is valid before a fresh one must be issued
default_md = sha1 # which digest to use (the 0.9.8e default; anything current should use sha256, modern clients reject SHA-1 signatures)
preserve = no # keep passed DN ordering
[ policy_match ]
countryName = match # must be identical to the CA certificate's
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional # may be omitted or differ from the CA's
commonName = supplied # must be present in the request (it is the server's identity); it is not compared with the CA's
emailAddress = optional
## Fields not listed in the policy (localityName, for example) are dropped from the issued certificate.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN # country code
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hubei # state or province
localityName = Locality Name (eg, city)
localityName_default = Wuhan # city
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Example, Inc. # organization
## openssl.cnf is done
[root@server1 tls]# cd ../CA/
[root@server1 CA]# ls
private
[root@server1 CA]# mkdir {certs,newcerts,crl} # create the directories defined above
[root@server1 CA]# ls
certs crl newcerts private
[root@server1 CA]# echo 00 > serial ; touch index.txt # starting serial number, and an empty index.txt
[root@server1 CA]# echo 00 > crlnumber # likewise for the CRL number
---------------> Generate the CA's own private key
[root@server1 CA]# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048) # umask 077 makes the key readable by root only; -des3 encrypts it under a passphrase
Generating RSA private key, 2048 bit long modulus
..................+++
.........................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:redhat # enter the key passphrase
Verifying - Enter pass phrase for private/my-ca.key:redhat # confirm it
---------------> Generate the self-signed CA certificate from the private key (the certificate is what carries the CA's public key):
[root@server1 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt # 365 days is short for a CA: every certificate it issued stops validating when the CA certificate expires
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [Example, Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server1.example.com
Email Address []:
## The CA is set up.
Next, verify it with a real service.
Build a mail server on the second machine (station20.example.com: 192.168.10.20)
[root@station20 ~]# yum install -y dovecot postfix system-switch-mail
[root@station20 ~]# vim /etc/postfix/main.cf
inet_interfaces = all
[root@station20 ~]# vim /etc/dovecot.conf
protocols = imaps pop3s
[root@station20 ~]# service postfix restart
[root@station20 ~]# service dovecot restart
---------------> Generate the server's private key
[root@station20 ~]# openssl genrsa 1024 > station20.key # written with the default umask, so world-readable: wrap it in (umask 077; ...) as the CA did; 1024-bit RSA is also too short for anything current, use 2048
Generating RSA private key, 1024 bit long modulus
.........................++++++
..............++++++
e is 65537 (0x10001)
[root@station20 ~]# ls
anaconda-ks.cfg Desktop install.log install.log.syslog station20.key
---------------> Create a certificate signing request (CSR) from the private key.
[root@station20 ~]# openssl req -new -key station20.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Hubei
Locality Name (eg, city) [Newbury]:Wuhan
Organization Name (eg, company) [My Company Ltd]:Example, Inc.
Organizational Unit Name (eg, section) []: ### C, ST and O above must match the CA's exactly, or policy_match will reject the request
Common Name (eg, your name or your server's hostname) []:station20.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
---------------> Send the CSR to the CA
[root@station20 ~]# scp dovecot.csr 192.168.10.254:/root
root@192.168.10.254's password:
dovecot.csr 100% 647 0.6KB/s 00:00
---------------> Sign it at the CA [note: from here on we are on the CA, server1.example.com (192.168.10.254)]
[root@server1 ~]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 3 12:06:36 2010 GMT
Not After : Sep 3 12:06:36 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = Hubei
organizationName = Example, Inc.
commonName = station20.example.com # localityName (Wuhan) is gone: it is not listed in policy_match
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C8:F2:8B:F3:21:E4:AD:65:FC:C6:2A:E2:AB:26:8A:8D:57:A2:3A:84
X509v3 Authority Key Identifier:
keyid:5D:81:EC:7B:76:E0:9E:34:A9:99:05:0F:23:91:B9:EB:64:A6:37:05
Certificate is to be certified until Sep 3 12:06:36 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
---------------> Send the signed certificate, together with the CA certificate, back to the mail server (station20.example.com: 192.168.10.20)
[root@server1 ~]# cp /etc/pki/CA/my-ca.crt pub/
[root@server1 ~]# cp dovecot.crt pub/
[root@server1 ~]# cd pub/
[root@server1 pub]# ls
dovecot.crt my-ca.crt
[root@server1 pub]# scp * 192.168.10.20:/root
root@192.168.10.20's password:
dovecot.crt 100% 3699 3.6KB/s 00:00
my-ca.crt 100% 1472 1.4KB/s 00:00
---------------> Configure /etc/dovecot.conf
[root@station20 ~]# ls
anaconda-ks.cfg dovecot.crt install.log my-ca.crt
Desktop dovecot.csr install.log.syslog station20.key
[root@station20 ~]# cp station20.key /etc/pki/tls/private/dovecot.pem # the private key (keep it mode 0600)
[root@station20 ~]# cp dovecot.crt /etc/pki/tls/certs/dovecot.pem # the certificate
[root@station20 ~]# vim /etc/dovecot.conf
ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key_file = /etc/pki/tls/private/dovecot.pem
Restart dovecot afterwards so it picks up the new key and certificate.
Now verify from the client (station19.example.com: 192.168.10.19)
---------------> Install Thunderbird (with the right setup, Outlook or Foxmail on Windows would do just as well)
Create a new account
Use plain POP3 for now; it will be switched to POP3S shortly
Click Next through the remaining screens
Then switch it to POP3S on port 995
Because the CA is the trust anchor, the mail client has to import the CA certificate. Here I send it from the mail server to the mail client.
[root@station20 ~]# scp my-ca.crt 192.168.10.19:/root/
root@192.168.10.19's password:
my-ca.crt 100% 1472 1.4KB/s 00:00
Let's first try to fetch mail and see what happens.
See: it tells me the certificate is untrusted and asks whether I want to trust it anyway. Believe it or not as you like, but leaving that decision to the user is dangerous in a real environment (a spoofed server gets accepted in exactly the same way), so the next step is to import our CA into the trust list so that it becomes a trusted authority.
Import the CA certificate into Thunderbird
Click Import
Tick the trust checkboxes (trusting it to identify servers is all this lab needs)
Look at the certificate list: the CA we built is there
Fetch mail again and see whether the untrusted-certificate warning is still there
It goes straight to the password prompt
No warnings at all, every light green: the lab basically works
2. Even the nicest certificate eventually has to go: testing certificate revocation on the CA
---------------> Revoke the certificate
[root@server1 newcerts]# pwd
/etc/pki/CA/newcerts
[root@server1 newcerts]# openssl ca -revoke 00.pem # 00.pem is the CA's own copy of the certificate with serial 00, issued above
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Revoking Certificate 00.
Data Base Updated
[root@server1 newcerts]# ls
00.pem
---------------> Generate the CRL (certificate revocation list).
[root@server1 CA]# openssl ca -gencrl -out /etc/pki/CA/crl/my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Firefox and Thunderbird do not accept the PEM-encoded CRL, so convert it to DER; most other software does not need this step.
[root@server1 crl]# openssl crl -in my-ca.crl -outform DER -out my-ca-der.crl
[root@server1 crl]# ls
my-ca.crl my-ca-der.crl
While we're at it, set up an HTTP server so that others can download the CRL.
[root@server1 crl]# yum install -y httpd
[root@server1 crl]# service httpd restart
[root@server1 crl]# mkdir /var/www/html/certs
[root@server1 crl]# cp my-ca-der.crl /var/www/html/certs/
Import the CRL on the client.
When mail is fetched again, the connection is refused: the certificate is now revoked. (A client that has not imported the CRL, or that does not check it, still accepts the certificate; revocation only works where the CRL is actually consulted.)
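As an added example that is not part of the original post, here is the whole lab from sections 1 and 2 (CA setup, issuing the server certificate, the policy_match check, verifying the chain, revoking and checking the CRL) as one non-interactive shell script that runs in a scratch directory. It uses the page's hostnames and DNs; the private openssl.cnf it writes, the -extfile carrying a subjectAltName, the unencrypted CA key and the helper names (make_ca, issue_cert, key_matches_cert, chain_ok, revoke_cert, crl_lists) are choices made here, not steps taken on the page. It needs only the openssl command-line tool and leaves /etc/pki untouched.

```shell
#!/bin/sh
# Added example, not from the original post: this page's lab as one non-interactive
# script. It builds a throwaway CA in a directory you pass in, issues a server cert,
# shows policy_match rejecting a mismatched CSR, verifies chain and hostname, then
# revokes the cert and checks the CRL. Needs only the openssl CLI; /etc/pki is untouched.
# The CA key is left unencrypted (a real CA adds -des3/-aes256 as the page does).
set -e
umask 077   # every key written below is owner-readable only
CA_SUBJ="/C=CN/ST=Hubei/L=Wuhan/O=Example, Inc./CN=server1.example.com"
# make_ca DIR: layout, index/serial files and a private openssl.cnf equivalent to
# the [ CA_default ] and [ policy_match ] sections the page edits in /etc/pki/tls.
make_ca() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/my-ca.crt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/my-ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/private/my-ca.key" 2048 2>/dev/null
  # self-signed CA certificate; -extensions v3_ca is what marks it CA:TRUE
  openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca -days 3650 \
    -key "$dir/private/my-ca.key" -subj "$CA_SUBJ" -out "$dir/my-ca.crt"
}
# issue_cert DIR NAME SUBJ HOST: server key + CSR, then openssl ca under the policy;
# fails when the CA refuses. The SAN goes in via -extfile: clients match the hostname
# against the subjectAltName, not the CN.
issue_cert() {
  dir=$1; name=$2
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" -subj "$3" -out "$dir/$name.csr"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' 'subjectKeyIdentifier = hash' \
    'authorityKeyIdentifier = keyid' "subjectAltName = DNS:$4" > "$dir/$name.ext"
  openssl ca -batch -config "$dir/openssl.cnf" -extfile "$dir/$name.ext" \
    -in "$dir/$name.csr" -out "$dir/$name.crt" >>"$dir/ca.log" 2>&1
}
# key_matches_cert KEY CRT: the check behind the page's swapped "public/private key"
# comments; the RSA modulus in the key file must be the one in the certificate.
key_matches_cert() {
  [ "$(openssl rsa -noout -modulus -in "$1" | openssl sha256)" = \
    "$(openssl x509 -noout -modulus -in "$2" | openssl sha256)" ]
}
# chain_ok DIR CRT HOST: what a client does once my-ca.crt is imported: chain to the
# CA and match the hostname; once the CA has published a CRL, check that as well.
chain_ok() {
  dir=$1; crt=$2; host=$3
  if [ -f "$dir/crl/my-ca.crl" ]; then set -- -CRLfile "$dir/crl/my-ca.crl" -crl_check; else set --; fi
  openssl verify -CAfile "$dir/my-ca.crt" "$@" -verify_hostname "$host" "$crt" 2>&1 | grep -q ': OK$'
}
# revoke_cert DIR SERIAL: revoke newcerts/SERIAL.pem and publish a fresh CRL, PEM for
# OpenSSL and DER for Firefox/Thunderbird (the page's extra conversion step).
revoke_cert() {
  openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" >>"$1/ca.log" 2>&1
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/my-ca.crl" >>"$1/ca.log" 2>&1
  openssl crl -in "$1/crl/my-ca.crl" -outform DER -out "$1/crl/my-ca-der.crl"
}
# crl_lists DIR SERIAL: true when the DER CRL names SERIAL as revoked.
crl_lists() {
  openssl crl -inform DER -in "$1/crl/my-ca-der.crl" -noout -text | grep -q "Serial Number: $2\$"
}
# Stand-alone run of the whole lab in a scratch directory.
d=$(mktemp -d); h=station20.example.com
make_ca "$d"
issue_cert "$d" station20 "/C=CN/ST=Hubei/L=Wuhan/O=Example, Inc./CN=$h" "$h"
key_matches_cert "$d/station20.key" "$d/station20.crt" && echo "key and certificate match"
chain_ok "$d" "$d/station20.crt" "$h" && echo "chain and hostname verify"
issue_cert "$d" rogue "/C=CN/ST=Hubei/O=Other Corp/CN=$h" "$h" || echo "policy_match rejected O=Other Corp"
revoke_cert "$d" 01
chain_ok "$d" "$d/station20.crt" "$h" || echo "revoked certificate now fails -crl_check"
crl_lists "$d" 01 && echo "DER CRL lists serial 01"
rm -rf "$d"
```

Run it with sh; each check prints one line. Two things it shows that the manual run on the page does not: a CSR whose organizationName differs from the CA's is refused by the policy before anything is written to index.txt, and verification with -crl_check fails as soon as the CRL lists the serial, while a client that is never given the CRL (chain_ok before revoke_cert) keeps accepting the certificate.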
That's as far as my CA experiments go; I'm a beginner, so feedback and corrections are welcome!
Reposted from: https://blog.51cto.com/masondong/401079