Building a private CA
1. Purpose of the lab
Build a private CA that can provide certificate signing for servers inside the company.
2. Lab environment:
System setup: CentOS 7 (the CA server), CentOS 6 (a server that needs a certificate)
Required packages: openssl, openssl-libs, libssl
3. Configuration file walkthrough
Building the CA relies on /etc/pki/tls/openssl.cnf, which is installed by the openssl-libs package.
The options in this file that matter for the CA are listed below; the rest of the file is left untouched, and options not listed here should not be modified.
[ ca ]
default_ca = CA_default               # the CA section that is used by default
[ CA_default ]
dir = /etc/pki/CA                     # the CA's working directory
certs = $dir/certs                    # where issued certificates are kept; $dir refers to the dir option above, and the same applies to the lines that follow
crl_dir = $dir/crl                    # directory for revocation lists (CRLs)
database = $dir/index.txt             # the certificate database. Note: this file does not exist by default; it must be created by hand, otherwise `openssl ca` fails when signing
new_certs_dir = $dir/newcerts         # every signing stores a copy of the new certificate here, named after its serial number (01.pem, 02.pem, ...); it is the same certificate that -out writes to the path you choose
certificate = $dir/cacert.pem         # the CA's own certificate, self-signed or issued by a parent CA. Note: this is the CA's certificate, not an issued one
serial = $dir/serial                  # holds the serial number of the next certificate. Note: does not exist by default; create it and initialise it with a hexadecimal number (01 is used below)
crlnumber = $dir/crlnumber            # holds the number of the next CRL (a counter for revocation lists, not for certificates)
crl = $dir/crl.pem                    # the current CRL
private_key = $dir/private/cakey.pem  # the CA's own private key
RANDFILE = $dir/private/.rand         # the CA's random seed file; no need to change it
x509_extensions = usr_cert            # the extensions added to issued certificates
default_days = 365                    # default validity of issued certificates
default_crl_days= 30                  # how many days until the next CRL is due (nextUpdate)
default_md = sha256                   # the default message digest (hash) used when signing
policy = policy_match                 # which policy applies to requests; this is a reference to the "[ policy_match ]" section
[ policy_match ]                      # the default policy for certificate requests
countryName = match                   # country
stateOrProvinceName = match           # state or province
organizationName = match              # organisation name
organizationalUnitName = optional     # organisational unit
commonName = supplied                 # common name (the hostname)
emailAddress = optional               # e-mail address
[ policy_anything ]                   # an alternative, looser policy: only the common name is required
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
In a policy, match means the field in the request must be identical to the field in the CA's own certificate, supplied means it must be present, and optional means it may be present. Fields that a policy does not mention at all (localityName in policy_match, for example) are dropped from the issued certificate. To use a different policy, write your own section or adapt one of the two defaults and point the policy option at it.
4. Modifying openssl.cnf
A private CA is normally used only inside the company, as the company's own certificate server, so we keep the system default policy "policy_match": countryName, stateOrProvinceName and organizationName in every request must match the CA's own certificate exactly. Since we never issue certificates to other organisations, the stricter policy is the right choice.
default_days: change the default validity to 20 years: default_days = 7300. This only sets the default that `openssl ca` applies when no -days is given; a 20-year default is generous for server certificates, so in the signing step below -days is passed explicitly.
5. Setting up the private CA
The CA is set up in two steps:
1. Generate the CA's own private key
2. Generate the self-signed certificate
1. Build the CA
[root@newhostname tls]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
.................................................+++
.........................................................+++
e is 65537 (0x10001)
Generate the CA's own private key. Note: the key must be saved at the location given in the config file (private_key = $dir/private/cakey.pem), with exactly that file name. Running genrsa in a subshell with umask 066 creates the file with mode 0600, so only root can read it, without changing the umask of the current shell. No key size is given, so this OpenSSL build's default of 2048 bits is used. The key is written unencrypted; for a CA that is used for real, add -aes256 to genrsa so the key is also protected by a passphrase.
[root@newhostname tls]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/certs/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:zh
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xedj
Organizational Unit Name (eg, section) []:xedj
Common Name (eg, your name or your server's hostname) []:*.xedj.com
Email Address []:
req is the certificate request utility; see man req for the full list of options.
-new generates a new request.
-key names the private key that signs it.
-x509 outputs a self-signed certificate instead of a request.
-days sets the certificate's validity. This option is needed here: the default_days changed in section 4 applies to `openssl ca`, not to `openssl req -x509`, which would otherwise issue a 30-day certificate.
Note: Country Name is a two-letter ISO 3166 code; for China that is CN ("zh" is a language code). The value is accepted, but under policy_match every request must then carry exactly the same value, because it is compared with the CA certificate.
Note also that the output must be the file named in the config (certificate = $dir/cacert.pem, that is /etc/pki/CA/cacert.pem), otherwise `openssl ca` fails later with an error. The command above wrote the certificate into /etc/pki/CA/certs/ instead; this is corrected in section 6 by moving the file.
2. Now look at the certificate that was generated
[root@newhostname certs]# cat /etc/pki/CA/certs/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDmzCCAoOgAwIBAgIJAKz4AXj1nsaNMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV
BAYTAnpoMRAwDgYDVQQIDAdiZWlqaW5nMRAwDgYDVQQHDAdiZWlqaW5nMQ0wCwYD
VQQKDAR4ZWRqMQ0wCwYDVQQLDAR4ZWRqMRMwEQYDVQQDDAoqLnhlZGouY29tMB4X
DTE4MDEwODEyMzUxOVoXDTM4MDEwMzEyMzUxOVowZDELMAkGA1UEBhMCemgxEDAO
BgNVBAgMB2JlaWppbmcxEDAOBgNVBAcMB2JlaWppbmcxDTALBgNVBAoMBHhlZGox
DTALBgNVBAsMBHhlZGoxEzARBgNVBAMMCioueGVkai5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC9UvPlmX1dWlzLlta/IusSt9cf6ZniEkEatews
WksSbdp8cBYYdFz8xLcqEZrlMtr/WkTHRWQ6rc5/9MhH2TM23Ybq3QVdA3i2XOiT
IDMjjpkfcnjHXgOpTXwfvWFaduMGvEByPK4Yy1jd+cW58YUxopmPh9EtPBjhzwpe
fERJR0V2bjfHCsH6Zh76V8n1WwuqTuFNIqAHp8BFJ+5LLXWsJ6PUunOaZKSTGquj
3bMWUmawuYW9eoiUy3U7XMhCk2f9daE1gjsn0NitWpQ9BpyUn7Ak8RxBI77qP7uZ
3S2opGX8aui8XjkOJohX/3zU8PV01ZsigLC5Az7OG33je52PAgMBAAGjUDBOMB0G
A1UdDgQWBBQxykBPVHt2bAHf8TnHisovok3AnTAfBgNVHSMEGDAWgBQxykBPVHt2
bAHf8TnHisovok3AnTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCu
rrCIVm2wJI3+shCC+V2Q3mVy0iGsi1gXPMsCK0ruAPM6Q0+QnkhB9Eh1ko57mJrA
68rR7RO6xtGfY69ItSHwmwsfSYOAMSZ1PLjJK5s0OVPRv+umZ0dXLhQIPCS2Rkow
vb6D8xOQU6oe3/Z37AWMag/r4QNhmiZpYO/NrEjgFFTfyYyE0LeMHyVi57+M+bBa
cmhHN/DiCVL4Whu9Q+FhE5Z37BCm7m8jez48ktiu8daP34MuDZ0SJHAPG/BtEBE/
wZYyLcCzi2w1v7SIKYradZYNo/5v4LZ2GEi/Mqmqik9hpml4ShBf7d9VzeNylJHM
/uqph3aD3egMJWuYGOsb
-----END CERTIFICATE-----
[root@newhostname certs]#
The file is in PEM format: the DER-encoded certificate written out in Base64. It is not encrypted (a certificate is public data, only signed by the CA key), but it is not readable as-is, so decode and display it with the following command:
[root@newhostname certs]# openssl x509 -in /etc/pki/CA/certs/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ac:f8:01:78:f5:9e:c6:8d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=zh, ST=beijing, L=beijing, O=xedj, OU=xedj, CN=*.xedj.com
        Validity
            Not Before: Jan  8 12:35:19 2018 GMT
            Not After : Jan  3 12:35:19 2038 GMT
        Subject: C=zh, ST=beijing, L=beijing, O=xedj, OU=xedj, CN=*.xedj.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:52:f3:e5:99:7d:5d:5a:5c:cb:96:d6:bf:22:
                    eb:12:b7:d7:1f:e9:99:e2:12:41:1a:b5:ec:2c:5a:
                    4b:12:6d:da:7c:70:16:18:74:5c:fc:c4:b7:2a:11:
                    9a:e5:32:da:ff:5a:44:c7:45:64:3a:ad:ce:7f:f4:
                    c8:47:d9:33:36:dd:86:ea:dd:05:5d:03:78:b6:5c:
                    e8:93:20:33:23:8e:99:1f:72:78:c7:5e:03:a9:4d:
                    7c:1f:bd:61:5a:76:e3:06:bc:40:72:3c:ae:18:cb:
                    58:dd:f9:c5:b9:f1:85:31:a2:99:8f:87:d1:2d:3c:
                    18:e1:cf:0a:5e:7c:44:49:47:45:76:6e:37:c7:0a:
                    c1:fa:66:1e:fa:57:c9:f5:5b:0b:aa:4e:e1:4d:22:
                    a0:07:a7:c0:45:27:ee:4b:2d:75:ac:27:a3:d4:ba:
                    73:9a:64:a4:93:1a:ab:a3:dd:b3:16:52:66:b0:b9:
                    85:bd:7a:88:94:cb:75:3b:5c:c8:42:93:67:fd:75:
                    a1:35:82:3b:27:d0:d8:ad:5a:94:3d:06:9c:94:9f:
                    b0:24:f1:1c:41:23:be:ea:3f:bb:99:dd:2d:a8:a4:
                    65:fc:6a:e8:bc:5e:39:0e:26:88:57:ff:7c:d4:f0:
                    f5:74:d5:9b:22:80:b0:b9:03:3e:ce:1b:7d:e3:7b:
                    9d:8f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                31:CA:40:4F:54:7B:76:6C:01:DF:F1:39:C7:8A:CA:2F:A2:4D:C0:9D
            X509v3 Authority Key Identifier:
                keyid:31:CA:40:4F:54:7B:76:6C:01:DF:F1:39:C7:8A:CA:2F:A2:4D:C0:9D
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         ae:ae:b0:88:56:6d:b0:24:8d:fe:b2:10:82:f9:5d:90:de:65:
         72:d2:21:ac:8b:58:17:3c:cb:02:2b:4a:ee:00:f3:3a:43:4f:
         90:9e:48:41:f4:48:75:92:8e:7b:98:9a:c0:eb:ca:d1:ed:13:
         ba:c6:d1:9f:63:af:48:b5:21:f0:9b:0b:1f:49:83:80:31:26:
         75:3c:b8:c9:2b:9b:34:39:53:d1:bf:eb:a6:67:47:57:2e:14:
         08:3c:24:b6:46:4a:30:bd:be:83:f3:13:90:53:aa:1e:df:f6:
         77:ec:05:8c:6a:0f:eb:e1:03:61:9a:26:69:60:ef:cd:ac:48:
         e0:14:54:df:c9:8c:84:d0:b7:8c:1f:25:62:e7:bf:8c:f9:b0:
         5a:72:68:47:37:f0:e2:09:52:f8:5a:1b:bd:43:e1:61:13:96:
         77:ec:10:a6:ee:6f:23:7b:3e:3c:92:d8:ae:f1:d6:8f:df:83:
         2e:0d:9d:12:24:70:0f:1b:f0:6d:10:11:3f:c1:96:32:2d:c0:
         b3:8b:6c:35:bf:b4:88:29:8a:da:75:96:0d:a3:fe:6f:e0:b6:
         76:18:48:bf:32:a9:aa:8a:4f:61:a6:69:78:4a:10:5f:ed:df:
         55:cd:e3:72:94:91:cc:fe:ea:a9:87:76:83:dd:e8:0c:25:6b:
         98:18:eb:1b
[root@newhostname certs]#
x509 is the certificate display and signing utility.
-noout suppresses the PEM-encoded output.
-text prints the certificate in readable text form.
The output shows everything entered a moment ago: Issuer and Subject are identical because the certificate is self-signed, Basic Constraints says CA:TRUE, and the validity runs for the 7300 days requested.
[root@newhostname certs]# echo 01 >/etc/pki/CA/serial
[root@newhostname certs]# touch /etc/pki/CA/index.txt
Section 3 already explains what these two files are for, so that is not repeated here: the first certificate issued will get serial number 01, and index.txt is the (initially empty) database that `openssl ca` updates on every signing and revocation.
6. Having other servers request certificates from the private CA
Steps:
1. The server that needs a certificate generates its own private key
2. It generates a certificate signing request (CSR) from that key
3. The request file is sent to the private CA
4. The CA signs it and returns the resulting certificate to the requester
[root@joker-6-01 ~]# (umaks 066;openssl genrsa -out /etc/pki/CA/private/zhang.pem 2048)
-bash: umaks: command not found
Generating RSA private key, 2048 bit long modulus
........................................................+++
......................+++
e is 65537 (0x10001)
Generate the requesting server's private key. Note the typo in the command: "umaks" is not a command, so the umask was never set and the key was written with the shell's default permissions (typically 0644, readable by every user on the machine). Either rerun with umask spelt correctly, or fix the mode afterwards with chmod 600 /etc/pki/CA/private/zhang.pem.
[root@joker-6-01 ~]# openssl req -new -key /etc/pki/CA/private/zhang.pem -out /etc/pki/CA/certs/zhang.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:zh
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xedj
Organizational Unit Name (eg, section) []:xedj
Common Name (eg, your name or your server's hostname) []:*.xedj.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generate the certificate request. Country, State and Organization must be entered exactly as on the CA's certificate, because the CA's policy_match rejects the request otherwise; the challenge password and optional company name are left blank.
Now look at the request file:
[root@joker-6-01 ~]# cat /etc/pki/CA/certs/zhang.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICqTCCAZECAQAwZDELMAkGA1UEBhMCemgxEDAOBgNVBAgMB2JlaWppbmcxEDAO
BgNVBAcMB2JlaWppbmcxDTALBgNVBAoMBHhlZGoxDTALBgNVBAsMBHhlZGoxEzAR
BgNVBAMMCioueGVkai5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQD4IWgr62LGdkRHcCaxlhKCWlRrOfWXkQPhd9VQCGHWNzU4xcTZNGWXtDqhUOFu
E5rc1wteyoUbiDRU8aKgCCKS61ZBInCnwsF3y/YVLGsbaz9z9GqVW7EJoCkaPafu
SUudy0OT6Vvq+rcXcUDIfdunsjO9+MqXvpetYpd09cXCsUvVhBn2LPPTj0T7+Nju
BlgTYjkJzzPSUOoll1vupIuEAOREHkZG8lyPoYVKIzRB6g6HdM6xlNN9MkrxbMLo
/FSJDh1DtyK8v6Z+hHJT7Da4AqQAloi1tYw713KGuVlnykMe7Kl3e28YmlExeeVX
Ztw4DLLHMocsR40spWx2rWkfAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAQDi+
GjO3dd+aLM6SqcPx5kSmGA3Ar7L1I2r6WC//+28PdirdBXA8iW+UwxmUHUc4T5Hh
i2geQrn9PoHmesrmHS8eXseFnl6BzYLIpyD1wumkoiLZnMZycyPQ2MuFM0xyUGU6
OOgvpYpj8PTRYn6kV4OS1Cq8qFQoi3lGHC7/ldLKVtRXAW72zsHC0DZjd+jFj0sD
rJLHVYPQasn1P+3ePVvp1tGFSD89lEd5Lzv0p0OXsP50Ao2xzgbtSfuHVhmUxQXX
8aui7J/OZ4qawYqZXjaRX+xFlzogrpP69Wd+TtOpFk5X7i/goWmLv1bgWPIbMb+I
OxDT165IbFdEe4layQ==
-----END CERTIFICATE REQUEST-----
In short, generating a certificate request differs from generating the CA's self-signed certificate only by the -x509 option.
Next, send the request file from the requesting server to the CA and have the CA sign it.
[root@joker-6-01 security]# scp /etc/pki/CA/certs/zhang.csr 172.18.30.253:~
root@172.18.30.253's password:
Permission denied, please try again.
root@172.18.30.253's password:
zhang.csr                                     100% 1001     1.0KB/s   00:00
This is only a lab, so the request is simply copied over with scp.
When the CA's self-signed certificate was generated, the directory was wrong: the CA certificate must be where the config file says (certificate = $dir/cacert.pem), so move it to the correct place first:
mv /etc/pki/CA/certs/cacert.pem /etc/pki/CA/
Now do the signing on the CA machine:
[root@newhostname CA]# openssl ca -in ~/zhang.csr -out /etc/pki/CA/certs/zhang.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan  8 15:48:14 2018 GMT
            Not After : Jan  8 15:48:14 2019 GMT
        Subject:
            countryName               = zh
            stateOrProvinceName       = beijing
            organizationName          = xedj
            organizationalUnitName    = xedj
            commonName                = *.xedj.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FD:72:7A:F5:46:8C:69:C2:A2:74:3C:4C:0D:BF:6A:A1:84:70:C7:9F
            X509v3 Authority Key Identifier:
                keyid:31:CA:40:4F:54:7B:76:6C:01:DF:F1:39:C7:8A:CA:2F:A2:4D:C0:9D

Certificate is to be certified until Jan  8 15:48:14 2019 GMT (365 days)
Sign the certificate? [y/n]:Y

1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
Two details in this output are worth noticing. The Subject has no localityName, although "beijing" was entered in the request: policy_match does not list that field, and `openssl ca` drops every field the policy does not mention. The serial number is 1, taken from the serial file created earlier, and the Authority Key Identifier is the CA certificate's Subject Key Identifier, which is how a verifier links the two. Signing succeeded, so the signed certificate can now be returned to the requesting server:
[root@newhostname certs]# scp /etc/pki/CA/certs/zhang.crt 172.18.30.254:/etc/pki/CA/certs/
root@172.18.30.254's password:
zhang.crt                                     100% 4437     6.3MB/s   00:00
The file is 4437 bytes because `openssl ca` writes the readable text dump in front of the PEM block. Some consumers reject that leading text, so pass -notext to `openssl ca` when the certificate should contain PEM only.
Check the database and the current serial number:
[root@newhostname CA]# cat serial
02
[root@newhostname CA]# cat index.txt
V	190108154814Z		01	unknown	/C=zh/ST=beijing/O=xedj/OU=xedj/CN=*.xedj.com
The serial file has been advanced to 02 for the next certificate, and index.txt now records the certificate just issued (V means valid).
[root@newhostname CA]# echo 01 > /etc/pki/CA/crlnumber
Initialise the CRL number.
7. Revoking a certificate
Steps:
1. Look up the serial number of the certificate to revoke, to make sure the right one is revoked
2. Perform the revocation
[root@newhostname CA]# cat index.txt
V	190108154814Z		01	unknown	/C=zh/ST=beijing/O=xedj/OU=xedj/CN=*.xedj.com
View the database file. Its fields are separated by tabs: status (V valid, R revoked, E expired), expiry time, revocation time (empty while the certificate is valid, which is why the line above looks as if it had only five columns), serial number (the value of the serial file at signing time), file name ("unknown"), and the certificate's subject. Before revoking, make sure the subject on the line with that serial number really is the certificate you mean.
[root@newhostname CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
Revocation done. -revoke takes the copy of the certificate that `openssl ca` stored under new_certs_dir, named after its serial number (the location set in the config file in section 3); the certificate's entry in index.txt changes from V to R and gets a revocation time.
[root@newhostname CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Regenerate the certificate revocation list. Revoking only updates index.txt; clients only learn about the revocation once a new CRL has been generated and published to them.
[root@newhostname CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
View the revoked certificates: the CRL lists their serial numbers and revocation dates.
8. Summary of operations
1. (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem)    create the CA private key
2. openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300    generate the CA's self-signed certificate, at the path the config file names
3. openssl x509 -in /etc/pki/CA/cacert.pem -noout -text    view the self-signed certificate
4. echo 01 >/etc/pki/CA/serial
   touch /etc/pki/CA/index.txt    create the serial-number file and the database file
5. (umask 066;openssl genrsa -out /etc/pki/CA/private/zhang.pem 2048)    on the server that needs a certificate: generate its private key
6. openssl req -new -key /etc/pki/CA/private/zhang.pem -out /etc/pki/CA/certs/zhang.csr    generate the certificate request from that key
7. openssl ca -in ~/zhang.csr -out /etc/pki/CA/certs/zhang.crt -days 365    copy the request from the previous step to the CA server and sign it there
8. return the signed certificate to the requesting server
9. cat index.txt    view the database file
10. echo 01 > /etc/pki/CA/crlnumber    initialise the CRL number
11. openssl ca -revoke /etc/pki/CA/newcerts/01.pem    revoke the certificate with that serial number, after checking its subject in index.txt
12. openssl ca -gencrl -out /etc/pki/CA/crl.pem    regenerate the certificate revocation list
13. openssl crl -in /etc/pki/CA/crl.pem -noout -text    view the revoked certificates
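The procedure of sections 3 to 7 as one script, added here as an example; it is not code from the original article. It mirrors the [CA_default] and policy_match settings from section 3, but builds the CA in a scratch directory from mktemp so it can run beside an existing /etc/pki/CA without touching it, and uses -subj and -batch so nothing prompts. Everything it names is constructed for the demo: the DN values C=CN, ST=beijing, O=xedj, the CA name "xedj private CA", the requester file name zhang and its host www.xedj.com. The keyUsage lines in its usr_cert and v3_ca sections are an addition; the stock openssl.cnf does not set them.

```shell
#!/bin/sh
# Added example, not from the original article: sections 3 to 7 as one script,
# run in a scratch mktemp directory laid out like /etc/pki/CA. The DN values
# (C=CN, ST=beijing, O=xedj), CA name and host www.xedj.com are constructed.
set -eu
# ca_setup DIR: layout, config, serial/index/crlnumber, CA key and root cert.
ca_setup() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"        # database must exist, even if empty
  echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"  # next serial / CRL number (hex)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
x509_extensions = usr_cert
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # umask in a subshell so only the key is created mode 0600 (article: 066)
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  # -x509: self-signed cert, not a CSR. -days is needed: default_days is for `ca`
  openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
    -days 7300 -subj "/C=CN/ST=beijing/O=xedj/CN=xedj private CA" -out "$dir/cacert.pem"
}
# issue_cert DIR NAME HOST: requester key and CSR, then CA signing; prints the
# certificate path. L is put in the CSR on purpose: policy_match does not list
# localityName, so the CA silently drops it from the issued certificate.
issue_cert() {
  dir=$1; name=$2; host=$3
  (umask 077; openssl genrsa -out "$dir/private/$name.key" 2048 2>/dev/null)
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/$name.key" \
    -subj "/C=CN/ST=beijing/L=beijing/O=xedj/CN=$host" -out "$dir/certs/$name.csr"
  # -batch answers both y/n prompts; -notext writes PEM without the text dump
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
    -in "$dir/certs/$name.csr" -out "$dir/certs/$name.crt" >/dev/null 2>&1
  echo "$dir/certs/$name.crt"
}
# cert_has_field CRT FIELD: true if the subject DN contains FIELD (CN, L, ...).
cert_has_field() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | grep -q -- "$2="
}
# verify_cert DIR CRT [--crl]: chain check against the CA; with --crl the CRL
# is checked too (-CAfile accepts a file holding both). Exit 0 = valid.
verify_cert() {
  dir=$1; crt=$2; bundle=$dir/cacert.pem; opt=
  if [ "${3:-}" = "--crl" ]; then
    bundle=$dir/ca-and-crl.pem; opt=-crl_check
    cat "$dir/cacert.pem" "$dir/crl.pem" > "$bundle"
  fi
  openssl verify $opt -CAfile "$bundle" "$crt" >/dev/null 2>&1
}
# index_status DIR SERIAL: status letter from index.txt (V valid, R revoked,
# E expired). Tab-separated: status, expiry, revocation date, serial, file, subject.
index_status() {
  awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}
# revoke_cert DIR SERIAL: revoke newcerts/SERIAL.pem, then publish a new CRL.
revoke_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" >/dev/null 2>&1
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
# Demo: sh ca_demo.sh demo
if [ "${1:-}" = "demo" ]; then
  D=$(mktemp -d); ca_setup "$D"; CRT=$(issue_cert "$D" zhang www.xedj.com)
  verify_cert "$D" "$CRT" && echo "serial 01 issued: valid, index status $(index_status "$D" 01)"
  revoke_cert "$D" 01
  verify_cert "$D" "$CRT" --crl || echo "serial 01 revoked: rejected, index status $(index_status "$D" 01)"
  rm -rf "$D"
fi
```

Run it as sh ca_demo.sh demo. The request is built with L=beijing deliberately: cert_has_field shows that the issued certificate has no L, exactly as in the signing output in section 6, because policy_match does not list localityName. The two verify_cert calls make the point of section 7 concrete: after -revoke a plain chain check still passes, and only a verifier that loads the regenerated CRL (-crl_check) rejects the certificate, so publishing the CRL is part of revoking.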