Building and Managing a Certificate Server (CA)

Much of the time we want our communication on the Internet to be protected, and the most common thing we do on the Internet is use websites, so we have to think about how to encrypt the messages exchanged while using a website. The HTTPS protocol solves this problem, and HTTPS is built on certificates. So how do we use certificates to protect the messages we send to a website? To use certificates, you either apply to a commercial certificate authority on the Internet, or you build your own certificate server (CA) and issue certificates to your own network devices, so that communication between them travels over an encrypted protocol. Applying to a commercial CA costs a fair amount, so many companies that want certificate-based encryption but do not want to pay much for certificates set up their own certificate management server (CA) on their own infrastructure. As an operations engineer, this is therefore a topic well worth exploring.

I. Background for building and managing a CA

OpenSSL configuration file: /etc/pki/tls/openssl.cnf

(1) Create the required files

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

(2) The CA's self-signed certificate

Generate the private key:

cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Generate the self-signed certificate:

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request
-x509: used only when a CA generates its own self-signed certificate
-key: the private key file used to generate the request
-days n: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate

(3) Issuing certificates

(a) Generate a certificate request on the host that needs the certificate;

Generate a private key for the web server:

(umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

Generate the certificate request file (note that -days has no effect on a request; the validity period is set when the CA signs):

openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

(b) Transfer the certificate request file to the CA

(c) The CA signs the certificate and issues it to the requester;

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

Note: under the default policy, the country, state/province and organization name in the request must match the CA's.

(d) View the information in a certificate (use -text for everything, or -subject, -serial or -dates for just that field):

openssl x509 -in /PATH/FROM/CERT_FILE -noout -text

(4) Revoking a certificate

(a) On the client, obtain the serial of the certificate to be revoked:

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

(b) On the CA, check the serial and subject submitted by the client against the corresponding entry in index.txt

Revoke the certificate: openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

(c) Generate the CRL number (only needed the first time a certificate is revoked)

echo 01 > /etc/pki/CA/crlnumber

(d) Update the certificate revocation list

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

View the CRL file:

openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
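The four steps above run end to end as one non-interactive script. This is an added example, not code from the original post: it works in a throwaway directory with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf (so nothing under /etc/pki is touched), answers the y/n prompts with -batch, and finishes by checking the issued certificate against the CA both before and after revocation, with the CRL consulted. The host names, DN values and the policy_match section are constructed for the demo; policy_match reproduces the rule behind the note in (3)(c), and the example also shows a request with a different state and organization being rejected by that rule.

```shell
#!/bin/sh
# Added example (not from the original post): Part I end to end, without prompts,
# in a throwaway directory with its own minimal openssl.cnf. Host names and DN
# values are constructed for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "the openssl CLI is required" >&2; exit 1; }

CADIR="${CADIR:-$(mktemp -d)}"

# (1)+(2): directory layout, bookkeeping files, CA key and self-signed certificate.
setup_ca() {
    mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private"
    chmod 700 "$CADIR/private"
    : > "$CADIR/index.txt"       # certificate database, empty to start
    echo 01 > "$CADIR/serial"    # next certificate serial
    echo 01 > "$CADIR/crlnumber" # next CRL number (the post creates this at first revocation)
    # policy_match is the rule behind the note above: C, ST and O must equal the CA's.
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
    (umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/openssl.cnf" -key "$CADIR/private/cakey.pem" \
        -days 7300 -subj "/C=cn/ST=beijing/O=companyA/OU=IT/CN=demo-ca" -out "$CADIR/cacert.pem"
}

# (3): client key and CSR, then the CA signs it. -batch answers the two y/n prompts
# shown in the post; -notext keeps the .crt to the PEM block.
issue_cert() {   # $1 = file-name stem, $2 = subject DN
    (umask 066; openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" -key "$CADIR/$1.key" -subj "$2" -out "$CADIR/$1.csr"
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -in "$CADIR/$1.csr" \
        -out "$CADIR/certs/$1.crt" -days 365 2>/dev/null
}

# Chain check on an issued certificate; prints "<file>: OK" on success.
verify_cert() {
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/$1.crt" 2>&1 || true
}

# (4): revoke through the CA database and regenerate the CRL.
revoke_cert() {
    openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/certs/$1.crt" 2>/dev/null
    openssl ca -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/crl/ca.crl" 2>/dev/null
}

# Same check with the CRL consulted; a revoked certificate reports "certificate revoked".
verify_cert_with_crl() {
    cat "$CADIR/cacert.pem" "$CADIR/crl/ca.crl" > "$CADIR/crl/ca-bundle.pem"
    openssl verify -crl_check -CAfile "$CADIR/crl/ca-bundle.pem" "$CADIR/certs/$1.crt" 2>&1 || true
}

main() {
    setup_ca
    issue_cert web "/C=cn/ST=beijing/O=companyA/OU=web/CN=www.example.test"
    echo "--- before revocation ---"; verify_cert web
    revoke_cert web
    echo "--- after revocation, CRL consulted ---"; verify_cert_with_crl web
    echo "--- CA database ---"; cat "$CADIR/index.txt"
}
main
```

Set CADIR to reuse a directory between runs; otherwise every run starts a fresh CA. The plain `openssl verify` still says OK after the revocation, which is exactly why the CRL (or OCSP) has to be distributed to every verifier: revocation only takes effect where the CRL is actually consulted.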

II. Building the CA

1. The CA environment:

[root@Centos630G ~]# hostname
Centos630G
[root@Centos630G ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:e1:ee:04 brd ff:ff:ff:ff:ff:ff
    inet 10.1.42.61/16 brd 10.1.255.255 scope global eth0
    inet6 fe80::20c:29ff:fee1:ee04/64 scope link
       valid_lft forever preferred_lft forever
[root@Centos630G ~]# cd /etc/pki/CA
[root@Centos630G CA]# tree
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@Centos630G CA]#

2. Create the files the CA needs:

[root@Centos630G CA]# touch index.txt
[root@Centos630G CA]# echo 01 > serial
[root@Centos630G CA]# ll
total 20
drwxr-xr-x. 2 root root 4096 May  9 10:56 certs
drwxr-xr-x. 2 root root 4096 May  9 10:56 crl
-rw-r--r--. 1 root root    0 Sep 22 12:27 index.txt
drwxr-xr-x. 2 root root 4096 May  9 10:56 newcerts
drwx------. 2 root root 4096 May  9 10:56 private
-rw-r--r--. 1 root root    3 Sep 22 12:27 serial
[root@Centos630G CA]#

3. Create the CA's private key:

[root@Centos630G CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................+++
.............+++
e is 65537 (0x10001)
[root@Centos630G CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@Centos630G CA]#

4. Generate the CA's self-signed certificate:

[root@Centos630G CA]# openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:companyA
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:centos630g
Email Address []:[email protected]
[root@Centos630G CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@Centos630G CA]#

III. Issuing a certificate to a client with the CA

1. Environment of the client requesting the certificate:

[root@centos730g ~]# hostname
centos730g
[root@centos730g ~]# ip addr show eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4c:4a:32 brd ff:ff:ff:ff:ff:ff
    inet 10.1.42.71/16 brd 10.1.255.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4c:4a32/64 scope link
       valid_lft forever preferred_lft forever
[root@centos730g ~]#

2. Generate a private key on the client:

[root@centos730g ~]# (umask 066;openssl genrsa -out centos730g.prikey 2048)
Generating RSA private key, 2048 bit long modulus
...............................+++
.............................................................................+++
e is 65537 (0x10001)
[root@centos730g ~]# ls
centos730g.prikey
[root@centos730g ~]#

3. Generate the certificate request file on the client:

[root@centos730g ~]# openssl req -new -key centos730g.prikey -days 365 -out centos730g.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:companyA
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:centos730g
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos730g ~]# ls
centos730g.csr  centos730g.prikey
[root@centos730g ~]#

4. Transfer the request file from the client to the CA:

[root@centos730g ~]# scp centos730g.csr 10.1.42.61:/etc/pki/CA/crl
The authenticity of host '10.1.42.61 (10.1.42.61)' can't be established.
RSA key fingerprint is 91:e8:0f:0d:56:3c:38:b4:bf:b0:dd:b5:ee:0c:cb:b4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.42.61' (RSA) to the list of known hosts.
root@10.1.42.61's password:
centos730g.csr               100% 1050     1.0KB/s   00:00
[root@centos730g ~]#

5. Sign the certificate for the requesting client on the CA:

[root@Centos630G CA]# ls crl
centos730g.csr
[root@Centos630G CA]# openssl ca -in crl/centos730g.csr -out certs/centos730g.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 17:15:37 2016 GMT
            Not After : Sep 22 17:15:37 2017 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = companyA
            organizationalUnitName    = web
            commonName                = centos730g
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC
            X509v3 Authority Key Identifier:
                keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12

Certificate is to be certified until Sep 22 17:15:37 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos630G CA]# ls certs
centos730g.crt
[root@Centos630G CA]#

6. Send the signed certificate from the CA to the requesting client:

[root@Centos630G CA]# scp certs/centos730g.crt 10.1.42.71:/root
The authenticity of host '10.1.42.71 (10.1.42.71)' can't be established.
RSA key fingerprint is f2:c8:a3:77:da:65:42:3a:bf:53:24:e2:0b:0f:23:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.42.71' (RSA) to the list of known hosts.
root@10.1.42.71's password:
centos730g.crt               100% 4596     4.5KB/s   00:00
[root@Centos630G CA]#

7. Once the client has received the issued certificate, it can configure the corresponding network service and start using it.

[root@centos730g ~]# ll
total 16
-rw-r--r--. 1 root root 4596 Sep 22 17:17 centos730g.crt
-rw-r--r--. 1 root root 1050 Sep 22 17:10 centos730g.csr
-rw-------. 1 root root 1675 Sep 22 16:41 centos730g.prikey
[root@centos730g ~]#

View the issued certificate:

[root@centos730g ~]# openssl x509 -in centos730g.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=beijing, L=haidian, O=companyA, OU=IT, CN=centos630g/[email protected]
        Validity
            Not Before: Sep 22 17:15:37 2016 GMT
            Not After : Sep 22 17:15:37 2017 GMT
        Subject: C=cn, ST=beijing, O=companyA, OU=web, CN=centos730g/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:a2:3c:e5:04:7a:5c:88:fd:2a:64:5d:41:18:
                    95:4f:4e:b4:ae:06:07:5b:e0:ac:d1:74:99:f4:3d:
                    2a:0a:35:4c:90:49:cf:51:84:69:44:de:e2:c1:9b:
                    9f:8d:29:9c:b7:5a:c2:b0:fd:a6:29:84:91:73:7f:
                    1a:f9:ba:00:f0:8f:2d:28:18:a5:bd:24:8b:cc:a0:
                    31:45:d8:c7:fe:51:da:5f:f5:27:39:02:fb:7e:07:
                    b7:6c:63:0f:b1:ec:7c:f5:57:c7:8c:1a:9f:23:04:
                    e0:2e:d6:c6:3a:ad:b3:5c:42:13:54:62:a1:83:ed:
                    d2:61:48:eb:98:06:a5:32:d3:b2:5b:00:05:0a:6b:
                    fb:97:90:1f:10:d9:8c:e6:00:af:c2:72:cc:ba:08:
                    fd:98:87:99:80:ec:40:41:a2:a6:df:ae:1b:29:bc:
                    22:25:f0:3f:59:6a:10:31:65:c8:44:7a:2b:2f:0b:
                    00:ce:d7:a6:3c:ab:83:47:10:20:75:76:46:51:9d:
                    ca:a8:65:b0:7f:28:d9:4c:24:90:47:4f:40:6c:ba:
                    b5:cf:cd:bb:a3:07:f3:35:f0:08:cc:61:52:90:ea:
                    57:c2:3b:9f:cc:c1:b0:4a:e5:8b:21:8c:c8:74:b2:
                    da:8d:aa:94:de:d3:bb:c3:9e:10:6c:d9:93:7a:b9:
                    5b:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                19:A6:3F:5F:8C:75:7F:2F:32:6A:4D:F2:BC:53:BD:C9:F7:66:7C:BC
            X509v3 Authority Key Identifier:
                keyid:51:8C:1F:CD:A5:73:04:65:96:55:E4:D3:FE:69:28:DD:07:CE:1B:12

    Signature Algorithm: sha1WithRSAEncryption
        10:23:27:f2:3c:ad:3c:ca:6a:d3:ae:db:1d:fb:51:95:2f:91:
        ef:ba:f4:b3:b2:91:dc:0a:e0:7a:3f:45:e5:97:16:24:a0:52:
        a4:3e:51:d1:86:c1:d0:de:d7:3c:7f:62:3c:f1:9e:88:93:03:
        15:c4:38:29:ba:cc:ba:0c:78:d0:7e:76:e5:dd:70:a4:6e:17:
        e7:19:ae:47:f3:39:32:d7:97:67:73:bb:bb:4a:28:ed:a1:f5:
        ec:d6:46:4d:8c:80:27:e2:48:f7:1b:54:58:1e:cc:cb:52:0b:
        91:24:b5:04:28:5c:70:1f:22:aa:3b:7f:4b:7d:f3:8a:f8:35:
        07:38:47:68:8c:57:b8:77:64:7a:bd:95:d5:5e:c8:82:32:a8:
        5b:ac:2b:c2:72:fa:08:ea:ee:30:1b:a9:39:eb:77:6e:65:32:
        90:ee:11:cc:38:05:84:a2:ed:14:d8:cc:73:ac:01:8c:8d:ae:
        27:38:c3:de:cd:75:4d:d3:09:9d:6e:b8:c3:e6:b1:c5:79:12:
        46:da:f4:c8:fe:97:1c:4b:66:c6:98:d6:b9:7c:fe:4a:a1:30:
        97:32:2e:01:cf:3c:eb:b8:bd:e1:da:6f:bc:98:8c:b8:99:b6:
        dc:42:51:b7:d1:ad:92:ff:95:91:ab:0f:3d:1e:db:e4:9e:1d:
        b0:b0:99:04
[root@centos730g ~]#
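Before the client drops the returned .crt into its web server configuration, one check worth making is that the certificate really belongs to the private key generated in step 2, since a wrong pairing only shows up later as a TLS handshake failure. The check below is an added example, not part of the original post: it compares the public key embedded in the certificate with the public key derived from the private key file. The key and certificate files it uses are constructed fixtures generated on the fly, so the file names are placeholders, not the host's real centos730g.prikey and centos730g.crt.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a certificate was issued
# for this host's private key before deploying the pair. Fixtures are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "the openssl CLI is required" >&2; exit 1; }

# Exit status 0 when $1 (PEM private key) and $2 (PEM certificate) share a public key,
# 1 when they differ, 2 when either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Constructed fixtures: one key with its self-signed certificate, plus an unrelated
# key standing in for "the wrong key file". Prints the directory they live in.
make_fixtures() {
    dir=$(mktemp -d)
    # minimal config so -subj works without interactive DN prompts
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$dir/req.cnf"
    (umask 066; openssl genrsa -out "$dir/host.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/req.cnf" -key "$dir/host.key" -days 1 \
        -subj "/CN=host.example.test" -out "$dir/host.crt"
    (umask 066; openssl genrsa -out "$dir/other.key" 2048 2>/dev/null)
    echo "$dir"
}

main() {
    fx=$(make_fixtures)
    for key in host.key other.key; do
        if key_matches_cert "$fx/$key" "$fx/host.crt"; then
            echo "$key: matches host.crt, safe to deploy together"
        else
            echo "$key: does NOT match host.crt, wrong key or wrong certificate"
        fi
    done
}
main
```

Comparing the full SubjectPublicKeyInfo rather than an RSA modulus hash keeps the check valid for non-RSA keys as well, and `openssl verify -CAfile cacert.pem centos730g.crt` (with the CA's certificate copied to the client) is the natural companion check that the certificate also chains to the intended CA.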

IV. Revoking a certificate on the CA

1. On the client requesting revocation, view the serial and subject of the certificate to be revoked and submit them to the CA:

[root@centos730g ~]# openssl x509 -in centos730g.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]
[root@centos730g ~]#

2. On the CA, check the serial and subject submitted by the client against the entry in the server's index.txt; once they match, carry out the revocation:

[root@Centos630G CA]# openssl x509 -in certs/centos730g.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]
[root@Centos630G CA]# cat index.txt
V	170922171537Z		01	unknown	/C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/[email protected]
[root@Centos630G CA]#
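The comparison in step 2 is done by eye above. On a CA that has issued more than a handful of certificates it is worth scripting, and the same index.txt is the place to audit what the CA has issued, revoked and let expire. The script below is an added example, not from the original post. It parses the tab-separated index.txt format shown above (status, expiry, revocation date, serial, file name, subject DN) over a constructed sample database; the entries, time stamps and the "warn before" cut-off are made up for the demo, and the subject is passed in the slash form that `openssl x509 -subject` prints on the page.

```shell
#!/bin/sh
# Added example (not from the original post): audit and lookup helpers for the
# openssl ca database. Fields in index.txt are tab separated:
#   status (V/R/E)  expiry (YYMMDDHHMMSSZ)  revocation date (empty unless R)  serial  file  subject DN
# The sample database below is constructed for the demo.
set -eu

SAMPLE_INDEX=$(mktemp)
{
printf 'V\t170922171537Z\t\t01\tunknown\t/C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=web@example.test\n'
printf 'R\t170922171537Z\t160922172954Z\t02\tunknown\t/C=cn/ST=beijing/O=companyA/OU=mail/CN=mail01\n'
printf 'V\t160930000000Z\t\t03\tunknown\t/C=cn/ST=beijing/O=companyA/OU=vpn/CN=vpn01\n'
printf 'V\t161010000000Z\t\t04\tunknown\t/C=cn/ST=beijing/O=companyA/OU=ldap/CN=ldap01\n'
} > "$SAMPLE_INDEX"
NOW=161001120000Z          # constructed "current time" for the demo
WARN_BEFORE=161031120000Z  # constructed cut-off: flag anything expiring before this

# Step 2 as a command: is there an entry with exactly this serial and subject DN?
ca_index_lookup() {   # $1 = index.txt, $2 = serial, $3 = subject DN in slash form
    awk -F '\t' -v serial="$2" -v dn="$3" \
        '$4 == serial && $6 == dn { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# One line per certificate: serial, state, CN. Expired certificates keep status V
# in index.txt until "openssl ca -updatedb" is run, so expiry is derived from the
# timestamp here. Lexicographic comparison of YYMMDDHHMMSSZ is valid within one century.
ca_index_audit() {   # $1 = index.txt, $2 = now, $3 = warn-before (both YYMMDDHHMMSSZ)
    awk -F '\t' -v now="$2" -v warn="$3" '
        {
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
            if ($1 == "R")        state = "REVOKED"
            else if ($2 <= now)   state = "EXPIRED"
            else if ($2 <= warn)  state = "EXPIRING"
            else                  state = "VALID"
            printf "%s\t%s\t%s\n", $4, state, cn
        }' "$1"
}

# Number of certificates in one state, for a cron check or dashboard.
ca_index_count() {   # $1 = index.txt, $2 = now, $3 = warn-before, $4 = state name
    ca_index_audit "$1" "$2" "$3" | awk -F '\t' -v s="$4" '$2 == s { n++ } END { print n + 0 }'
}

main() {
    echo "serial	state	CN"
    ca_index_audit "$SAMPLE_INDEX" "$NOW" "$WARN_BEFORE"
    echo "revoked: $(ca_index_count "$SAMPLE_INDEX" "$NOW" "$WARN_BEFORE" REVOKED)," \
         "expiring soon: $(ca_index_count "$SAMPLE_INDEX" "$NOW" "$WARN_BEFORE" EXPIRING)"
    if ca_index_lookup "$SAMPLE_INDEX" 01 "/C=cn/ST=beijing/O=companyA/OU=web/CN=centos730g/emailAddress=web@example.test"; then
        echo "serial 01 with that subject is in the database: revocation request checks out"
    fi
}
main
```

Requiring both serial and subject to match, as the post does, matters because serials are just a counter: a request quoting a valid serial with someone else's subject should be refused rather than revoking the wrong certificate.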

3. The information matches, so carry out the revocation:

[root@Centos630G CA]# tree
.
├── cacert.pem
├── certs
│   └── centos730g.crt
├── crl
│   └── centos730g.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@Centos630G CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@Centos630G CA]# tree
.
├── cacert.pem
├── certs
│   └── centos730g.crt
├── crl
│   └── centos730g.csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 11 files
[root@Centos630G CA]#

A new file has appeared at this point: index.txt.attr.old

4. Generate the CRL number (this step is only needed the first time a certificate is revoked) and regenerate the CRL:

[root@Centos630G CA]# echo 01 > crlnumber
[root@Centos630G CA]# openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
[root@Centos630G CA]# tree
.
├── cacert.pem
├── certs
│   └── centos730g.crt
├── crl
│   ├── ca.crl
│   └── centos730g.csr
├── crlnumber
├── crlnumber.old
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
[root@Centos630G CA]#

Once the first revocation is complete, four new files have appeared on the CA (as the tree output above shows):

index.txt.attr.old
crlnumber
crlnumber.old
ca.crl

View the certificate revocation list file:

[root@Centos630G CA]# openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=cn/ST=beijing/L=haidian/O=companyA/OU=IT/CN=centos630g/[email protected]
        Last Update: Sep 22 17:44:35 2016 GMT
        Next Update: Oct 22 17:44:35 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 17:29:54 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
        11:5a:02:a8:9f:a0:9c:85:c0:cd:e8:65:06:98:90:f0:31:83:
        cc:c6:f5:7d:4b:4b:d7:1a:57:63:c5:ac:ac:51:d4:46:d8:80:
        f7:0c:94:42:5f:24:f1:87:97:f6:05:23:de:b4:3e:3b:3f:4f:
        d2:55:ef:13:c0:78:80:d1:eb:fa:47:eb:1c:58:cb:d4:f2:9b:
        bd:eb:88:2a:d5:be:05:ee:26:f8:ba:ba:cf:a3:7f:8c:73:db:
        84:a3:de:74:9c:4d:eb:64:69:be:78:d1:ec:f9:82:10:46:72:
        5f:5a:e3:99:c4:f9:1c:36:18:f4:b7:5e:f4:72:6b:20:b0:98:
        7a:3c:c1:a4:e6:c3:d5:af:3f:68:44:7b:ae:34:69:0e:49:fd:
        fc:1f:70:9c:f6:b9:d4:a2:c1:25:d8:d1:e1:75:82:53:c4:63:
        c2:ce:1a:47:81:4a:73:18:81:35:ba:24:95:ff:8e:b3:61:6f:
        ce:ae:49:2f:73:d4:14:e3:5a:04:a6:c4:15:71:3b:e2:4c:fa:
        7f:05:42:1a:41:02:98:cb:82:70:ee:de:b2:5f:90:a9:cb:18:
        93:28:dd:ff:62:e1:90:7e:88:cd:19:41:40:5f:17:47:65:2f:
        ab:95:0f:27:8f:95:44:05:b7:d9:90:3e:e3:8c:ff:e9:d0:55:
        49:05:97:a9
[root@Centos630G CA]#

With the operations above mastered, building and managing a private CA should pose no problem, so feel free to try it yourself; if you run into questions, comments and corrections are welcome.

Date: 2024-10-10 08:52:08
