通过openssl建立CA

1 CA简介

  CA是证书的签发机构，它是PKI的核心。CA是负责签发证书、认证证书、管理已颁发证书的机关。它要制定政策和具体步骤来验证、识别用户身份，并对用户证书进行签名，以确保证书持有者的身份和公钥的拥有权。比如Alice和Bob通信，中间通信万一被黑客C监听到，冒充Alice和Bob，这样信息就会泄密，这时候通过CA来验证双方身份的真实性。证书内容包括1，证书的持有者的相关信息2，CA的相关信息3，证书的使用方法4，公钥信息PKI—public key instruction 公钥基础设施：核心是CA。

2 CA建立的步骤

1 ），openssl 建立私有CA，其中包括生成秘钥；自签证书

2），节点需要：生成秘钥对；生成证书签署请求；把请求发送给CA

3），CA：验证请求者的信息；签署证书；签好的证书发送给请求者。

3，实验步骤

1，建立CA服务器，生成秘钥，文件必须是400或者是600权限

[[email protected] private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/ccc.pem 2048)

Generating RSA private key, 2048 bit long modulus

................................................................................................+++

.........+++

e is 65537 (0x10001)

[[email protected] private]# ls

cakey.pem  ccc.pem

这里必须是 在/etc/pki/CA/private目录下，之前已经生成cakey.pem文件，此次用ccc.pem文件。

2 req：生成证书签署请求

-x509 生成签署证书

-day X 有效X天

-new   心情求

-key   /path/to/keyfile:制定私钥文件

-out   /path/to/somefile 指定加密后要保存的文件名

自签证书

[[email protected] private]# openssl req -new -x509 -key /etc/pki/CA/private/ccc.pem -out /etc/pki/CA/cace.pem -days 30

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:HA

Locality Name (eg, city) [Default City]:ZZ

Organization Name (eg, company) [Default Company Ltd]:ZZC

Organizational Unit Name (eg, section) []:SI

Common Name (eg, your name or your server‘s hostname) []:localhost.localdomain

Email Address []:cc.ccc.com

[[email protected] private]# ls

cakey.pem  ccc.pem

3，我们要初始化环境

[[email protected] private]# touch /etc/pki/CA/{index1.txt,serial1}

[[email protected] private]# echo 01 > /etc/pki/CA/serial1

4，节点申请证书

1）生成密钥对

[[email protected] ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)

Generating RSA private key, 2048 bit long modulus

...................+++

.............+++

e is 65537 (0x10001)

这时是在另外一台主机上建立生成的密钥对

2）生成证书签署请求

[[email protected] ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)

Generating RSA private key, 2048 bit long modulus

...................+++

.............+++

e is 65537 (0x10001)

[[email protected] ssl]# openssl  req -new -key /etc/httpd/ssl/htt.key  -out /etc/httpd/ssl/htt.csr

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:HA

Locality Name (eg, city) [Default City]:ZZ

Organization Name (eg, company) [Default Company Ltd]:ZZX

Organizational Unit Name (eg, section) []:localhost.localdomain

Common Name (eg, your name or your server‘s hostname) []:cc.ccc.com

Email Address []:

Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

3）把签署请求发送给CA服务器

[[email protected] ssl]# scp htt.csr 172.16.249.55:/etc/pki/CA/csr/

[email protected]‘s password:

htt.csr                                                          100% 1009     1.0KB/s   00:00

5 CA签署证书

[[email protected] CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

The stateOrProvinceName field needed to be the same in the

CA certificate (Henan) and the request (HA)  二者不一致的话，是不签署的，所以要在从新生成一个openssl  req -new -key /etc/httpd/ssl/htt.key  -out /etc/httpd/ssl/htt.csr

[[email protected] CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Aug  1 05:37:57 2014 GMT

Not After : Aug 31 05:37:57 2014 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Henan

organizationName          = MageEdu

organizationalUnitName    = Ops

commonName                = localhost.localdomain

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

90:AB:55:BA:57:63:2E:06:93:FD:EA:50:4B:9E:5B:40:C1:56:43:6E

X509v3 Authority Key Identifier:

keyid:59:50:01:C7:01:0A:49:70:21:71:AE:A4:26:94:25:78:1A:EA:35:14

Certificate is to be certified until Aug 31 05:37:57 2014 GMT (30 days)

Sign the certificate? [y/n]:

3 发送给请求者

[[email protected] CA]# scp csr/htt.crt 172.16.31.1:/root

[email protected]‘s password:

htt.crt                                                          100% 4556     4.5KB/s   00:00

[[email protected] ~]# mv htt.crt  /etc/httpd/ssl  验证机在吧证书放到这个/etc/httpd/ssl目录下

一次CA签证结束，祝您成功~~~

通过openssl建立CA