OpenSSL: Building a Private CA

CA server: el7-2 (172.16.1.51), issues certificates

CA client: el7-1 (172.16.1.52), requests certificates

1) CA self-signed certificate


################### Generate the CA private key

[[email protected] ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
............................................................+++
...................................................................................................................................................................+++

################### Self-sign the CA certificate

[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:yantai
Organization Name (eg, company) [Default Company Ltd]:jying
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:cert.jying.com
Email Address []:

2) Client creates its private key and certificate signing request


##################### Generate the client private key

[[email protected] ~]# openssl genrsa -out ClientPrivateKey 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...............................................................................................+++
e is 65537 (0x10001)

##################### Create the certificate signing request (some fields must match those of the CA)

[[email protected] ~]# openssl req -new -key ClientPrivateKey -out ClientReq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:yantai
Organization Name (eg, company) [Default Company Ltd]:jying
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:www.jying.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

##################### Send the request to the CA

[[email protected] ~]# scp ClientReq.csr [email protected]:/etc/pki/CA
The authenticity of host '172.16.1.52 (172.16.1.52)' can't be established.
ECDSA key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.
ECDSA key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.52' (ECDSA) to the list of known hosts.
[email protected]'s password:
ClientReq.csr                                  100% 1005   900.4KB/s   00:00

3) CA issues the certificate


##################### Create the certificate database

[[email protected] CA]# touch index.txt

##################### Create the serial number file

[[email protected] CA]# echo 01 >serial

##################### Issue the certificate

[[email protected] CA]# openssl ca -in ClientReq.csr -out newcerts/Client.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 12 05:11:17 2018 GMT
            Not After : May 12 05:11:17 2019 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = shandong
            organizationName          = jying
            organizationalUnitName    = web
            commonName                = www.jying.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9
            X509v3 Authority Key Identifier:
                keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

Certificate is to be certified until May 12 05:11:17 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

######################## Send the certificate to the client

[[email protected] CA]# scp newcerts/Client.crt [email protected]:~
The authenticity of host '172.16.1.51 (172.16.1.51)' can't be established.
ECDSA key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.
ECDSA key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.51' (ECDSA) to the list of known hosts.
[email protected]'s password:
Client.crt                                     100% 4438     3.7MB/s   00:00

#################### Inspect the certificate on the client

[[email protected] ~]# openssl x509 -in Client.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=shandong, L=yantai, O=jying, OU=1, CN=jying.com
        Validity
            Not Before: May 12 05:11:17 2018 GMT
            Not After : May 12 05:11:17 2019 GMT
        Subject: C=cn, ST=shandong, O=jying, OU=web, CN=www.jying.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:b2:57:14:ba:a4:ed:b0:14:ed:52:2e:f2:4c:
                    0e:e9:59:ab:6b:79:8a:ac:95:11:d3:b1:0c:61:12:
                    08:d6:19:73:6e:63:5b:1c:8e:3e:5c:02:da:95:5a:
                    b7:58:94:bd:66:c1:eb:22:15:84:7e:73:63:45:ed:
                    b2:24:e4:fa:c9:6c:6f:80:a0:78:63:bf:03:62:4f:
                    71:e1:2f:62:98:1e:7c:ab:f7:c3:f3:0d:e1:be:8c:
                    12:55:bf:82:c4:8c:03:63:ff:31:43:40:45:ac:5e:
                    fd:d7:3e:bb:a2:89:2c:9a:ea:a1:4f:70:17:29:da:
                    2c:aa:3b:7b:45:45:f8:c4:fd:b9:71:31:59:17:63:
                    e5:95:35:7e:55:99:6f:40:5a:63:2f:b1:ae:b5:41:
                    ad:54:4e:33:e6:c4:49:86:1d:68:23:0a:9a:40:e9:
                    b4:fd:da:e6:07:7e:71:73:c2:17:d6:8e:af:a8:e7:
                    39:5f:8e:79:0e:a9:78:13:09:30:df:ba:ff:d1:db:
                    47:9f:95:7c:fb:24:a4:b8:24:34:ab:a8:25:ec:d2:
                    e3:64:09:4d:1c:87:ac:de:b9:5c:54:27:c2:56:a3:
                    22:a2:fb:11:1e:69:57:cf:40:b5:33:69:4d:7c:5b:
                    e4:4f:a6:1d:73:cd:c0:da:69:cc:59:b6:3b:43:49:
                    8e:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9
            X509v3 Authority Key Identifier:
                keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

    Signature Algorithm: sha256WithRSAEncryption
         65:59:b1:68:14:79:c2:30:07:57:5a:fe:04:9b:bb:c4:b0:d5:
         31:bb:70:08:32:14:63:18:79:ea:3d:e7:cc:33:7f:4f:8b:2a:
         e4:a5:6c:81:34:99:cb:0e:15:f3:3c:14:96:6a:ea:f7:30:f1:
         d3:f4:4d:8e:7d:99:02:c9:a1:10:8c:38:64:52:a7:1e:b6:73:
         ac:56:74:1b:25:b6:ab:d3:cd:6d:22:7e:14:8d:aa:63:eb:15:
         8b:61:c2:58:6f:0a:6d:a5:e1:c5:32:99:62:04:14:6f:5b:a0:
         30:e7:8f:0e:bd:f2:7e:d0:79:69:f1:c7:29:26:87:15:b5:21:
         0a:9e:0e:09:98:ab:39:7b:a0:4f:61:5e:da:0d:ab:00:9e:39:
         e1:85:c4:9c:9e:ff:bc:74:4c:d9:03:ad:03:3d:d7:3e:56:46:
         f3:06:d2:2d:52:f5:27:53:e4:ca:84:24:a6:c8:09:35:9d:28:
         90:f7:12:04:df:f6:07:59:c2:ed:85:e8:2f:30:9e:d9:91:d5:
         a8:4f:f8:a7:aa:6e:3e:8c:2f:6f:17:15:67:52:69:7d:fa:ce:
         e5:64:b5:50:70:d6:30:b4:ad:26:b7:61:c2:9a:5c:64:68:e2:
         72:93:6d:a8:d1:8e:26:d4:52:3d:8b:ac:27:5d:73:00:c4:bc:
         65:ca:b7:63

Revoking a certificate


###################### Revoke the certificate

[[email protected] CA]# openssl ca -revoke /etc/pki/CA/newcerts/Client.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.

##################### Create the CRL number file

[[email protected] CA]# echo 01 >/etc/pki/CA/crlnumber

##################### Generate the CRL

[[email protected] CA]# openssl ca -gencrl -out /etc/pki/CA/crl/jying_web.crl

##################### Inspect the CRL

[[email protected] CA]# openssl crl -in /etc/pki/CA/crl/jying_web.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=cn/ST=shandong/L=yantai/O=jying/OU=1/CN=jying.com
        Last Update: May 12 05:24:41 2018 GMT
        Next Update: Jun 11 05:24:41 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: May 12 05:23:39 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
         94:e3:a5:c3:9b:da:f8:d8:38:dd:ca:5c:b5:a2:b6:4b:0f:fc:
         3c:a4:07:d5:a4:61:9a:d9:9f:60:74:2f:c2:58:41:67:cc:f4:
         b7:03:e1:01:6e:69:ea:a0:8f:be:7a:7f:be:75:90:fd:b5:95:
         79:98:9d:02:aa:4e:bb:b1:9d:c4:df:8b:ac:86:8e:b7:da:af:
         56:6e:40:57:7e:d2:7d:fe:08:bb:04:54:56:82:0a:17:32:65:
         52:41:9f:49:1b:42:c4:c7:5d:4e:83:5c:cc:07:dc:d2:7b:8b:
         1c:36:4e:20:5b:af:05:87:07:29:5c:bb:b9:dc:42:e1:54:db:
         77:8c:03:96:e2:28:9a:2c:e7:26:1d:be:37:93:5b:7c:96:50:
         30:55:ea:54:d4:c9:8d:df:13:21:1c:ff:c2:ae:dd:35:65:a3:
         ba:eb:f1:86:13:a1:06:85:40:74:c9:c2:42:b3:5f:ba:8d:0b:
         73:33:52:7d:4a:fe:2d:b7:33:20:ce:4f:de:1b:8e:ea:87:40:
         e3:fb:79:23:d3:dd:62:65:71:87:d8:fd:cb:36:3e:b8:39:27:
         86:de:02:ed:9a:ec:c4:a2:35:08:a0:e4:1f:05:a6:c7:7e:24:
         06:18:bc:91:0d:54:fa:18:5d:07:9e:93:6b:3e:0c:13:c2:3a:
         2d:02:d1:2a
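The whole flow above (CA key and self-signed certificate, client CSR, `openssl ca` issuance, revocation and CRL) as an added example that is not part of the original post: a POSIX shell script that runs it non-interactively in a scratch directory with its own minimal openssl.cnf in place of /etc/pki/tls/openssl.cnf, and finishes with `openssl verify -crl_check`, which the post does not show, to confirm that the issued certificate is accepted until it is revoked and rejected afterwards. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed; the directory and file names are constructed for the demo.

```shell
# Added example, not the post's own commands: the same private-CA flow, run non-interactively
# (-subj, -batch) in a scratch directory with a minimal openssl.cnf. Assumes the openssl CLI (1.1.1+).
set -eu
setup_ca() {   # $1 = directory laid out the way `openssl ca` expects (the page uses /etc/pki/CA)
  mkdir -p "$1/private" "$1/newcerts" "$1/crl" && chmod 700 "$1/private"  # keep the CA key unreadable
  touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"   # database and counters
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = demo_policy
# subject fields not listed in the policy are silently dropped (that is why the page's cert has no L=yantai)
[ demo_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
  # -days is explicit: without it `req -x509` signs the CA certificate for only 30 days
  openssl req -new -x509 -days 3650 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
    -addext "basicConstraints=critical,CA:TRUE" -out "$1/cacert.pem" \
    -subj "/C=cn/ST=shandong/L=yantai/O=jying/OU=tech/CN=cert.jying.com"
}
issue_cert() {   # $1 = CA dir, $2 = path prefix for the client's key, CSR and certificate
  openssl genrsa -out "$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$2.key" -out "$2.csr" \
    -subj "/C=cn/ST=shandong/L=yantai/O=jying/OU=web/CN=www.jying.com"  # C, ST, O must match the CA
  openssl ca -batch -days 365 -config "$1/openssl.cnf" -in "$2.csr" -out "$2.crt" 2>/dev/null
}
revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null; }
check_cert() {   # regenerate the CRL, then print valid / revoked / invalid for certificate $2
  openssl ca -gencrl -crldays 30 -config "$1/openssl.cnf" -out "$1/crl/ca.crl" 2>/dev/null
  out=$(openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/ca.crl" "$2" 2>&1) || true
  case "$out" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo valid ;; *) echo invalid ;; esac
}
```

Typical use: `D=$(mktemp -d); setup_ca "$D"; issue_cert "$D" "$D/www"; check_cert "$D" "$D/www.crt"` prints `valid`, and after `revoke_cert "$D" "$D/www.crt"` the same check prints `revoked`.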

Original article: http://blog.51cto.com/jying/2115481

Date: 2024-08-05 16:01:27
