A digital certificate provides electronic authentication for secure communication between two parties. On the Internet, an intranet or an extranet, certificates are used both to identify the peer and to set up encryption. A certificate binds the public half of a key pair to identifying information about its owner, and the CA's signature over that binding is what a verifier checks: if the signature validates against a CA the verifier trusts, the holder of the matching private key is authenticated. The private key itself is never part of the certificate and never leaves its owner.
Steps for requesting and signing a certificate:
1. Generate the certificate signing request (CSR) on the host that needs the certificate;
2. The RA verifies the requester's identity;
3. The CA signs the request;
4. The requester retrieves the signed certificate.
Creating a private CA
1. Create the files that openssl ca expects under /etc/pki/CA: index.txt is the (initially empty) database of issued certificates, and serial holds the serial number the next certificate will get. The certs, crl, newcerts and private directories already exist on CentOS.
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ls
certs crl index.txt newcerts private serial
2. Generate the CA's self-signed certificate. The key must go under private/, which is the private_key path set in /etc/pki/tls/openssl.cnf and the path the openssl req command below uses; the umask keeps it readable by root only:
[[email protected] CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
..............................++
...............................................................................++
e is 65537 (0x10001)
[[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 365 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Dk
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.xiong.cn
Email Address []:[email protected]
What the options do:
-new: generate a new certificate signing request;
-x509: output a self-signed certificate instead of a request; used only for the CA's own certificate;
-key: the private key that signs the request (and, with -x509, the certificate);
-days n: validity period in days; this only has an effect together with -x509, since a CSR carries no validity. 365 days is short for a CA: every certificate it issued stops validating the day the CA certificate expires, so a private root is usually given several years;
-out /PATH/TO/SOMECERTFILE: where to write the certificate.
Two defaults worth overriding: the openssl.cnf shipped with older CentOS uses sha1 as default_md, so add -sha256 here (and -md sha256 to openssl ca later), and the CA certificate should carry basicConstraints CA:TRUE and keyUsage keyCertSign, which the v3_ca section of openssl.cnf provides when req -x509 picks it up.
Look at the two files just created, cakey.pem and cacert.pem. The listing below shows cakey.pem directly under /etc/pki/CA, which is where a genrsa -out /etc/pki/CA/cakey.pem would put it; it belongs under private/ (mode 0600, as the umask gives it), because that is where openssl.cnf and the openssl req command above look for it.
[[email protected] CA]# ls -l
total 28
-rw-r--r-- 1 root root 1399 Jun 14 19:51 cacert.pem
-rw------- 1 root root 3247 Jun 14 19:06 cakey.pem
drwxr-xr-x. 2 root root 4096 Jun 14 18:50 certs
drwxr-xr-x. 2 root root 4096 Feb 20 23:49 crl
-rw-r--r-- 1 root root 0 Jun 14 19:03 index.txt
drwxr-xr-x. 2 root root 4096 Jun 14 18:48 newcerts
drwx------. 2 root root 4096 Jun 14 18:17 private
-rw-r--r-- 1 root root 3 Jun 14 19:03 serial
Generate the certificate request on the client host (here the web server that needs the certificate). The key is generated with the same restrictive umask; the request is signed with that key but contains only the public key. Do not pass -days to this openssl req: a request has no validity period, the CA sets it at signing time. Note also that the request below identifies the server only through the Common Name; browsers have matched the hostname against the subjectAltName extension rather than CN for years, so a request for a real web server should carry subjectAltName = DNS:www.xiong.cn as well.
[[email protected] ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
..................................................................................++
............................................................................................................++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Dk
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.xiong.cn
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:centos
Look at the two files generated on the client. Both 'extra' attributes above can simply be left blank: the challenge password is stored inside the CSR and is ignored by openssl ca; it is not a passphrase on the key.
[[email protected] ssl]# ls
httpd.csr httpd.key
Send httpd.csr to the CA so it can be signed. Only the request travels; httpd.key stays on the web server. For this experiment the request is uploaded to /tmp on the CA; a real setup would use a dedicated directory, /tmp is used here only for convenience. When scp asks about the host key, compare the fingerprint shown with one obtained out of band before answering yes; the CA is the one host whose identity you do not want to take on faith.
[[email protected] ssl]# scp httpd.csr [email protected]:/tmp/
The authenticity of host '192.168.2.30 (192.168.2.32)' can't be established.
ECDSA key fingerprint is 62:d9:92:9a:3a:be:c1:82:6a:96:36:da:b7:9d:e3:a9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.32' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 1801 1.8KB/s 00:00
[[email protected] ssl]#
Then sign the request on the CA. openssl ca reads its paths and policy from /etc/pki/tls/openssl.cnf, increments serial, and records the issued certificate in index.txt and newcerts/:
[[email protected] CA]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 14 15:20:46 2017 GMT
Not After : Jun 14 15:20:46 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Dk
organizationalUnitName = Ops
commonName = www.xiong.cn
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:6B:FF:B5:74:93:4F:ED:36:BC:23:2F:77:66:4D:31:48:BF:23:A6
X509v3 Authority Key Identifier:
keyid:8C:D9:52:FD:D6:EC:86:99:DE:14:D4:A8:D9:C5:01:CF:69:DA:E2:D1
Certificate is to be certified until Jun 14 15:20:46 2018 GMT (365 days)
Here openssl ca asks whether to sign the request and then whether to commit it to the database; answer y to both. Notice that the Locality field from the request is missing from the Subject above: the default policy_match policy in openssl.cnf lists only countryName, stateOrProvinceName and organizationName (which must match the CA's own values, otherwise signing fails), organizationalUnitName and emailAddress (optional) and commonName (required); fields not listed in the policy are silently dropped from the issued certificate.
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Inspect the signed certificate; the output is long, so only the beginning is shown. Two things to check here: the Signature Algorithm is sha1WithRSAEncryption, because default_md in this openssl.cnf is sha1, and SHA-1 signatures are rejected by current browsers and TLS libraries, so pass -md sha256 to openssl ca (or set default_md = sha256); and there is no Subject Alternative Name, because the request did not ask for one.
[[email protected] CA]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=Dk, OU=Ops, CN=ca.xiong.cn/[email protected]
Validity
Not Before: Jun 14 15:20:46 2017 GMT
Not After : Jun 14 15:20:46 2018 GMT
Subject: C=CN, ST=Beijing, O=Dk, OU=Ops, CN=www.xiong.cn/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Finally copy the signed certificate from the CA back to the target directory on the client. cacert.pem should travel with it: the web server references its own certificate and key (SSLCertificateFile and SSLCertificateKeyFile in mod_ssl), but any browser or client that is supposed to trust www.xiong.cn must have the CA certificate installed as a trust anchor, since nothing outside this private CA vouches for it.
[[email protected] CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/
Address 192.168.2.30 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
[email protected]'s password:
httpd.crt 100% 6051 5.9KB/s 00:00
Check the certificate in the target directory on the client. (The POSSIBLE BREAK-IN ATTEMPT line above is OpenSSH's reverse-DNS check: 192.168.2.30 resolves to the name bogon, which does not resolve back to that address. It is a DNS configuration issue on the lab network, not a sign that the copy failed.)
[[email protected] ~]# ls /etc/httpd/ssl/
httpd.crt httpd.csr httpd.key
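The whole procedure above, as an added example that is not part of the original post: it builds a throwaway private CA in a temporary directory that stands in for /etc/pki/CA, generates a server key and a request with a subjectAltName, signs it with openssl ca and checks the result. It needs only the openssl CLI. The DN values and hostnames are the made-up ones from the post, and the configuration it writes is an assumed cut-down stand-in for the distro openssl.cnf, kept to the sections the procedure actually uses.

```shell
#!/bin/sh
# Added example, not from the original post: the CA procedure above, run
# unattended in a throwaway directory that stands in for /etc/pki/CA.
# Needs only the openssl CLI. DN values and hostnames are made up; the
# config written below is a cut-down stand-in for the distro openssl.cnf.
set -eu

make_ca() {                       # $1 = CA directory (the /etc/pki/CA of the post)
  ca="$1"
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
  chmod 700 "$ca/private"
  : > "$ca/index.txt"             # empty certificate database
  echo 01 > "$ca/serial"          # serial of the first certificate to issue
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_match
copy_extensions = copy
x509_extensions = server_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
  # The key lives under private/ (where private_key above points), mode 0600.
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 4096 2>/dev/null)
  # Self-signed root: SHA-256, ten years, explicit CA:TRUE and keyCertSign.
  openssl req -new -x509 -sha256 -days 3650 -config "$ca/openssl.cnf" \
    -key "$ca/private/cakey.pem" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Dk/OU=Ops/CN=ca.xiong.cn" \
    -out "$ca/cacert.pem"
}

make_csr() {                      # $1 = web-server dir, $2 = hostname
  dir="$1"; host="$2"
  mkdir -p "$dir"
  (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
  # Browsers match the hostname against subjectAltName, not CN, so the
  # request carries a SAN; a CSR has no validity period, so no -days here.
  printf '[ req ]\ndistinguished_name = req_dn\nreq_extensions = v3_req\n[ req_dn ]\n[ v3_req ]\nsubjectAltName = DNS:%s\n' \
    "$host" > "$dir/httpd.cnf"
  openssl req -new -sha256 -config "$dir/httpd.cnf" -key "$dir/httpd.key" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Dk/OU=Ops/CN=$host" -out "$dir/httpd.csr"
}

sign_csr() {                      # $1 = CA dir, $2 = CSR, $3 = output cert
  # -batch answers the two y/n prompts; -md sha256 avoids sha1WithRSAEncryption.
  # copy_extensions=copy takes the SAN from the CSR, but server_cert in the
  # config wins for basicConstraints, so a CSR asking for CA:TRUE is ignored.
  openssl ca -batch -config "$1/openssl.cnf" -md sha256 -days 365 -notext \
    -in "$2" -out "$3"
}

cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$2"; }

WORK=$(mktemp -d)
make_ca "$WORK/CA"
make_csr "$WORK/server" www.xiong.cn
sign_csr "$WORK/CA" "$WORK/server/httpd.csr" "$WORK/CA/certs/httpd.crt"
# Ship the issued cert back, plus cacert.pem so clients can be told to trust it.
cp "$WORK/CA/certs/httpd.crt" "$WORK/CA/cacert.pem" "$WORK/server/"
verify_chain "$WORK/CA" "$WORK/server/httpd.crt"
cert_subject "$WORK/server/httpd.crt"   # no L= field: policy_match drops it
```

Running it prints the verify result and the issued subject; the subject comes back without the L=Beijing that the request contained, which is the policy_match behaviour seen in the post's own output, and serial has moved on to 02 with a V line in index.txt. Distrusting CSR-supplied extensions in this way (copy, not copyall, plus an explicit basicConstraints in the CA's extension section) is the one setting that keeps a requester from minting an intermediate CA with this root.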
This is my first blog post and there are surely many problems in it; if you spot any, please point them out. Many thanks.