获取证书的两种方法:
- 使用证书授权机构
生成签名请求(csr)
将csr发送给CA
从CA处接收签名
- 自签名证书
自己签发自己的公钥
自建CA颁发机构和自签名
实验用两台机器,一台做CA颁发证书,一台做客户端申请证书
证书申请以及签署的步骤:
1、生成申请请求
2、CA核验
3、CA签署
4、获取证书
在实验开始之前,我们先来看一下openssl的配置文件:/etc/pki/tls/openssl.cnf
# /etc/pki/tls/openssl.cnf — the [ ca ] / [ CA_default ] sections read by `openssl ca`
# when this machine acts as the certificate authority. The [ usr_cert ] section that
# x509_extensions points at is defined elsewhere in the file and is not shown here.
[ ca ]
default_ca = CA_default # The default ca section (the default CA profile; CA_default is the first section below)
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (the dir variable referenced as $dir below)
certs = $dir/certs # Where the issued certs are kept (issued certificate directory)
crl_dir = $dir/crl # Where the issued crl are kept (revoked certificate directory)
database = $dir/index.txt # database index file. (index of every issued certificate; must exist before signing)
new_certs_dir = $dir/newcerts # default place for new certs. (default location for new certificates)
certificate = $dir/cacert.pem # The CA certificate (the CA's own certificate)
serial = $dir/serial # The current serial number (current serial; empty by default, may be seeded to start from 01)
crlnumber = $dir/crlnumber # the current crl number (number of the next CRL)
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL (the current revocation list)
# The CA private key: keep it readable by the CA user only — the lab creates it under umask 066.
private_key = $dir/private/cakey.pem # The private key (the CA's private key)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert (section not shown here)
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options (options for the subject / subscriber)
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# (copying extensions from the request lets the requester choose them — keep it off unless needed)
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for (default validity is 365 days)
default_crl_days = 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
# policy_match below: a request whose "match" fields differ from the CA certificate is refused
policy = policy_match # which matching policy applies
# For the CA policy
[ policy_match ]
countryName = match # country name must match the CA certificate
stateOrProvinceName = match # state or province name must match
organizationName = match # organization name must match
organizationalUnitName = optional # organizational unit may be present or absent
commonName = supplied # must be present in the request
emailAddress = optional # email address may be present or absent
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Excerpt of [ CA_default ]: the keys this lab depends on. Every path is relative to dir,
# and the index/serial files below are created by the commands that follow.
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem # The private key
1、创建所需要的文件
touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号
2、 CA自签证书
生成私钥(umask 066 使私钥文件只对属主可读写; -des 表示用口令加密私钥文件,新版 OpenSSL 更推荐 -aes256)
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des 2048)
生成自签名证书(-x509 表示直接输出自签名证书而不是 csr; -days 7300 即约 20 年有效期)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
时间: 2024-10-08 07:50:59