实验环境:
CentOS release 6.6(Final) 两台
IP地址:
服务器端:172.16.31.3
客户端:172.16.31.2
查看系统书否已安装openSSL执行命令“rpm –qa openssl”
[[email protected] ~]# rpm -qa openssl
openssl-1.0.1e-30.el6.x86_64
OpenSSL本身是一种ssl的开源方式用以实现https的数据加密传输,但OpenSSL的功能绝不仅限于此,OpenSSL提供了两个重要的库:一个是libcrypto,被称为通用加密库,提供了各种加密函数,任何程序都可以调用此库来实现加密功能;另一个是libssl,是一种基于会话的、实现了身份认证、数据机密性和会话完整性的TLS/SSL协议库。另外OpenSSL还提供了一个命令行工具就叫OpenSSL,是一个多用途的命令行工具,提供了很多子命令,调用不同的子命令可以实现不同的功能,诸如单向加密、对称加密和非对称加密、生成密钥对等。OpenSSL本身并没有提供类似“--help”之类的帮助命令,输入OpenSSL后跟任意一个OpenSSL不能识别的命令就会显示输出所有子命令,比如输入“openssl ?”就会看到所有子命令。
下面介绍使用openssl模拟证书颁发机构构建私有CA。
一.配置OpenSSL配置文件
1.配置OpenSSL的配置文件。
可以编辑/etc/pki/tls/openssl.cnf
将其中的“[CA_default ]”段中定义的CA工作目录默认为“/etc/pki/CA”,证书默认有效期等信息根据具体应用环境更改。
在[ req_distinguished_name ]段中设置一下默认的国家代码、所属省份、市区、公司名称、所属部门等信息。
将国家,省份,城市,组织名称写好,方便下次生成CA时更便捷。
二.创建CA自签署证书
1.为CA生成私钥密钥
#cd/etc/pki/CA
#mkdir private
# (umask 077 ; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit longmodulus
..........................................................................................+++
...............................................+++
e is 65537 (0x10001)
命令加括号表示命令在子shell中执行,设定子shell的umask为077,子shell生成的文件将是600的权限,-out指定输出文件位置,2048为密钥长度。
2.创建所需目录和文件
创建所需目录
#mkdir certs newcerts crl
创建证书检索文:
#touch index.txt
创建证书序列号文件并赋初值:
#touch serial
#echo 01 > serial
# ls
cacert.pem certs crl index.txt newcerts private serial
3.创建自签署证书,如果没配置/etc/pki/tls/openssl文件,命令创建自签署证书如下所示:
# opensslreq -new -x509 -keyprivate/cakey.pem -days 35600 -out cacert.pem
You are about to be asked to enterinformation that will beincorporated
into your certificate request.
What you are about to enter is what iscalled a Distinguished Nameor a DN.
There are quite a few fields but you canleave some blank
For some fields there will be a defaultvalue,
If you enter ‘.‘, the field will be leftblank.
-----
Country Name (2 letter code) [CN]:CN #国家名称缩写
State or Province Name (full name) []:HA #省份缩写
Locality Name (eg, city) [Default City]:ZZ #省会缩写
Organization Name (eg, company) [DefaultCompany Ltd]:Test #组织或公司名称
Organizational Unit Name (eg, section)[]:OPS #部门
Common Name (eg, your name or your server‘shostname) []:CA.test.com #主机名
Email Address []:[email protected] #邮件地址
至此CA服务器端创建完成。
三.给节点颁发证书
下面介绍使用此CA为其他应用签署证书。以httpd服务为例:
1.节点申请证书,在申请证书的主机上进行,我这里实验的是http服务,所以我的证书在服务路径下
# cd /etc/httpd/conf/
创建一个目录来保持私钥和证书申请文件
#mkdir certs
#cd /etc/httpd/conf/certs
为httpd服务生成私钥:
# (umask 077 ; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit longmodulus
.............................++++++
.++++++
e is 65537 (0x10001)
# ll
total 4
-rw------- 1 root root 887 Dec 8 14:00 httpd.key
2.生成签署请求文件
我们直接从CA服务器提取Openssl.cnf文件
[[email protected] certs]# scp [email protected]:/etc/pki/tls/openssl.cnf./
然后生成CA证书签署请求文件:
其中很多值都已经写好了
[[email protected] certs]# scp httpd.csr172.16.31.3:/etc/pki/CA/certs/httpd.csr
[email protected]‘s password:
httpd.csr: No such file or directory
[[email protected] certs]# openssl req -new -keyhttpd.key -out httpd.csr -days 35600
You are about to be asked to enterinformation that will beincorporated
into your certificate request.
What you are about to enter is what iscalled a Distinguished Nameor a DN.
There are quite a few fields but you canleave some blank
For some fields there will be a defaultvalue,
If you enter ‘.‘, the field will be leftblank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HA]:
Locality Name (eg, city) [ZZ]:
Organization Name (eg, company) [Test]:
这里的名称必须跟服务器输入的名称一致
Organizational Unit Name (eg, section)[]:OPS
Common Name (eg, your name or your server‘shostname) []:stu1.test.com
这里的名称可以是你的主机名称或者服务器的主机名称
EmailAddress []:[email protected]
Please enter the following ‘extra‘attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] certs]# ls
httpd.csr httpd.key
查看一下申请文件
[[email protected] certs]# cat httpd.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhBMQswCQYDVQQH
DAJaWjENMAsGA1UECgwEVGVzdDEMMAoGA1UECwwDT1BTMRYwFAYDVQQDDA1zdHUx
LnRlc3QuY29tMRwwGgYJKoZIhvcNAQkBFg1zdHUxQHRlc3QuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCd7fN0pVbrqu8LpgbQuSNs/Q7ddG7/NKYPJOyl
cGx+B9znApdUw9tF2Zr5xAtwghJS1rVyoczqy5YAmVnTIAwoKaEatqt95B8DNfRl
4gGn0LBOLf3V8oR/nYOQwig354ebUtn/ktkoBkI80qdXblAiojIHa/5Ucpak23VW
jSKU+wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAFJc2+os1BYxZvmZqN0D/i2R0
PUaTSZzbV5o0cSOrHZpUhTBQ9LJw0JG43eGQlFoFndyOWBhdptHl+KNg5c/VIBs7
0Vd0fyM3CsoR2ep8PVT1sCWev3LTghpu5WkomGgBpWjTi+SBb4/Mp7Si0LnJfN+u
W3nJz6oNtYMHHckdL0g=
-----END CERTIFICATE REQUEST-----
3.将CA证书申请文件发送给CA
[[email protected] certs]# scp httpd.csr172.16.31.3:/etc/pki/CA/certs/httpd.csr
[email protected]‘s password:
httpd.csr 100% 680 0.7KB/s 00:00
检查一下传输成功与否:
[[email protected] CA]# ls certs/
httpd.csr
[[email protected] CA]# cat certs/httpd.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBujCCASMCAQAwejELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhBMQswCQYDVQQH
DAJaWjENMAsGA1UECgwEVGVzdDEMMAoGA1UECwwDT1BTMRYwFAYDVQQDDA1zdHUx
LnRlc3QuY29tMRwwGgYJKoZIhvcNAQkBFg1zdHUxQHRlc3QuY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCd7fN0pVbrqu8LpgbQuSNs/Q7ddG7/NKYPJOyl
cGx+B9znApdUw9tF2Zr5xAtwghJS1rVyoczqy5YAmVnTIAwoKaEatqt95B8DNfRl
4gGn0LBOLf3V8oR/nYOQwig354ebUtn/ktkoBkI80qdXblAiojIHa/5Ucpak23VW
jSKU+wIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAFJc2+os1BYxZvmZqN0D/i2R0
PUaTSZzbV5o0cSOrHZpUhTBQ9LJw0JG43eGQlFoFndyOWBhdptHl+KNg5c/VIBs7
0Vd0fyM3CsoR2ep8PVT1sCWev3LTghpu5WkomGgBpWjTi+SBb4/Mp7Si0LnJfN+u
W3nJz6oNtYMHHckdL0g=
-----END CERTIFICATE REQUEST-----
4.CA签署证书
ca表示签署,-in 指定申请签署文件,-out 指定输出路径和文件名,-days 35600 指定证书有效期
[[email protected]]# openssl ca -in /etc/pki/CA/certs/httpd.csr -out/etc/pki/CA/certs/httpd.crt-days 35600
Using configuration from/etc/pki/tls/openssl.cnf
Check that the request matches thesignature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
NotBefore: Dec 8 06:33:10 2014GMT
NotAfter : May 28 06:33:10 2112 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = Test
organizationalUnitName = OPS
commonName = stu1.test.com
emailAddress [email protected]
X509v3 extensions:
X509v3Basic Constraints:
CA:FALSE
NetscapeComment:
OpenSSL Generated Certificate
X509v3Subject Key Identifier:
9E:C9:9A:33:FC:91:A9:34:CA:16:E5:79:5E:11:5B:BB:BA:61:65:75
X509v3Authority Key Identifier:
keyid:CC:33:C7:0E:59:10:F7:14:AF:F6:5E:85:9E:24:D6:81:14:3F:F5:47
Certificate is to be certified until May 2806:33:10 2112 GMT(35600 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified,commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.把签署好的证书发送给申请者
[[email protected] CA]# scp certs/httpd.crt172.16.31.2:/etc/httpd/conf/certs/
The authenticity of host ‘172.16.31.2(172.16.31.2)‘ can‘t beestablished.
RSA key fingerprintisa4:1d:39:08:30:8c:17:fd:2a:8e:db:da:15:3f:08:e4.
Are you sure you want to continue connecting(yes/no)? yes
Warning: Permanently added ‘172.16.31.2‘(RSA) to the list of knownhosts.
[email protected]‘s password:
httpd.crt 100%3785 3.7KB/s 00:00
在客户端查看证书:
[[email protected] certs]# ls
httpd.crt httpd.csr httpd.key
[[email protected] certs]# openssl x509 -in httpd.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=HA,L=ZZ, O=Test, OU=OPS, CN=CA.test.com/emailAddress=ca[email protected]
Validity
NotBefore: Dec 8 06:33:10 2014GMT
NotAfter : May 28 06:33:10 2112 GMT
Subject: C=CN, ST=HA,O=Test, OU=OPS,CN=stu1.test.com/[email protected]
Subject Public Key Info:
PublicKey Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:9d:ed:f3:74:a5:56:eb:aa:ef:0b:a6:06:d0:b9:
23:6c:fd:0e:dd:74:6e:ff:34:a6:0f:24:ec:a5:70:
6c:7e:07:dc:e7:02:97:54:c3:db:45:d9:9a:f9:c4:
0b:70:82:12:52:d6:b5:72:a1:cc:ea:cb:96:00:99:
59:d3:20:0c:28:29:a1:1a:b6:ab:7d:e4:1f:03:35:
f4:65:e2:01:a7:d0:b0:4e:2d:fd:d5:f2:84:7f:9d:
83:90:c2:28:37:e7:87:9b:52:d9:ff:92:d9:28:06:
42:3c:d2:a7:57:6e:50:22:a2:32:07:6b:fe:54:72:
96:a4:db:75:56:8d:22:94:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3Basic Constraints:
CA:FALSE
NetscapeComment:
OpenSSL Generated Certificate
X509v3Subject Key Identifier:
9E:C9:9A:33:FC:91:A9:34:CA:16:E5:79:5E:11:5B:BB:BA:61:65:75
X509v3Authority Key Identifier:
keyid:CC:33:C7:0E:59:10:F7:14:AF:F6:5E:85:9E:24:D6:81:14:3F:F5:47
Signature Algorithm: sha1WithRSAEncryption
c6:22:10:06:d2:98:fe:61:c0:cf:a8:9d:c7:50:c1:f9:9c:e8:
f9:a2:04:ba:d9:57:9c:8e:e0:59:51:cc:e3:06:21:ef:60:dd:
2c:6c:09:78:ec:cc:d5:46:26:90:e2:90:f5:3d:74:06:d7:3c:
be:b4:d4:a5:25:59:f0:eb:90:1a:37:d4:27:2b:fa:b3:7d:f2:
37:20:91:94:74:31:53:ff:3b:73:52:73:1c:9a:99:cd:c1:6f:
d2:0a:23:23:36:12:95:66:46:be:76:08:ae:e6:da:d8:6e:be:
84:ad:71:0f:ff:68:07:e2:e5:10:16:fc:13:85:fb:9f:b2:a4:
3b:89:9b:a3:7a:0d:5d:2a:f4:f2:a9:64:e9:38:88:12:2f:7b:
65:f9:18:58:61:93:68:d8:62:b3:4c:d7:6b:56:4e:49:01:a6:
3b:77:7a:40:77:d1:f6:c7:fc:7e:b8:e3:40:76:ea:0e:b2:0f:
c2:23:11:d5:c4:16:95:f7:5b:46:ac:44:aa:ae:c5:96:f0:d6:
96:d4:7d:12:59:d1:5e:ce:d0:52:dc:67:bf:23:c6:01:cd:85:
aa:45:7b:15:72:b0:a0:51:7b:30:ba:39:6c:f9:1a:6f:67:05:
c7:af:86:9e:04:70:b2:c8:91:9d:d8:a7:30:56:d0:ca:0d:f3:
58:9b:f4:f5
注意:每一个需要接收服务器发来的证书,并验证证书合法性的客户端主机,都必须拥有CA的证书才能进行。
我们可以在CA服务器查看索引数据库和serial文件来查看颁发的证书的简要信息:
[[email protected] CA]# cat index.txt
V 21120528063310Z 01 unknown/C=CN/ST=HA/O=Test/OU=OPS/CN=stu1.test.com/[email protected]
[[email protected] CA]# cat serial
02
四.吊销证书
1.在客户端获取证书的serial
[[email protected] certs]# openssl x509 -in httpd.crt -noout -subject -serial
subject=/C=CN/ST=HA/O=Test/OU=OPS/CN=stu1.test.com/[email protected]
serial=01
2.根据证书持有者提供的serial和subject信息来与index.txt数据库文件中的信息比较是否一致
[[email protected] CA]# cat index.txt
V 21120528063310Z 01 unknown /C=CN/ST=HA/O=Test/OU=OPS/CN=stu1.test.com/[email protected]
[[email protected] CA]# ls newcerts/
- pem
3.生成吊销证书的编号(如果第一次吊销)
[[email protected] CA]# echo 01 >/etc/pki/CA/crlnumber
4.吊销证书
[[email protected] CA]# openssl ca -revoke newcerts/01.pem
Using configuration from/etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[[email protected] CA]# cat index.txt
R 21120528063310Z 141208065437Z 01 unknown /C=CN/ST=HA/O=Test/OU=OPS/CN=stu1.test.com/[email protected]
5.更新证书吊销列表
[[email protected] crl]# openssl ca -gencrl -out ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
[[email protected] crl]# file ca.crl
ca.crl: ASCII text
[[email protected] crl]# openssl crl -in ca.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=HA/L=ZZ/O=Test/OU=OPS/CN=CA.test.com/[email protected]
Last Update: Dec 8 06:57:56 2014GMT
Next Update: Jan 7 06:57:56 2015GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Dec 8 06:54:372014 GMT
Signature Algorithm: sha1WithRSAEncryption
85:37:14:3d:b8:aa:8a:82:39:fe:80:20:a0:ec:8f:15:a9:dd:
2e:06:e3:78:63:48:dd:ab:4f:fb:bd:c6:c4:ca:52:dc:d4:aa:
71:6f:70:92:50:bc:39:97:f9:ac:10:4b:50:44:cc:b7:c4:0d:
2c:3c:f2:ce:f5:1e:0a:b7:b0:3a:30:33:62:98:cd:d5:a9:ea:
1e:94:50:32:fc:81:4f:92:27:7e:e7:00:3e:ff:a9:d9:92:a4:
6f:11:7b:42:fe:b7:53:b3:e5:d4:4d:7d:c0:49:46:31:1a:8f:
39:62:95:0b:40:54:f1:ab:4b:80:89:d1:73:26:0f:ff:c7:fa:
12:21:34:c8:97:82:5b:09:e8:e8:42:21:5d:03:71:c3:50:d7:
6e:58:d5:56:b3:c9:89:68:14:6d:7f:09:68:de:9e:e6:ec:e3:
9d:e0:af:72:28:95:36:0f:32:2a:a5:bb:81:e8:63:46:ad:76:
f8:0b:02:df:a7:5e:ab:bf:b4:ae:45:20:1a:de:d6:db:dc:9c:
94:8e:32:e4:76:67:70:96:11:7b:13:12:f2:95:08:da:3f:6b:
68:ed:47:b0:af:a0:ee:de:86:af:66:c3:d6:42:30:8b:05:f8:
7a:45:6d:cc:f3:f4:fb:3c:b8:9a:e9:17:fc:92:18:52:fe:76:
7c:25:18:d6
至此,利用OpenSSL构建私有CA服务器就实验完毕!