Setting up a CA server on Linux

 

1 What is a CA

 

A CA (Certificate Authority) issues, manages, archives and revokes certificates. A certificate binds a public key to its owner's identity: it contains the owner's name, address and e-mail address, the public key, the validity period, the name of the issuing CA and the CA's digital signature over all of that. Certificates serve three main purposes: encryption, digital signatures and authentication. Anyone who trusts the CA's certificate can check the signature and therefore trust the binding, which is why the CA's private key is the most sensitive file in the whole setup.

 

2 Setting up the CA server

 

2.1 Reviewing the configuration file

openssl ca takes its settings from /etc/pki/tls/openssl.cnf (the path it reports in section 4.1). The parts that matter for running a CA are shown below, with the file's own comments kept and the meaning of each setting explained after them:

 

[ ca ]
default_ca = CA_default            # The default ca section: the section below that the ca command uses

####################################################################
[ CA_default ]

dir           = /etc/pki/CA        # Where everything is kept: the CA's home directory
certs         = $dir/certs         # Where the issued certs are kept
crl_dir       = $dir/crl           # Where the issued crl are kept
database      = $dir/index.txt     # database index file: one line per issued certificate
#unique_subject = no               # Set to 'no' to allow creation of
                                   # several certificates with same subject.
                                   # Left commented out, so the default (yes) applies: a second
                                   # request with the same subject is refused while the first
                                   # certificate is still valid in the database.
new_certs_dir = $dir/newcerts      # default place for new certs: a copy of each issued certificate, named <serial>.pem

certificate   = $dir/cacert.pem    # The CA certificate: the CA's own self-signed certificate
serial        = $dir/serial        # The current serial number: the serial the next certificate will get
crlnumber     = $dir/crlnumber     # the current crl number
                                   # must be commented out to leave a V1 CRL
crl           = $dir/crl.pem       # The current CRL: the current certificate revocation list
private_key   = $dir/private/cakey.pem   # The private key: the CA's own private key
RANDFILE      = $dir/private/.rand # private random number file

x509_extensions = usr_cert         # The extensions to add to the cert: the usr_cert section further down
                                   # gives issued certificates basicConstraints CA:FALSE, so they cannot sign other certificates

default_days  = 365                # how long to certify for: validity of issued certificates unless -days is given

policy        = policy_match       # certificate issuance policy; the section is right below

# For the CA policy
[ policy_match ]
countryName            = match     # match: the request's value must equal the CA certificate's own value
stateOrProvinceName    = match     # supplied: the request must contain the field; optional: it may be absent
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

Further down, in the [ req_distinguished_name ] section, are the defaults offered at the interactive prompts:

countryName_default = XX           # default country (two-letter code); defaults for province, city, company and so on follow

Two settings deserve a change before the CA is used for real. dir = ../../CA is a relative path in some stock files and fails unless openssl ca is run from a particular directory (section 4.1 hits exactly this; set it to /etc/pki/CA). And default_md, not shown above, is still sha1 on this system, as the sha1WithRSAEncryption in the CRL of section 5.6 shows; set default_md = sha256, because SHA-1 signatures are rejected by current clients.

 

2.2 Generating the CA private key

 

[root@localhost CA]# cd /etc/pki/CA/                                           # change to the CA directory
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   # the genrsa subcommand creates the private key
Generating RSA private key, 2048 bit long modulus
..+++
......................................+++
e is 65537 (0x10001)

Note: the parentheses run the commands in a subshell, so the umask 077 applies only there and the interactive shell's umask is unchanged; the commands inside are separated by ";". With umask 077 the key file is created with mode 0600, readable by root only, which is what a CA key needs: anyone who can read it can issue certificates that every client trusting this CA will accept. -out names the file to write (without it the key is printed to the terminal). 2048 is the key length in bits; OpenSSL 1.0.x defaults to 1024, which is too weak to use, so 2048 is the minimum and 4096 is common for a root CA. Check the result with ls -l private/cakey.pem, which must show -rw-------.

 

2.3 Generating the self-signed CA certificate

 


[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.com
Email Address []:caadmin@linuxpanda.com

  • req: create a certificate signing request (CSR)
  • -x509: output a self-signed certificate instead of a request
  • -days n: validity of the certificate in days
  • -new: start a new request, prompting for the DN fields
  • -key /path/to/keyfile: the private key to use; its public half goes into the certificate
  • -out /path/to/somefile: where to write the certificate

Two things to note. The Country, State and Organization entered here are the values every later request must repeat exactly, because the CA policy is policy_match (section 2.1). And -days 365 is short for a CA certificate: certificates it issues cannot be validated after it expires, and section 4.1 issues them for 365 days too, so a root CA is normally given several years (for example -days 3650). Because openssl req -x509 applies the v3_ca extensions from the configuration file, the result carries basicConstraints CA:TRUE, which section 2.4 lets you confirm.

2.4 Inspecting the CA certificate

[root@localhost CA]# openssl x509 -in cacert.pem -noout -text

Check that Issuer and Subject are identical (a self-signed certificate), that X509v3 Basic Constraints says CA:TRUE, and that Validity is the period you intended.

 

2.5 Initializing the CA working directory

[root@localhost CA]# touch index.txt serial      # create the index.txt and serial files
[root@localhost CA]# echo 01 >serial             # write the initial serial number
[root@localhost CA]# mkdir csr crl newcerts      # create the csr, crl and newcerts directories

  • index.txt: the certificate database; openssl ca appends one line per issued certificate (status, expiry, serial, subject)
  • serial: the serial number of the next certificate; seeded once here, incremented by openssl ca after every issuance
  • csr: where incoming certificate requests are kept
  • crl: where the revocation list is written
  • newcerts: openssl ca stores a copy of every issued certificate here as <serial>.pem

index.txt must exist (empty is fine) and serial must hold a hexadecimal value before openssl ca will run, and newcerts must exist too, otherwise signing fails with the error shown in section 4.1. A crlnumber file is needed as well before the first CRL is generated (section 5.4).
 

3 The node requests a certificate

3.1 Generating the key pair

[root@localhost CA]# cd /etc/httpd/ssl                # go to httpd's ssl configuration directory
-bash: cd: /etc/httpd/ssl: No such file or directory
[root@localhost CA]# ls
cacert.pem index.txt private serial
[root@localhost CA]# cd /etc/httpd/                    # look at what the directory contains
[root@localhost httpd]# ls
conf conf.d logs modules run
[root@localhost httpd]# mkdir ssl                      # create the ssl directory that will hold the key and certificate
[root@localhost httpd]# (umask 077; openssl genrsa -out ssl/httpd.key 2048)   # generate the server's private key
Generating RSA private key, 2048 bit long modulus
.+++
............................+++
e is 65537 (0x10001)

The key pair is generated on the node that will use it, with the same umask 077 idiom as in section 2.2. Only the public key leaves the machine, inside the request created in section 3.2; the private key stays in /etc/httpd/ssl with mode 0600.

 

3.2 Generating the certificate signing request

[root@localhost httpd]# openssl req -new -key ssl/httpd.key -out ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:tech1.linuxpanda.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Without -x509, openssl req produces a request (CSR) signed with the node's own key rather than a certificate. Country, State and Organization are entered exactly as on the CA (CN, HENAN, ZKYT), because policy_match rejects a request whose values differ. Common Name must be the host name clients will connect to (tech1.linuxpanda.com). Leave the challenge password empty; openssl ca does not use it. Note that current browsers match the host name against the subjectAltName extension and ignore the Common Name, and the interactive prompt does not ask for one, so for a web server add a subjectAltName through a req_extensions section in the configuration file, or with -addext on OpenSSL 1.1.1 and later, when creating the request.

 

3.3 Sending the CSR to the CA server

[root@localhost httpd]# scp ssl/httpd.csr 192.168.137.100:/etc/pki/CA/csr/httpd.csr
root@192.168.137.100's password:
httpd.csr 100% 1013 1.0KB/s 00:00
[root@localhost httpd]# ls /etc/pki/CA/csr
httpd.csr

Only the .csr file is copied; the key never leaves the node. The request contains nothing secret, so the channel does not need to be confidential, but the CA operator should confirm out of band that it really came from the administrator of tech1.linuxpanda.com before signing it: the CA's signature is what turns the request into a credential.
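The node-side steps of section 3 collected into one non-interactive script, with the subjectAltName that the interactive prompt omits and a pre-flight check that either side can run on the request before it is sent or signed. This is an added example, not part of the original page: the host name, the DN values and the file names are assumptions taken from the transcript above, and the script writes into whatever directory it is given rather than /etc/httpd/ssl.

```shell
#!/bin/sh
# Node side: private key + CSR with a subjectAltName, then checks on the CSR.
# Added example (not from the page); host name, DN values and paths are assumptions.

# make_server_csr DIR HOST: writes DIR/httpd.key (mode 0600) and DIR/httpd.csr.
make_server_csr() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # Minimal request config: the DN comes from -subj, the [ san ] section adds the
    # subjectAltName that browsers require for host name matching.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = san
[ req_dn ]
commonName = Common Name
[ san ]
subjectAltName = DNS:$host
EOF
    # Same idiom as the page: umask 077 in a subshell, so the key is created 0600
    # and the caller's umask is untouched.
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null) || return 1
    # C/ST/O must equal the CA certificate's values: the CA policy is policy_match.
    openssl req -new -key "$dir/httpd.key" -config "$dir/req.cnf" \
        -subj "/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=$host" -out "$dir/httpd.csr" 2>/dev/null
}

# check_csr CSR HOST: what to verify before sending (node) or signing (CA operator).
# Succeeds only if the CSR's self-signature is valid, HOST appears in its SAN,
# and it does not request CA:TRUE (a request that does must never be signed by a
# CA configured with copy_extensions).
check_csr() {
    csr=$1; host=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text) || return 1
    echo "$text" | grep -q "DNS:$host" || return 1
    echo "$text" | grep -q 'CA:TRUE' && return 1
    return 0
}

# key_is_private FILE: true only if neither group nor others can read the key.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Demo: stand-alone run into a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_server_csr "$d" tech1.linuxpanda.com && check_csr "$d/httpd.csr" tech1.linuxpanda.com \
        && key_is_private "$d/httpd.key" && echo "CSR ready to send: $d/httpd.csr"
fi
```

Run it on the node, then copy only httpd.csr to the CA as in section 3.3. The CA operator can run check_csr on the received file before section 4.1; the same DN values are used because a mismatch in C, ST or O makes openssl ca refuse the request under policy_match.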

 

4 The CA server signs the certificate

4.1 Signing the certificate on the CA server

 

[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
12948:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
12948:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
[root@localhost CA]# vim /etc/pki/tls/
cert.pem certs/  misc/ openssl.cnf private/
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf   # edit the configuration file: change dir = ../../CA to dir = /etc/pki/CA
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory   # the newcerts directory had not been created
/etc/pki/CA/newcerts: No such file or directory
[root@localhost CA]# mkdir newcerts                        # create the newcerts directory
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 25 02:15:21 2017 GMT
            Not After : Mar 25 02:15:21 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZKYT
            organizationalUnitName    = TECH
            commonName                = tech1.linuxpanda.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B3:E9:86:1A:74:99:85:F1:A2:79:B4:53:C6:FD:5A:AF:8E:56:CB:C3
            X509v3 Authority Key Identifier:
                keyid:00:0F:4A:D3:69:3F:20:D7:FA:10:3C:0A:36:9B:6F:6A:97:42:68:29

Certificate is to be certified until Mar 25 02:15:21 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

The first failure is the relative dir = ../../CA in the stock configuration, which only resolves from particular working directories; the second is the missing newcerts directory. Once both are fixed, openssl ca verifies the request's self-signature ("Signature ok"), applies the policy and the usr_cert extensions (hence CA:FALSE: the new certificate cannot itself sign certificates), and shows the details for approval. Read them before answering y, above all the subject, since the CA is vouching for it, and the validity period. After the commit a copy of the certificate is written to newcerts/01.pem, index.txt gains a line for it, and serial is incremented to 02.

 

4.2 Sending the certificate back to the requester

[root@localhost CA]# scp httpd.crt 192.168.137.100:/etc/httpd/ssl
root@192.168.137.100's password:
httpd.crt

The node now has ssl/httpd.key, which was never transmitted, and ssl/httpd.crt, and httpd is configured with both. Clients accept the certificate only if cacert.pem is in their trust store. The certificate is public and can travel over any channel; before installing it, confirm on the node that it belongs to the key by comparing the output of openssl x509 -noout -modulus -in ssl/httpd.crt with openssl rsa -noout -modulus -in ssl/httpd.key.

 

5 Revoking a certificate

5.1 The node requests revocation

[root@localhost CA]# openssl x509 -in httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com

  • x509: operate on an X.509 certificate
  • -in: the certificate to be revoked
  • -noout: do not print the encoded certificate itself
  • -serial: print the serial number
  • -subject: print the subject DN

The node sends these two values to the CA operator. The serial number is what identifies the certificate in the CA's database and, later, in the CRL.
 

5.2 Checking that the serial and subject submitted by the node match index.txt

[root@localhost CA]# cat index.txt
V	180325021521Z		01	unknown	/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com

The fields of index.txt are tab-separated: status (V valid, R revoked, E expired), expiry date (YYMMDDHHMMSSZ), revocation date (empty until the certificate is revoked), serial number, certificate file name (unknown in the default setup), and subject DN. Serial 01 with the matching subject is present and still V, so the request refers to a certificate this CA issued and has not yet revoked. Check both values: a serial alone can be mistyped, and a subject alone is not unique once a certificate has been revoked and reissued.
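The check in this section done by script rather than by eye, over a constructed database that has the page's entry plus an already revoked one and one that expired without the database being updated. This is an added example, not from the page; the three index lines are made up for the demonstration and are not a copy of a real index.txt.

```shell
#!/bin/sh
# Look a node's revocation request up in the CA database (index.txt).
# Added example, not from the page. The index lines are constructed to look like
# the page's single line; they are not a real database.

# Layout of index.txt (tab-separated): status (V valid / R revoked / E expired),
# expiry YYMMDDHHMMSSZ, revocation date (empty until revoked; may carry ",reason"),
# serial (hex), certificate file name ("unknown" in the default setup), subject DN.
SAMPLE_INDEX=$(mktemp)
{
    printf 'V\t180325021521Z\t\t01\tunknown\t/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com\n'
    printf 'R\t180401000000Z\t170330120000Z,keyCompromise\t02\tunknown\t/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech2.linuxpanda.com\n'
    printf 'V\t160101000000Z\t\t03\tunknown\t/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=old.linuxpanda.com\n'
} > "$SAMPLE_INDEX"

# db_lookup INDEX SERIAL SUBJECT
# Prints "status expiry" for the entry whose serial AND subject both match.
# Exit status: 0 match, 1 serial not in the database, 2 serial present but the
# subject differs (refuse the request and ask the node to re-check what it sent).
db_lookup() {
    awk -F '\t' -v serial="$2" -v subject="$3" '
        $4 == serial {
            found = 1
            if ($6 == subject) { print $1, $2; exit 0 }
            exit 2
        }
        END { if (!found) exit 1 }' "$1"
}

# db_stale INDEX NOW: serials still marked V whose expiry date is already past.
# NOW is in the same YYMMDDHHMMSSZ form (date -u +%y%m%d%H%M%SZ). openssl ca
# never rewrites these entries on its own; "openssl ca -updatedb" flips them to E,
# so a V in index.txt does not by itself mean the certificate is still usable.
db_stale() {
    awk -F '\t' -v now="$2" '$1 == "V" && $2 < now { print $4 }' "$1"
}

# Demo against the constructed database: the request from section 5.1, then the
# entries that are past their expiry as of 25 Mar 2017.
db_lookup "$SAMPLE_INDEX" 01 '/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com'   # V 180325021521Z
db_stale "$SAMPLE_INDEX" 170325000000Z                                               # 03
```

Point db_lookup at the real /etc/pki/CA/index.txt on the CA with the serial and subject the node supplied; only a 0 exit with status V should lead to section 5.3, and an R means the certificate is already revoked and only the CRL needs regenerating.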

 

5.3 Revoking the certificate

[root@localhost CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

The CA revokes its own copy of the certificate from newcerts/, so it does not need the node's file. The entry's status in index.txt changes from V to R and the revocation time is recorded; add -crl_reason (for example keyCompromise) to record why.

5.4 Seeding the CRL number (first revocation only)

[root@localhost CA]# echo 00 > crlnumber

5.5 Generating the certificate revocation list

Revoking the certificate only changes the CA's local database; relying parties cannot see that. They learn of it only through a CRL that the CA signs and publishes, so a CRL must be generated after every revocation and, because each CRL carries a Next Update date (default_crl_days, 30 days in this configuration, see section 5.6), regenerated before that date even if nothing new was revoked.

[root@localhost CA]# openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

 

5.6 Inspecting the CRL

[root@localhost CA]# openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=HENAN/L=ZHENGZHOU/O=ZKYT/OU=TECH/CN=ca.linuxpanda.com/emailAddress=caadmin@linuxpanda.com
        Last Update: Mar 25 02:30:21 2017 GMT
        Next Update: Apr 24 02:30:21 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                0
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Mar 25 02:26:19 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
         63:20:78:c1:0e:9d:f5:57:b9:b5:ae:2b:be:ce:50:28:8d:e7:
         7a:17:eb:e0:29:5b:bd:47:aa:76:e5:dd:a6:99:f4:4c:e0:e5:
         c2:71:2d:54:ff:2e:44:ad:15:9d:02:75:0f:6d:dc:0f:a7:fc:
         e8:95:0e:6f:f2:cf:a8:ed:19:ea:ff:57:bb:4b:62:c7:a1:62:
         39:b0:75:67:0c:cc:db:5b:f9:b3:99:49:e5:fd:bd:f7:39:a2:
         4a:27:d9:b9:ad:7d:a7:55:59:11:c2:bb:82:54:dd:c3:63:25:
         93:b2:f9:dc:7f:4c:d7:09:48:06:ad:bd:04:56:e6:8d:1c:9d:
         e1:d8:ab:63:49:a8:49:c7:a1:35:2a:b4:fb:dd:c4:b9:38:38:
         47:2c:e5:77:7f:53:33:1d:e5:28:a7:87:53:d7:a8:8b:a5:5f:
         da:51:4e:7c:f8:87:59:a7:5e:2a:33:c1:b2:37:c8:c1:71:df:
         24:fa:2d:ba:40:e4:b8:70:46:d0:fb:e3:9e:c9:3b:85:6b:ae:
         8a:a5:b6:6e:9e:08:ed:5d:74:ab:6f:a9:83:6d:b2:86:5d:23:
         ce:0f:05:3e:f6:e6:f5:e8:a5:ef:d2:d1:d7:eb:bc:e7:44:1b:
         fc:61:6b:85:b2:14:c2:94:8a:e3:46:59:f9:34:a5:6e:a1:4d:
         2d:93:e2:70

Serial 01 is listed with its revocation time, the CRL number is 0 (taken from crlnumber, which -gencrl increments each time), and Next Update is 30 days out: clients that enforce CRL checking treat the list as stale after that. The signature algorithm is sha1WithRSAEncryption because this configuration's default_md is still sha1; SHA-1 signatures are deprecated and rejected by current clients, so set default_md = sha256 in openssl.cnf before issuing anything for real. Publish crl/ca.crl where clients can fetch it, and distribute cacert.pem, never the CA key, to anyone who needs to verify certificates from this CA.
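Sections 2 to 5 as one scripted, non-interactive run on the CA side, ending with the check the page does not show: a relying party verifying the server certificate against cacert.pem and the CRL, before and after revocation. This is an added example, not the page's own commands. It builds a throw-away CA under the directory it is given (so it never touches /etc/pki/CA), writes its own small openssl.cnf with an absolute dir (the cause of the first error in section 4.1) and default_md = sha256, signs with -batch instead of answering prompts, and takes the DN and host name values from the transcript as assumptions.

```shell
#!/bin/sh
# CA side, scripted: build a CA, sign a server CSR, revoke it, publish a CRL and
# verify. Added example (not from the page); DN/host values are assumptions and
# everything lives under the directory passed to init_ca.

# init_ca CA: directories, database files, config, key and self-signed CA cert.
init_ca() {
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/csr" || return 1
    (umask 077; mkdir -p "$ca/private")
    : > "$ca/index.txt"          # empty database; openssl ca appends to it
    echo 01 > "$ca/serial"       # serial of the next certificate
    echo 00 > "$ca/crlnumber"    # number of the next CRL (the page creates this only in 5.4)
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) || return 1
    # Self-signed root with CA:TRUE, valid 10 years rather than the page's 365 days.
    openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca -sha256 \
        -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=ca.linuxpanda.com" \
        -out "$ca/cacert.pem" 2>/dev/null
}

# sign_server CA CSR HOST OUT: the operator's step of section 4.1, unattended.
# Extensions come from the CA's own file, never from the request, so a CSR that
# asks for CA:TRUE still gets CA:FALSE; the SAN is chosen by the operator.
sign_server() {
    ca=$1; csr=$2; host=$3; out=$4
    cat > "$ca/csr/$host.ext" <<EOF
[ server_cert ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -extfile "$ca/csr/$host.ext" -extensions server_cert \
        -in "$csr" -out "$out" 2>/dev/null
}

# revoke_and_publish CA CERT: sections 5.3 to 5.5 in one go.
revoke_and_publish() {
    ca=$1
    openssl ca -config "$ca/openssl.cnf" -revoke "$2" -crl_reason keyCompromise 2>/dev/null || return 1
    openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl/ca.crl" 2>/dev/null
}

# verify_cert CA CERT: what a relying party does; fails once the CRL lists CERT.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl/ca.crl" "$2" >/dev/null 2>&1
}

# Demo: the full lifecycle in a temporary directory.
if command -v openssl >/dev/null 2>&1; then
    w=$(mktemp -d); init_ca "$w/CA"
    # The node's part (section 3), minimal: key + CSR whose DN satisfies policy_match.
    (umask 077; openssl genrsa -out "$w/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$w/httpd.key" -config "$w/CA/openssl.cnf" \
        -subj "/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com" -out "$w/CA/csr/httpd.csr" 2>/dev/null
    sign_server "$w/CA" "$w/CA/csr/httpd.csr" tech1.linuxpanda.com "$w/httpd.crt"
    openssl ca -config "$w/CA/openssl.cnf" -gencrl -out "$w/CA/crl/ca.crl" 2>/dev/null   # empty CRL
    verify_cert "$w/CA" "$w/httpd.crt" && echo "before revocation: accepted"
    revoke_and_publish "$w/CA" "$w/CA/newcerts/01.pem"
    verify_cert "$w/CA" "$w/httpd.crt" || echo "after revocation: rejected"
fi
```

The CA key here is unencrypted and on the same machine as everything else, which is acceptable for a lab; for a CA that matters, keep the key encrypted (openssl genrsa -aes256) on a host that is offline or otherwise isolated, and only ever move CSRs in and certificates and CRLs out.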

 

 

