Encryption and Security
Digital signatures
A: pub_A (A's public key), pri_A (A's private key)
B: pub_B (B's public key), pri_B (B's private key)
Signing: A hashes the data with a hash algorithm (producing a digest), then encrypts the digest with its private key pri_A; the result is the digital signature.
Verification: B decrypts the digital signature with A's pub_A to recover the signed digest, hashes the data with the same hash algorithm to get its own digest, and compares the two. If they match the data is genuine; if they differ the data has been tampered with.
Data encryption
A: pub_A (A's public key), pri_A (A's private key)
B: pub_B (B's public key), pri_B (B's private key)
Encryption: A encrypts the data with a symmetric algorithm (symmetric encryption and decryption are fast), then encrypts the symmetric key with B's public key.
Decryption: B decrypts the symmetric key with its private key, then decrypts the data with the symmetric key.
The symmetric key itself is negotiated by the two parties from a series of random values and algorithms, including time-dependent randomness, so it cannot be broken within its short lifetime and is therefore considered secure.
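The two flows above, signing/verification and hybrid encryption, as an added example that is not part of the original notes. It uses only the openssl CLI; the key files, messages and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: A signs a file and B verifies it,
# then A sends B a file under hybrid encryption (a random symmetric key protects
# the data and B's RSA public key wraps that key). Needs the openssl CLI;
# the key files and messages are constructed here for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Key pairs for A and B (pub_A/pri_A, pub_B/pri_B as in the notes above).
for who in A B; do
  openssl genrsa -out "$WORK/pri_$who.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/pri_$who.pem" -pubout -out "$WORK/pub_$who.pem" 2>/dev/null
done

# Signing: hash the data with SHA-256 and sign the digest with pri_A.
sign_as_A() {    # $1 = data file, $2 = signature output file
  openssl dgst -sha256 -sign "$WORK/pri_A.pem" -out "$2" "$1"
}
# Verification: B recomputes the digest and checks it against the signature
# with pub_A. Exit status 0 means the data is genuine, 1 means it was altered.
verify_as_B() {  # $1 = data file, $2 = signature file
  openssl dgst -sha256 -verify "$WORK/pub_A.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# Hybrid encryption: AES-256-CBC under a fresh random key, and pub_B wraps the
# key so that only the holder of pri_B can unwrap it.
encrypt_for_B() {  # $1 = plaintext, $2 = ciphertext out, $3 = wrapped key out
  openssl rand -hex 32 > "$WORK/sym.key"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$WORK/sym.key" -in "$1" -out "$2"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub_B.pem" -in "$WORK/sym.key" -out "$3"
  rm -f "$WORK/sym.key"
}
decrypt_as_B() {   # $1 = ciphertext, $2 = wrapped key, $3 = plaintext out
  openssl pkeyutl -decrypt -inkey "$WORK/pri_B.pem" -in "$2" -out "$WORK/sym.dec"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/sym.dec" -in "$1" -out "$3"
  rm -f "$WORK/sym.dec"
}

# Returns 0 when the genuine file verifies and a tampered copy is rejected.
demo_signature() {
  printf 'transfer 100 to B\n' > "$WORK/msg.txt"
  sign_as_A "$WORK/msg.txt" "$WORK/msg.sig"
  verify_as_B "$WORK/msg.txt" "$WORK/msg.sig" || return 1
  printf 'transfer 900 to B\n' > "$WORK/forged.txt"   # altered in transit
  ! verify_as_B "$WORK/forged.txt" "$WORK/msg.sig"
}
# Returns 0 when the encrypt/decrypt round trip reproduces the plaintext exactly.
demo_hybrid() {
  printf 'quarterly report, confidential\n' > "$WORK/plain.txt"
  encrypt_for_B "$WORK/plain.txt" "$WORK/data.enc" "$WORK/key.enc"
  decrypt_as_B "$WORK/data.enc" "$WORK/key.enc" "$WORK/plain.out"
  cmp -s "$WORK/plain.txt" "$WORK/plain.out"
}
```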
CA and certificates
If there are only A and B, each with its own private and public key, a man in the middle C can impersonate them: C tells B "I am A" and tells A "I am B", and substitutes C's own public key for each party's public key.
This is where we need an institution that can settle the identity-authentication problem fairly and impartially. That institution is the CA, usually a national-level body (it must be impartial, because it knows the identities of both A and B).
A hands its public key to the CA, and the CA signs A's public key with its own key, producing A1 (A's public key plus the CA's signature). B then verifies A1 against the CA's certificate and obtains A's public key, which guarantees A's identity. In other words, since an intermediary cannot be avoided, we pick one that both sides trust.
openssl
# Encrypt a file (DES3 with a salt, base64-armored output; DES3 is kept because the notes use it, current systems should prefer -aes-256-cbc -pbkdf2)
[root@ydzs-master ~]# openssl enc -des3 -a -salt -in a.txt -out a.cipher
# Decrypt the file
[root@ydzs-master ~]# openssl enc -d -des3 -a -salt -in a.cipher -out a.txt
# Message digests
[root@ydzs-master ~]# openssl dgst -md5 a.txt
MD5(a.txt)= 202643e446ef081830c8ac79ec225046
[root@ydzs-master ~]# openssl dgst -sha1 a.txt
SHA1(a.txt)= 034b59416e4d12fcdd23d7ecd2298c5d1f0efc09
[root@ydzs-master ~]# openssl dgst -sha256 a.txt
SHA256(a.txt)= 6fbf35aaabbb8fad6a5b8771e40306349926d9a16b88294a14c083b7ee55e294
[root@ydzs-master ~]# openssl dgst -dss1 a.txt
DSA(a.txt)= 034b59416e4d12fcdd23d7ecd2298c5d1f0efc09
[root@ydzs-master ~]# openssl md5 fstab
fstab: No such file or directory
[root@ydzs-master ~]# openssl md5 a.txt
MD5(a.txt)= 202643e446ef081830c8ac79ec225046
[root@ydzs-master ~]# openssl sha512 a.txt
SHA512(a.txt)= aabff7714ebcea4e4e9a0fb68444af8db9664d64af51784adb9101dfb08a837d630bae7d5d1bb95d00a77e47e87079d6cad4347007373e63cdade2978015fe4a
[root@ydzs-master ~]# sha512sum a.txt
aabff7714ebcea4e4e9a0fb68444af8db9664d64af51784adb9101dfb08a837d630bae7d5d1bb95d00a77e47e87079d6cad4347007373e63cdade2978015fe4a a.txt
# Generate password hashes (crypt format). The salt below is unquoted, so the shell
# expands $y6kdp to nothing and the effective salt is "6/yQ"; quote the salt, and
# use only characters from [./0-9A-Za-z], when you need a specific value.
echo 123456|openssl passwd -1 -salt 6$y6kdp/yQ -stdin   # MD5-crypt ($1$)
echo 123456|openssl passwd -5 -salt 6$y6kdp/yQ -stdin   # SHA-256-crypt ($5$)
# Generate a private key file
openssl genrsa -out app.key 2048
openssl genrsa -out app2.key -des3 2048 # passphrase-protected
# Export the public key from the private key file
openssl rsa -in app.key -pubout -out app.pub
openssl rsa -in app2.key -pubout -out app2.pub # prompts for the passphrase if the key has one
# Convert a passphrase-protected private key into an unprotected one
openssl genrsa -out app.key -des3 2048
openssl rsa -in app.key -out app.key
Requesting a CA-issued certificate for a private key
This package must be installed:
[root@ydzs-master test]# rpm -ql openssl-libs
Three policy modes: match, optional, supplied
/etc/pki/tls/openssl.cnf
match: the value in the request must be identical to the CA's value
optional: may be present or absent, and may differ from the CA's value
supplied: the field must be filled in on the request
- Create the files the CA needs
[root@ydzs-master test]# touch /etc/pki/CA/index.txt # certificate index database file
[root@ydzs-master test]# echo 01 > /etc/pki/CA/serial # serial number of the first certificate to be issued
- Generate the CA private key
[root@ydzs-master CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
- Generate the CA self-signed certificate
# Generate the self-signed certificate
[root@ydzs-master CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out ./cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
# View the certificate contents
[root@ydzs-master CA]# openssl x509 -in cacert.pem -noout -text
4. The user generates a private key and a certificate request
# Generate the user's private key
[root@ydzs-master CA]# mkdir /data/app1
[root@ydzs-master CA]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
.+++
.................................................................+++
e is 65537 (0x10001)
[root@ydzs-master CA]# ll /data/app1/
total 4
-rw-------. 1 root root 1675 Nov 7 06:33 app1.key
# Generate the certificate signing request (the CA needs this request file when it issues the certificate)
[root@ydzs-master ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country, province and organization must match the CA's values
State or Province Name (full name) []:beijing # province
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu # organization
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ydzs-master ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1045 Nov 18 14:23 app1.csr
-rw-------. 1 root root 1675 Nov 7 06:33 app1.key
# This is what a correctly filled-in CSR yields when signed
[root@ydzs-master ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 18 06:32:10 2021 GMT
Not After : Nov 18 06:32:10 2022 GMT
Subject:
countryName = CN # 国家
stateOrProvinceName = beijing # 省
organizationName = magedu # 组织
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Country, province and organization must match. Below is app2.csr, a request I filled in wrongly; asking the CA to issue a certificate from it fails.
[root@ydzs-master ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Error
[root@ydzs-master ~]# openssl ca -in /data/app1/app2.csr -out /etc/pki/CA/certs/app3.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (magedu) and the request (test)
5. A complete certificate issuance
[root@ydzs-master ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 18 06:46:32 2021 GMT
Not After : Aug 14 06:46:32 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Certificate is to be certified until Aug 14 06:46:32 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ydzs-master ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
6. Inspect the certificate
[root@ydzs-master ~]# cat /etc/pki/CA/certs/app1.crt
# (prints the same human-readable dump that the openssl x509 -text command below shows, followed by the PEM-encoded certificate)
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.org/emailAddress=admin@magedu.org
Validity
Not Before: Nov 18 06:46:32 2021 GMT
Not After : Aug 14 06:46:32 2024 GMT
Subject: C=CN, ST=beijing, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=root@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
(256 bytes of modulus omitted)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Signature Algorithm: sha256WithRSAEncryption
(256 bytes of signature omitted)
# Show the issuer DN
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.org/emailAddress=admin@magedu.org
# Subject information
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject= /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
# Validity dates: start and expiry
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Nov 18 06:46:32 2021 GMT
notAfter=Aug 14 06:46:32 2024 GMT
# Print the serial number
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=01
# Check the status of the certificate with serial 01
[root@ydzs-master ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
# The CA's index database of issued certificates
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt
V 240814064632Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt.old
# The CA's serial-number file
[root@ydzs-master ~]# cat /etc/pki/CA/serial
02
[root@ydzs-master ~]# cat /etc/pki/CA/serial.old
01
- Send the issued certificate to the client for use
# Copy the issued certificate to the client's directory
[root@ydzs-master ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@ydzs-master ~]# ll /data/app1/
total 16
-rw-r--r-- 1 root root 4614 Nov 18 15:10 app1.crt
-rw-r--r-- 1 root root 1045 Nov 18 14:23 app1.csr
-rw-------. 1 root root 1675 Nov 7 06:33 app1.key
8. Making Windows trust our self-issued certificate
Search Baidu for how to import the file marked below into the Windows trusted certificate store.
[root@ydzs-master ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem # the CA's self-signed certificate; importing it into the Windows trusted certificate store is all that is needed
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
9. Revoking a certificate
[root@ydzs-master ~]# diff /data/app1/app1.crt /etc/pki/CA/newcerts/01.pem # the two files have identical contents
# Revoke the certificate
[root@ydzs-master ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@ydzs-master ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt # note the status below has changed to R
R 240814064632Z 211118071740Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
- Request a certificate again
[root@ydzs-master ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app2.crt -days 999 # issue another one and see what changes under /etc/pki/CA
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Nov 18 07:22:29 2021 GMT
Not After : Aug 13 07:22:29 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Certificate is to be certified until Aug 13 07:22:29 2024 GMT (999 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ydzs-master ~]# tree /etc/pki/CA/certs
/etc/pki/CA/certs
├── app1.crt
└── app2.crt
0 directories, 2 files
[root@ydzs-master ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 12 files
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt # V means the certificate has not been revoked
R 240814064632Z 211118071740Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
V 240813072229Z 02 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
[root@ydzs-master ~]# cat /etc/pki/CA/serial # the serial number has advanced by one
03
- Generate the certificate revocation list (CRL) file
[root@ydzs-master ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory # the CRL serial-number file
error while loading CRL number
140047841879952:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140047841879952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@ydzs-master ~]# echo 01 /etc/pki/CA/crlnumber # the > redirection is missing, so this only echoes the text and writes nothing
01 /etc/pki/CA/crlnumber
[root@ydzs-master ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140649753524112:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140649753524112:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@ydzs-master ~]# ll /etc/pki/CA/crlnumber
ls: cannot access /etc/pki/CA/crlnumber: No such file or directory
[root@ydzs-master ~]# ll /etc/pki/CA/crl
crl/ crl.pem
# The file does not exist, so just create it
[root@ydzs-master ~]# echo 01 > /etc/pki/CA/crlnumber
[root@ydzs-master ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@ydzs-master ~]# cat /etc/pki/CA/crlnumber
02
[root@ydzs-master ~]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
(base64-encoded CRL body omitted)
-----END X509 CRL-----
# The serial number of the revoked certificate is listed in the CRL
[root@ydzs-master ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.org/emailAddress=admin@magedu.org
Last Update: Nov 18 07:41:53 2021 GMT
Next Update: Dec 18 07:41:53 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Nov 18 07:17:40 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
(256 bytes of signature omitted)
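The whole CA procedure from the sections above (CA setup, policy_match rejection, issuance, revocation, CRL generation) replayed in a throwaway directory, as an added example that is not part of the original notes. It assumes only the openssl CLI; the minimal openssl.cnf, the *.magedu.test DNs and the directory layout are constructed for the demo instead of /etc/pki/CA.

```shell
#!/bin/sh
# Added example, not from the original notes: a throwaway CA in a temp dir that
# replays the procedure end to end: policy_match rejection, issuance, chain check,
# revocation, CRL generation and CRL-aware verification. DNs are constructed.
set -eu
CA=$(mktemp -d); trap 'rm -rf "$CA"' EXIT
mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private"
touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
# Minimal openssl.cnf with the same policy_match rules as the stock
# /etc/pki/tls/openssl.cnf: C, ST and O must equal the CA's, CN is required.
cat > "$CA/openssl.cnf" <<EOF
[ca]
default_ca = demo_ca
[demo_ca]
dir = $CA
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
# CA key and self-signed root certificate; -subj replaces the interactive prompts.
(umask 066; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -key "$CA/private/cakey.pem" -days 3650 -config "$CA/openssl.cnf" \
  -subj "/C=CN/ST=beijing/O=magedu/OU=devops/CN=ca.magedu.test" -out "$CA/cacert.pem"
issue() {  # $1 = subject DN, $2 = file name; exit status is that of openssl ca
  openssl genrsa -out "$CA/$2.key" 2048 2>/dev/null
  openssl req -new -key "$CA/$2.key" -config "$CA/openssl.cnf" -subj "$1" -out "$CA/$2.csr"
  openssl ca -batch -config "$CA/openssl.cnf" -in "$CA/$2.csr" -out "$CA/certs/$2.crt" 2>/dev/null
}
# O=test differs from the CA's O=magedu, so policy_match must refuse the request.
policy_rejects_mismatch() { ! issue "/C=CN/ST=beijing/O=test/OU=it/CN=app2.magedu.test" app2; }
# A matching DN is issued, recorded as V in index.txt and chains to the CA.
issued_cert_verifies() {
  issue "/C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.test" app1 &&
  grep -q '^V' "$CA/index.txt" &&
  openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/app1.crt" >/dev/null 2>&1
}
# After revocation the index shows R, the CRL lists serial 01 and -crl_check fails.
revocation_shows_in_crl() {
  openssl ca -config "$CA/openssl.cnf" -revoke "$CA/certs/app1.crt" 2>/dev/null &&
  openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null &&
  grep -q '^R' "$CA/index.txt" &&
  openssl crl -in "$CA/crl.pem" -noout -text | grep -q 'Serial Number: 01' &&
  ! openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl.pem" "$CA/certs/app1.crt" >/dev/null 2>&1
}
```

The three functions must run in that order, since revocation operates on the certificate issued by the second one.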