搭建私有CA服務器


1 CA是什么

CA(Certificate Authority)證書頒發機構主要負責證書的頒發、管理以及歸檔和吊銷。證書內包含了擁有證書者的姓名、地址、電子郵件帳號、公鑰、證書有效期、發放證書的CA、CA的數字簽名等信息。證書主要有三大功能:加密、簽名、身份驗證。

2 搭建CA服務器

2.1 配置文件查看

default_ca      = CA_default            # The default ca section                                          # ca的配置使用哪個片段。

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept                                        # ca的主目錄
certs           = $dir/certs            # Where the issued certs are kept                                 # 證書的保存位置
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.                                            # 證書的索引文件
#unique_subject = no                    # Set to 'no' to allow creation of                                # 是否允許相同subject信息的證書請求
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.                                    # 最新的證書放置位置

certificate     = $dir/cacert.pem       # The CA certificate                                              # ca的自己給自己簽發的證書(自簽證書)
serial          = $dir/serial           # The current serial number                                       # 當前序列號
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL                                                 # 當前證書吊銷列表
private_key     = $dir/private/cakey.pem# The private key                                                 # ca自己的私鑰位置
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

default_days    = 365                   # how long to certify for                                         # 默認頒發證書時間

policy          = policy_match                                                                            # 證書頒發策略,這個片段在下面

# For the CA policy
[ policy_match ]
countryName             = match                                                                           # match代表證書請求中該項必須與CA證書的對應項相同;supplied代表必須提供;optional代表可選。
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

countryName_default             = XX                                                                      # 默認國家,2位字母。下面還有其他的默認配置項目,比如默認省,默認市,默認公司等等。

2.2 生成密鑰

[root@localhost CA]# cd /etc/pki/CA/               #切換到CA目錄
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)  #調用openssl子命令genrsa生成私鑰
Generating RSA private key, 2048 bit long modulus
..+++
...................................................................................................................................................................................................................+++
e is 65537 (0x10001)

注:上述命令使用()括着,表示在當前shell的子shell中執行,()內的設定只在子shell內生效,每個命令使用“;”分隔。umask 077 使生成的私鑰文件只有屬主可讀寫;-out選項指定了生成的私鑰存放位置,不指定則輸出到終端。2048 指定密鑰的長度,默認是1024。

2.2 生成自簽證書

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:ZHENGZHOU
Locality Name (eg, city) [Newbury]:
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.com
Email Address []:caadmin@linuxpanda.com
  • req:生成證書簽署請求
  • -x509:生成自簽署證書
  • -days n:證書的有效天數
  • -new:新請求
  • -key /path/to/keyfile:指定私鑰文件
  • -out /path/to/somefile:輸出證書文件位置

2.3 查看自己的證書

[root@localhost CA]$ openssl x509 -in cacert.pem  -noout -text

2.4 初始化工作環境

[root@localhost CA]# touch index.txt serial   #創建index.txt,serial文件
[root@localhost CA]# echo 01 >serial          #寫入初始值

[root@localhost CA]# mkdir csr crl newcerts #創建目錄csr,crl newcerts
  • index.txt:索引文件,用於匹配證書編號
  • serial:證書序列號文件,只在首次生成證書時賦值
  • csr:證書請求目錄
  • crl:吊銷列表目錄
  • newcerts:證書目錄

3.節點申請證書

3.1生成密鑰對

[root@localhost CA]# cd /etc/httpd/ssl                       #進入httpd的配置子目錄ssl
-bash: cd: /etc/httpd/ssl: No such file or directory
[root@localhost CA]# ls
cacert.pem  index.txt  private  serial
[root@localhost CA]# cd /etc/httpd/               #查看目錄情況
[root@localhost httpd]# ls
conf  conf.d  logs  modules  run  
[root@localhost httpd]# mkdir ssl                  #創建ssl目錄,用於存放密鑰
[root@localhost httpd]# (umask 077; openssl genrsa -out ssl/httpd.key 2048) #生成私鑰
Generating RSA private key, 2048 bit long modulus
.+++
............................+++
e is 65537 (0x10001)

3.2生成證書請求

[root@localhost httpd]# openssl req -new -key ssl/httpd.key  -out ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN 
Locality Name (eg, city) [Newbury]:ZHENGZHOU 
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:tech1.linuxpanda.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.3證書請求文件發送到服務器

[root@localhost httpd]# scp ssl/httpd.csr 192.168.137.100:/etc/pki/CA/csr/httpd.csr
root@192.168.137.100's password: 
httpd.csr                                                                                                                                                         100% 1013     1.0KB/s   00:00    
[root@localhost httpd]# ls /etc/pki/CA/csr
httpd.csr

4 CA服務器簽署證書

4.1 CA服務器上簽署證書

[root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
12948:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
12948:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
[root@localhost CA]# vim /etc/pki/tls/
cert.pem     certs/       misc/        openssl.cnf  private/     
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf      #編輯配置文件,修改../../CA 為 /etc/pki/CA 即可
[root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory          #沒有創建newcerts 目錄
/etc/pki/CA/newcerts: No such file or directory
[root@localhost CA]# mkdir newcerts                               #創建目錄newcerts
[root@localhost CA]# openssl ca -in csr/httpd.csr  -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 25 02:15:21 2017 GMT
            Not After : Mar 25 02:15:21 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZKYT
            organizationalUnitName    = TECH
            commonName                = tech1.linuxpanda.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B3:E9:86:1A:74:99:85:F1:A2:79:B4:53:C6:FD:5A:AF:8E:56:CB:C3
            X509v3 Authority Key Identifier: 
                keyid:00:0F:4A:D3:69:3F:20:D7:FA:10:3C:0A:36:9B:6F:6A:97:42:68:29

Certificate is to be certified until Mar 25 02:15:21 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

4.2將證書發送給請求者

[root@localhost CA]# scp httpd.crt  192.168.137.100:/etc/httpd/ssl
root@192.168.137.100's password: 
httpd.crt      

5 吊銷證書

5.1節點請求吊銷

[root@localhost CA]# openssl x509 -in httpd.crt  -noout -serial -subject
serial=01
subject= /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com
  • x509:證書格式
  • -in:要吊銷的證書
  • -noout:不輸出額外信息
  • -serial:顯示序列號
  • -subject:顯示subject信息

5.2 核對節點提交的serial和subject信息是否與index.txt中的記錄一致

[root@localhost CA]# cat index.txt
V    180325021521Z        01    unknown    /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com

5.3 吊銷證書

[root@localhost CA]# openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

5.4 初始化吊銷列表編號文件crlnumber(僅首次吊銷時需要)

[root@localhost CA]# echo 00 > crlnumber

5.5更新吊銷證書列表

上面雖然已經在CA的數據庫中吊銷了證書,但其他人無法得知;只有生成並發布CRL(證書吊銷列表),依賴方才能知道哪些證書已被吊銷。

[root@localhost CA]# openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

5.6查看crl文件內容

[root@localhost CA]# openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=HENAN/L=ZHENGZHOU/O=ZKYT/OU=TECH/CN=ca.linuxpanda.com/emailAddress=caadmin@linuxpanda.com
        Last Update: Mar 25 02:30:21 2017 GMT
        Next Update: Apr 24 02:30:21 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                0
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Mar 25 02:26:19 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
        63:20:78:c1:0e:9d:f5:57:b9:b5:ae:2b:be:ce:50:28:8d:e7:
        7a:17:eb:e0:29:5b:bd:47:aa:76:e5:dd:a6:99:f4:4c:e0:e5:
        c2:71:2d:54:ff:2e:44:ad:15:9d:02:75:0f:6d:dc:0f:a7:fc:
        e8:95:0e:6f:f2:cf:a8:ed:19:ea:ff:57:bb:4b:62:c7:a1:62:
        39:b0:75:67:0c:cc:db:5b:f9:b3:99:49:e5:fd:bd:f7:39:a2:
        4a:27:d9:b9:ad:7d:a7:55:59:11:c2:bb:82:54:dd:c3:63:25:
        93:b2:f9:dc:7f:4c:d7:09:48:06:ad:bd:04:56:e6:8d:1c:9d:
        e1:d8:ab:63:49:a8:49:c7:a1:35:2a:b4:fb:dd:c4:b9:38:38:
        47:2c:e5:77:7f:53:33:1d:e5:28:a7:87:53:d7:a8:8b:a5:5f:
        da:51:4e:7c:f8:87:59:a7:5e:2a:33:c1:b2:37:c8:c1:71:df:
        24:fa:2d:ba:40:e4:b8:70:46:d0:fb:e3:9e:c9:3b:85:6b:ae:
        8a:a5:b6:6e:9e:08:ed:5d:74:ab:6f:a9:83:6d:b2:86:5d:23:
        ce:0f:05:3e:f6:e6:f5:e8:a5:ef:d2:d1:d7:eb:bc:e7:44:1b:
        fc:61:6b:85:b2:14:c2:94:8a:e3:46:59:f9:34:a5:6e:a1:4d:
        2d:93:e2:70

 

