Setting up a private CA server

What a CA is

A CA (Certificate Authority) is responsible mainly for issuing, managing, archiving and revoking certificates. A certificate contains the holder's name, address, e-mail address and public key, the validity period, the issuing CA, the CA's digital signature, and similar information. Certificates serve three main purposes: encryption, signing and identity verification.

On CentOS 6.x the directories related to SSL certificates are laid out as follows:

/etc/pki/CA/
├── certs
├── crl      revoked certificates (the CRL files)
├── newcerts certificates the CA has signed (issued); serves as the certificate backup directory
└── private  the CA's private key

/etc/pki/tls/
├── cert.pem -> certs/ca-bundle.crt   symlink to certs/ca-bundle.crt
├── certs     certificate directory for this server; holds your own certificates as well as the built-in ones
│   ├── ca-bundle.crt built-in trusted certificates
│   ├── ca-bundle.trust.crt
│   ├── make-dummy-cert
│   └── Makefile
├── misc
│   ├── CA
│   ├── c_hash
│   ├── c_info
│   ├── c_issuer
│   └── c_name
├── openssl.cnf the main OpenSSL configuration file, including the CA settings
└── private   directory for certificate keys

Before the CA can issue certificates to anyone, it needs a root certificate of its own, and before any of that the CA's configuration file, serial number file, index file and so on have to be set up.

vi /etc/pki/tls/openssl.cnf

I. Building the CA server

1. Generate the root key

For safety, make sure the private key file cakey.pem has mode 600 or 400; you can also generate it inside a subshell with a restrictive umask, ( umask 077; openssl genrsa -out private/cakey.pem 2048 ), which is not repeated below.

cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048
or, equivalently:
( umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )

The output is as follows:

[root@localhost CA]# ( umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )
Generating RSA private key, 2048 bit long modulus
..................+++
...+++
e is 65537 (0x10001)

Parameter explanation:

    ( ): runs the command in a subshell, so the umask of the current shell is left unchanged;
    genrsa: generate an RSA private key;
    -out: path where the private key is written; cakey.pem is the key file name and must match the configuration file;
    2048: key length in bits; the default is 1024.

2. Generate the root certificate

Use the req command to create a self-signed certificate. You will be prompted for some information; because this is a private CA it can be anything (the defaults from the openssl.cnf edited earlier appear here), but remember what you enter so that later entries can be kept consistent.
The self-signed certificate cacert.pem should be created under /etc/pki/CA.

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650

The output is as follows:

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:home
Organizational Unit Name (eg, section) []:homepart
Common Name (eg, your name or your server's hostname) []:home.home
Email Address []:home@home.home

Parameter explanation:

    req: generate a certificate signing request;
    -x509: output a self-signed certificate instead of a request;
    -days n: number of days the certificate is valid;
    -new: new request;
    -key /path/to/keyfile: the private key to use;
    -out /path/to/somefile: output file location.

3. Initialize the working environment

touch /etc/pki/CA/index.txt /etc/pki/CA/serial   # create the index.txt and serial files
echo 01 > /etc/pki/CA/serial
mkdir -p /etc/pki/CA/csr/                        # directory for the CSR files uploaded by nodes

index.txt: the index (database) file, used to look up certificates by serial number;
serial: the serial number file; it is assigned a value only once, before the first certificate is issued.

II. Generating a certificate on the node

Everything above is done on the CA server, and only once. Now switch to the nginx server:

1. Generate the key pair:

Generate the SSL key for our nginx web server

mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
(umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048)   # generate the private key

Output:

[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.................+++
e is 65537 (0x10001)

2. Generate the certificate request:

Generate a certificate signing request for nginx

openssl req -new -key /etc/nginx/ssl/nginx.key  -out /etc/nginx/ssl/nginx.csr

You will again be prompted for some information. Anything goes, except that the Common Name must be the domain name or hostname of the server the certificate is being issued to; leave the challenge password empty.

The output is as follows:

[root@localhost ssl]# openssl req -new -key /etc/nginx/ssl/nginx.key  -out /etc/nginx/ssl/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:mycompany
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:myweb.com
Email Address []:myweb@myweb.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Send the signing request to the CA server

Next, send the CSR file generated in the previous step to the CA server (here 192.168.1.80 is the CA server)

scp /etc/nginx/ssl/nginx.csr 192.168.1.80:/etc/pki/CA/csr/nginx.csr
When testing with the node and the CA server on the same machine, use this instead:
cp /etc/nginx/ssl/nginx.csr /etc/pki/CA/csr/nginx.csr

III. Signing the certificate

1. Sign the certificate on the CA server

The private CA signs a certificate based on the request. On the CA server, run:

openssl ca -in /etc/pki/CA/csr/nginx.csr  -out /etc/pki/CA/nginx.crt -days 3650

In rare cases the certificate produced by the command above is not recognized; then try the following command instead:
openssl x509 -req -in /etc/pki/CA/csr/nginx.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out /etc/pki/CA/nginx2.crt

Here the signing failed, because the root certificate has state beijing while the node's request has shanghai:

[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/nginx.csr  -out /etc/pki/CA/nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (beijing) and the request (shanghai)

Regenerate the node's CSR with the state set to beijing.
The output then looks like this (success):

[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/nginx.csr  -out /etc/pki/CA/nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  2 10:21:22 2017 GMT
            Not After : May 31 10:21:22 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = home
            organizationalUnitName    = home
            commonName                = *.test.com
            emailAddress              = my@test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                96:D7:60:53:1E:52:3E:89:4F:A0:A4:3D:81:CA:97:D5:D8:67:AE:93
            X509v3 Authority Key Identifier: 
                keyid:D5:71:B2:72:16:62:03:09:BB:6D:B2:14:5F:F2:3C:B5:AE:C1:BD:08

Certificate is to be certified until May 31 10:21:22 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The signing above actually used the defaults -cert cacert.pem -keyfile cakey.pem; these two files are the root certificate and root key under /etc/pki/CA created in the first two steps.

2. Send the crt certificate to the requester

Send the generated crt certificate back to the nginx server for use. 192.168.137.61 is the nginx server address

scp /etc/pki/CA/nginx.crt  192.168.137.61:/etc/nginx/ssl/
On the same machine use
cp /etc/pki/CA/nginx.crt /etc/nginx/ssl/

At this point we have all the files needed to set up an SSL connection, and the server's crt and key are in the configured directory; what remains is the question of how to use the certificate.

IV. Revoking a certificate

1. The node requests revocation

[root@localhost CA]#  openssl x509 -in /etc/nginx/ssl/nginx.crt  -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=home/OU=home/CN=*.test.com/emailAddress=my@test.com

Parameter explanation:

x509: operate on a certificate in X.509 format
-in: the certificate to be revoked
-noout: do not print the encoded certificate itself
-serial: print the serial number
-subject: print the subject

2. The CA verifies the information

2.1 Check that the serial and subject submitted by the node match the entry in the index.txt file

[root@localhost CA]# cat /etc/pki/CA/index.txt
V       270531102122Z           01      unknown /C=CN/ST=beijing/O=home/OU=home/CN=*.17coolz.com/emailAddress=my@test.com

2.2 Revoke the certificate

openssl ca -revoke /etc/pki/CA/newcerts/01.pem

Parameter explanation: -revoke: revoke the given certificate (its entry in index.txt changes from V to R).
Output

[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

2.3 View the list of revoked certificates

[root@localhost CA]# cat /etc/pki/CA/index.txt
R       270531102122Z   170602103652Z   01      unknown /C=CN/ST=beijing/O=home/OU=home/CN=*.17coolz.com/emailAddress=my@test.com

2.4 Create the CRL number file (only needed on the first revocation)

echo 00 > /etc/pki/CA/crlnumber

2.5 Update the certificate revocation list

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

Output:

[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf

2.6 View the contents of the CRL file

openssl crl -in crl/ca.crl -noout -text

Output

[root@localhost CA]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=home/OU=homepart/CN=home.home/emailAddress=home@home.home
        Last Update: Jun  2 10:41:24 2017 GMT
        Next Update: Jul  2 10:41:24 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                0
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jun  2 10:36:52 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
         a3:fc:cf:fd:08:44:d9:c0:fd:78:75:5f:79:3a:c3:16:17:da:
         b8:b1:cc:d8:67:28:73:75:4a:e1:11:e3:04:de:0a:36:4f:d6:
         de:ec:37:3b:0b:18:0f:24:18:d1:8b:c9:6a:f8:e0:d3:c6:cc:
         42:67:5b:15:34:da:f9:49:eb:19:73:33:4e:ef:eb:cb:82:12:
         4c:27:ee:5e:9d:50:5f:8b:0c:51:3a:05:e3:0f:fb:3c:0d:0b:
         8e:af:17:5e:b2:7d:30:af:e6:60:f2:6e:7f:b5:b5:9b:b1:f7:
         5e:d4:80:73:d3:cc:30:e1:78:71:db:81:a0:ad:49:6a:dc:5c:
         12:bf:31:0f:11:59:54:80:e9:74:36:f7:98:e2:86:f2:29:3f:
         b0:69:b8:a4:32:9d:1c:61:01:ed:0f:09:b0:10:be:f4:07:ac:
         32:91:9c:cc:35:cf:c3:cb:44:6b:86:22:81:7d:7a:71:9d:5c:
         34:da:30:47:5a:ce:0f:10:bc:2a:56:8f:41:85:de:95:48:5c:
         d3:b2:90:ae:4f:7e:7c:d1:53:5c:6f:67:cb:aa:cc:78:5b:1a:
         f6:31:5b:7e:04:03:73:da:6e:8d:00:d7:bf:db:75:6a:0e:44:
         be:c1:20:0f:72:40:4c:29:fc:aa:87:30:9e:84:55:e1:76:a2:
         00:05:39:18

Parameter explanation

-text: print the CRL in text form.
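The whole procedure in this post, Parts I through IV, as one added example that is not code from the original post: a throwaway CA in a temporary directory with the same layout and policy_match rules as the CentOS /etc/pki/CA setup, driven non-interactively with -subj and -batch, ending with the check the post does not show, openssl verify -crl_check rejecting the certificate once it is on the CRL. It assumes a POSIX sh with openssl 1.1 or 3.x on PATH; the directory, file names and subjects are constructed for the example.

```shell
# Added example, not the post's code: throwaway CA in a temp dir; assumes POSIX sh + openssl on PATH.
set -eu
CA=${CA:-$(mktemp -d)}    # stands in for /etc/pki/CA
CFG=$CA/openssl.cnf       # stands in for /etc/pki/tls/openssl.cnf
run_ca() { openssl ca -batch -config "$CFG" -cert "$CA/cacert.pem" -keyfile "$CA/private/cakey.pem" "$@"; }
# Part I: layout, minimal config with CentOS's policy_match rules, root key (umask 077), CA:TRUE root, index/serial/crlnumber, empty CRL.
setup_ca() {
  mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private" "$CA/csr"
  cat > "$CFG" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $CA/index.txt
serial = $CA/serial
crlnumber = $CA/crlnumber
default_md = sha256
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  ( umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null )
  openssl req -new -x509 -config "$CFG" -extensions v3_ca -days 3650 -key "$CA/private/cakey.pem" \
    -subj "/C=CN/ST=beijing/O=home/CN=home.home" -out "$CA/cacert.pem"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 00 > "$CA/crlnumber"
  run_ca -gencrl -crldays 30 -out "$CA/crl/ca.crl"
}
# Parts II and III: node key + CSR for subject $2, then CA signing; exits non-zero on a policy_match
# mismatch such as ST=shanghai against the beijing root, the error the post ran into.
issue() {
  ( umask 077; openssl genrsa -out "$CA/csr/$1.key" 2048 2>/dev/null )
  openssl req -new -config "$CFG" -key "$CA/csr/$1.key" -subj "$2" -out "$CA/csr/$1.csr"
  run_ca -in "$CA/csr/$1.csr" -out "$CA/$1.crt" -days 365 -outdir "$CA/newcerts" \
    -policy policy_match -extensions usr_cert
}
# Part IV: mark the cert R in index.txt and publish a fresh CRL; verification against root + CRL then fails.
revoke() { run_ca -revoke "$CA/$1.crt"; run_ca -gencrl -crldays 30 -out "$CA/crl/ca.crl"; }
verify_with_crl() {
  cat "$CA/cacert.pem" "$CA/crl/ca.crl" > "$CA/crlchain.pem"
  openssl verify -crl_check -CAfile "$CA/crlchain.pem" "$CA/$1.crt"
}
```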

References:

http://www.178linux.com/12742
http://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_011_ca.html
http://seanlook.com/2015/01/18/openssl-self-sign-ca/

