Encryption and security
Digital signatures
A: pub_A (public key of A), pri_A (private key of A)
B: pub_B (public key of B), pri_B (private key of B)
Signing: A hashes the data with a hash algorithm (obtaining the digest), then encrypts the digest with its private key pri_A; the result is the digital signature.
Verification: B decrypts the digital signature with A's pub_A and obtains the signed digest; B then hashes the data content with the same hash algorithm to get its own digest and compares the two. If they are identical the data is genuine; if they differ the data has been tampered with.
Data encryption
A: pub_A (public key of A), pri_A (private key of A)
B: pub_B (public key of B), pri_B (private key of B)
Encryption: A encrypts the data with a symmetric algorithm (because symmetric encryption and decryption are fast), then encrypts the symmetric key with B's public key.
Decryption: B decrypts the symmetric key with B's private key, then decrypts the data with the symmetric key.
The symmetric key is negotiated by the two parties through a series of random numbers and algorithms, including time-based randomness, so it cannot be broken within a short time and is therefore considered secure.
CA and certificates
If there are only A and B, each with their own private and public keys, could a man in the middle C impersonate A to B and B to A, replacing both parties' public keys with C's own public key?
At that point we urgently need an institution that can settle identity authentication fairly and impartially. That institution is the CA, generally a national body (it must be impartial, because it knows the identities of both A and B).
A hands its public key to the CA; the CA signs A's public key with its own key, producing A1 (A's public key plus the CA's signature). B then verifies the signature on A1 using the CA's certificate and obtains A's public key, which guarantees A's identity. In other words, since a middleman is unavoidable, we choose one that both sides trust.
openssl
# Encrypt a file
[root@ydzs-master ~]# openssl enc -e -des3 -a -salt -in a.txt -out a.cipher
# Decrypt a file
[root@ydzs-master ~]# openssl enc -d -des3 -a -salt -in a.cipher -out a.txt
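The two procedures above (A signing a digest with pri_A and B verifying it with pub_A; A wrapping a symmetric key with pub_B and B unwrapping it with pri_B) carried out end to end in Python, as an added example that is not part of the original notes. It uses textbook RSA with constructed toy primes and a SHA-256 counter-mode keystream as a stand-in for the symmetric cipher; the key sizes, the lack of padding and the stand-in cipher are all assumptions made so the example runs with the standard library only, not something a real deployment should copy.

```python
# Added example (not from the original notes): textbook RSA used the way the
# notes describe it, for A signing and for B receiving an encrypted message.
# Primes, exponent and the stand-in stream cipher are constructed for
# illustration; a real system uses 2048-bit keys with PSS/OAEP padding and AES.
import hashlib
import hmac
import os

# Constructed toy key material: two Mersenne primes, small enough to read,
# far too small to be secure.
P_TOY = 2**61 - 1
Q_TOY = 2**89 - 1
E = 65537


def keygen(p=P_TOY, q=Q_TOY, e=E):
    """Return (pub, pri) as (e, n) and (d, n); d is e's inverse mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def digest_int(data, n):
    """Hash the data (the 'digest' in the notes) and map it into Z_n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, pri):
    """A: hash the data, then 'encrypt' the digest with pri_A -> signature."""
    d, n = pri
    return pow(digest_int(data, n), d, n)


def verify(data, sig, pub):
    """B: 'decrypt' the signature with pub_A and compare with B's own digest."""
    e, n = pub
    recovered = pow(sig, e, n)
    expected = digest_int(data, n)
    # constant-time comparison of the two digests
    return hmac.compare_digest(recovered.to_bytes(32, "big"),
                               expected.to_bytes(32, "big"))


def _keystream(key, length):
    """Stand-in for the symmetric cipher: SHA-256 in counter mode (toy)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


sym_decrypt = sym_encrypt  # XOR with the same keystream undoes itself


def envelope_encrypt(data, pub_b, session_key=None):
    """A: encrypt data with a fresh symmetric key, then wrap that key with pub_B."""
    e, n = pub_b
    key = session_key if session_key is not None else os.urandom(16)
    assert len(key) == 16 and int.from_bytes(key, "big") < n
    wrapped = pow(int.from_bytes(key, "big"), e, n)
    return wrapped, sym_encrypt(key, data)


def envelope_decrypt(wrapped, ciphertext, pri_b):
    """B: unwrap the symmetric key with pri_B, then decrypt the data."""
    d, n = pri_b
    key = pow(wrapped, d, n).to_bytes(16, "big")
    return sym_decrypt(key, ciphertext)


if __name__ == "__main__":
    pub_a, pri_a = keygen()
    pub_b, pri_b = keygen(p=2**107 - 1, q=2**127 - 1)  # second toy pair for B
    msg = b"transfer 100 to account 42"
    s = sign(msg, pri_a)
    print("signature verifies:", verify(msg, s, pub_a))
    print("tampered message verifies:", verify(msg + b"0", s, pub_a))
    w, ct = envelope_encrypt(msg, pub_b)
    print("B recovered plaintext:", envelope_decrypt(w, ct, pri_b) == msg)
```

The tampered-message check is the whole point of the verification step: the signature still decrypts to A's original digest, but B's freshly computed digest no longer matches it.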
# Message digests (the hashing step used in signing)
[root@ydzs-master ~]# openssl dgst -md5 a.txt
MD5(a.txt)= 202643e446ef081830c8ac79ec225046
[root@ydzs-master ~]# openssl dgst -sha1 a.txt
SHA1(a.txt)= 034b59416e4d12fcdd23d7ecd2298c5d1f0efc09
[root@ydzs-master ~]# openssl dgst -sha256 a.txt
SHA256(a.txt)= 6fbf35aaabbb8fad6a5b8771e40306349926d9a16b88294a14c083b7ee55e294
[root@ydzs-master ~]# openssl dgst -dss1 a.txt
DSA(a.txt)= 034b59416e4d12fcdd23d7ecd2298c5d1f0efc09
[root@ydzs-master ~]# openssl md5 fstab
fstab: No such file or directory
[root@ydzs-master ~]# openssl md5 a.txt
MD5(a.txt)= 202643e446ef081830c8ac79ec225046
[root@ydzs-master ~]# openssl sha512 a.txt
SHA512(a.txt)= aabff7714ebcea4e4e9a0fb68444af8db9664d64af51784adb9101dfb08a837d630bae7d5d1bb95d00a77e47e87079d6cad4347007373e63cdade2978015fe4a
[root@ydzs-master ~]# sha512sum a.txt
aabff7714ebcea4e4e9a0fb68444af8db9664d64af51784adb9101dfb08a837d630bae7d5d1bb95d00a77e47e87079d6cad4347007373e63cdade2978015fe4a a.txt
# Generate password hashes (-1 is MD5-crypt, -5 is SHA-256-crypt; note that an unquoted $y6kdp in the salt is expanded by the shell)
echo 123456 | openssl passwd -1 -salt 6$y6kdp/yQ -stdin
echo 123456 | openssl passwd -5 -salt 6$y6kdp/yQ -stdin
# Generate a private key file
openssl genrsa -out app.key 2048
openssl genrsa -out app2.key -des3 2048 # with passphrase
# Export the public key from the private key file
openssl rsa -in app.key -pubout -out app.pub
openssl rsa -in app2.key -pubout -out app2.pub # if the key has a passphrase you will be prompted for it
# Convert a passphrase-protected private key into one without a passphrase
openssl genrsa -out app.key -des3 2048
openssl rsa -in app.key -out app.key
Requesting a CA-issued certificate for a private key
This package must be installed:
[root@ydzs-master test]# rpm -ql openssl-libs
Three policy modes: match, optional, supplied
/etc/pki/tls/openssl.cnf
match: the information filled in on the request must be identical to the CA's setting
optional: may be present or absent, and may differ from the CA's setting
supplied: this field must be filled in on the request
- Create the files the CA needs
[root@ydzs-master test]# touch /etc/pki/CA/index.txt # certificate index database file
[root@ydzs-master test]# echo 01 > /etc/pki/CA/serial # serial number of the first certificate to be issued
- Generate the CA private key
[root@ydzs-master CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
- Generate the CA self-signed certificate
# generate the self-signed certificate
[root@ydzs-master CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out ./cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
# View the certificate contents
[root@ydzs-master CA]# openssl x509 -in cacert.pem -noout -text
4. The user generates a private key and requests a certificate
# Generate the user's private key
[root@ydzs-master CA]# mkdir /data/app1
[root@ydzs-master CA]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
.+++
.................................................................+++
e is 65537 (0x10001)
[root@ydzs-master CA]# ll /data/app1/
total 4
-rw-------. 1 root root 1675 Nov 7 06:33 app1.key
# Generate the certificate signing request (the CA needs this request file when it issues the certificate)
[root@ydzs-master ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country, state/province and organization must match the CA's information
State or Province Name (full name) []:beijing # province
Locality Name (eg, city) [Default City]:bj # city
Organization Name (eg, company) [Default Company Ltd]:magedu # organization
Organizational Unit Name (eg, section) []:it # organizational unit
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ydzs-master ~]#
[root@ydzs-master ~]#
[root@ydzs-master ~]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1045 Nov 18 14:23 app1.csr
-rw-------. 1 root root 1675 Nov 7 06:33 app1.key
# This is the output for a correctly filled-in CSR
[root@ydzs-master ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 18 06:32:10 2021 GMT
Not After : Nov 18 06:32:10 2022 GMT
Subject:
countryName = CN # country
stateOrProvinceName = beijing # province
organizationName = magedu # organization
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Country, province and organization must be identical. Below is the app2.csr request I filled in wrongly; applying for a certificate with it failed.
[root@ydzs-master ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Error
[root@ydzs-master ~]# openssl ca -in /data/app1/app2.csr -out /etc/pki/CA/certs/app3.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (magedu) and the request (test)
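The policy check that produced the error above (match / optional / supplied from the earlier section), re-implemented in Python as an added example; this is not code from the notes or from OpenSSL, and the policy table is assumed to be the default policy_match section of openssl.cnf. The subject values are the ones typed into the two requests and into the CA certificate above. It also shows why the issued certificate's Subject has no L= entry even though "bj" was entered: localityName is not listed in policy_match, so it is dropped.

```python
# Added example (not from the original notes): a minimal re-implementation of
# the subject policy that 'openssl ca' enforces before signing a CSR.
# Assumption: the CA uses the default policy_match section of openssl.cnf.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# Subject of the CA certificate, as entered in the notes.
CA_SUBJECT = {
    "countryName": "CN", "stateOrProvinceName": "beijing",
    "localityName": "beijing", "organizationName": "magedu",
    "organizationalUnitName": "devops", "commonName": "ca.magedu.org",
    "emailAddress": "admin@magedu.org",
}

# The correct request (app1.csr) and the wrong one (app2.csr, O=test).
REQUEST_OK = {
    "countryName": "CN", "stateOrProvinceName": "beijing",
    "localityName": "bj", "organizationName": "magedu",
    "organizationalUnitName": "it", "commonName": "app1.magedu.org",
    "emailAddress": "root@magedu.org",
}
REQUEST_BAD = dict(REQUEST_OK, organizationName="test")

SHORT_NAMES = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "emailAddress",
}


def check_policy(ca_subject, req_subject, policy=POLICY_MATCH):
    """Return the subject that will go into the certificate, or raise
    ValueError with wording modelled on the messages 'openssl ca' prints.
    Fields of the request that are not named in the policy are dropped."""
    cert_subject = {}
    for field, rule in policy.items():
        req_val = req_subject.get(field)
        if rule == "match":
            ca_val = ca_subject.get(field)
            if ca_val is None:
                raise ValueError(f"The {field} field does not exist in the "
                                 "CA certificate, the 'policy' is misconfigured")
            if req_val is None:
                raise ValueError(f"The {field} field needed to be supplied "
                                 "and was missing")
            if req_val != ca_val:
                raise ValueError(f"The {field} field needed to be the same in "
                                 f"the CA certificate ({ca_val}) and the "
                                 f"request ({req_val})")
            cert_subject[field] = req_val
        elif rule == "supplied":
            if req_val is None:
                raise ValueError(f"The {field} field needed to be supplied "
                                 "and was missing")
            cert_subject[field] = req_val
        elif rule == "optional":
            if req_val is not None:
                cert_subject[field] = req_val
        else:
            raise ValueError(f"unknown policy rule {rule!r} for {field}")
    return cert_subject


def policy_error(ca_subject, req_subject, policy=POLICY_MATCH):
    """Return the rejection message for a request, or None if it passes."""
    try:
        check_policy(ca_subject, req_subject, policy)
    except ValueError as err:
        return str(err)
    return None


def subject_to_dn(subject):
    """Render the subject in the one-line /C=.../ST=... form of 'openssl x509 -subject'."""
    return "".join(f"/{SHORT_NAMES[k]}={v}" for k, v in subject.items())


if __name__ == "__main__":
    print(subject_to_dn(check_policy(CA_SUBJECT, REQUEST_OK)))
    print(policy_error(CA_SUBJECT, REQUEST_BAD))
```

For the good request the rendered DN is exactly the subject line that `openssl x509 -subject` prints for app1.crt later in the notes; for the bad request the function reports the organizationName mismatch between magedu and test.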
5. A complete certificate issuance
[root@ydzs-master ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 18 06:46:32 2021 GMT
Not After : Aug 14 06:46:32 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Certificate is to be certified until Aug 14 06:46:32 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ydzs-master ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
6. Viewing the certificate
[root@ydzs-master ~]# cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.org/emailAddress=admin@magedu.org
Validity
Not Before: Nov 18 06:46:32 2021 GMT
Not After : Aug 14 06:46:32 2024 GMT
Subject: C=CN, ST=beijing, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=root@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:c3:49:f3:83:a8:21:ba:0f:19:99:2a:65:4f:
6a:53:fb:3c:41:0a:ba:6b:36:ad:46:1a:3d:89:1d:
59:8a:f6:a4:b8:b0:d6:c0:c8:77:da:ad:67:2c:35:
b2:8a:6b:94:df:0c:a1:bb:93:a9:9e:43:2d:c1:3f:
93:83:b0:d3:fa:56:d5:16:57:5c:35:0d:07:3f:94:
1c:d4:b6:a6:34:7c:38:b2:29:24:b6:a1:9f:7f:69:
28:d2:57:64:21:56:89:bb:b1:f9:43:e5:1c:26:2a:
1a:c3:b6:e5:a1:f7:b2:a4:62:f2:1b:b2:bf:78:00:
97:0d:c1:81:74:34:0e:14:0b:bc:00:e2:9d:8f:a3:
6d:7c:2a:ce:94:a9:13:26:23:cf:90:f2:33:72:4d:
6f:16:89:92:e5:b3:33:ec:0d:39:16:59:a7:7f:9e:
1a:64:6e:28:f6:c8:07:ce:e1:9a:0e:e6:1c:d0:7d:
16:98:bc:d3:41:47:3e:e8:4d:c6:d4:85:fa:ff:71:
fd:56:a7:66:eb:55:3f:66:d7:ed:af:e1:d5:86:44:
31:dd:3f:a0:01:b1:e9:c3:6a:27:17:45:3f:66:41:
43:d1:54:b4:ec:56:5c:79:6c:fc:45:23:57:0b:4a:
0a:6f:83:81:45:fd:81:8d:d0:4a:a0:05:f1:f3:2f:
7a:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Signature Algorithm: sha256WithRSAEncryption
6e:7f:6d:1f:84:f2:b6:38:9e:d5:46:5c:51:19:9a:47:66:2c:
2c:62:e8:1f:52:ae:7b:42:dd:34:1c:51:6c:a9:2a:cf:f4:e1:
43:7a:1d:34:69:16:44:05:12:0c:33:ef:b7:06:27:98:55:8b:
c3:ca:2c:97:55:bb:aa:1d:88:79:8c:b3:54:67:5e:3b:1a:64:
62:67:c5:5f:99:56:30:aa:6a:9f:31:12:dc:de:53:1d:c2:7e:
b9:de:c9:e6:c3:58:21:90:46:35:19:23:ff:18:dc:77:0e:8b:
87:c1:6e:6c:e4:b0:8f:86:c9:76:ab:32:dc:d7:9f:e2:a8:13:
5a:fa:af:42:53:dc:4e:dc:5e:d3:d4:0b:f7:d9:1b:56:57:1b:
4f:43:5b:35:4f:40:28:03:9e:98:af:4d:8b:6c:25:14:e3:46:
79:a4:df:88:6b:e6:40:60:f1:35:41:2b:0e:89:ba:dd:d4:28:
8d:c5:32:c7:03:20:8d:3c:b1:6c:39:72:ee:fd:ad:9b:cd:2a:
46:70:c9:b9:3b:a9:56:96:6c:ec:3c:1f:a8:84:5e:59:fd:91:
ba:06:ef:b5:aa:eb:08:5f:86:20:75:7d:9f:45:96:f3:2b:36:
99:36:99:90:47:74:4e:79:a6:16:32:12:2a:28:a5:6a:4e:8c:
77:0a:95:37
-----BEGIN CERTIFICATE-----
(base64 certificate body not reproduced here)
-----END CERTIFICATE-----
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=devops, CN=ca.magedu.org/emailAddress=admin@magedu.org
Validity
Not Before: Nov 18 06:46:32 2021 GMT
Not After : Aug 14 06:46:32 2024 GMT
Subject: C=CN, ST=beijing, O=magedu, OU=it, CN=app1.magedu.org/emailAddress=root@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:c3:49:f3:83:a8:21:ba:0f:19:99:2a:65:4f:
6a:53:fb:3c:41:0a:ba:6b:36:ad:46:1a:3d:89:1d:
59:8a:f6:a4:b8:b0:d6:c0:c8:77:da:ad:67:2c:35:
b2:8a:6b:94:df:0c:a1:bb:93:a9:9e:43:2d:c1:3f:
93:83:b0:d3:fa:56:d5:16:57:5c:35:0d:07:3f:94:
1c:d4:b6:a6:34:7c:38:b2:29:24:b6:a1:9f:7f:69:
28:d2:57:64:21:56:89:bb:b1:f9:43:e5:1c:26:2a:
1a:c3:b6:e5:a1:f7:b2:a4:62:f2:1b:b2:bf:78:00:
97:0d:c1:81:74:34:0e:14:0b:bc:00:e2:9d:8f:a3:
6d:7c:2a:ce:94:a9:13:26:23:cf:90:f2:33:72:4d:
6f:16:89:92:e5:b3:33:ec:0d:39:16:59:a7:7f:9e:
1a:64:6e:28:f6:c8:07:ce:e1:9a:0e:e6:1c:d0:7d:
16:98:bc:d3:41:47:3e:e8:4d:c6:d4:85:fa:ff:71:
fd:56:a7:66:eb:55:3f:66:d7:ed:af:e1:d5:86:44:
31:dd:3f:a0:01:b1:e9:c3:6a:27:17:45:3f:66:41:
43:d1:54:b4:ec:56:5c:79:6c:fc:45:23:57:0b:4a:
0a:6f:83:81:45:fd:81:8d:d0:4a:a0:05:f1:f3:2f:
7a:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Signature Algorithm: sha256WithRSAEncryption
6e:7f:6d:1f:84:f2:b6:38:9e:d5:46:5c:51:19:9a:47:66:2c:
2c:62:e8:1f:52:ae:7b:42:dd:34:1c:51:6c:a9:2a:cf:f4:e1:
43:7a:1d:34:69:16:44:05:12:0c:33:ef:b7:06:27:98:55:8b:
c3:ca:2c:97:55:bb:aa:1d:88:79:8c:b3:54:67:5e:3b:1a:64:
62:67:c5:5f:99:56:30:aa:6a:9f:31:12:dc:de:53:1d:c2:7e:
b9:de:c9:e6:c3:58:21:90:46:35:19:23:ff:18:dc:77:0e:8b:
87:c1:6e:6c:e4:b0:8f:86:c9:76:ab:32:dc:d7:9f:e2:a8:13:
5a:fa:af:42:53:dc:4e:dc:5e:d3:d4:0b:f7:d9:1b:56:57:1b:
4f:43:5b:35:4f:40:28:03:9e:98:af:4d:8b:6c:25:14:e3:46:
79:a4:df:88:6b:e6:40:60:f1:35:41:2b:0e:89:ba:dd:d4:28:
8d:c5:32:c7:03:20:8d:3c:b1:6c:39:72:ee:fd:ad:9b:cd:2a:
46:70:c9:b9:3b:a9:56:96:6c:ec:3c:1f:a8:84:5e:59:fd:91:
ba:06:ef:b5:aa:eb:08:5f:86:20:75:7d:9f:45:96:f3:2b:36:
99:36:99:90:47:74:4e:79:a6:16:32:12:2a:28:a5:6a:4e:8c:
77:0a:95:37
# View the issuer DN
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.org/emailAddress=admin@magedu.org
# Subject information
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject= /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
# Date information: start and expiry time
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Nov 18 06:46:32 2021 GMT
notAfter=Aug 14 06:46:32 2024 GMT
# Print the serial number
[root@ydzs-master ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=01
# Check the status of certificate serial 01
[root@ydzs-master ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
# View the CA's index database of issued certificates
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt
V 240814064632Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt.old
# The CA's serial file
[root@ydzs-master ~]# cat /etc/pki/CA/serial
02
[root@ydzs-master ~]# cat /etc/pki/CA/serial.old
01
- Send the issued certificate to the client for use
# Copy the issued certificate
[root@ydzs-master ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@ydzs-master ~]# ll /data/app1/
total 16
-rw-r--r-- 1 root root 4614 Nov 18 15:10 app1.crt
-rw-r--r-- 1 root root 1045 Nov 18 14:23 app1.csr
-rw-------. 1 root root 1675 Nov 7 06:33 app1.key
8. Make Windows trust the certificate we issued ourselves
Search Baidu for the import steps; the file we need from the tree below is the one marked:
[root@ydzs-master ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem # this file is the self-signed CA certificate; importing it into Windows' trusted certificate store is enough
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
9. Revoking a certificate
[root@ydzs-master ~]# diff /data/app1/app1.crt /etc/pki/CA/newcerts/01.pem # their contents are actually identical
# Revoke the certificate
[root@ydzs-master ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@ydzs-master ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt # see below, the status has become R
R 240814064632Z 211118071740Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
- Requesting a certificate again
[root@ydzs-master ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app2.crt -days 999 # request another one and see what changes in the /etc/pki/CA directory
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Nov 18 07:22:29 2021 GMT
Not After : Aug 13 07:22:29 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = root@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
57:6B:4E:33:BF:42:67:15:19:E0:90:2B:AE:BD:78:1C:5D:C0:65:91
X509v3 Authority Key Identifier:
keyid:19:69:54:44:7C:CF:45:46:0D:55:17:53:FF:81:50:EA:3A:6A:AF:82
Certificate is to be certified until Aug 13 07:22:29 2024 GMT (999 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ydzs-master ~]#
[root@ydzs-master ~]#
[root@ydzs-master ~]# tree /etc/pki/CA/certs
/etc/pki/CA/certs
├── app1.crt
└── app2.crt
0 directories, 2 files
[root@ydzs-master ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 12 files
[root@ydzs-master ~]# cat/etc/pki/CA/index.txt
-bash: cat/etc/pki/CA/index.txt: No such file or directory
[root@ydzs-master ~]# cat/etc/pki/CA/^C
[root@ydzs-master ~]# cat /etc/pki/CA/index.txt # V means the certificate has not been revoked
R 240814064632Z 211118071740Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
V 240813072229Z 02 unknown /C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org
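The index.txt database shown above (and the revoked entry earlier in section 9) is what `openssl ca -status` and `openssl ca -gencrl` read. As an added example, not part of the original notes, here is a small Python parser for that file that reproduces the status lookup and lists the serials a CRL would carry. The sample database is constructed from the two entries above; the real file is tab-separated (the notes show the tabs collapsed to spaces), with the revocation-date column empty for V entries. Marking a V entry as E once its expiry has passed mirrors what `openssl ca -updatedb` does and is an assumption of this example, not something the status lookup itself does.

```python
# Added example (not from the original notes): parse the CA's index.txt
# database maintained by 'openssl ca' and answer the two questions the notes
# ask of it: what is the status of serial N, and which serials are revoked.
from datetime import datetime, timezone

# Constructed sample, tab-separated like the real file. Columns:
# status, expiry, revocation date (empty when not revoked), serial, file, DN.
SAMPLE_INDEX = (
    "R\t240814064632Z\t211118071740Z\t01\tunknown\t"
    "/C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org\n"
    "V\t240813072229Z\t\t02\tunknown\t"
    "/C=CN/ST=beijing/O=magedu/OU=it/CN=app1.magedu.org/emailAddress=root@magedu.org\n"
)


def parse_utctime(value):
    """YYMMDDHHMMSSZ as written by 'openssl ca' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per index line; reject lines without the six columns."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked, serial, filename, dn = parts
        entries.append({
            "status": status,
            "expiry": parse_utctime(expiry),
            "revoked": parse_utctime(revoked) if revoked else None,
            "serial": serial,
            "file": filename,
            "dn": dn,
        })
    return entries


def cert_status(entries, serial, now=None):
    """Mirror 'openssl ca -status SERIAL': 'V', 'R', 'E' (expired, as
    -updatedb would mark it) or None when the serial was never issued."""
    if now is None:
        now = datetime.now(timezone.utc)
    for entry in entries:
        if entry["serial"] != serial:
            continue
        if entry["status"] == "R":
            return "R"
        if entry["expiry"] < now:
            return "E"
        return entry["status"]
    return None


def revoked_serials(entries):
    """What '-gencrl' puts into the CRL: (serial, revocation date) per R entry."""
    return [(e["serial"], e["revoked"]) for e in entries if e["status"] == "R"]


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for serial in ("01", "02", "03"):
        print(serial, cert_status(db, serial))
    print("revoked:", revoked_serials(db))
```

The revocation entry for serial 01 carries the same date (Nov 18 07:17:40 2021 GMT) that appears under "Revoked Certificates" when the generated crl.pem is printed later in the notes, which is how the CRL and the database can be cross-checked.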
[root@ydzs-master ~]# cat /etc/pki/CA/serial # the serial number has been incremented by one
03
- Generate the certificate revocation list file
[root@ydzs-master ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory # the CRL number file
error while loading CRL number
140047841879952:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140047841879952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@ydzs-master ~]# echo 01 /etc/pki/CA/crlnumber #
01 /etc/pki/CA/crlnumber
[root@ydzs-master ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140649753524112:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140649753524112:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@ydzs-master ~]# ll /etc/pki/CA/crlnumber
ls: cannot access /etc/pki/CA/crlnumber: No such file or directory
[root@ydzs-master ~]# ll /etc/pki/CA/crl
crl/ crl.pem
# The file does not exist, so we simply create it
[root@ydzs-master ~]# echo 01 > /etc/pki/CA/crlnumber
[root@ydzs-master ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@ydzs-master ~]# cat /etc/pki/CA/crlnumber
02
[root@ydzs-master ~]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
MIIB/DCB5QIBATANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB2JlaWppbmcxEDAOBgNVBAcMB2JlaWppbmcxDzANBgNVBAoMBm1hZ2VkdTEP
MA0GA1UECwwGZGV2b3BzMRYwFAYDVQQDDA1jYS5tYWdlZHUub3JnMR8wHQYJKoZI
hvcNAQkBFhBhZG1pbkBtYWdlZHUub3JnFw0yMTExMTgwNzQxNTNaFw0yMTEyMTgw
NzQxNTNaMBQwEgIBARcNMjExMTE4MDcxNzQwWqAOMAwwCgYDVR0UBAMCAQEwDQYJ
KoZIhvcNAQELBQADggEBADZAuVCl1nELC7h93m9P2FcQMRpEs4kZCI2odPOsEF1L
Ey3v38B+EHyksfk2wFSB+LqajjcB+s/cE7UzpuE/zMa+nanvSY1LrdTKpQOO09uK
g8fG1bDaPfBjNb+g+56J/Q/kKugZ3n7g4A7K7rApk7V2QakcevNZxe00X9cY+wgN
RKb0AzfH5VyhLWhHtD+snmwRlQVF4ZMiP6qILo3HKiLF5Sp8T2r4ayRfAEiylPSf
AySiV5UXwCBL4OdfW5vVeg+djfViMn3W8PDADGPY+T/Fbo6ezrh7byygA2/CQEbo
rf8z5FYDg8m+si8f5AW+1E1rEheN0RgzgxIqhVmkgP8=
-----END X509 CRL-----
# The serial number of the revoked certificate is visible here
[root@ydzs-master ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.org/emailAddress=admin@magedu.org
Last Update: Nov 18 07:41:53 2021 GMT
Next Update: Dec 18 07:41:53 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Nov 18 07:17:40 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
36:40:b9:50:a5:d6:71:0b:0b:b8:7d:de:6f:4f:d8:57:10:31:
1a:44:b3:89:19:08:8d:a8:74:f3:ac:10:5d:4b:13:2d:ef:df:
c0:7e:10:7c:a4:b1:f9:36:c0:54:81:f8:ba:9a:8e:37:01:fa:
cf:dc:13:b5:33:a6:e1:3f:cc:c6:be:9d:a9:ef:49:8d:4b:ad:
d4:ca:a5:03:8e:d3:db:8a:83:c7:c6:d5:b0:da:3d:f0:63:35:
bf:a0:fb:9e:89:fd:0f:e4:2a:e8:19:de:7e:e0:e0:0e:ca:ee:
b0:29:93:b5:76:41:a9:1c:7a:f3:59:c5:ed:34:5f:d7:18:fb:
08:0d:44:a6:f4:03:37:c7:e5:5c:a1:2d:68:47:b4:3f:ac:9e:
6c:11:95:05:45:e1:93:22:3f:aa:88:2e:8d:c7:2a:22:c5:e5:
2a:7c:4f:6a:f8:6b:24:5f:00:48:b2:94:f4:9f:03:24:a2:57:
95:17:c0:20:4b:e0:e7:5f:5b:9b:d5:7a:0f:9d:8d:f5:62:32:
7d:d6:f0:f0:c0:0c:63:d8:f9:3f:c5:6e:8e:9e:ce:b8:7b:6f:
2c:a0:03:6f:c2:40:46:e8:ad:ff:33:e4:56:03:83:c9:be:b2:
2f:1f:e4:05:be:d4:4d:6b:12:17:8d:d1:18:33:83:12:2a:85:
59:a4:80:ff