一、CA簡介
CA是什麼?CA是Certificate Authority的簡寫,從字面意思翻譯過來是憑證管理中心,認證授權。它有點類似我們生活中的身份證頒發機構,這裡的CA就相當于生活中頒發身份證的機構。不同于生活中的頒發機構,這裡的CA是給伺服器頒發證書。頒發證書的目的同生活中的辦理身份證的目的類似,都是為了證明一件事,生活中的身份證可以證明我們是一個合法的公民,而伺服器頒發證書的目的也是證明我們服務是一個合法的伺服器,換句話說就是有了證書我們就可以清楚知道我們通路的伺服器到底是不是我們真正想通路的伺服器。進而識别我們通路的伺服器的真假。
二、中間人攻擊原理
如上圖所示,我們在和對方伺服器通信的過程,存在着中間人攻擊的情況。所謂中間人攻擊,就是攻擊者站在通訊雙方的中間,對于用戶端它充當着伺服器的角色,對于伺服器端它又充當着用戶端的角色。簡單說它就是兩邊欺騙。當我們向伺服器發起通信請求時,中間人會截獲我們發向伺服器端的封包,進而進行修改,然後把修改後的封包發送給服務端,服務端收到中間人篡改的資料封包,進行響應,把響應封包發送給中間人,然後中間人再發給用戶端。這樣一個過程就是中間人攻擊的過程。可以看到用戶端服務端雙方直接通信是不安全的。如上圖所示,通信雙方交換密鑰,直接交換就存在中間人欺騙,因為我們不能夠确定遠端伺服器的真僞和用戶端的真僞。為了解決這一問題,由此衍生出CA。CA在這裡的充當的角色相當于中間人角色,不同的是CA是一個權威的中間人。它可以證明用戶端和服務端的真僞。
三、加密解密以及擷取公鑰過程
衆所周知常用的加密方式有三種,單向加密,對稱加密,和非對稱加密。單向加密從字面意思了解就是一方加密,在加密過程中不使用密鑰,我們把單向加密也叫不可逆加密,通常用于驗證檔案的真假,或者驗證檔案是否改動,進而驗證檔案的完整性。常用的單向加密算法有md5,sha。對稱加密講的是加密和解密用的同一密鑰。換句話說對稱加密隻有一個密鑰,隻要拿到對應的密鑰就可以解密。常用的對稱加密有des。非對稱加密講的是公鑰加密私鑰解密,私鑰加密公鑰解密,且公鑰和私鑰是一對,加密解密都需要的是一對密鑰裡的任意一個。這種加密比前兩種更加安全和适用,缺點是加解密大檔案速度慢。
了解了非對稱加密的特性,我們再來說說它的過程。通信雙方要進行非對稱加密通信,前提是需要拿到對方的公鑰,私鑰放在各自手裡,各自的公鑰則存放在對方的手上。換句話講,用戶端需要拿到服務端的公鑰,才能和服務端通信,服務端需要拿到用戶端的公鑰,才能主動和用戶端通信。進而才可以實作非對稱加密通信。那麼用戶端怎麼得到服務端的公鑰呢?如果用戶端直接向服務端發送公鑰,上面我們說過,這種方式存在中間人攻擊,因為直接交換公鑰是不都能确定對方身份的。這個時候就需要說說CA憑證的作用了。
證書裡面存放了申請證書機構伺服器的公鑰和CA的資訊以及有效期。通訊雙方在建立加密通信的時候,需要驗證證書的合法性,進而實作驗證身份的目的。通常情況我們要驗證證書的合法性就需要證書頒發機構的公鑰來對證書解密,因為證書在頒發的時候,裡面的公鑰是通過頒發機構的私鑰對其進行加密的。隻要我們能夠用頒發機構的公鑰解開證書,那麼就說明這個證書就是一個合法的證書,至少它證明了這個證書是權威機構(我們信任的)CA頒發的。同理通信雙方要進行加密通信也是通過證書來擷取密鑰的。具體過程是這樣的,用戶端向服務端發起通信請求,服務端發送證書給用戶端,用戶端拿到證書進行解密,如果能夠用信任CA機構的公鑰解開,說明伺服器發送過來的證書沒有問題,然後把服務端公鑰給存起來。用戶端有了服務端的公鑰後就可以向服務端發送用服務端的公鑰加密的資料了,但是服務端沒有用戶端的公鑰,它不能夠用自己的私鑰來加密資料發送給用戶端,因為它的公鑰是公開的,不光用戶端上有服務端的公鑰,中間人也有。是以為了確定資料的安全,用戶端需要随機生成一個密碼,然後通過伺服器的公鑰,把随機生成的密碼加密後發送給服務端,服務端收到用戶端發來的加密資料後,用自己的私鑰解開,進而拿到用戶端發來的随機密碼,有了這個随機密碼後,服務端就拿這個随機密碼對稱加密資料,然後發送給用戶端。用戶端收到服務端發送過來的加密封包,用剛才發送給服務端的随機密碼解密,進而得到真正的資料。後續雙方就是通過這個随機密碼來加密解密傳輸資料。這裡還需要說明的是,這個随機密碼不是一直不變的,每隔一段時間後,用戶端和服務端就會協商,重複上面的過程,生成新的随機密碼進行加密解密通信。
從上面的通信過程我們可以知道,證書的作用就是為了驗證其伺服器的真實合法性,以及傳輸服務端的公鑰的作用。而伺服器的公鑰就是用來用戶端向服務端發送随機密碼,用來加密随機密碼的作用,進而實作,隻有服務端可以拿到這個随機密碼的作用,實作安全加密通信。
四、CA伺服器的實作
1、安裝openssl軟體
[root@test ~]# yum install openssl -y 說明:通常情況下openssl是系統預設安裝的有,如果沒有需要安裝。
2、檢視配置檔案,以及比對政策
36 [ ca ]
37 default_ca = CA_default # The default ca section
38
39 ####################################################################
40 [ CA_default ]
41
42 dir = /etc/pki/CA # Where everything is kept
43 certs = $dir/certs # Where the issued certs are kept
44 crl_dir = $dir/crl # Where the issued crl are kept
45 database = $dir/index.txt # database index file.
46 #unique_subject = no # Set to 'no' to allow creation of
47 # several ctificates with same subject.
48 new_certs_dir = $dir/newcerts # default place for new certs.
49
50 certificate = $dir/cacert.pem # The CA certificate
51 serial = $dir/serial # The current serial number
52 crlnumber = $dir/crlnumber # the current crl number
53 # must be commented out to leave a V1 CRL
54 crl = $dir/crl.pem # The current CRL
55 private_key = $dir/private/cakey.pem# The private key
56 RANDFILE = $dir/private/.rand # private random number file
57
58 x509_extensions = usr_cert # The extentions to add to the cert
59
60 # Comment out the following two lines for the "traditional"
61 # (and highly broken) format.
62 name_opt = ca_default # Subject Name options
63 cert_opt = ca_default # Certificate field options
64
65 # Extension copying option: use with caution.
66 # copy_extensions = copy
67
68 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
69 # so this is commented out by default to leave a V1 CRL.
70 # crlnumber must also be commented out to leave a V1 CRL.
71 # crl_extensions = crl_ext
72
73 default_days = 365 # how long to certify for
74 default_crl_days= 30 # how long before next CRL
75 default_md = sha256 # use SHA-256 by default
76 preserve = no # keep passed DN ordering
77
78 # A few difference way of specifying how similar the request should look
79 # For type CA, the listed attributes must be the same, and the optional
80 # and supplied fields are just that :-)
81 policy = policy_match
82
83 # For the CA policy
84 [ policy_match ]
85 countryName = match
86 stateOrProvinceName = match
87 organizationName = match
88 organizationalUnitName = optional
89 commonName = supplied
90 emailAddress = optional
91
92 # For the 'anything' policy
93 # At this point in time, you must list all acceptable 'object'
94 # types.
95 [ policy_anything ]
96 countryName = optional
97 stateOrProvinceName = optional
98 localityName = optional
99 organizationName = optional
100 organizationalUnitName = optional
101 commonName = supplied
102 emailAddress = optional
103
104 ####################################################################
說明:可看到openssl預設配置裡面指定了證書存放相關檔案的路徑,和CA預設比對政策,其中國家名稱、省州名稱、組織名稱是必須同CA設定的資訊一緻,當然這些比對是否和CA設定的一樣,是通過配置檔案來判斷的可自行設定。通用名稱是必須要填寫的,其他都是可選。
3、建立CA自簽名證書
3.1、生成私鑰
[root@test ~]# cd /etc/pki/CA/
[root@test CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@test CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................+++
............+++
e is 65537 (0x10001)
[root@test CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@test CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAmM8gDY90zksYI2myhqsGgMBGAPnlLbIBwiqYnte2PJZRnEJv
aYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6JaAp/eMZcqzYVU2a6VhxPQLBP3
5dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4F3gP79hz/JxwK0yShlIGCnPP
cCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m2OesiDW1LFPrvotRo+aBwexI
1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0FyZGS1ZP/+Jf1ZfbvL2w9kcmlQ
0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QIDAQABAoIBADUWQBx16i6BCDHF
VrBSWkAAjFFqf6QQY2wBQGRurHEAB/oxWmNeEFk9R3cDDur08vSuDP/Fid7r0vul
jZCfHVuiW4Lt51NzIPulhoTZkjkLORcXGNhSOpoBsKxS2u8BsrkoXB7GMn3yHHB2
E6PIwfYqksYUf/TjTehEsPNZ9s2Sx/ioscHfnIRd7Uct0Gu5mI5C6qP/7BhEyNRb
bnFGGB0dSFDtFPqGUIfTeWApJUH1/vUTUXrrZLH4FEubMuf4k0ZIV3cGyvdZVVQ+
iyoWTTetPOhFbRMnKtqgJ+yVhck7uEAgIB/JrMI3x768JoJpyAgxGlZFmxS86mdr
TzDzZcECgYEAxwv/Jcrb3E5gGC77qSEWlq+IVomAgHRVU4M81byw6YV7wAssW10t
X8pm84H3G8yJMuxGYdHdXpl9PzxwXaS7Qh82uZVQbGALiWyhHloEIoI+oH9pGtXf
uWqQKmrYURtq8AoULhALn03zCjJINGfY9/WlYX6qi32UpnKg6snmDD8CgYEAxIhA
u+By9YazW/YVgEHoh5UmWL0yfX8rBEn1fRwwhjfhQtfs50zoL83SVKpKY8VtfR/r
/YcIaWx8+R5g+g/aAYDeKHO1x+uW2yqWMdXjdkY/kzoM0G7gPvSC7F3vr6dWuHUC
6v4839EElIKHyCK0NMumnPvoUUDrbP1YlJ1cLs8CgYBsGU/QLoOI+eemOp3iFF44
J8xbcwGewY81c6iuS3Oo3x1+BpNoawohY8LVrFePeV1pkngG1/rpTWJ/3UsJEFXC
a0FFOJocwWyCjcRSv4BPXXy1nXxvXofKIt14q94e7kz9X/vlqEEnmyXK+9PK4jsr
LvVKJYhpiSIZ41cRK+UL8QKBgF0S3f1b3XWTtkt97k7QZ8wWAZQS/d9bI0cjs4Pt
nrlhq2eZlNMxo+BHzC1WfGZlsGWKgZuOoJg0zba5AVpLuYXuvsdPjS5Bzy66K2ks
j02LFT6nRjxL1h1adMp17jY0vKgcmiYqAzBH77BZZO6OKOO78orz7eDVKulxzcqL
/4UXAoGAKk1Yfa8ZVJGlzjZHl/imvce2B+78ALJItw8hUAOxjU3780vzuppyG5o/
Zg25XbW9FbOUXt+8Tyd3/yFBBGdZ1OvL9YSngtGyLX7X3aWbg9xwR7fz8bheI+J7
QcLouNuHoUis+3EHbQIcQM9CTrP7sjFMM2LxPzxz7qPuV0ru2bg=
-----END RSA PRIVATE KEY-----
[root@test CA]# 說明:為了建立的私鑰的安全,建議把其權限修改成600。當然建立私鑰的時候也可以用對稱加密算法對其私鑰加密,這樣更加安全。需要注意的是加密後的私鑰,我們要用的時候就需要對其輸入對稱加密的密碼。如果需要把私鑰用對稱加密算法加密,需要指定其加密算法即可。生成的私鑰名稱必須同配置檔案中的名稱相同。
3.2、簽發自簽名證書
[root@test CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SICHUAN
Locality Name (eg, city) [Default City]:GUANGYUAN
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:DEVOPS
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
[root@test CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
[root@test CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIDpTCCAo2gAwIBAgIJANCoyQ6AYK/SMA0GCSqGSIb3DQEBCwUAMGkxCzAJBgNV
BAYTAkNOMRAwDgYDVQQIDAdTSUNIVUFOMRIwEAYDVQQHDAlHVUFOR1lVQU4xDTAL
BgNVBAoMBFRFU1QxDzANBgNVBAsMBkRFVk9QUzEUMBIGA1UEAwwLY2EudGVzdC5j
b20wHhcNMjAwMTI5MTAzNjM2WhcNMjIxMDI1MTAzNjM2WjBpMQswCQYDVQQGEwJD
TjEQMA4GA1UECAwHU0lDSFVBTjESMBAGA1UEBwwJR1VBTkdZVUFOMQ0wCwYDVQQK
DARURVNUMQ8wDQYDVQQLDAZERVZPUFMxFDASBgNVBAMMC2NhLnRlc3QuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmM8gDY90zksYI2myhqsGgMBG
APnlLbIBwiqYnte2PJZRnEJvaYRzCgw9wSca9oI5rUGu1wLOk8NlAkE6W4hXu6Ja
Ap/eMZcqzYVU2a6VhxPQLBP35dvfZT4vps737OR+l8gcJRX2VPcfJuMU+r4KbBT4
F3gP79hz/JxwK0yShlIGCnPPcCK5xS6jKBH3ezdLsRy0ZCRUwX+ivlAJ8zJ/bV4m
2OesiDW1LFPrvotRo+aBwexI1vk01Yww1x/DUnxiYCrOPS0V3wWpSS6r2qXVv0Fy
ZGS1ZP/+Jf1ZfbvL2w9kcmlQ0wadHkx3M4HJyvWinOEpMsrTr3p9RK67oNs48QID
AQABo1AwTjAdBgNVHQ4EFgQUQ/0tcuVAvzoOA13SD2x8W9Brx0EwHwYDVR0jBBgw
FoAUQ/0tcuVAvzoOA13SD2x8W9Brx0EwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAQEAAl/gUsSCgKjeSq5K2TyLc3VUP2KN1m+Wu9qWKAgXiaMxY8iWj3I8
AxfNkTAqNGz66BpXh9G4hDL844spvnomjdUbCufFlNLnrkxCIyWPNVKk69fCa61T
ANzgvTbIfh/xfdfyctZpU3q9Ptcra9ksYUg7mY7209xJ+emqsBnKwYKigCCrQTT3
dxvRHFOV3Z0wJgHCtTetMI25OcpEXk3Tk75k+ayEmiTdMp2Zdk00qmOtZfCmtHO9
KdHVTAOCAOaQtd4aOZMsgADBWXVP2NPmosUm2onvrKTFB6tYXXhj5j6tPVFunCZE
R2w2VMa+Q+Pgmmt5AeqoALQaBdR31IFj0Q==
-----END CERTIFICATE-----
[root@test CA]#
說明:頒發的證書預設是沒法用cat指令來檢視證書裡面的資訊的,我們可以通過把證書導出到windows上檢視,也可以通過openssl來檢視。ca的私鑰和證書存放路徑需要參考其配置檔案中的定義來指定存放。
在windows上檢視頒發的證書
說明:在Windows上檢視,需要把其字尾更改為.crt才可以輕按兩下檢視。之是以它提示我們說此CA根目錄證書不受信用,是因為windows上沒有将其證書導入,沒有該根CA的資訊。預設情況下,Windows裡面内置了一些權威CA的證書,是以我們在權威的CA下申請的證書,放在windows上就不會報不信任的CA憑證了。
用openssl檢視證書
[root@test CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d0:a8:c9:0e:80:60:af:d2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com
Validity
Not Before: Jan 29 10:36:36 2020 GMT
Not After : Oct 25 10:36:36 2022 GMT
Subject: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:98:cf:20:0d:8f:74:ce:4b:18:23:69:b2:86:ab:
06:80:c0:46:00:f9:e5:2d:b2:01:c2:2a:98:9e:d7:
b6:3c:96:51:9c:42:6f:69:84:73:0a:0c:3d:c1:27:
1a:f6:82:39:ad:41:ae:d7:02:ce:93:c3:65:02:41:
3a:5b:88:57:bb:a2:5a:02:9f:de:31:97:2a:cd:85:
54:d9:ae:95:87:13:d0:2c:13:f7:e5:db:df:65:3e:
2f:a6:ce:f7:ec:e4:7e:97:c8:1c:25:15:f6:54:f7:
1f:26:e3:14:fa:be:0a:6c:14:f8:17:78:0f:ef:d8:
73:fc:9c:70:2b:4c:92:86:52:06:0a:73:cf:70:22:
b9:c5:2e:a3:28:11:f7:7b:37:4b:b1:1c:b4:64:24:
54:c1:7f:a2:be:50:09:f3:32:7f:6d:5e:26:d8:e7:
ac:88:35:b5:2c:53:eb:be:8b:51:a3:e6:81:c1:ec:
48:d6:f9:34:d5:8c:30:d7:1f:c3:52:7c:62:60:2a:
ce:3d:2d:15:df:05:a9:49:2e:ab:da:a5:d5:bf:41:
72:64:64:b5:64:ff:fe:25:fd:59:7d:bb:cb:db:0f:
64:72:69:50:d3:06:9d:1e:4c:77:33:81:c9:ca:f5:
a2:9c:e1:29:32:ca:d3:af:7a:7d:44:ae:bb:a0:db:
38:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
X509v3 Authority Key Identifier:
keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
02:5f:e0:52:c4:82:80:a8:de:4a:ae:4a:d9:3c:8b:73:75:54:
3f:62:8d:d6:6f:96:bb:da:96:28:08:17:89:a3:31:63:c8:96:
8f:72:3c:03:17:cd:91:30:2a:34:6c:fa:e8:1a:57:87:d1:b8:
84:32:fc:e3:8b:29:be:7a:26:8d:d5:1b:0a:e7:c5:94:d2:e7:
ae:4c:42:23:25:8f:35:52:a4:eb:d7:c2:6b:ad:53:00:dc:e0:
bd:36:c8:7e:1f:f1:7d:d7:f2:72:d6:69:53:7a:bd:3e:d7:2b:
6b:d9:2c:61:48:3b:99:8e:f6:d3:dc:49:f9:e9:aa:b0:19:ca:
c1:82:a2:80:20:ab:41:34:f7:77:1b:d1:1c:53:95:dd:9d:30:
26:01:c2:b5:37:ad:30:8d:b9:39:ca:44:5e:4d:d3:93:be:64:
f9:ac:84:9a:24:dd:32:9d:99:76:4d:34:aa:63:ad:65:f0:a6:
b4:73:bd:29:d1:d5:4c:03:82:00:e6:90:b5:de:1a:39:93:2c:
80:00:c1:59:75:4f:d8:d3:e6:a2:c5:26:da:89:ef:ac:a4:c5:
07:ab:58:5d:78:63:e6:3e:ad:3d:51:6e:9c:26:44:47:6c:36:
54:c6:be:43:e3:e0:9a:6b:79:01:ea:a8:00:b4:1a:05:d4:77:
d4:81:63:d1
[root@test CA]#
4、在用戶端建立證書申請
4.1、生成私鑰資訊
[root@test-node3 ~]# mkdir ssl
[root@test-node3 ~]# cd ssl/
[root@test-node3 ssl]# (umask 077;openssl genrsa -out /root/ssl/app.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................+++
.........................+++
e is 65537 (0x10001)
[root@test-node3 ssl]# ls
app.key
[root@test-node3 ssl]# cat app.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA6XtScxyxgI7gC+1xYQFSXIF9RqCTAZ4WpWGQYzs30XLT1cxl
/hJ8McxMQ137H1g+PeEFbNV3oyBjEt3feCck5sb9TP4tsIhT6Lt3Zt6PIqOfDZ8k
OxWDJp/DNXHwuC8ME/mfv3CleJbL5Clyb9ovYeZkEQPK9TgG7pCHU0AxTw0r7ELP
A29Ugd/lFGQNTJt39Kmy7uBOPhKEQ+fHVaMqtmy1q/SpnM92vGvR40xRgl+HJ17A
0ACAEjbf3wK+qoQ/WBCCpMkeTLoFEn/Sa7SmZZt2F0k2cTyxSzVKadPQUlrpWVHb
zX4IDI/ssS9weiDsLL5eScj/CWWRFhKu7z98YQIDAQABAoIBAQDKu6RqA741DNqK
QNC0FHu5i06GJyO+wdCUJdVD9MWQ/o3mFSdyqAZjDywhStek7fCNtngJeon5gUPF
vBYwtHycTqjfU83EfXuumCkjj5jl0QFoyIijLRjGTu8n1xnYNDHenmAR0PQ9c2Lz
aPHPIbsG3RCCnbJ7nvyV5bU7mn+2TOb41csMVjLJoK2N91QEljkAn+4oqpTVJgJa
TnUKvafBjCn+ctZDKcsZ0H/yFhGbt0ZFEXql3WFM5AOE5tBmlmqrQY/4CzeqlPCX
zYpuUCHQBj9UYj58SfVUEoaN+gNX82amUqBOablJMpGR0vDh0CxsAxnPYF7O1o6P
hXIjjmPJAoGBAPg74aMUMoG3o91NpoedLdRrMOYcYBdd3H7KwPyXzHMoYHQjfHEm
hJKqZgE53U+TfxdFr8EJcR8aoDzDLp3+5F1ANCZD2FgvWptAyABx+I09J0OES0VB
M3hhp0pOYot1ylBbFrvGGANFa8WAnO+yyNU91CFUhp7kmQ5TuUUHt2kzAoGBAPDJ
SiXn30hQO8zVCHXzCrcltKfSnU4LiceI0jhneHfW8b42/tEegXVTEOIBiPmhLA8x
8xeIC/fS1B0ih7Uus9MUBJUN7RhlWSxGPcxA//JAxffGJwmxoYxYFkwvoTyTQrJE
igBmE6+PdSb7JOB4c3nt/YwPYvjQOieNolRMIwwbAoGBAOoNhA2AwLKAVVgXnBoo
QIsV2pBNVukRThKa1+YStuopuvAmeXIysDOdyPoE9j/OwblOso2fenKqZ0WDf1Pn
fqjSHZmqxLU5SQQzy6Bn1cROUdQeS95rwL0TzmmIiPAXyv+DM2cvO3ryHNCnGNIF
T8mIN5iJmzj8L7hLhteok+3zAoGAbot7RzvU/tYXHksPv1b9rGfbMNE49wPFFZ5z
JQIcBKjiA3osMsXWmY6xSZF62WBtYeyEtmD3XaelSlr4Au6WEGo4UFY8a97bub/l
z0hoOUgTm1WVxpWOnWgzlHaph630CPP+h4BVuVwbZPIYVBX4rhndNdg6kBDJIi+c
PydVT9ECgYEAwF5U/YS9IIb8n1NXARXA3nWmfqdJM2JcYwh33ILFB0+2gm4nr4Ie
xb14BlFMl8mYVKqykHpdE73/LYZWu/inkti8APmHyP3+7QHMWagpCucCHxGzagWy
sdo8HSqbkcQJoB0pTLPZGHEGuLMzzAII6fc+sZsHPi2NLbZZFPGdWjk=
-----END RSA PRIVATE KEY-----
[root@test-node3 ssl]#
4.2、生成證書申請檔案
[root@test-node3 ssl]# ll
total 4
-rw------- 1 root root 1679 Jan 29 18:55 app.key
[root@test-node3 ssl]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SICHUAN
Locality Name (eg, city) [Default City]:CHENGDU
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:DEVOPS
Common Name (eg, your name or your server's hostname) []:www.test.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test-node3 ssl]# ll
total 8
-rw-r--r-- 1 root root 1005 Jan 29 19:02 app.csr
-rw------- 1 root root 1679 Jan 29 18:55 app.key
[root@test-node3 ssl]
4.3、把檔案傳給CA,在CA上進行證書頒發
[root@test CA]# rz
rz waiting to receive.
zmodem trl+C ȡ
100% 1005 bytes 1005 bytes/s 00:00:01 0 Errors
[root@test CA]# ls
app.csr cacert.pem certs crl newcerts private
[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140645247747984:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140645247747984:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@test CA]# touch /etc/pki/CA/index.txt
[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140572255938448:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140572255938448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@test CA]# echo 00 > /etc/pki/CA/serial
[root@test CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 29 11:06:08 2020 GMT
Not After : Jan 28 11:06:08 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = SICHUAN
organizationName = TEST
organizationalUnitName = DEVOPS
commonName = www.test.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB
X509v3 Authority Key Identifier:
keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
Certificate is to be certified until Jan 28 11:06:08 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@test CA]# tree
.
├── app.crs
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 00.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@test CA]#
說明:在跟用戶端頒發證書的時候需要依賴兩個檔案/etc/pki/CA/index.txt和/etc/pki/CA/serial,前者檔案主要存放已經頒發的證書資訊,後者存放下一個将要頒發的證書的序列号。這裡說一下/etc/pki/CA下的各個檔案和目錄的作用吧,certs目錄存放頒發證書的目錄,crl存放吊銷證書清單檔案的目錄,index.txt.attr存放證書subject資訊是否唯一的配置資訊,index.txt.old存放上一次頒發證書的資訊,newcerts目錄存放已經頒發的證書,并且以序列号命名的證書,每頒發一次證書,在我們指定的路徑下生成指定名稱的證書後,newcerts目錄下會自動生成一個以序列号為名稱的證書,這個證書同我們指定路徑下存放的證書資訊一模一樣。private目錄存放私鑰檔案。serial.old存放上一次頒發證書的序列号。
4.4、檢視頒發證書的資訊
Windows上檢視
Linux上檢視
[root@test CA]# openssl x509 -in certs/app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SICHUAN, L=GUANGYUAN, O=TEST, OU=DEVOPS, CN=ca.test.com
Validity
Not Before: Jan 29 11:06:08 2020 GMT
Not After : Jan 28 11:06:08 2021 GMT
Subject: C=CN, ST=SICHUAN, O=TEST, OU=DEVOPS, CN=www.test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e9:7b:52:73:1c:b1:80:8e:e0:0b:ed:71:61:01:
52:5c:81:7d:46:a0:93:01:9e:16:a5:61:90:63:3b:
37:d1:72:d3:d5:cc:65:fe:12:7c:31:cc:4c:43:5d:
fb:1f:58:3e:3d:e1:05:6c:d5:77:a3:20:63:12:dd:
df:78:27:24:e6:c6:fd:4c:fe:2d:b0:88:53:e8:bb:
77:66:de:8f:22:a3:9f:0d:9f:24:3b:15:83:26:9f:
c3:35:71:f0:b8:2f:0c:13:f9:9f:bf:70:a5:78:96:
cb:e4:29:72:6f:da:2f:61:e6:64:11:03:ca:f5:38:
06:ee:90:87:53:40:31:4f:0d:2b:ec:42:cf:03:6f:
54:81:df:e5:14:64:0d:4c:9b:77:f4:a9:b2:ee:e0:
4e:3e:12:84:43:e7:c7:55:a3:2a:b6:6c:b5:ab:f4:
a9:9c:cf:76:bc:6b:d1:e3:4c:51:82:5f:87:27:5e:
c0:d0:00:80:12:36:df:df:02:be:aa:84:3f:58:10:
82:a4:c9:1e:4c:ba:05:12:7f:d2:6b:b4:a6:65:9b:
76:17:49:36:71:3c:b1:4b:35:4a:69:d3:d0:52:5a:
e9:59:51:db:cd:7e:08:0c:8f:ec:b1:2f:70:7a:20:
ec:2c:be:5e:49:c8:ff:09:65:91:16:12:ae:ef:3f:
7c:61
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AE:E9:31:DE:B1:86:4F:68:AB:D7:BB:E3:1B:74:AD:7A:44:D2:60:BB
X509v3 Authority Key Identifier:
keyid:43:FD:2D:72:E5:40:BF:3A:0E:03:5D:D2:0F:6C:7C:5B:D0:6B:C7:41
Signature Algorithm: sha256WithRSAEncryption
46:94:4f:ab:6f:43:43:fb:0d:d1:e2:71:ff:5d:5b:0e:39:59:
c2:3f:92:47:88:84:2f:80:e4:00:a1:94:86:9a:bc:19:bb:22:
22:e1:2f:93:d1:1b:19:92:5f:de:46:47:30:e4:f5:b7:d8:b4:
e7:62:37:9c:17:cc:e7:8c:f4:b7:8a:cc:09:62:fd:6f:56:e3:
a3:22:1d:d8:01:e2:34:87:45:86:04:be:c7:91:b4:e9:49:f6:
39:c9:c4:67:6a:f7:8b:96:09:2f:d3:d4:a4:e5:a3:f0:d9:1d:
e6:dc:28:65:da:70:27:9b:70:5a:6a:a5:5a:77:c3:51:e0:54:
b0:7f:e4:a1:9a:4c:b5:d2:82:84:d9:3f:c8:57:dd:25:0a:80:
81:61:c6:a4:d1:5b:19:21:5d:19:1e:7d:b4:4f:a2:54:f4:bf:
f9:d0:2e:ba:4a:94:f1:93:be:54:cc:3b:19:7a:ae:fd:bd:4a:
b5:e3:55:a3:2a:a0:69:0e:08:78:9d:91:d5:df:02:bd:ec:c9:
cc:d2:6e:68:bf:48:3c:73:df:e9:62:92:8f:6c:9d:2f:2c:32:
85:46:a7:30:22:22:9c:2d:af:d0:cf:02:e0:21:3b:1d:6a:a3:
f7:81:0b:63:10:8c:f1:30:4a:05:08:4b:52:ad:4a:1d:14:9c:
0c:64:2b:71
[root@test CA]#
到此私有CA伺服器的搭建、證書的申請和頒發就完成了,後續使用證書,就需要把證書放到對應的應用目錄,配置其應用服務來使用其證書即可。通常申請證書不用在用戶端申請,在服務端建立私鑰,建立申請證書檔案,然後簽發證書,生成證書檔案,然後把私鑰和證書發給用戶端即可。
5、吊銷證書
[root@test CA]# openssl x509 -in certs/app.crt -noout -serial -subject
serial=00
subject= /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org
[root@test CA]#
說明:以上指令是對要吊銷的證書擷取其序列号和subject資訊,這個操作一般是用戶端上檢視,然後把資訊發送給CA
[root@test CA]# openssl ca -revoke /etc/pki/CA/newcerts/00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 00.
Data Base Updated
[root@test CA]#
說明:在CA上,根據用戶端送出的serial與subject資訊,對比檢驗是否與index.txt檔案的資訊一緻,然後在進行吊銷證書操作
6、更新證書吊銷清單crl檔案
[root@test CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140437997475728:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140437997475728:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@test CA]# echo 00 > /etc/pki/CA/crlnumber
[root@test CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@test CA]#
說明:第一次更新證書吊銷清單,它會提示我們說缺少crlnumber檔案,這個檔案同serial的作用類似,都是存放的是版本号,我們需要建立其檔案,并寫一個16進制的編号,通常是從00或者01開始。(這個檔案同serial一樣都會自動增長,一般後續不需要怎麼維護它)
[root@test CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=SICHUAN/L=GUANGYUAN/O=TEST/OU=DEVOPS/CN=ca.test.com
Last Update: Jan 29 11:48:03 2020 GMT
Next Update: Feb 28 11:48:03 2020 GMT
CRL extensions:
X509v3 CRL Number:
0
Revoked Certificates:
Serial Number: 00
Revocation Date: Jan 29 11:41:28 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
87:12:f8:b2:ec:b7:77:94:4b:bc:e4:ea:69:03:27:78:d3:b5:
43:8d:45:c5:a4:50:53:d7:3b:81:48:a1:cf:5d:43:4e:13:01:
91:5e:a2:f2:87:44:87:84:16:b2:1d:0e:28:81:88:d4:1a:c2:
a4:55:22:9f:d0:b9:6b:3c:80:e2:6e:98:fb:c3:18:3e:d3:a0:
49:a3:0e:19:64:2f:03:51:4b:ec:32:1c:c8:41:62:46:e8:4f:
8c:ec:a2:07:1c:fc:4b:20:61:ca:04:0e:31:8b:b9:4e:ce:42:
81:66:d6:09:3e:1e:15:44:76:33:27:07:fd:17:10:6d:d0:12:
cf:4f:ce:cb:3d:b4:6d:68:f1:5a:1a:4f:44:a6:65:cd:f6:3b:
4e:2e:3f:6d:2a:f8:d5:8a:52:5a:b0:8d:b1:8f:73:08:50:9c:
89:d3:c0:97:0e:13:89:37:cc:13:ad:d9:db:61:06:6d:4f:0a:
6b:58:a0:53:0a:2b:e8:23:18:cd:3b:0c:5d:9e:77:c3:85:3e:
e3:3c:ab:ad:45:9e:3c:18:7a:85:b0:51:7e:4d:8e:c6:18:e7:
fc:4d:f1:01:ac:b3:89:2c:eb:f7:0e:f9:3c:ea:5a:42:ff:43:
6b:98:9f:a0:89:59:28:92:c9:ed:d3:59:87:ca:04:8c:8c:92:
c0:a1:72:8a
[root@test CA]# cat /etc/pki/CA/index.txt
R 210128110608Z 200129114128Z 00 unknown /C=CN/ST=SICHUAN/O=TEST/OU=DEVOPS/CN=www.test.org
[root@test CA]# cat /etc/pki/CA/crlnumber
01
[root@test CA]#
說明:證書吊銷後其index.txt裡的資訊會發生變化,R表示該證書已經被吊銷,V表示該證書未吊銷。
在windows上檢視證書吊銷清單crl檔案
作者:Linux-1874
出處:https://www.cnblogs.com/qiuhom-1874/
本文版權歸作者和部落格園共有,歡迎轉載,但未經作者同意必須保留此段聲明,且在文章頁面明顯位置給出原文連接配接,否則保留追究法律責任的權利.