Building a private CA:
OpenCA: a complete, free PKI software suite produced by the OpenCA open-source project as a Perl layer on top of OpenSSL.
openssl: the related packages are openssl and openssl-libs.
Certificate application and signing steps:
1. Generate the certificate signing request
2. The RA verifies the request
3. The CA signs it
4. The applicant obtains the certificate
[root@C8-8 ~]# whereis openssl
openssl: /usr/bin/openssl /usr/share/man/man1/openssl.1ssl.gz
1. The openssl-libs package
[root@C8-8 ~]# rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
/usr/lib/.build-id
/usr/lib/.build-id/00
/usr/lib/.build-id/00/2a6b0c4063f20cd80099a3b4d9e3732e0bbc73
/usr/lib/.build-id/32
/usr/lib/.build-id/32/e275760859214d906dab89c9ab008bc40f6e6f
/usr/lib/.build-id/39
/usr/lib/.build-id/39/da39ce3c907073d0e69f48906646b3e288ca78
/usr/lib/.build-id/54
....
2. The openssl configuration file:
/etc/pki/tls/openssl.cnf
Three policy values exist: match, optional and supplied.
match: the value in the request must be identical to the CA's configured value.
optional: the field may be present or absent, and need not match the CA's value.
supplied: the request must supply this field.
[root@C8-8 ~]# cat /etc/pki/tls/openssl.cnf
#
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
......
CentOS 8 does not create the CA directory by default.
3. Building a private CA
1. Create the directory (CentOS 8 does not ship it by default)
2. Create the private key
3. Generate the certificate from that private key
4. Inspect the certificate content; the file can also be downloaded to Windows and viewed there
1. Create the files the CA needs
# generate the certificate index database file
touch /etc/pki/CA/index.txt
# set the serial number of the first certificate to be issued
echo 01 > /etc/pki/CA/serial
2. Generate the CA private key
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
3. Generate the CA self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Option descriptions:
-new: generate a new certificate signing request
-x509: used specifically by a CA to generate a self-signed certificate
-key: the private key file used to generate the request
-days n: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: path where the certificate is saved
Country codes: https://country-code.cl/
Example: generate a self-signed certificate
[root@centos8 ~]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
...........................+++++
...+++++
writing new private key to 'app.key'
-----
[root@centos8 ~]#openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:9e:7c:e3:9a:0f:e3:d3:62:ea:8f:02:c9:cd:1e:f3:4a:77:cb:ff
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = www.magedu.org
Validity
Not Before: Feb 4 15:51:39 2020 GMT
Not After : Mar 5 15:51:39 2020 GMT
Subject: CN = www.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:e1:7e:41:d5:50:03:07:73:13:b2:62:a6:cf:c0:
61:b1:25:1c:54:56:3e:8f:b3:aa:0e:97:49:50:de:
de:ed:7f:2f:0f:fd:17:22:72:f5:36:19:29:65:ff:
ad:ce:81:10:f3:23:8c:fb:af:32:7b:da:bc:3a:a5:
62:1c:8d:e3:f8:1b:a8:1d:82:86:e0:bc:d6:e1:28:
e0:37:33:16:6c:55:89:76:13:0e:50:37:65:39:da:
90:99:a0:d3:6f:af:4e:8d:34:6c:21:e1:ba:10:86:
8e:fd:fb:e2:83:fe:e7:8c:18:14:dc:f2:7d:6c:37:
fe:4e:e0:8d:99:65:d4:f6:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1F:67:31:48:D6:DA:6E:36:C9:6B:EC:3C:61:85:6A:52:C2:B2:06:17
X509v3 Authority Key Identifier:
keyid:1F:67:31:48:D6:DA:6E:36:C9:6B:EC:3C:61:85:6A:52:C2:B2:06:17
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
4f:75:d5:f8:99:ea:dc:4f:fd:57:05:ba:1e:ad:72:23:ae:b8:
ea:93:1d:43:21:f8:66:cb:85:49:6c:b8:8f:1e:f4:a0:e5:ac:
e5:2e:45:03:33:2f:6a:4a:28:97:30:f0:18:dd:c1:f7:46:0b:
3c:b0:b6:d6:bf:23:7d:3b:74:52:75:61:96:f9:b0:04:99:6c:
52:f4:5d:1c:76:33:52:48:4f:d4:1f:4e:5e:00:0c:18:75:c3:
ef:75:bc:c7:ea:37:6e:34:36:b2:a0:f6:6f:06:69:0a:c6:74:
d8:67:4c:16:81:2a:0b:ea:1c:16:ea:8e:48:dd:ba:0b:67:69:
19:1e
[root@centos8 ~]#
4. Requesting and issuing a certificate
1. Generate a private key for the host that needs the certificate
2. Generate a certificate signing request file for that host
3. Create the two files the CA needs before it issues a certificate
3. Issue the certificate
=================================
Requesting a certificate for a second application, app2
1. Generate a private key, then request the certificate
2. Issue the certificate
By default the country, province and organization fields must be identical to the CA's, otherwise an error is reported. Ways to handle this:
Method 1:
Method 2: change the default policy
With unique_subject = no, one certificate request file can be used to request multiple certificates
5. Revoking a certificate
For example: the server that uses the certificate has been taken offline, or the person who uses it has resigned, so the certificate must be revoked
On the client, obtain the serial of the certificate to be revoked
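The script below is an added example, not code from the original post or from the OpenSSL project. It runs sections 3, 4 and 5 above end to end (building the CA, issuing under policy_match versus policy_anything, and revoking by serial followed by a new CRL) in a temporary directory with its own minimal openssl.cnf, so it needs no root and does not touch /etc/pki/CA. The scratch directory, the subject names (ExampleOrg, OtherOrg, app1.example.test, app2.example.test) and the v3_ca and usr_cert extension sections are assumptions of the example, not values from the page; the [ CA_default ] and policy sections mirror the configuration shown above.

```shell
# Added example, not code from the original post: the same private CA built in a
# scratch directory (mktemp -d) instead of /etc/pki/CA, with its own openssl.cnf
# modelled on the [ CA_default ] and policy sections above. Subject names are
# constructed placeholders.
set -e
ca_write_config() {  # dir
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
x509_extensions = usr_cert
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
unique_subject = no
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# Section 3: directories, index.txt, first serial, CA key, self-signed CA cert, initial (empty) CRL.
ca_init() {  # dir
    mkdir -p "$1/newcerts" "$1/private"
    touch "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    ca_write_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca -days 3650 \
        -key "$1/private/cakey.pem" -subj "/C=CN/ST=Beijing/O=ExampleOrg/CN=Example CA" \
        -out "$1/cacert.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
# Section 4: applicant key and CSR, then the CA signs under the chosen policy.
ca_issue() {  # dir name subject [policy]
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
    openssl ca -batch -config "$1/openssl.cnf" -policy "${4:-policy_match}" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# Section 5: read the serial from the issued cert, revoke newcerts/<serial>.pem, republish the CRL.
ca_revoke() {  # dir cert
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$serial.pem" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
# Returns 0 when the cert chains to the CA and is absent from the current CRL.
ca_verify() {  # dir cert
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
}
demo_private_ca() {
    dir=$(mktemp -d)
    ca_init "$dir"
    ca_issue "$dir" app1 "/C=CN/ST=Beijing/O=ExampleOrg/CN=app1.example.test"   # same C/ST/O as the CA
    ca_verify "$dir" "$dir/app1.crt" || return 1
    # A different O is rejected by policy_match, then accepted under policy_anything ("method 2" above).
    if ca_issue "$dir" app2 "/C=CN/ST=Beijing/O=OtherOrg/CN=app2.example.test"; then return 1; fi
    ca_issue "$dir" app2 "/C=CN/ST=Beijing/O=OtherOrg/CN=app2.example.test" policy_anything
    ca_revoke "$dir" "$dir/app1.crt"   # index.txt line flips V -> R and the CRL lists serial 01
    openssl crl -in "$dir/crl.pem" -noout -text | grep -q 'Serial Number: 01' || return 1
    if ca_verify "$dir" "$dir/app1.crt"; then return 1; fi   # revoked cert no longer verifies
    ca_verify "$dir" "$dir/app2.crt" || return 1             # the other cert still does
    [ "$(grep -c '^R' "$dir/index.txt")" = 1 ] || return 1
    rm -rf "$dir"
}
demo_private_ca && echo "private CA demo: all checks passed"
```

The policy check is where most first-time CA setups stall: with the stock policy_match, the request's C, ST and O must literally equal the CA certificate's values, so the second request above fails until the CA is invoked with -policy policy_anything (or the policy line in openssl.cnf is changed). The revocation half shows why the CRL must be regenerated after openssl ca -revoke: the R flag in index.txt alone changes nothing for clients, only the republished crl.pem does, which is what -crl_check consumes during verification.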