CA认证和证书
获取证书的两种方法:
使用证书授权机构
生成签名请求(csr)
将csr发送给CA
从CA处接收签名
自签名证书
自己签发自己的公钥
自建CA颁发机构和自签名
实验用两台机器,一台做CA颁发证书,一台做客户端身申请证书
证书申请以及签署的步骤:
1、生成申请请求
2、CA核验
3、CA签署
4、获取证书
在实验开始之前,我们先来看一下openssl的配置文件:/etc/pki/tls/openssl.cnf
1. [ ca ] 2. default_ca = CA_default # The default ca section(默认的CA配置,是CA_default,下面第一个小节就是) 3. #################################################################### 4. [ CA_default ] 5. dir = /etc/pki/CA # Where everythingis kept (dir变量) 6. certs = $dir/certs # Where the issued certs are kept(认证证书目录) 7. crl_dir = $dir/crl # Where the issued crl are kept(注销证书目录) 8. database = $dir/index.txt # database indexfile.(数据库索引文件) 9. new_certs_dir = $dir/newcerts # default place for new certs.(新证书的默认位置) 10. certificate = $dir/cacert.pem # The CA certificate(CA机构证书) 11. serial = $dir/serial # The current serial number(当前序号,默认为空,可以指定从01开始) 12. crlnumber = $dir/crlnumber # the current crlnumber(下一个吊销证书序号) 13. crl = $dir/crl.pem # The current CRL(下一个吊销证书) 14. private_key = $dir/private/cakey.pem# The private key(CA机构的私钥) 15. RANDFILE = $dir/private/.rand # private randomnumber file(随机数文件) 16. x509_extensions = usr_cert # The extentions toadd to the cert 17. # Comment out the following two lines for the "traditional" 18. # (and highly broken) format. 19. name_opt = ca_default # Subject Nameoptions(被颁发者,订阅者选项) 20. cert_opt = ca_default # Certificate fieldoptions(认证字段参数) 21. # Extension copying option: use with caution. 22. # copy_extensions = copy 23. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2CRLs 24. # so this is commented out by default to leave a V1 CRL. 25. # crlnumber must also be commented out to leave a V1 CRL. 26. # crl_extensions = crl_ext 27. default_days = 365 # how long to certify for (默认的有效期天数是365) 28. default_crl_days=30 # how long before next CRL 29. default_md = sha256 # use SHA-256 by default 30. preserve = no # keep passed DN ordering 31. # A few difference way of specifying how similar the request should look 32. # For type CA, the listed attributes must be the same, and the optional 33. # and supplied fields are just that :-) 34. policy = policy_match # 是否匹配规则 35. # For the CA policy 36. [ policy_match ] 37. countryName = match # 国家名是否匹配,match为匹配 38. stateOrProvinceName = match # 州或省名是否需要匹配 39. organizationName = match # 组织名是否需要匹配 40. organizationalUnitName = optional # 组织的部门名字是否需要匹配 41. commonName = supplied # 注释 42. emailAddress = optional # 邮箱地址 43. # For the 'anything' policy 44. # At this point in time, you must list all acceptable 'object' 45. # types. 46. [ policy_anything] 47. countryName = optional 48. stateOrProvinceName = optional 49. localityName = optional 50. organizationName = optional 51. organizationalUnitName = optional 52. commonName = supplied 53. emailAddress = optional
重点关注以下几个参数:
1. dir = /etc/pki/CA # Where everything is kept 2. certs = $dir/certs # Where the issued certs are kept 3. database = $dir/index.txt # database index file. 4. new_certs_dir = $dir/newcerts # default place for new certs. 5. certificate = $dir/cacert.pem # The CA certificate 6. serial = $dir/serial # The current serial number 7. private_key = $dir/private/cakey.pem# The private key
1、创建所需要的文件
touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的***
2、 CA自签证书
生成私钥
(umask 066; openssl genrsa-out /etc/pki/CA/private/cakey.pem -des 2048)
生成自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
选项分析:
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
3、颁发证书
A 在需要使用证书的主机上生成证书请求
给web服务器生成私钥
(umask066; openssl genrsa-out /etc/pki/tls/private/test.key 2048)
生成证书申请文件
openssl req -new -key /etc/pki/tls/private/blog.key -days 3560 -out /etc/pki/tls/app.csr
和CA生成证书的区别是没有-x509
参数,加了-x509
就是CA自签名证书
B 将证书申请文件传输给CA
scp /etc/pki/tls/app.csr [email protected]:/etc/pki/CA/
C CA签署证书,并将证书颁发给请求者
openssl ca -in /etc/pki/tls/app/csr -out /etc.pki/CA/certs/app.crt -days 365
签署之后的证书放在certs目录下,同时在newcerts目录下有一个相同的文件
4、证书吊销
在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
指定第一个吊销证书的编号
echo 01 > /etc/pki/CA/crlnumber
注意:这里只有在第一次更新证书吊销列表前,才需要执行指定编号。
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
查看crl文件
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
转载于:https://blog.51cto.com/13136984/1969924