獲取證書的兩種方法:
使用證書授權機構
生成簽名請求(csr)
將csr發送給CA
從CA處接收簽名
自簽名證書
自己簽發自己的公鑰
自建CA頒發機構和自簽名
實驗用兩臺機器,一臺做CA頒發證書,一臺做客戶端身申請證書
證書申請以及簽署的步驟:
1、生成申請請求
2、CA覈驗
3、CA簽署
4、獲取證書
在實驗開始之前,我們先來看一下openssl的配置文件:/etc/pki/tls/openssl.cnf
1. [ ca ] 2. default_ca = CA_default # The default ca section(默認的CA配置,是CA_default,下面第一個小節就是) 3. #################################################################### 4. [ CA_default ] 5. dir = /etc/pki/CA # Where everythingis kept (dir變量) 6. certs = $dir/certs # Where the issued certs are kept(認證證書目錄) 7. crl_dir = $dir/crl # Where the issued crl are kept(註銷證書目錄) 8. database = $dir/index.txt # database indexfile.(數據庫索引文件) 9. new_certs_dir = $dir/newcerts # default place for new certs.(新證書的默認位置) 10. certificate = $dir/cacert.pem # The CA certificate(CA機構證書) 11. serial = $dir/serial # The current serial number(當前序號,默認爲空,可以指定從01開始) 12. crlnumber = $dir/crlnumber # the current crlnumber(下一個吊銷證書序號) 13. crl = $dir/crl.pem # The current CRL(下一個吊銷證書) 14. private_key = $dir/private/cakey.pem# The private key(CA機構的私鑰) 15. RANDFILE = $dir/private/.rand # private randomnumber file(隨機數文件) 16. x509_extensions = usr_cert # The extentions toadd to the cert 17. # Comment out the following two lines for the "traditional" 18. # (and highly broken) format. 19. name_opt = ca_default # Subject Nameoptions(被頒發者,訂閱者選項) 20. cert_opt = ca_default # Certificate fieldoptions(認證字段參數) 21. # Extension copying option: use with caution. 22. # copy_extensions = copy 23. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2CRLs 24. # so this is commented out by default to leave a V1 CRL. 25. # crlnumber must also be commented out to leave a V1 CRL. 26. # crl_extensions = crl_ext 27. default_days = 365 # how long to certify for (默認的有效期天數是365) 28. default_crl_days=30 # how long before next CRL 29. default_md = sha256 # use SHA-256 by default 30. preserve = no # keep passed DN ordering 31. # A few difference way of specifying how similar the request should look 32. # For type CA, the listed attributes must be the same, and the optional 33. # and supplied fields are just that :-) 34. policy = policy_match # 是否匹配規則 35. # For the CA policy 36. [ policy_match ] 37. countryName = match # 國家名是否匹配,match爲匹配 38. stateOrProvinceName = match # 州或省名是否需要匹配 39. organizationName = match # 組織名是否需要匹配 40. organizationalUnitName = optional # 組織的部門名字是否需要匹配 41. commonName = supplied # 註釋 42. emailAddress = optional # 郵箱地址 43. # For the 'anything' policy 44. # At this point in time, you must list all acceptable 'object' 45. # types. 46. [ policy_anything] 47. countryName = optional 48. stateOrProvinceName = optional 49. localityName = optional 50. organizationName = optional 51. organizationalUnitName = optional 52. commonName = supplied 53. emailAddress = optional
重點關注以下幾個參數:
1. dir = /etc/pki/CA # Where everything is kept 2. certs = $dir/certs # Where the issued certs are kept 3. database = $dir/index.txt # database index file. 4. new_certs_dir = $dir/newcerts # default place for new certs. 5. certificate = $dir/cacert.pem # The CA certificate 6. serial = $dir/serial # The current serial number 7. private_key = $dir/private/cakey.pem# The private key
1、創建所需要的文件
touch /etc/pki/CA/index.txt 生成證書索引數據庫文件
echo 01 > /etc/pki/CA/serial 指定第一個頒發證書的序列號
2、 CA自簽證書
生成私鑰
(umask 066; openssl genrsa-out /etc/pki/CA/private/cakey.pem -des 2048)
生成自簽名證書
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
選項分析:
-new: 生成新證書籤署請求
-x509: 專用於CA生成自簽證書
-key: 生成請求時用到的私鑰文件
-days n:證書的有效期限
-out /PATH/TO/SOMECERTFILE: 證書的保存路徑
3、頒發證書
A 在需要使用證書的主機上生成證書請求
給web服務器生成私鑰
(umask066; openssl genrsa-out /etc/pki/tls/private/test.key 2048)
生成證書申請文件
openssl req -new -key /etc/pki/tls/private/blog.key -days 3560 -out /etc/pki/tls/app.csr
和CA生成證書的區別是沒有-x509
參數,加了-x509
就是CA自簽名證書
B 將證書申請文件傳輸給CA
scp /etc/pki/tls/app.csr [email protected]:/etc/pki/CA/
C CA簽署證書,並將證書頒發給請求者
openssl ca -in /etc/pki/tls/app/csr -out /etc.pki/CA/certs/app.crt -days 365
簽署之後的證書放在certs目錄下,同時在newcerts目錄下有一個相同的文件
4、證書吊銷
在客戶端獲取要吊銷的證書的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上,根據客戶提交的serial與subject信息,對比檢驗是否與index.txt文件中的信息一致,吊銷證書
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
指定第一個吊銷證書的編號
echo 01 > /etc/pki/CA/crlnumber
注意:這裏只有在第一次更新證書吊銷列表前,才需要執行指定編號。
更新證書吊銷列表
openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
查看crl文件
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text