Centos8上搭建CA證書
要在centos8上實現自建CA證書要利用openssl,首先查看openssl配置文件
[root@Centos8 data]#vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert 這段配置代表了CA的目錄結構,和每個目錄是放置什麼文件,有什麼作用,做出了一些解釋。
因爲centos7上CA相關的目錄是系統自帶的,但是centos8上只有CA家目錄,也就是 /etc/pki/CA,這個目錄,所以參考centos7上的目錄結構來新建CA相關目錄
centos7上目錄結構:
[root@centos7 ~]#cd /etc/pki/CA/
[root@centos7 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files在centos8上運行:
[root@Centos8 data]mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
cd private/
生成私鑰:
(umask 077; openssl genrsa -out cakey.pem 4096)
生成自籤的CA證書:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
[root@Centos8 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wj02
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:www.wj02.com
Email Address []:
[root@Centos8 CA]#要輸入的內容依次爲:
輸入:(國家代碼)CN
輸入:(所在省份)beijing
輸入:(所在城市)beijing
輸入:(公司名稱)wj02
輸入:(部門名稱)M39
輸入:(用戶名或主機名)www.wj02.com
輸入:(郵箱地址)可留空,直接回車
根據提示,輸入相應信息即可。
查看自簽證書詳細內容命令:
[root@Centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
43:cf:75:6e:3a:94:cc:98:38:c1:48:c7:d9:37:70:e3:fb:71:19:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
Validity
Not Before: Nov 12 06:50:53 2019 GMT
Not After : Nov 9 06:50:53 2029 GMT
Subject: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:可以看到證書的詳細信息
然後在另一臺機器,因爲要重新生成私鑰,所以要至少兩臺機器。
生成私鑰:
(umask 077; openssl genrsa -out app.key 1024)
生成ca證書請求文件:
openssl req -new -key app.key -out app.csr
值得注意的是,有三項,就是國家,所在省,公司名稱這三項一定要和自簽證書一致
因爲在配置文件裏有規定:
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional這三項是強制一樣的,當然也可以修改配置文件
利用scp將cs請求文件發送到server
scp test.csr 192.168.38.120:/etc/pki/CA
接下來就是server給test.csr簽署證書:
[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
140011092936512:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140011092936512:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#額,報錯了?莫慌,這個是因爲缺少文件導致的,報錯信息可以看到,我們缺少/etc/pki/CA/index.txt這個文件
touch /etc/pki/CA/index.txt
再次運行:
[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#還錯?現在是缺少/etc/pki/CA/serial這個文件,但是這個文件不能是空文件,它裏面是有東西的。
查看配置文件我們發現這個文件是記錄證書序列號的,所以,,,,
[root@Centos8 CA]#echo 01 > /etc/pki/CA/serial
我們給他指定一個序列號不就好啦
再次運行
[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140145607882560:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140145607882560:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 12 07:26:38 2019 GMT
Not After : Nov 11 07:26:38 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = wj02
organizationalUnitName = M39
commonName = www.wj02.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A2:A8:2B:77:95:4C:E8:80:0C:50:DF:0E:89:ED:17:94:4E:DF:AC:71
X509v3 Authority Key Identifier:
keyid:D8:E4:A8:09:2A:2D:13:39:29:63:83:5E:CF:8D:EA:99:A6:79:0B:67
Certificate is to be certified until Nov 11 07:26:38 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos8 CA]#成功。嗯,記得輸入兩次y
到此,自建CA證書生成完成,可以使用了。