使用openssl生成密鑰對
使用 genrsa 子命令生成私鑰
[root@CentOS7 data]# (umask 066;openssl genrsa -out private.key -des 1024) #在子shell中生成私鑰
Generating RSA private key, 1024 bit long modulus
.......++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for private.key:
Verifying - Enter pass phrase for private.key:
[root@CentOS7 data]# ll private.key
-rw------- 1 root root 946 May 20 20:07 private.key
[root@CentOS7 data]# cat private.key
-----BEGIN RSA PRIVATE KEY----- #說明這是私鑰
Proc-Type: 4,ENCRYPTED #說明私鑰已經被加密過
DEK-Info: DES-CBC,A8D5413C36EB6057 #說明使用的加密算法
qa7VvzrQmttQW/TSDG7uCh3l6xoobQJ12zwEPSd+meHd8MCUfjxefOmxPYRUFFI3
zGPjiqVC4RqR8qt76QJEtsdi7x9WewpHkAQEzyMex0vxCnsp75l8PmKn1zqD+zdc
...
命令中選項:
-out 指定輸出私鑰的文件名
-des 指定使用 des 對稱加密私鑰文件,選填,也可以使用其他加密算法
1024 指定密鑰長度
[root@CentOS7 data]# (umask 066;openssl rsa -in private.key -pubout -out public.key) #在子shell中推導生成公鑰
Enter pass phrase for private.key: #輸入私鑰文件的加密口令
writing RSA key
[root@CentOS7 data]# ll *.key
-rw------- 1 root root 946 May 20 20:07 private.key
-rw-r--r-- 1 root root 272 May 20 20:19 public.key
[root@CentOS7 data]# cat public.key
-----BEGIN PUBLIC KEY----- #說明這是公鑰
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWPKYeK49RUxZgpva51gNtkRBh
P1SazmeDWAbFai0cLBboATK/4mZRq1ow1ylNPcJ+b6cyp6SGmmughmjLdXi9aRwm
gzXM70CuYNYVnJ94gkeTP1fApcPjJ09f2Iw99KV+kVytcPONTAiwAXipUE4mWN5J
wBwy/qXUB+JGBGIS4QIDAQAB
-----END PUBLIC KEY-----
命令中選項:
-in 指定要被處理的文件,這裏是私鑰文件
-pubout 推導公鑰
-out 指定輸出的文件名
PKI
一個典型、完整、有效的PKI應用系統至少應具有以下部分:RA:註冊中心負責審覈證書申請者的真實身份
CRL:黑名單的發佈和管理
CA:即數字證書的申請及簽發機關,CA必須具備權威性的特徵
數字證書庫:用於存儲已簽發的數字證書及公鑰,用戶可由此獲得所需的其他用戶的證書及公鑰
創建CA和申請證書
查看搭建CA的配置文件 /etc/pki/tls/openssl.cnf
####################################################################
[ ca ] #從這裏開始是CA的配置
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept #定義CA的工作目錄
certs = $dir/certs # Where the issued certs are kept #存放證書的目錄
crl_dir = $dir/crl # Where the issued crl are kept #存放證書吊銷列表的目錄
database = $dir/index.txt # database index file. #數據庫索引文件,需要手工創建
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. #新建證書的存放目錄
certificate = $dir/cacert.pem # The CA certificate #CA的證書文件
serial = $dir/serial # The current serial number #下一個頒發證書的序列號,需要手工創建
crlnumber = $dir/crlnumber # the current crl number #下一個吊銷證書的序列號,需要手工創建
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL #私鑰吊銷列表
private_key = $dir/private/cakey.pem # The private key #CA私鑰文件
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for #默認證書有效值
default_crl_days= 30 # how long before next CRL #吊銷證書列表發佈間隔
default_md = sha256 # use SHA-256 by default #默認加密算法
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match #默認策略匹配
# For the CA policy
[ policy_match ]
countryName = match #必須一致
stateOrProvinceName = match #必須一致
organizationName = match #必須一致
organizationalUnitName = optional #可選
commonName = supplied #必須填寫
emailAddress = optional #可選
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
1)創建CA,自簽名數字證書
1、新建需要手工創建的文件
[root@CentOS7 CA]# touch index.txt serial crlnumber
[root@CentOS7 CA]# ll
total 0
drwxr-xr-x. 2 root root 6 Aug 4 2017 certs
drwxr-xr-x. 2 root root 6 Aug 4 2017 crl
-rw-r--r-- 1 root root 0 May 21 20:04 crlnumber
-rw-r--r-- 1 root root 0 May 21 20:04 index.txt
drwxr-xr-x. 2 root root 6 Aug 4 2017 newcerts
drwx------. 2 root root 6 Aug 4 2017 private
-rw-r--r-- 1 root root 0 May 21 20:04 serial
2、生成名爲 cakey.pem 的私鑰文件[root@CentOS7 CA]# ll private/
total 4
-rw------- 1 root root 946 May 20 20:07 cakey.pem
3、使用 req 子命令生成CA的證書文件[root@CentOS7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Enter pass phrase for private/cakey.pem: #輸入私鑰的口令
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Linux
Organizational Unit Name (eg, section) []:CentOS7
Common Name (eg, your name or your server's hostname) []:www.jiangbowen.com
Email Address []:
[root@CentOS7 CA]# ll cacert.pem
-rw-r--r-- 1 root root 989 May 21 20:22 cacert.pem
命令中選項:
-new 新建證書
-x509 使用 X.509 協議進行自簽名
-key 指定私鑰文件
-out 指定證書文件名
-days 設置證書有效期
4、查看證書內容
因爲證書文件默認由 base64 編碼顯示,所以需要使用 -text 選項來進行查看
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e6:0a:0d:5e:78:57:e3:54
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=beijing, L=beijing, O=Linux, OU=CentOS7, CN=www.jiangbowen.com
Validity
Not Before: May 21 12:22:58 2018 GMT
Not After : May 18 12:22:58 2028 GMT
Subject: C=CN, ST=beijing, L=beijing, O=Linux, OU=CentOS7, CN=www.jiangbowen.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d6:3c:a6:1e:2b:8f:51:53:16:60:a6:f6:b9:d6:
03:6d:91:10:61:3f:54:9a:ce:67:83:58:06:c5:6a:
2d:1c:2c:16:e8:01:32:bf:e2:66:51:ab:5a:30:d7:
29:4d:3d:c2:7e:6f:a7:32:a7:a4:86:9a:6b:a0:86:
...
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS7/CN=www.jiangbowen.com
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -subject
subject= /C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS7/CN=www.jiangbowen.com
[root@CentOS7 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=May 21 12:22:58 2018 GMT
notAfter=May 18 12:22:58 2028 GMT
2)使用私鑰申請CA證書
1、生成私鑰
[root@CentOS6 data]# (umask 066;openssl genrsa -out test.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................+++
..............................................................................+++
e is 65537 (0x10001)
[root@CentOS6 data]# ll test.pem
-rw------- 1 root root 1679 May 21 20:40 test.pem
2、使用 req 子命令生成證書的申請文件[root@CentOS6 data]# openssl req -new -key test.pem -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Linux
Organizational Unit Name (eg, section) []:CentOS
Common Name (eg, your name or your server's hostname) []:www.Miriam.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS6 data]# ll test.csr
-rw-r--r-- 1 root root 1009 May 21 20:45 test.csr
3、將證書申請文件發送給CA,CA審覈後頒發證書[root@CentOS7 CA]# echo 01 > serial #指定證書序列號
[root@CentOS7 CA]# openssl ca -in test.csr -out certs/test.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 21 13:04:46 2018 GMT
Not After : Jun 20 13:04:46 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Linux
organizationalUnitName = CentOS
commonName = www.Miriam.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:F8:48:FD:4A:E7:E7:0F:5A:E3:B8:CC:7B:21:9A:BB:6C:25:6E:4B
X509v3 Authority Key Identifier:
keyid:24:BA:29:B4:64:57:4D:BC:E6:C5:7F:CD:61:69:EA:16:65:A0:D7:DE
Certificate is to be certified until Jun 20 13:04:46 2018 GMT (30 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看 /etc/pki/CA 下文件
[root@CentOS7 CA]# tree
.
├── cacert.pem #CA的證書
├── certs #證書目錄
│ └── test.crt #證書
├── crl #吊銷的證書目錄
├── crlnumber #吊銷證書的序列號
├── index.txt #證書數據庫
├── index.txt.attr
├── index.txt.old #證書數據庫備份
├── newcerts #證書私鑰目錄
│ └── 01.pem #證書私鑰
├── private #CA私鑰目錄
│ └── cakey.pem #CA私鑰
├── serial #證書序列號
├── serial.old #證書序列號備份
└── test.csr #證書申請文件
4 directories, 11 files
在 policy_match 策略下,有些選項必須一致
[root@CentOS7 CA]# openssl ca -in test2.csr -out certs/test.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (CN) and the request (US)
但是在 policy_anything 策略下就可以寬鬆很多
吊銷證書
1、查看需要吊銷的證書序列號,並使用 ca 子命令吊銷證書
[root@CentOS7 CA]# cat index.txt
V 180620130446Z 01 unknown /C=CN/ST=beijing/O=Linux/OU=CentOS/CN=www.Miriam.com
V 180620132623Z 02 unknown /C=US/ST=NY/L=New York/O=Unix/OU=unix/CN=www.unix.com
V 180620132727Z 03 unknown /C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS/CN=www.Miriam.com
[root@CentOS7 CA]#⮀openssl ca -revoke /etc/pki/CA/newcerts/03.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 03.
Data Base Updated
2、更新證書吊銷列表[root@CentOS7 CA]#⮀openssl ca -gencrl -out /etc/pki/CA/crl.pem #更新證書吊銷列表
Using configuration from /etc/pki/tls/openssl.cnf
[root@CentOS7 CA]#⮀openssl crl -in /etc/pki/CA/crl.pem -noout -issuer #查看被吊銷的證書信息
issuer=/C=CN/ST=beijing/L=beijing/O=Linux/OU=CentOS7/CN=www.jiangbowen.com
3、將被吊銷的證書移動到 /etc/pki/CA/crl 目錄中[root@CentOS7 CA]#⮀mv newcerts/03.pem crl/
[root@CentOS7 CA]#⮀tree
.
├── cacert.pem
├── certs
│ ├── test2.crt
│ └── test.crt
├── crl
│ └── 03.pem
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
├── serial.old
├── test2.csr
└── test.csr
4 directories, 18 files