構建私有的 CA 認證機構

CA中心申請證書的流程:

過程：
1、web服務器,生成一對非對稱加密密鑰（web公鑰，web私鑰）
2、web服務器使用 web私鑰生成 web服務器的證書請求，並將證書請求發給CA服務器
3、CA服務器使用 CA的私鑰 對 web 服務器的證書請求 進行數字簽名得到 web服務器的數字證書，並將web服務器的數字證書頒發給web服務器。

1、CA 介紹

CA（Certificate Authority）證書頒發機構主要負責證書的頒發、管理以及歸檔和吊銷。證書內包含了擁有證書者的姓名、地址、電子郵件帳號、公鑰、證書有效期、發放證書的CA、CA的數字簽名等信息。
證書主要有三大功能：加密、簽名、身份驗證。

2、構建私有 CA

1、檢查安裝 openssl

[root@https-ca ~]# rpm -qa openssl

如果未安裝

[root@https-ca ~]# yum install openssl openssl-devel -y

2、查看配置文件

openssl 配置/etc/pki/tls/openssl.cnf有關CA的配置。如果服務器爲證書籤署者的身份那麼就會用到此配置文件，此配置文件對於證書申請者是無作用的。

[root@https-ca ~]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca      = CA_default            # 默認的CA配置；CA_default指向下面配置塊

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # CA的默認工作目錄
certs           = $dir/certs            # 認證證書的目錄
crl_dir         = $dir/crl              # 證書吊銷列表的路徑
database        = $dir/index.txt        # 數據庫的索引文件


new_certs_dir   = $dir/newcerts         # 新頒發證書的默認路徑

certificate     = $dir/cacert.pem       # 此服務認證證書，如果此服務器爲根CA那麼這裏爲自頒發證書
serial          = $dir/serial           # 下一個證書的證書編號
crlnumber       = $dir/crlnumber        # 下一個吊銷的證書編號
                                        
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# CA的私鑰
RANDFILE        = $dir/private/.rand    # 隨機數文件

x509_extensions = usr_cert              # The extentions to add to the cert

name_opt        = ca_default            # 命名方式，以ca_default定義爲準
cert_opt        = ca_default            # 證書參數，以ca_default定義爲準


default_days    = 365                   # 證書默認有效期
default_crl_days= 30                    # CRl的有效期
default_md      = sha256                # 加密算法
preserve        = no                    # keep passed DN ordering


policy          = policy_match          #policy_match策略生效

# For the CA policy
[ policy_match ]
countryName             = match         #國家；match表示申請者的申請信息必須與此一致
stateOrProvinceName     = match         #州、省
organizationName        = match         #組織名、公司名
organizationalUnitName  = optional      #部門名稱；optional表示申請者可以的信息與此可以不一致
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]                     #由於定義了policy_match策略生效，所以此策略暫未生效
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

3、根證書服務器目錄

根CA服務器：因爲只有 CA 服務器的角色，所以用到的目錄只有/etc/pki/CA

網站服務器：只是證書申請者的角色，所以用到的目錄只有/etc/pki/tls

4、創建所需要的文件

[root@https-ca ~]# cd /etc/pki/CA/
[root@https-ca CA]# ls
certs  crl  newcerts  private
[root@https-ca CA]# touch index.txt   #創建生成證書索引數據庫文件
[root@https-ca CA]# ls
certs  crl  index.txt  newcerts  private
[root@https-ca CA]# echo 01 > serial   #指定第一個頒發證書的序列號
[root@https-ca CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@https-ca CA]# 

5、創建密鑰

在根CA服務器上創建密鑰，密鑰的位置必須爲/etc/pki/CA/private/cakey.pem，這個是openssl.cnf中中指定的路徑，只要與配置文件中指定的匹配即可。

[root@https-ca CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
...............+++	
e is 65537 (0x10001)

6、生成自簽名證書

根CA自簽名證書，根CA是最頂級的認證機構，沒有人能夠認證他，所以只能自己認證自己生成自簽名證書。

[root@https-ca CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:ca.qf.com
Email Address []:
[root@https-ca CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

-new: 	生成新證書籤署請求
-x509: 	專用於CA生成自簽證書
-key: 	生成請求時用到的私鑰文件
-days n：	證書的有效期限
-out /PATH/TO/SOMECERTFILE: 	證書的保存路徑

7、下載安裝證書

/etc/pki/CA/cacert.pem就是生成的自簽名證書文件，使用 SZ/xftp工具將他導出到窗口機器中。然後雙擊安裝此證書到受信任的根證書頒發機構

[root@https-ca CA]# yum install -y lrzsz
[root@https-ca CA]# sz cacert.pem

3、客戶端CA 證書申請及簽名

1、檢查安裝 openssl

[root@nginx-server ~]# rpm -qa openssl

如果未安裝，安裝 openssl

[root@nginx-server ~]# yum install openssl openssl-devel  -y

2、客戶端生成私鑰文件

[root@nginx-server ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/www.qf.com.key 2048)
Generating RSA private key, 2048 bit long modulus
..............................+++
..........+++
e is 65537 (0x10001)
[root@nginx-server ~]# cd /etc/pki/tls/private/
[root@nginx-server private]# ls
www.qf.com.key
[root@nginx-server private]#

3、客戶端用私鑰加密生成證書請求

[root@nginx-server private]# ls ../
cert.pem  certs  misc  openssl.cnf  private
[root@nginx-server private]# openssl req -new -key /etc/pki/tls/private/www.qf.com.key -days 365 -out /etc/pki/tls/www.qf.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:QF
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.qf.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@nginx-server private]# ls ../
cert.pem  certs  misc  openssl.cnf  private  www.qf.com.csr
[root@nginx-server private]#

CSR(Certificate Signing Request)包含了公鑰和名字信息。通常以.csr爲後綴，是網站向CA發起認證請求的文件，是中間文件。

在這一命令執行的過程中，系統會要求填寫如下信息：

最後把生成的請求文件（/etc/pki/tls/www.qf.com.csr）傳輸給CA ,這裏我使用scp命令，通過ssh協議，將該文件傳輸到CA下的/etc/pki/CA/private/目錄

[root@nginx-server private]# cd ../
[root@nginx-server tls]# scp www.qf.com.csr 192.168.62.163:/etc/pki/CA/private
[email protected]'s password: 
www.qf.com.csr                                                           100%  997   331.9KB/s   00:00 

4、CA 簽署證書（在ca服務器上面操作）

使用/etc/pki/tls/openssl.cnf，修改organizationName=supplied

修改 /etc/pki/tls/openssl.cnf

[root@https-ca ~]# vim /etc/pki/tls/openssl.cnf
policy          = policy_match
 82 
 83 # For the CA policy
 84 [ policy_match ]
 85 countryName             = match
 86 stateOrProvinceName     = match
 87 organizationName        = supplied
 88 organizationalUnitName  = optional
 89 commonName              = supplied
 90 emailAddress            = optional

CA 簽署證書

[root@https-ca ~]# openssl ca -in /etc/pki/CA/private/www.qf.com.csr -out /etc/pki/CA/certs/www.qf.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul  3 10:12:23 2019 GMT
            Not After : Jul  2 10:12:23 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = QF
            organizationalUnitName    = OPT
            commonName                = www.qf.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E3:AC:1A:55:2B:28:B9:80:DC:9C:C2:13:70:53:27:AD:3D:44:8F:D3
            X509v3 Authority Key Identifier: 
                keyid:5D:2A:81:B2:E7:8D:D8:88:E5:7B:94:CA:75:65:9C:82:2B:A9:B2:3C

Certificate is to be certified until Jul  2 10:12:23 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

證書通常以.crt爲後綴，表示證書文件

2、查看生成的證書的信息

[root@https-ca ~]# openssl x509 -in /etc/pki/CA/certs/www.qf.com.crt -noout -subject
subject= /C=CN/ST=BEIJING/O=QF/OU=OPT/CN=www.qf.com

3、將生成的證書發放給請求客戶端(web服務端)

[root@https-ca ~]# cd /etc/pki/CA/certs/
[root@https-ca certs]# scp www.qf.com.ctr 192.168.62.162:/etc/pki/CA/certs/
[email protected]'s password: 
www.qf.com.ctr                                                           100% 4422   998.3KB/s   00:00 

測試:

nginx-server(充當服務端)：
[root@nginx-server ~]# cd /etc/pki/CA/certs/
[root@nginx-server certs]# ls
www.qf.com.crt
[root@nginx-server certs]# find / -name *.key
/etc/pki/tls/private/www.qf.com.key
/usr/share/doc/openssh-7.4p1/PROTOCOL.key

還是在這臺機器安裝nginx並且配置證書:
root@nginx-server conf.d]# pwd
/etc/nginx/conf.d
[root@nginx-server conf.d]# vim nginx.conf
server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate         /etc/pki/CA/certs/www.qf.com.crt;  #指定證書路徑
        ssl_certificate_key  /etc/pki/tls/private/www.qf.com.key;  #指定私鑰路徑
        ssl_session_timeout  5m;   #配置用於SSL會話的緩存
        ssl_protocols  SSLv2 SSLv3 TLSv1;   #指定使用的協議
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; # //密碼指定爲OpenSSL支持的格式
        ssl_prefer_server_ciphers   on;  #設置協商加密算法時，優先使用服務端的加密，而不是客戶端瀏覽器的。

        location / {
                root /usr/share/nginx/html;
                index index.html index.htm;
                }
}
保存重啓
[root@nginx-server conf.d]# nginx -t 
[root@nginx-server conf.d]# nginx -s reload

瀏覽器測試訪問: