如何使用openssl工具创建私有CA

CA及证书

#

非对称加密是为了保证互联网中通讯信息安全使用的一种算法，密钥是成对出现(公钥和私钥），它的特点是发送方A使用接收方B的公钥加密数据，所有只有B拥有与之配对的私钥解密该数据，反之亦然。那么，A和B之间怎么交换得到对方的真实安全的公钥呢？此时就需要一个权威的机构来验证公钥的合法性，这个机构称之为CA(Certification Authority)。CA为每个使用公开密钥的客户发放数字证书，数字证书的作用是证明证书中列出的客户合法拥有证书中列出的公开密钥。

获取证书两种方法

#

使用证书授权机构：

#

生成签名请求(csr) –>将csr发送给CA –> 从CA处接收签名 。参考下图： CA证书颁发过程(假设只有一级CA)

很多权威的根CA会被内置到操作系统里面，用户安装系统之后也就会拥有根CA的公钥，所以可以获得上级CA的公钥，进而可以申请证书。参考下图：主机通过RootCA获得上级CA的公钥

自签名的证书

#

OpenSSL是一个免费开源的库，它提供了构建数字证书的命令行工具，其中一些可以用来自建RootCA并签发自己的公钥

1.创建私有CA

#

创建之前要了解一下openssl的配置文件： /etc/pki/tls/openssl.cnf

[ ca ] default_ca      = CA_default            # The default ca section           <--启用的CA名字

[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept         <--相关文件存放目录
certs           = $dir/certs            # Where the issued certs are kept  <--存档颁发证书文件
crl_dir         = $dir/crl              # Where the issued crl are kept    <--吊销证书列表
database        = $dir/index.txt        # database index file.             <--证书索引数据库
#unique_subject = no                    # Set to 'no' to allow creation of <--是否允许创建具有相同主题的多个证书
                                        # several certificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.    
certificate     = $dir/cacert.pem       # The CA certificate               <--自签名的证书
serial          = $dir/serial           # The current serial number        <--当前可用的序列号(下一个要颁发证书的序列号)
crlnumber       = $dir/crlnumber        # the current crl number           <--吊销证书编号
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key                  <--CA的私钥文件
RANDFILE        = $dir/private/.rand    # private random number file

default_days    = 365                   # how long to certify for          <--证书有效期
default_crl_days= 30                    # how long before next CRL         <--发布吊销证书列表周期
default_md      = sha256                # use SHA-256 by default           <--算法

policy          = policy_match                                             <--使用哪个策略

# For the CA policy
[ policy_match ]
countryName             = match                                            <--CA与客户端的申请信息必须一致
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional                                         <--可填可不填
commonName              = supplied                                         <--必须填
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

a.在CentOS7上创建CA的私钥

#

[root@centos7 ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) <--私钥文件只对属主有权限
Generating RSA private key, 2048 bit long modulus
...+++
.............+++
e is 65537 (0x10001)
[root@centos7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem
4 directories, 1 file

b.生成自签名证书

#

[root@centos7 ~]#openssl req -new -x509 \                                    <-- -x509 专用于CA生成自签证书
>         -key  /etc/pki/CA/private/cakey.pem \                              <-- 生成请求时用到的私钥文件
>         -out  /etc/pki/CA/cacert.pem \                                     <-- 证书的保存路径
>         -days 365                                                          <-- 证书的有效期限
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing   
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:ffu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.ffu.com      
Email Address []:ffu@outlook.com

c.查看自签名证书信息

#

[root@centos7 ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14141409927417363425 (0xc440616792e4fbe1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=ffu, OU=IT, CN=ca.ffu.com/emailAddress=ffu@outlook.com
        Validity
            Not Before: Jul 16 08:57:27 2017 GMT
            Not After : Jul 16 08:57:27 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=ffu, OU=IT, CN=ca.ffu.com/emailAddress=ffu@outlook.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                 ....后面省略....

d.创建所需数据库文件

#

[root@centos7 CA]#touch /etc/pki/CA/index.txt                    <--生成证书索引数据库文件
[root@centos7 CA]#echo 01 > /etc/pki/CA/serial                   <--指定第一个颁发证书的序列号;十六进制，必须是两位数

2.颁发证书

#

a.生成CentOS6主机的私钥

#

[root@centos6 ~]#(umask 066;openssl genrsa -out /app/service.key 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
.................................+++
e is 65537 (0x10001)

b.生成证书申请文件

#

[root@centos6 app]#openssl req -new -key /app/service.key -out /app/service.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                       <--按照所选policy，必须和申请CA的信息一致
State or Province Name (full name) []:BeiJing                              <--按照所选policy，必须和申请CA的信息一致
Locality Name (eg, city) [Default City]:Zhengzhou   
Organization Name (eg, company) [Default Company Ltd]:ffu                  <--按照所选policy，必须和申请CA的信息一致
Organizational Unit Name (eg, section) []:cs
Common Name (eg, your name or your server's hostname) []:*.ffu.com        
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

c.将证书请求文件传输给CA

#

[root@centos6 app]#scp service.csr 192.168.196.166:/etc/pki/CA/

d.CA签署证书，并将证书颁发给请求者

#

[root@centos7 CA]#openssl ca -in /etc/pki/CA/service.csr -out /etc/pki/CA/certs/service.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 16 09:44:51 2017 GMT
            Not After : Oct 24 09:44:51 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = ffu
            organizationalUnitName    = cs
            commonName                = *.ffu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
    89:01:83:51:84:C8:1F:A9:1F:E7:F5:60:6E:6E:5D:5A:2B:59:5A:F2
            X509v3 Authority Key Identifier: 
keyid:A9:5F:1B:D6:F6:7E:99:5D:2F:EE:7D:40:F7:DA:61:AE:29:EE:D1:6F
Certificate is to be certified until Oct 24 09:44:51 2017 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]#ll certs/service.crt newcerts/01.pem 
-rw-r--r--. 1 root root 4456 Jul 16 17:45 certs/service.crt
-rw-r--r--. 1 root root 4456 Jul 16 17:45 newcerts/01.pem         <--自动生成以证书序列号命名的文件，内容与证书一致
[root@centos7 CA]#cat index.txt  serial
V       171024094451Z           01      unknown /C=CN/ST=BeiJing/O=ffu/OU=cs/CN=ffu     <--自动生成数据库
02  <--自动更新下一个颁发证书的序列号

然后，CA就可以把证书发送给主机，主机相关Web服务就可以使用了

3.如何吊销证书

#

a.在客户端上先查看证书serial

#

openssl x509 -in /etc/pki/CA/service.crt -noout -text

b.吊销证书

#

在CA上，根据客户提交的serial与subject信息，对比检验是否与index.txt文件中的信息一致，吊销证书

[root@centos7 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7 CA]#cat index.txt
R       171024094451Z   170716112929Z   01      unknown /C=CN/ST=BeiJing/O=ffu/OU=cs/CN=ffu  <--R代表removed

c.指定第一个吊销证书的编号

#

[root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber    <--第一次更新证书吊销列表前，才需要执行

d.更新证书吊销列表

#

[root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem  
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 CA]#cat crlnumber
02                                                                                      <--自动更新下一个吊销证书的序列号
[root@centos7 CA]#openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text <--查看吊销证书文件详情
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=BeiJing/L=BeiJing/O=ffu/OU=IT/CN=ffu/emailAddress=ffu@outloo.co
        Last Update: Jul 16 11:35:48 2017 GMT
        Next Update: Aug 15 11:35:48 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jul 16 11:29:29 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
            .....后面省略.....