Using openssl to simulate a CA and issue CA-signed certificates
When communication is encrypted with SSL/TLS, a digital certificate is required. If communication is confined to a local network, there is no need to apply to a third-party authority for one: openssl can play the role of the CA (Certificate Authority) and issue certificates itself. The sections below give the concrete steps for issuing certificates with the openssl tool on CentOS 7.3. Two things hold throughout: clients accept certificates from this CA only after its certificate (cacert.pem) has been added to their trust store, and the CA private key (cakey.pem) is the root of all that trust, so it must stay readable by root only and should not live on the web server it protects.
1 Generate the simulated CA
1.1 Modify the configuration file /etc/pki/tls/openssl.cnf
Open the openssl configuration file /etc/pki/tls/openssl.cnf and change the default CA information in the [ req_distinguished_name ] section; the edited section is shown below. These values are only the defaults offered at the prompts when the CA certificate and each CSR are generated. They matter because the default signing policy further down in the same file (policy_match) requires the Country, State and Organization of every request to match the CA certificate exactly.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ZTE
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
Explanation of the settings:
- countryName_default: the default country code, set here to CN;
- stateOrProvinceName_default: the default province, set here to JangSu;
- localityName_default: the default city, set here to NanJing;
- 0.organizationName_default: the default organization name, set here to ZTE;
- organizationalUnitName_default: the default department name, set here to Tech;
1.2 Generate the CA self-signed certificate
Generate the CA private key. All commands in this section run in /etc/pki/CA, the directory that [ CA_default ] in openssl.cnf points to (dir = /etc/pki/CA); on CentOS 7 it already contains the private/ subdirectory. The umask 077 set in the subshell makes the key file readable by its owner only (mode 0600) from the moment it is created, instead of relying on a chmod afterwards.
(umask 077; openssl genrsa -out private/cakey.pem 2048)
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
..........+++
e is 65537 (0x10001)
Generate the self-signed certificate. With -x509, req writes a certificate instead of a request and signs it with the key just generated. Pass -days explicitly: without it req -x509 certifies for only 30 days. The run shown below used one year, which matches the dump further down; for a CA that has to outlive every certificate it signs, a longer period such as -days 3650 is the usual choice.
openssl req -new -x509 -key private/cakey.pem -days 365 -out cacert.pem
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -days 365 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.xiaojie.com
Email Address []:xiaojie@163.com
[root@localhost CA]# ls cacert.pem private/cakey.pem
cacert.pem private/cakey.pem
- private/cakey.pem is the CA's private key;
- cacert.pem is the CA's self-signed certificate, the file that clients must import as a trusted root;
View the contents of the certificate just created (-noout suppresses the PEM block so that only the decoded fields are printed). The dump below was captured from a different run than the commands above: it shows a 1024-bit key and ST=JS, O=Ztesoft, whereas the commands above produce a 2048-bit key and the DN values entered at the prompts. The part worth checking is the extension block: Basic Constraints CA:TRUE marks this as a CA certificate, and the Subject Key Identifier equals the Authority Key Identifier because the certificate is self-signed.
openssl x509 -noout -text -in cacert.pem
[root@localhost CA]# openssl x509 -noout -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13441978108521887108 (0xba8b7fdefd063584)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=JS, L=NanJing, O=ZTE, OU=Tech, CN=ca.xiaojie.com/emailAddress=caxiaojie@163.com
Validity
Not Before: Jun 2 03:30:22 2018 GMT
Not After : Jun 2 03:30:22 2019 GMT
Subject: C=CN, ST=JS, L=NanJing, O=Ztesoft, OU=Tech, CN=ca.xiaojie.com/emailAddress=caxiaojie@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d2:ce:94:8e:26:52:bd:6e:7d:54:31:02:20:57:
01:81:1b:fc:24:3b:b1:e8:f1:4c:5d:e2:49:d8:5f:
5c:5e:02:89:76:29:f5:8d:33:17:98:06:80:06:ee:
37:dd:87:47:0d:f1:56:f0:cb:5e:5a:30:dc:31:46:
5a:cb:74:4c:76:8c:58:0b:bd:85:ff:15:16:67:64:
99:dd:53:3b:d0:6b:23:e3:35:3d:56:4a:ea:5d:89:
ab:f3:dc:75:ee:b6:5e:71:c6:f9:f6:ae:53:72:ba:
41:b4:06:0d:4f:80:1c:83:ab:5b:68:4f:78:eb:aa:
c0:f2:af:c4:b5:ac:f2:e8:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3E:E1:CC:F3:0D:53:2C:E3:DC:42:16:1D:DF:7B:A6:64:0F:E7:85:0B
X509v3 Authority Key Identifier:
keyid:3E:E1:CC:F3:0D:53:2C:E3:DC:42:16:1D:DF:7B:A6:64:0F:E7:85:0B
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
be:5a:44:22:98:bb:cc:8a:15:32:ef:7c:ef:cb:2d:0f:6e:95:
42:f4:1f:54:23:40:02:63:7e:52:e3:97:2d:e2:77:fb:20:3b:
b3:b4:9f:b5:d7:01:05:5f:c2:9d:a9:2d:e8:93:48:33:ed:4c:
8a:3c:e2:a0:f1:d3:9e:b0:37:af:4a:75:aa:4a:42:3c:4e:a6:
c7:07:dc:98:75:84:3a:fe:8a:65:ab:4b:39:29:02:57:5b:30:
eb:1f:26:13:cc:65:39:65:83:47:cc:e6:da:89:9d:61:3c:57:
65:66:1d:c6:06:cb:b5:da:ae:4c:22:d0:f0:4d:ed:4c:4e:f9:
ea:d8
Create the CA's working files. openssl ca refuses to run without index.txt and serial, so this step must be completed before any certificate is signed in section 2. On CentOS 7 the four directories already exist under /etc/pki/CA (mkdir -p keeps the command from failing on them); index.txt and serial do not.
[root@localhost CA]# mkdir -p certs crl newcerts private
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
certs crl index.txt newcerts private serial
- private: the CA's private key;
- newcerts: a copy of every certificate the CA issues, named after its serial number (01.pem, 02.pem, ...);
- crl: certificate revocation lists;
- index.txt: the certificate database, one line per issued certificate with its status (V valid, R revoked), expiry date, serial number and subject;
- serial: the serial number to give the next certificate; openssl ca increments it after every signing;
2. Organization A requests a certificate from the CA
Generate organization A's private key. The original post used a 1024-bit key; 1024-bit RSA is no longer accepted by current browsers and TLS libraries, so use at least 2048 bits. As with the CA key, umask 077 keeps the file readable by its owner only.
(umask 077; openssl genrsa -out httpd.key 2048)
Generate the certificate signing request (CSR). The CSR carries the public key and the requested subject, signed with httpd.key; the private key itself never leaves organization A. Country, State and Organization must match what the CA entered in section 1.2, otherwise openssl ca rejects the request under policy_match. Common Name is the server's host name. Leave the challenge password empty; openssl ca does not use it.
openssl req -new -key httpd.key -out httpd.csr
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.xiaojie.com
Email Address []:xiaojie@123.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
httpd.csr httpd.key
Send httpd.csr to the CA; the CA issues the certificate from httpd.csr. The command takes the CA key, CA certificate, database and serial file from [ CA_default ] in /etc/pki/tls/openssl.cnf, so index.txt and serial must already exist under /etc/pki/CA:
openssl ca -in httpd.csr -out httpd.crt -days 365
- -in: the certificate signing request file;
- -out: the certificate file to write;
- -days: the validity period of the certificate;
In the output below, the Subject printed by the CA has no localityName even though NanJing was entered in the CSR: the default policy_match section lists countryName, stateOrProvinceName, organizationName, organizationalUnitName, commonName and emailAddress only, and openssl ca silently deletes every DN field its policy does not mention. Basic Constraints CA:FALSE and the Netscape Comment come from the [ usr_cert ] extension section of openssl.cnf, so the issued certificate cannot itself sign certificates.
[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 2 04:07:48 2018 GMT
Not After : Jun 2 04:07:48 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = JangSu
organizationName = Ztesoft
organizationalUnitName = Tech
commonName = www.xiaojie.com
emailAddress = xiaojie@123.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3F:8F:5F:80:F1:C4:77:0A:2E:4D:9C:75:16:FC:8B:6E:77:EF:6A:35
X509v3 Authority Key Identifier:
keyid:75:D5:93:C0:53:3F:B1:DE:90:E0:9A:CC:92:BE:EF:F0:38:F4:20:C8
Certificate is to be certified until Jun 2 04:07:48 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
httpd.crt is the issued server certificate and can be used as it is; the CA keeps a copy as /etc/pki/CA/newcerts/01.pem, index.txt gains a V line for it, and serial now reads 02. One caveat before deploying it: the stock [ usr_cert ] section adds no subjectAltName, and current browsers ignore the Common Name and match the host name against subjectAltName only, so a certificate issued exactly as above is rejected by them even when cacert.pem is trusted. Add subjectAltName = DNS:www.xiaojie.com to [ usr_cert ] (or to a copy of it selected with -extensions) before signing.
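The whole procedure of sections 1 and 2, as an added example that is not part of the original post: a POSIX shell script that builds the CA and issues the server certificate non-interactively in a temporary directory with its own openssl.cnf (instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf), then checks the result the way a TLS client will. It keeps the post's DN values and host names; the 3650-day CA lifetime, the policy_match and [server_cert] sections, the function names and the temporary-directory layout are assumptions made for the example. Unlike the stock configuration it stamps a subjectAltName on the issued certificate, sets copy_extensions = none so that nothing in a CSR can request CA:TRUE or a foreign host name, and restricts the CA key to certificate and CRL signing.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's CA workflow as one
# non-interactive script in a throwaway directory with its own openssl.cnf
# (instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf). DN values and host
# names are the post's; the 3650-day CA lifetime, the policy and the
# [server_cert] extension set are assumptions made here.
set -eu

# Lay out the CA directory as `openssl ca` expects it (the post's /etc/pki/CA
# layout), write a minimal config beside it, then create the CA key and root cert.
make_ca() {
  cadir="$1"
  mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
  chmod 700 "$cadir/private"
  : > "$cadir/index.txt"      # certificate database, one line per issued cert
  echo 01 > "$cadir/serial"   # serial number of the next certificate
  cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $cadir/index.txt
new_certs_dir = $cadir/newcerts
serial = $cadir/serial
certificate = $cadir/cacert.pem
private_key = $cadir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
copy_extensions = none          # never take extensions from a CSR
x509_extensions = server_cert   # extensions stamped on every issued cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_md = sha256
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:www.xiaojie.com,DNS:xiaojie.com
EOF
  (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$cadir/openssl.cnf" -key "$cadir/private/cakey.pem" \
    -days 3650 -subj "/C=CN/ST=JangSu/L=NanJing/O=ZTE/OU=Tech/CN=ca.xiaojie.com" \
    -out "$cadir/cacert.pem"
}

# Organization A's key and CSR (the post's httpd.key and httpd.csr), no prompts.
make_csr() {
  (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$1/httpd.key" \
    -subj "/C=CN/ST=JangSu/L=NanJing/O=ZTE/OU=Tech/CN=www.xiaojie.com" \
    -out "$1/httpd.csr"
}

# The CA signs the CSR: -batch answers the two y/n prompts, -notext keeps only
# the PEM block. index.txt and serial are updated and a copy lands in newcerts/.
sign_csr() {
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/httpd.csr" \
    -out "$1/httpd.crt" -days 365 -notext 2>/dev/null
}

# Check the issued cert as a TLS client would: chain it to cacert.pem and match
# the host name against subjectAltName. Succeeds only if openssl prints ": OK".
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/httpd.crt" \
    2>/dev/null | grep ': OK$' >/dev/null
}

csr_subject()  { openssl req  -noout -subject -in "$1"; }
cert_subject() { openssl x509 -noout -subject -in "$1"; }
cert_has_san() { openssl x509 -noout -text -in "$1" | grep "DNS:$2" >/dev/null; }

# Stand-alone use: sh ca-demo.sh --run
if [ "${1:-}" = "--run" ]; then
  WORK=$(mktemp -d)
  make_ca "$WORK"; make_csr "$WORK"; sign_csr "$WORK"
  verify_cert "$WORK" www.xiaojie.com && echo "httpd.crt verifies for www.xiaojie.com"
  echo "CSR subject:    $(csr_subject "$WORK/httpd.csr")"
  echo "issued subject: $(cert_subject "$WORK/httpd.crt")"
  echo "CA database:    $(cat "$WORK/index.txt")"
fi
```

Run it with sh ca-demo.sh --run. The CSR subject still contains L=NanJing but the issued certificate's subject does not: policy_match does not mention localityName, and openssl ca silently drops every DN field its policy leaves out, which is also why the Subject in the CA output of section 2 has no locality. verify_cert succeeds for www.xiaojie.com and xiaojie.com and fails for any other host name; that is the check to run before copying httpd.crt to the web server.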
3. Use the certificate in httpd
Install the mod_ssl module
yum install mod_ssl
Configure /etc/httpd/conf.d/ssl.conf
- Change DocumentRoot: DocumentRoot "/work/www/html" [the website's directory];
- Change ServerName: ServerName www.YOUR_DOMAIN:443 [domain name + port 443]; this must be the host name that was entered as Common Name (and, if added, subjectAltName) of the certificate, otherwise clients report a name mismatch;
- Set SSLCertificateFile to the server certificate httpd.crt issued in section 2 (not the CA certificate): SSLCertificateFile /etc/ssl/certs/httpd.crt;
- Set SSLCertificateKeyFile to the server private key httpd.key: SSLCertificateKeyFile /etc/ssl/private/httpd.key; copy the key there with mode 0600, owned by root, since httpd reads it as root at startup;
- Set SSLCertificateChainFile to the certificate chain, i.e. the CA certificate that signed httpd.crt: SSLCertificateChainFile /etc/ssl/certs/cacert.pem; CentOS 7's httpd 2.4.6 still uses this directive (from 2.4.8 it is deprecated in favour of appending the chain to SSLCertificateFile). With a single-level CA the chain is only the root, so sending it is optional: a client accepts the connection only once cacert.pem is in its own trust store, and no server-side directive can replace that step.
After copying the three files into place, check the syntax with apachectl configtest, restart httpd, and confirm the handshake from a machine that trusts the CA with openssl s_client -connect www.YOUR_DOMAIN:443 -CAfile cacert.pem; the output should end with Verify return code: 0 (ok).