Building a private CA server
1 What is a CA
A CA (Certificate Authority) is the body that issues, manages, archives and revokes certificates. A certificate holds the owner's name, address, e-mail address and public key, the validity period, the name of the issuing CA and the CA's digital signature over all of it. That signature is what binds the public key to the named owner: anyone who trusts the CA can check it and then trust the key. Certificates are used for three things: encryption (key exchange), signing, and authentication of the party that holds the matching private key.
2 Building the CA server
2.1 Reading the configuration file
The CA side of OpenSSL is driven by /etc/pki/tls/openssl.cnf (the path the openssl ca command reports in section 4.1). The relevant part, with the meaning of each entry:
[ ca ]
default_ca = CA_default                 # which section below the ca command uses
####################################################################
[ CA_default ]
dir = /etc/pki/CA                       # where everything is kept: the CA's home directory
certs = $dir/certs                      # where the issued certs are kept
crl_dir = $dir/crl                      # where the issued CRLs are kept
database = $dir/index.txt               # the database index file: one row per issued certificate
#unique_subject = no                    # set to 'no' to allow several certificates with the same subject
new_certs_dir = $dir/newcerts           # where every newly signed cert is stored, as <serial>.pem
certificate = $dir/cacert.pem           # the CA certificate: the CA's own self-signed certificate
serial = $dir/serial                    # the current serial number
crlnumber = $dir/crlnumber              # the current CRL number
                                        # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                      # the current CRL (certificate revocation list)
private_key = $dir/private/cakey.pem    # the CA's own private key
RANDFILE = $dir/private/.rand           # private random number file
x509_extensions = usr_cert              # the extensions added to issued certs (CA:FALSE; see section 4.1)
default_days =                          # how long to certify for: the default validity of issued certs
policy = policy_match                   # the issuing policy; the section is right below
[ policy_match ]
countryName = match                     # match: the value in the request must equal the CA certificate's own value; optional and supplied fields are not compared with the CA
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied                   # supplied: the field must be present in the request
emailAddress = optional
The shipped file may instead contain dir = ../../CA, a path relative to whatever directory openssl is run from; section 4.1 shows the error that causes and the fix (the absolute /etc/pki/CA). Further down, in the [ req_distinguished_name ] section that openssl req uses for its prompts, the defaults are set:
countryName_default = XX                # default country, a 2-letter code; the other *_default entries set the default province, city, company and so on
2.2 Generating the CA key
[root@localhost CA]# cd /etc/pki/CA/ # change into the CA directory
[root@localhost CA]# (umask ; openssl genrsa -out private/cakey.pem 2048) # generate the private key with the genrsa subcommand
Generating RSA private key, bit long modulus
..+++
......................+++
e is 65537 (0x10001)
Note: the parentheses run the two commands in a subshell, so the umask set inside them applies only there and is gone once the subshell exits; the commands are separated by ";". umask tightens the file-creation mask so that cakey.pem is not created world-readable, as it would be with the default mask; every certificate this CA issues depends on nobody else being able to read that file. -out is the path of the key file (without it the key is printed to the terminal). 2048 is the key length in bits; OpenSSL releases before 1.1.0 default to 1024, which is too short, so always give the length explicitly (2048 at minimum; 4096 is a reasonable choice for a CA key that will be in use for years).
2.3 Generating the self-signed certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.com
Email Address []:caadmin@linuxpanda.com
- req: create a certificate signing request
- -x509: output a self-signed certificate instead of a request (a CA's root certificate is exactly that: signed with its own key)
- -days n: validity of the certificate in days
- -new: start a new request
- -key /path/to/keyfile: the private key to use; its public half goes into the certificate
- -out /path/to/somefile: where to write the certificate
The C, ST and O values typed here matter later: because of the policy_match section, openssl ca will refuse any request whose countryName, stateOrProvinceName or organizationName differ from them. With the stock openssl.cnf, req -x509 applies the v3_ca extension section, so the resulting certificate carries Basic Constraints CA:TRUE; confirm that in the next step, because clients will not accept a certificate without it as an issuer.
2.4 Inspecting the CA's own certificate
[root@localhost CA]$ openssl x509 -in cacert.pem -noout -text
Things to confirm in the output: Issuer and Subject are identical (it is self-signed), the Validity window is what -days asked for, and X509v3 Basic Constraints reads CA:TRUE.
2.5 Initialising the working environment
[root@localhost CA]# touch index.txt serial # create index.txt and serial
[root@localhost CA]# echo >serial # write the initial serial number
[root@localhost CA]# mkdir csr crl newcerts # create the csr, crl and newcerts directories
- index.txt: the certificate database; openssl ca appends one row per issued certificate (status, expiry, serial, subject) and looks certificates up here when revoking
- serial: the serial number to give the next certificate, in hex; it is seeded once by hand and incremented by openssl ca after every issuance
- csr: where incoming certificate requests are kept
- crl: where revocation lists are written
- newcerts: openssl ca stores a copy of every certificate it signs here as <serial>.pem
All of these must be in place before openssl ca is first run: index.txt may be empty but must exist, serial must contain a value, and the tool refuses to start when newcerts is missing (section 4.1 shows that error).
3 A node requests a certificate
3.1 Generating the key pair
[root@localhost CA]# cd /etc/httpd/ssl # go to httpd's ssl subdirectory
-bash: cd: /etc/httpd/ssl: No such file or directory
[root@localhost CA]# ls
cacert.pem index.txt private serial
[root@localhost CA]# cd /etc/httpd/ # look at the directory layout
[root@localhost httpd]# ls
conf conf.d logs modules run
[root@localhost httpd]# mkdir ssl # create the ssl directory that will hold the key and certificate
[root@localhost httpd]# (umask ; openssl genrsa -out ssl/httpd.key ) # generate the private key, again under a restrictive umask
Generating RSA private key, bit long modulus
.+++
............................+++
e is 65537 (0x10001)
The key is generated on the node itself and should never leave it; only the request built from it in the next step goes to the CA.
3.2 Generating the certificate request
[root@localhost httpd]# openssl req -new -key ssl/httpd.key -out ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZKYT
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:tech1.linuxpanda.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Without -x509 the command produces a request (CSR): the public key and the DN, signed with the node's private key so that the CA can check the requester actually holds the key. Country, province and organisation must be the same as the CA's (CN, HENAN, ZKYT), or the policy_match check in openssl ca will refuse the request; the Common Name should be the host name clients will connect to. Leave the challenge password blank: openssl ca does not use it. Note that this configuration puts no subjectAltName into issued certificates, and current browsers match the host name against the SAN rather than the CN, so for web servers the usr_cert section needs a subjectAltName entry.
3.3 Sending the request file to the CA server
[root@localhost httpd]# scp ssl/httpd.csr 192.168.137.100:/etc/pki/CA/csr/httpd.csr
root@192.168.137.100's password:
httpd.csr % .0KB/s :
[root@localhost httpd]# ls /etc/pki/CA/csr
httpd.csr
Only httpd.csr is copied; ssl/httpd.key stays on the node. The CSR is not secret, but nothing inside it proves who sent it, so the CA operator should confirm out of band that the request really comes from the administrator of tech1.linuxpanda.com before signing it.
4 The CA server signs the certificate
4.1 Signing on the CA server
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
:error::system library:fopen:No such file or directory:bss_file.c::fopen('../../CA/private/cakey.pem','r')
:error::BIO routines:FILE_CTRL:system lib:bss_file.c::
unable to load CA private key
The shipped openssl.cnf has dir = ../../CA, a path relative to wherever openssl is started, so the CA files are not found. Edit the configuration and replace ../../CA with the absolute path /etc/pki/CA:
[root@localhost CA]# vim /etc/pki/tls/
cert.pem certs/ misc/ openssl.cnf private/
[root@localhost CA]# vim /etc/pki/tls/openssl.cnf # edit the configuration: change ../../CA to /etc/pki/CA
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory # the newcerts directory was never created
/etc/pki/CA/newcerts: No such file or directory
[root@localhost CA]# mkdir newcerts # create the newcerts directory
[root@localhost CA]# openssl ca -in csr/httpd.csr -out httpd.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar :: GMT
Not After : Mar :: GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = ZKYT
organizationalUnitName = TECH
commonName = tech1.linuxpanda.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B3:E9::1A::::F1:A2::B4::C6:FD:5A:AF:8E::CB:C3
X509v3 Authority Key Identifier:
keyid::0F:4A:D3::3F::D7:FA::3C:0A::9B:6F:6A::::
Certificate is to be certified until Mar :: GMT ( days)
Sign the certificate? [y/n]:y
out of certificate requests certified, commit? [y/n]y
Write out database with new entries
"Signature ok" means the request's self-signature verified with the public key inside it, i.e. whoever made the request holds the private key; it says nothing about who that is, which is why the out-of-band check in 3.3 matters. The issued Subject lacks the Locality and e-mail address that were typed into the request: openssl ca copies only the fields named in the policy section, and policy_match does not list localityName or emailAddress as anything but optional-or-absent, so they are dropped. The extensions come from usr_cert: CA:FALSE is correct for a server certificate (a node must not be able to issue certificates of its own), and the Authority Key Identifier points at the CA certificate's Subject Key Identifier. Besides httpd.crt, a copy is stored in newcerts under its serial number and a row is appended to index.txt.
4.2 Sending the certificate to the requester
[root@localhost CA]# scp httpd.crt 192.168.137.100:/etc/httpd/ssl
root@192.168.137.100's password:
httpd.crt
The certificate is public, so plain scp is fine; the node now has ssl/httpd.key and ssl/httpd.crt to configure httpd with. Clients also need cacert.pem in their trust store, since nothing else vouches for a private CA.
5 Revoking a certificate
5.1 The node asks for revocation
[root@localhost CA]# openssl x509 -in httpd.crt -noout -serial -subject
serial=
subject= /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com
- x509: work with a certificate
- -in: the certificate to be revoked
- -noout: do not print the certificate itself
- -serial: print the serial number
- -subject: print the subject DN
The node sends these two values to the CA; together they identify one row of the CA's database.
5.2 Checking that the serial and subject submitted by the node match index.txt
[root@localhost CA]# cat index.txt
V 180325021521Z unknown /C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com
Each row of index.txt has six tab-separated columns: status (V valid, R revoked, E expired), expiry time as YYMMDDHHMMSSZ, revocation time (empty until the certificate is revoked), serial number in hex, a file-name column (always unknown with this tool) and the subject DN. Both the serial and the subject the node sent must match one row whose status is still V; matching on the serial alone is not enough, because a request that quotes someone else's serial together with its own subject must not take that other certificate down.
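The check just described, as an added shell example that is not part of the original page: it reads an index.txt in the format shown above and only approves a revocation when serial and subject both match a row that is still valid. The two database rows, the serials 01 and 02 and the second host tech2.linuxpanda.com are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the page): validate a revocation request against the
# CA database before running openssl ca -revoke.
# index.txt columns, tab separated:
#   status (V/R/E)  expiry  revocation-date  serial  filename  subject
set -eu

# Constructed sample database: one valid row and one already revoked row.
INDEX_FILE="${INDEX_FILE:-$(mktemp)}"
printf 'V\t180325021521Z\t\t01\tunknown\t/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com\n' > "$INDEX_FILE"
printf 'R\t180325021530Z\t170401120000Z\t02\tunknown\t/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech2.linuxpanda.com\n' >> "$INDEX_FILE"

# index_status SERIAL SUBJECT -> prints the status column of the row whose
# serial AND subject both match, or "none". Requiring both fields stops a
# request that quotes a valid serial next to a different subject.
index_status() {
    awk -F'\t' -v serial="$1" -v subject="$2" '
        $4 == serial && $6 == subject { print $1; found = 1; exit }
        END { if (!found) print "none" }
    ' "$INDEX_FILE"
}

# can_revoke SERIAL SUBJECT -> "yes" only for a row that is currently valid;
# an already revoked, expired or unknown certificate is refused.
can_revoke() {
    case "$(index_status "$1" "$2")" in
        V) echo yes ;;
        *) echo no ;;
    esac
}

# Usage: can_revoke 01 '/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=tech1.linuxpanda.com'
```

Point INDEX_FILE at the real /etc/pki/CA/index.txt to run it against the CA's database; the subject string must be passed exactly as openssl x509 -subject prints it, with the leading slash.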
5.3 Revoking the certificate
[root@localhost CA]# openssl ca -revoke newcerts/.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate .
Data Base Updated
-revoke takes the certificate to revoke; the CA's own copy in newcerts, named after the serial number, is the natural choice. This only changes the row in index.txt from V to R and records the revocation time; nothing has been published yet.
5.4 Seeding the CRL number (first revocation only)
root@localhost CA]# echo > crlnumber
crlnumber plays the same role for CRLs that serial plays for certificates: each generated CRL carries the current value in its CRL Number extension and the file is incremented afterwards, and -gencrl cannot run while the file named in openssl.cnf is missing.
5.5 Updating the certificate revocation list
Although the certificate was revoked above, nobody else can tell: index.txt is the CA's private bookkeeping. The CRL is how relying parties learn which serial numbers the CA no longer stands behind, so it has to be regenerated after every revocation and distributed to everything that validates certificates. The certificates issued here carry no CRL distribution point (section 4.1 shows only Basic Constraints, Netscape Comment, Subject Key Identifier and Authority Key Identifier), so the CRL must be handed to clients out of band.
[root@localhost CA]# openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
5.6 Inspecting the CRL
[root@localhost CA]# openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=HENAN/L=ZHENGZHOU/O=ZKYT/OU=TECH/CN=ca.linuxpanda.com/emailAddress=caadmin@linuxpanda.com
Last Update: Mar :: GMT
Next Update: Apr :: GMT
CRL extensions:
X509v3 CRL Number:
Revoked Certificates:
Serial Number:
Revocation Date: Mar :: GMT
Signature Algorithm: sha1WithRSAEncryption
(signature bytes follow)
Three things to read off this output. Version 2 (0x1) is a v2 CRL, which is what the CRL Number extension requires. Next Update is one month after Last Update (default_crl_days in openssl.cnf): a CRL that is past its Next Update is stale, and clients that check CRLs reject it, so regenerate the CRL on a schedule and not only when something is revoked. Finally, sha1WithRSAEncryption means the CA signs with SHA-1, which is no longer acceptable for signatures; set default_md = sha256 in the CA_default section so that both certificates and CRLs are signed with SHA-256.
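The whole procedure of sections 2 to 5, as one added shell example that is not code from the page: it builds the CA in a scratch directory with a small openssl.cnf of its own, so it runs without root and without touching /etc/pki, issues a server certificate from a CSR, revokes it, publishes the CRL and then shows what a client sees with and without CRL checking. The CA name demo-ca, the host names passed to the functions, the 2048-bit keys, the 3650/365/30-day validities, the serial seed 01 and the SAN added at signing time are all assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not code from the page): the CA lifecycle from sections 2-5,
# non-interactive, in a scratch directory with its own openssl.cnf. The CA
# name demo-ca, host names, 2048-bit keys, the 3650/365/30-day validities and
# the starting serial 01 are assumptions made for this demo.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CNF="$CA_DIR/openssl.cnf"

# Section 2: directory layout, database files, CA key and self-signed cert.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/csr" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    # empty database; serial for the first cert (openssl ca increments it); crlnumber must exist before -gencrl
    : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # umask 077 in the subshell: the key file is created mode 0600, not 0644.
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    # Self-signed CA certificate; the v3_ca section gives it CA:TRUE.
    openssl req -new -x509 -sha256 -days 3650 -config "$CNF" -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=demo-ca"
}

# Section 3 (node side): key and CSR. C, ST and O must equal the CA's values
# or policy_match rejects the request.
node_request() {   # $1 = host name
    (umask 077; openssl genrsa -out "$CA_DIR/csr/$1.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$CNF" -key "$CA_DIR/csr/$1.key" \
        -out "$CA_DIR/csr/$1.csr" -subj "/C=CN/ST=HENAN/O=ZKYT/OU=TECH/CN=$1"
}

# Section 4 (CA side): -batch answers the y/n prompts; the extension file
# takes the place of usr_cert and adds the SAN that browsers require.
ca_sign() {        # $1 = host name
    cat > "$CA_DIR/csr/$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
authorityKeyIdentifier = keyid
EOF
    openssl ca -batch -notext -config "$CNF" -extfile "$CA_DIR/csr/$1.ext" \
        -in "$CA_DIR/csr/$1.csr" -out "$CA_DIR/certs/$1.crt" 2>/dev/null
}

# Section 5: revoke the copy openssl ca kept as newcerts/<serial>.pem, then
# publish a fresh CRL; without it nobody outside the CA sees the change.
ca_revoke() {      # $1 = host name
    serial=$(openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -serial | cut -d= -f2)
    openssl ca -config "$CNF" -revoke "$CA_DIR/newcerts/$serial.pem" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}

# What a client does: chain check against cacert.pem, and with $2=1 also
# against the CRL (concatenated after the CA cert into one trust file).
ca_verify() {      # $1 = host name, $2 = 1 to check the CRL too; prints ok or fail
    trust="$CA_DIR/cacert.pem"; extra=""
    if [ "${2:-0}" = 1 ]; then
        cat "$CA_DIR/cacert.pem" "$CA_DIR/crl/ca.crl" > "$CA_DIR/crl/trust.pem"
        trust="$CA_DIR/crl/trust.pem"; extra="-crl_check"
    fi
    openssl verify $extra -CAfile "$trust" "$CA_DIR/certs/$1.crt" 2>/dev/null | grep -q ': OK$' && echo ok || echo fail
}

if [ "${1:-}" = demo ]; then   # sh ca-demo.sh demo
    ca_init; node_request tech1.example.test; ca_sign tech1.example.test; ca_revoke tech1.example.test
    echo "CRL checked: $(ca_verify tech1.example.test 1), CRL ignored: $(ca_verify tech1.example.test 0)"
fi
```

The last two calls are the point of section 5.5 in executable form: after revocation the certificate still verifies for a client that only has cacert.pem, and is rejected only once the client also loads the CRL. Re-run ca_revoke's -gencrl step before each Next Update even when nothing new was revoked, or CRL-checking clients will start failing on the stale list.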