Setting up a private CA and applying for certificates
Published: 2024-11-16  Author: 千家信息网 editor
A CA has to be created in a prescribed layout. The details are in /etc/pki/tls/openssl.cnf, which holds the CA-related configuration.
The two most important settings in that file are:
1. This section defines the CA's directory structure
####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
 # several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert
2. This section holds the rules for signing certificates. A field marked match must be identical between the client's certificate signing request and the CA's own certificate; if the fields need to differ, change the policy rule.
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match # Changing this to policy_anything lets the CA sign requests whose countryName, stateOrProvinceName and organizationName differ from the CA's own.

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
I. Creating the private CA
1. Create the certificate index database file
[root@centos7 CA]# touch index.txt
2. Set the serial number for issued certificates
[root@centos7 CA]# echo 01 > serial
3. Generate the private key
The private key must be stored under /etc/pki/CA/private and named cakey.pem.
[root@centos7 CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096) # generate the private key, 4096 bits long
Generating RSA private key, 4096 bit long modulus
.........................................++
.....................++
e is 65537 (0x10001)
4. Generate the self-signed certificate
The location and name of the self-signed certificate are also prescribed: it must be stored under /etc/pki/CA/ and named cacert.pem.
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 # generate the self-signed certificate, valid for 3650 days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
II. Requesting a certificate from the client
1. Generate the private key file on the client
The client's private key is normally generated in the directory of the application that needs it.
[root@centos7 data]# (umask 066;openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................................................................++++++
.....++++++
e is 65537 (0x10001)
2. Generate a certificate signing request from the private key
In the signing request, Country Name, State or Province Name and Organization Name must be the same as the CA's.
[root@centos7 data]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Send the certificate signing request to the CA
[root@centos7 data]# scp test.csr 192.168.73.132:/tmp
The authenticity of host '192.168.73.132 (192.168.73.132)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.132' (ECDSA) to the list of known hosts.
root@192.168.73.132's password:
test.csr                                      100%  660   220.9KB/s   00:00
III. Signing the certificate on the CA server
When the CA server signs the certificate, the validity period must be specified.
[root@centos7 CA]# openssl ca -in /tmp/test.csr -out certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = www.mylinuxops.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier:
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

Certificate is to be certified until Apr 14 22:42:33 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
IV. Other operations
1. View the information in the certificate:
[root@centos7 CA]# openssl x509 -in certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=ops, CN=ca.magedu.com
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject: C=CN, ST=beijing, O=magedu, OU=ops, CN=www.mylinuxops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d1:ab:99:29:51:31:e8:2d:69:e6:04:25:89:61:
                    2d:81:71:c6:cf:b0:a2:a2:8a:94:6f:b3:ab:40:fa:
                    1f:da:40:33:7b:46:0f:f7:61:21:18:be:3b:5d:b8:
                    18:a2:8a:9e:99:66:9c:9c:7c:68:2e:ab:73:00:87:
                    3a:91:aa:b5:a0:f0:2c:ec:d0:f2:44:15:86:74:2a:
                    39:d0:64:42:a8:d5:69:ca:c2:79:a1:5a:e3:c9:dc:
                    6e:9e:1e:ab:89:cf:47:62:57:67:17:d3:9f:09:4f:
                    0d:ed:f3:b7:d1:99:b0:49:95:99:25:0b:70:30:ef:
                    a2:72:8d:42:90:8b:51:bb:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier:
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

    Signature Algorithm: sha256WithRSAEncryption
         a0:b9:ac:ef:a6:cb:9c:af:99:5b:f8:f2:dd:f4:0b:dc:63:51:
         99:16:3d:b9:53:91:5e:e5:61:f0:9d:85:cb:57:19:b8:fd:fd:
         6e:3a:9c:f2:2a:d0:69:90:89:ff:75:90:20:f6:25:d0:d2:f9:
         4f:23:34:fd:b7:3c:25:00:7c:a3:7f:f3:14:2b:54:54:3e:cf:
         19:fa:80:48:b2:f3:3a:c7:cf:20:7a:91:3e:43:6f:88:2d:36:
         9a:50:23:12:d1:0c:fa:78:c3:3a:7e:90:85:b1:ba:a8:4a:f0:
         c9:a1:6c:e9:7c:ff:e5:8a:f1:30:8d:36:33:1c:22:03:5b:37:
         73:95:a8:6f:2d:68:42:5d:78:e2:9c:24:c4:b2:f7:59:37:1e:
         af:90:ea:1e:bc:73:d7:95:83:42:64:f5:e1:fb:45:e6:9c:e3:
         2b:04:6f:de:d0:de:01:d9:dc:af:9c:47:2d:31:5e:c3:71:6d:
         23:a6:f3:e0:77:65:c9:a3:39:c0:f2:c5:d2:21:df:84:64:cd:
         0f:4b:19:ea:b4:d5:75:2a:52:54:38:e4:d6:6a:e0:9e:61:c6:
         3a:04:21:cb:d5:2f:c9:f3:21:15:a6:bf:48:ea:06:f4:a8:20:
         43:49:e9:e5:d5:c6:74:06:6a:53:c6:31:48:08:89:6f:af:9a:
         aa:d7:62:e3:9b:60:f2:55:1e:0d:e0:e2:ab:02:76:ab:f0:2f:
         c5:39:fe:11:e3:1d:51:19:96:2d:57:6b:a6:d1:97:8d:fb:cb:
         4f:08:b5:29:af:c8:b8:c7:c9:32:7d:a6:30:ee:ad:c7:13:af:
         d9:9f:c4:09:f1:57:6b:aa:66:de:ad:28:c9:ea:a3:52:26:9b:
         29:e2:0a:14:30:c5:fb:06:70:89:69:f2:5a:de:49:bd:4a:f3:
         af:20:f0:b6:c5:97:37:9a:b4:35:03:5e:75:6c:a0:82:1e:bb:
         0c:68:fe:f4:ee:06:3b:0a:2e:e1:72:0c:b1:32:f4:f3:0f:c0:
         ee:66:1e:5b:9b:e5:02:72:8a:f4:f8:94:3b:c3:85:5f:53:38:
         47:b4:47:61:1a:a1:fd:36:9d:40:81:0a:65:37:47:ad:9e:d5:
         a3:0f:58:87:d5:2f:7f:b5:bc:15:e8:cc:f4:16:c0:67:fa:a2:
         b6:f1:2b:4e:5d:ac:8f:fe:c5:20:3a:b5:49:18:5d:be:29:01:
         67:5f:2f:e9:77:31:34:5c:e2:12:78:1c:a2:c8:3a:67:d1:90:
         3b:24:ed:49:68:5d:c4:f3:f7:8f:4c:bf:02:88:15:3b:11:90:
         9e:f0:fc:d2:41:48:8b:6c:53:22:8d:b0:1b:53:67:05:dc:f5:
         72:37:19:1b:05:24:4b:3b
2. Check the status of the certificate with a given serial number
[root@centos7 CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
Revoking a certificate issued by the CA
I. On the client, look up the serial and subject of the certificate to be revoked
[root@centos7 certs]# openssl x509 -in test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com
II. On the CA server, compare the information the client submitted against the entries in index.txt
[root@centos7 CA]# cat index.txt
V	200414224233Z		01	unknown	/C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com
III. Revoke the certificate
[root@centos7 CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
IV. Set the number of the first CRL (this step is needed only the first time a revocation is performed)
[root@centos7 CA]# echo 01 > /etc/pki/CA/crlnumber
V. Generate the certificate revocation list
[root@centos7 CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
VI. View the certificate revocation list
[root@centos7 CA]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=ca.magedu.com
        Last Update: Apr 16 08:41:46 2019 GMT
        Next Update: May 16 08:41:46 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Apr 16 08:38:37 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         a3:07:8f:b4:a8:ec:76:fb:d1:6c:88:f6:1d:ba:e6:79:5e:19:
         59:3a:38:8d:26:d0:15:d2:22:b1:2f:a5:b0:b0:fc:49:11:00:
         0a:2a:93:22:8d:44:ec:18:c9:5d:ad:66:60:32:36:8a:55:77:
         03:9e:fb:51:b4:8e:9d:b7:d8:3b:d1:da:64:9e:ae:9f:5a:04:
         19:69:f6:e9:de:94:75:92:f4:f4:33:b6:2b:e9:8e:27:dd:40:
         9f:90:11:0f:36:d4:4a:ef:af:55:08:ec:87:81:c6:7c:38:02:
         fb:e2:d9:77:61:dc:2a:2c:61:c5:36:aa:6e:34:59:77:fe:47:
         81:6d:02:15:e5:4b:f2:1f:ae:b3:e0:2e:5e:49:9d:c1:51:f9:
         2e:69:d5:5f:9b:26:25:20:d9:88:ac:30:94:e2:25:e5:ee:17:
         f4:62:ca:ea:be:af:aa:7a:07:e7:e5:91:24:80:cc:52:9b:30:
         e2:3e:59:66:2a:77:28:7b:6a:10:99:a3:a3:27:30:17:a1:94:
         49:bb:ae:eb:7f:53:d9:07:a5:0c:8f:b0:97:0a:cb:42:d8:37:
         22:d9:0b:48:5e:a9:a0:13:78:0d:71:5b:76:25:11:f2:62:7b:
         e7:a5:f5:52:03:a6:25:ea:3a:da:d6:37:5a:55:ed:89:3e:67:
         6f:b7:d7:a9:75:94:e8:17:af:cc:87:ed:bb:4d:19:3c:ee:af:
         a5:4d:fe:5e:f9:80:7a:16:4d:8c:99:36:77:75:e7:81:03:05:
         92:91:01:5c:5e:d7:d0:d3:2b:ef:62:cd:20:5b:1b:40:30:29:
         41:83:c6:7b:cc:29:2a:c3:6c:76:88:ed:a8:ac:be:83:00:7b:
         56:c6:de:97:cf:6a:a5:bd:38:1e:84:b1:00:37:e5:85:15:eb:
         86:51:f8:51:f6:e4:7e:2e:25:e2:8b:10:7d:3e:a6:4d:e5:bd:
         cb:8b:1e:2f:71:60:83:e5:75:1b:91:87:90:39:4a:67:88:87:
         51:d3:b9:ff:0a:f6:36:3c:ba:a0:ae:32:6d:48:d7:e0:3d:20:
         06:b5:ae:05:74:ab:13:84:49:dc:d7:91:c3:48:38:2d:b3:e9:
         b7:f0:13:9d:54:44:f1:5c:52:35:95:f5:da:9c:85:62:3f:28:
         3a:c1:8a:32:e9:f6:f6:93:d2:40:7f:8a:71:20:6e:04:2f:2f:
         33:2b:ac:2a:bb:33:b1:09:4d:4b:67:69:a9:48:a7:a7:a4:cb:
         7e:61:fb:3e:85:dd:1f:99:8b:35:d6:7d:75:9d:34:61:84:8e:
         46:39:e7:4b:09:e3:00:44:69:24:73:ac:37:82:73:1b:42:0d:
         1f:60:5a:e7:47:6c:5f:a6
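The whole lifecycle above, from CA setup through signing, revocation and CRL generation, in one non-interactive script, plus the check the walkthrough does not show: verifying the issued certificate against the CA, and again against the CRL after revocation. This is an added example, not the page's or its author's code; it uses a temporary directory and a minimal config in place of /etc/pki/CA and /etc/pki/tls/openssl.cnf, constructed subject names, and 2048-bit keys.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir (stand-in for /etc/pki/CA); subjects are
# constructed. Needs only the openssl command line tool.
set -eu
ca_lifecycle() {
    CADIR=$(mktemp -d)
    mkdir -p "$CADIR/newcerts" "$CADIR/private"
    touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"   # index database and first serial
    # minimal stand-in for the page's openssl.cnf; dir points at the temp CA
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null &&   # CA key (private/cakey.pem)
    openssl req -new -x509 -days 3650 -config "$CADIR/openssl.cnf" -extensions v3_ca \
        -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" -subj "/C=CN/ST=beijing/O=magedu/CN=ca.magedu.com" &&
    openssl genrsa -out "$CADIR/test.key" 2048 2>/dev/null &&            # client key; -subj replaces the prompts
    openssl req -new -config "$CADIR/openssl.cnf" -key "$CADIR/test.key" -out "$CADIR/test.csr" \
        -subj "/C=CN/ST=beijing/O=magedu/CN=www.mylinuxops.com" &&      # C/ST/O match the CA, as policy_match requires
    openssl ca -batch -config "$CADIR/openssl.cnf" -days 365 -in "$CADIR/test.csr" -out "$CADIR/test.crt" 2>/dev/null &&
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/test.crt" | grep -q 'OK$' &&   # chain verifies before revocation
    openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/newcerts/01.pem" 2>/dev/null &&
    openssl ca -config "$CADIR/openssl.cnf" -gencrl -crldays 30 -out "$CADIR/crl.pem" 2>/dev/null &&
    openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/crl.pem" "$CADIR/test.crt" 2>&1 |
        grep -q 'certificate revoked'                                   # the CRL now rejects serial 01
}
ca_lifecycle && echo "issued, verified, revoked; CRL check rejects serial 01" || exit 1
```

The script prints one line on success and exits non-zero if any step fails, if the chain does not verify, or if the CRL check does not reject the revoked serial.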
Creating a private CA with a script
#!/bin/bash
PS3="please choose a number: "
select menu in 创建CA 申请证书 签发证书 退出;do
    case $menu in
    创建CA)                         # create the CA (section I above)
        cd /etc/pki/CA || exit 1
        touch index.txt             # certificate index database
        echo 01 > serial            # first serial number to issue
        (umask 066;openssl genrsa -out private/cakey.pem 4096)
        openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
        ;;
    申请证书)                       # request a certificate (section II above)
        read -p "please input your need crt appdir: " APPDIR
        read -p "please input your need crt app name: " NAME
        read -p "please input CA server ip: " IP
        cd "$APPDIR" || exit 1
        (umask 066;openssl genrsa -out "${NAME}.key" 2048)
        openssl req -new -key "${NAME}.key" -out "${NAME}.csr"
        scp "${NAME}.csr" "${IP}:/tmp"
        unset IP
        ;;
    签发证书)                       # sign a certificate (section III above)
        read -p "please input client ip: " IP
        NAME=$(cd /tmp; ls *.csr)
        NAME=${NAME%.csr}           # strip the suffix so the paths below do not become name.csr.csr
        openssl ca -in "/tmp/${NAME}.csr" -out "/etc/pki/CA/certs/${NAME}.crt"
        rm -f /tmp/*.csr
        scp "/etc/pki/CA/certs/${NAME}.crt" "${IP}:/tmp"
        unset IP
        ;;
    退出)                           # quit
        break
        ;;
    esac
done