What is a CA?
A CA, or Certificate Authority (also called a certification authority), is the trusted third party in electronic commerce that is responsible for vouching for the legitimacy of public keys in a public-key infrastructure. It is an essential link in security authentication across the Internet, so for operations staff, knowing how to build a CA, sign certificates and request certificates from a CA is a basic skill.
In this lab we use the open-source tool OpenSSL to build a private CA, use it as the root CA to set up a subordinate CA, and have the subordinate CA issue certificates for a client.
Environment notes:
1. First, install the OpenSSL packages on every host: openssl, openssl-libs and nss. Most Unix-like systems install them by default; if you are not sure, run the following command:
rpm -qa "openssl*" "nss"
# openssl-libs-1.0.1e-60.el7.x86_64
# openssl-1.0.1e-60.el7.x86_64
# nss-3.21.0-17.el7.x86_64
If they are not installed, run:
yum -y install openssl openssl-libs nss
2. Now let's build the root CA
[root@rootCA ~]# touch /etc/pki/CA/index.txt
[root@rootCA ~]# echo "01" > /etc/pki/CA/serial
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
├── private
├── serial
└── serial.old
5 directories, 5 files
[root@rootCA ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des 2048) # 2048-bit key; the key file is encrypted with DES (single DES is weak, -aes256 is the modern choice)
Generating RSA private key, 2048 bit long modulus
...........+++
........+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@rootCA ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7000 -out /etc/pki/CA/cacert.pem # -x509: only for a CA generating its own self-signed certificate; do not use it for non-CA requests
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # with a self-built CA this value must match in every request it signs (default policy_match in openssl.cnf)
State or Province Name (full name) []:FUJIAN # with a self-built CA this value must match in every request it signs
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn # with a self-built CA this value must match in every request it signs
Organizational Unit Name (eg, section) []:ca # department
Common Name (eg, your name or your server's hostname) []:ca.zhimajihua.cn # hostname, must be unique
Email Address []:
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 7 files
At this point the root CA is complete, but the subordinate CA still has to be built from scratch. Let's continue.
3. Building the subordinate CA
[root@childCA ~]# touch /etc/pki/CA/index.txt
[root@childCA ~]# echo "01" > /etc/pki/CA/serial
[root@childCA ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
....................................+++
e is 65537 (0x10001)
[root@childCA ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/childCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # see the matching requirements under the CA self-signed certificate above
State or Province Name (full name) []:FUJIAN
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn
Organizational Unit Name (eg, section) []:2ca
Common Name (eg, your name or your server's hostname) []:2ca.zhimajihua.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@childCA ~]# scp /etc/pki/CA/childCA.csr root@172.18.1.100:/etc/pki/CA/
[root@rootCA ~]# openssl ca -in /etc/pki/CA/childCA.csr -out /etc/pki/CA/certs/2ca.crt -days 3500
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 15:43:40 2017 GMT
Not After : Apr 11 15:43:40 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = FUJIAN
organizationName = zhimajihua.cn
organizationalUnitName = 2ca
commonName = 2ca.zhimajihua.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3E:34:D5:4D:46:2F:79:00:15:3B:A8:FF:65:DE:64:D8:AD:DC:AF:CC
X509v3 Authority Key Identifier:
keyid:05:86:32:6A:21:23:31:6C:D9:3B:7A:0D:DB:66:84:69:79:14:81:E4
Certificate is to be certified until Apr 11 15:43:40 2027 GMT (3500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── 2ca.crt
├── childCA.csr
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 11 files
[root@rootCA ~]# scp /etc/pki/CA/certs/2ca.crt root@172.18.254.127:/etc/pki/CA/cacert.pem
[root@childCA ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── childCA.csr
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
[root@childCA ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
4. Now we can request a certificate from the second-level CA on the client
[root@Client ~]# (umask 066; openssl genrsa -out opt.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
........................+++
e is 65537 (0x10001)
[root@Client ~]# openssl req -new -key opt.key -out opt.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # see the matching requirements under the CA self-signed certificate above
State or Province Name (full name) []:FUJIAN
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:opt.zhimajihua.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Client ~]# scp opt.csr root@172.18.254.127:/etc/pki/CA/opt.csr
[root@childCA CA]# openssl ca -in opt.csr -out certs/opt.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Sep 10 09:26:18 2017 GMT
Not After : Sep 10 09:26:18 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = FUJIAN
organizationName = zhimajihua.cn
organizationalUnitName = opt
commonName = opt.zhimajihua.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CC:A2:E1:95:C6:1D:61:FA:9A:D6:A9:AE:88:FE:99:BC:1C:D3:6C:A8
X509v3 Authority Key Identifier:
keyid:3E:34:D5:4D:46:2F:79:00:15:3B:A8:FF:65:DE:64:D8:AD:DC:AF:CC
Certificate is to be certified until Sep 10 09:26:18 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@childCA CA]# scp certs/opt.crt root@172.18.254.125:/root
[root@Client ~]# tree
└── opt.crt
5. This completes the build of the CA hierarchy and the certificate request. To confirm that the certificate is valid, import it into the certificate store in IE; after importing, you should see a certificate hierarchy similar to this.
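To check the chain without a browser, here is an added example (not code from the tutorial) that rebuilds the three-tier root -> 2ca -> opt chain non-interactively and runs openssl verify against it; it assumes only the openssl CLI, and the subjects, file names and the v3_ca/usr_cert profiles below are constructed to mirror the default openssl.cnf sections.

```shell
#!/bin/sh
# Added example, not from the tutorial: rebuild the root -> 2ca -> opt chain
# non-interactively and run the chain check. Subjects/paths are constructed.
set -e
WORK=$(mktemp -d)
CNF="$WORK/ext.cnf"
# v3_ca is what an intermediate needs; usr_cert is the CA:FALSE profile `openssl ca` applies by default.
cat > "$CNF" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# sign NAME SUBJECT EXTSECTION ISSUER: self-signed root when ISSUER is "self".
sign() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    if [ "$4" = self ]; then
        openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 7000 \
            -config "$CNF" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$CNF" \
            -out "$WORK/$1.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" \
            -CAkey "$WORK/$4.key" -CAcreateserial -days 365 -extfile "$CNF" \
            -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
    fi
}
# chain_ok INTERMEDIATE_EXT: build the chain, then verify the leaf against the
# root with 2ca as an untrusted intermediate; succeeds only if 2ca is a real CA.
chain_ok() {
    sign root "/C=CN/O=zhimajihua.cn/CN=ca.zhimajihua.cn" v3_ca self
    sign 2ca "/C=CN/O=zhimajihua.cn/CN=2ca.zhimajihua.cn" "$1" root
    sign opt "/C=CN/O=zhimajihua.cn/CN=opt.zhimajihua.cn" usr_cert 2ca
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/2ca.crt" \
        "$WORK/opt.crt" 2>&1 | grep -q ': OK$'
}
chain_ok v3_ca && echo "2ca signed with v3_ca:    chain OK"
chain_ok usr_cert || echo "2ca signed with usr_cert: chain rejected (CA:FALSE)"
```

Against the tutorial's own files the equivalent check is openssl verify -CAfile cacert.pem -untrusted certs/2ca.crt opt.crt on the root CA host, and with the 2ca.crt shown above it fails: openssl ca applied its default usr_cert profile (CA:FALSE, visible in the signing output), so the subordinate must be re-signed with -extensions v3_ca before certificates it issues will chain to the root.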