CA中心构建及证书签发实录

What is the CA ?

CA中心又称CA机构,即证书授权中心(Certificate Authority ),或称证书授权机构,作为电子商务交易中受信任的第三方,承担公钥体系中公钥的合法性检验的责任,在这个互联网社会中,更是充当了安全认证的重要一环,因此,对于运维人员而言,掌握CA构建、签署及请求CA证书,也是一门基本技术要求。

本实验中,我们将通过开源工具OpenSSL构建一个私有CA中心,并以其为根CA,设立一个子CA机构,并为Client提供证书签署服务。

环境说明:

  • rootCA, IP:172.18.1.100
  • childCA, IP:172.18.254.127
  • Client, IP:172.18.254.125

1. 首先,我们需要在各个主机上安装OpenSSL组件,即openssl, openssl-libs及nss; 绝大部分类Unix系统都默认安装该组件,如不确定可以运行以下命令

rpm -qa "openssl*" "nss"
# openssl-libs-1.0.1e-60.el7.x86_64
# openssl-1.0.1e-60.el7.x86_64
# nss-3.21.0-17.el7.x86_64

如果没有安装,再运行以下命令即可:

yum -y install openssl openssl-libs nss

2. 现在,我们来搭建根CA

  • 构建证书索引数据库文件和指明第一个颁发的证书的序列号
[root@rootCA ~]# touch /etc/pki/CA/index.txt
[root@rootCA ~]# echo "01" > /etc/pki/CA/serial
[root@rootCA ~]# tree /etc/pki/CA//etc/pki/CA/
├── certs
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
├── private
├── serial
└── serial.old

5 directories, 5 files
  • 生成根CA私钥文件。这里特别需要注意的是*CA的密钥文件名称必须为cakey .pem,且路径应在/etc/pki/CA/private下*
[root@rootCA ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey
.pem -des 2048)  #这里指定了使用2048位密钥,并使用des加密算法。
Generating RSA private key, 2048 bit long modulus
...........+++
........+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  • 生成自签署证书。这里特别需要注意的是CA的密钥文件名称必须为cacert.pem,且路径应在/etc/pki/CA/下
[root@rootCA ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7000 -out /etc/pki/CA/cacert.pem  #-x509: 专用于CA生成自签证书,非CA不可用该选项*
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #自建CA时,该选项值必须都一样
State or Province Name (full name) []:FUJIAN  #自建CA时,该选项值必须都一样
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn  #自建CA时,该选项值必须都一样
Organizational Unit Name (eg, section) []:ca  #部门
Common Name (eg, your name or your server's hostname) []:ca.zhimajihua.cn  #主机名,必须唯一
Email Address []:
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 7 files

至此,根CA搭建完成,但是子CA还需要从零构建。我们继续。

3. 搭建子CA

  • 同构建根CA类似,我们需要先创建必要文件
[root@childCA ~]# touch /etc/pki/CA/index.txt
[root@childCA ~]# echo "01" > /etc/pki/CA/serial
  • 创建子CA的私钥
[root@childCA ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.
pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
....................................+++
e is 65537 (0x10001)
  • 生成证书签署请求。注意:由于这是子CA,而子CA的证书同普通用户一样,都是由上级机构签发的,所以此处不带 -x509
[root@childCA ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out /
etc/pki/CA/childCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #此处参看CA自签的要求部分
State or Province Name (full name) []:FUJIAN
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn
Organizational Unit Name (eg, section) []:2ca
Common Name (eg, your name or your server's hostname) []:2ca.zhimajihua.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • 将请求文件传送给根CA
[root@childCA ~]# scp /etc/pki/CA/childCA.csr root@172.18.1.100:/etc/pki/CA/
  • 在根CA上核对并签发证书(如确认信息准确无误)
[root@rootCA ~]# openssl ca -in /etc/pki/CA/childCA.csr -out /etc/pki/CA/cer
ts/2ca.crt -days 3500
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 10 15:43:40 2017 GMT
            Not After : Apr 11 15:43:40 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FUJIAN
            organizationName          = zhimajihua.cn
            organizationalUnitName    = 2ca
            commonName                = 2ca.zhimajihua.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3E:34:D5:4D:46:2F:79:00:15:3B:A8:FF:65:DE:64:D8:AD:DC:AF:CC
            X509v3 Authority Key Identifier:
                keyid:05:86:32:6A:21:23:31:6C:D9:3B:7A:0D:DB:66:84:69:79:14:
81:E4

Certificate is to be certified until Apr 11 15:43:40 2027 GMT (3500 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── 2ca.crt
├── childCA.csr
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 11 files
  • 将签署后的证书回传给子CA
[root@rootCA ~]# scp /etc/pki/CA/certs/2ca.crt root@172.18.254.127:/etc/pki/CA/cacert.pem
  • 在子CA上查看证书,确认无误即生效
[root@childCA ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── childCA.csr
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
[root@childCA ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

4. 现在我们可以在客户端向二级CA申请签发证书

  • 首先,当然是先生成客户端自身的密钥文件,以便生成证书签署请求的使用
[root@Client ~]# (umask 066; openssl genrsa -out opt.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
........................+++
e is 65537 (0x10001)
  • 生成证书请求
[root@Client ~]# openssl req -new -key opt.key -out opt.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #此处参看CA自签的要求部分
State or Province Name (full name) []:FUJIAN
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:opt.zhimajihua.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • 将请求文件传送给二级CA机构
[root@Client ~]# scp opt.csr root@172.18.254.127:/etc/pki/CA/opt.csr
  • 二级CA签署证书
[root@childCA CA]# openssl ca -in opt.csr -out certs/opt.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep 10 09:26:18 2017 GMT
            Not After : Sep 10 09:26:18 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FUJIAN
            organizationName          = zhimajihua.cn
            organizationalUnitName    = opt
            commonName                = opt.zhimajihua.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CC:A2:E1:95:C6:1D:61:FA:9A:D6:A9:AE:88:FE:99:BC:1C:D3:6C:A8
            X509v3 Authority Key Identifier:
                keyid:3E:34:D5:4D:46:2F:79:00:15:3B:A8:FF:65:DE:64:D8:AD:DC:
AF:CC

Certificate is to be certified until Sep 10 09:26:18 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  • 将签署后的证书回传给客户端
[root@childCA CA]# scp certs/opt.crt root@172.18.254.125:/root
  • 客户端查收证书文件,然后可以根据实际需求使用该证书。

[root@Client ~]# tree

└── opt.crt

5. 至此,CA中心的构建和证书申请就全部结束了。如果想确认证书是否生效,可以将对应证书导入IE的证书项中,导入后,你应该可以看到类似这样的证书层级关系。


本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

扫码关注云+社区

领取腾讯云代金券