
Building a CA and Issuing Certificates: A Hands-on Record

用户1456517
Published 2019-03-05 16:14:11
Column: 芝麻实验室

What is a CA?

A CA, the Certificate Authority (also called a certification authority), is the trusted third party in electronic transactions: it takes responsibility for checking the legitimacy of public keys in a public key infrastructure, and it is a key link in authentication across today's Internet. Building a CA, signing certificates and requesting certificates from a CA are therefore basic skills for an operations engineer.

In this lab we use the open-source OpenSSL toolkit to build a private CA: a root CA, a subordinate (child) CA whose certificate is issued by the root, and a certificate signing service that the subordinate CA provides to a client.

Environment:

  • rootCA, IP:172.18.1.100
  • childCA, IP:172.18.254.127
  • Client, IP:172.18.254.125

1. First, install the OpenSSL components on every host: openssl, openssl-libs and nss. Almost all Unix-like systems ship them by default; if unsure, check with:

rpm -qa "openssl*" "nss"
# openssl-libs-1.0.1e-60.el7.x86_64
# openssl-1.0.1e-60.el7.x86_64
# nss-3.21.0-17.el7.x86_64

If they are not installed, run:

yum -y install openssl openssl-libs nss

2. Now we build the root CA

  • Create the certificate index database file and set the serial number of the first certificate to be issued (openssl ca reads both from the database and serial settings in openssl.cnf)
[root@rootCA ~]# touch /etc/pki/CA/index.txt
[root@rootCA ~]# echo "01" > /etc/pki/CA/serial
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
├── private
├── serial
└── serial.old

5 directories, 5 files
(A fresh install has only the certs, crl, newcerts and private directories; the index.txt.attr and *.old files in this listing are written by openssl ca on earlier runs, and the csr directory is not created by the package.)
  • Generate the root CA's private key. Note that the default /etc/pki/tls/openssl.cnf expects the CA key at /etc/pki/CA/private/cakey.pem (private_key = $dir/private/cakey.pem), so keep that file name and path unless you change the config.
[root@rootCA ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des 2048)  # 2048-bit key; umask 066 gives the file mode 0600. -des encrypts the key with single DES, which is obsolete: prefer -aes256
Generating RSA private key, 2048 bit long modulus
...........+++
........+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  • Generate the self-signed certificate. Note that the CA's certificate file must be named cacert.pem and live in /etc/pki/CA/ (certificate = $dir/cacert.pem in the default openssl.cnf).
[root@rootCA ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7000 -out /etc/pki/CA/cacert.pem  # -x509: emit a self-signed certificate instead of a CSR. Only the root CA is self-signed; every other certificate is issued by a CA from a CSR. With the default openssl.cnf ([req] x509_extensions = v3_ca) this certificate carries basicConstraints CA:TRUE
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # for a private CA this value must be the same in every request: the default policy_match in openssl.cnf requires C, ST and O of a request to equal the CA's, or openssl ca rejects it
State or Province Name (full name) []:FUJIAN  # must match across the hierarchy (see above)
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn  # must match across the hierarchy (see above)
Organizational Unit Name (eg, section) []:ca  # department
Common Name (eg, your name or your server's hostname) []:ca.zhimajihua.cn  # host name; must be unique, since openssl ca (unique_subject = yes) refuses a second certificate with an identical subject
Email Address []:
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 7 files

The root CA is now in place, but the subordinate CA still has to be built from scratch. Let's continue.

3. Build the subordinate CA

  • As with the root CA, create the required files first
[root@childCA ~]# touch /etc/pki/CA/index.txt
[root@childCA ~]# echo "01" > /etc/pki/CA/serial
  • Create the subordinate CA's private key (here without a passphrase, unlike the root key)
[root@childCA ~]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
....................................+++
e is 65537 (0x10001)
  • Generate the certificate signing request. Note: this is a subordinate CA, and like any ordinary subject its certificate is issued by the parent CA, so -x509 is not used here
[root@childCA ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/childCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # see the matching rule noted for the root CA: C, ST and O must equal the signing CA's
State or Province Name (full name) []:FUJIAN
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn
Organizational Unit Name (eg, section) []:2ca
Common Name (eg, your name or your server's hostname) []:2ca.zhimajihua.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Send the request file to the root CA
[root@childCA ~]# scp /etc/pki/CA/childCA.csr root@172.18.1.100:/etc/pki/CA/
  • On the root CA, check the request and sign it (once the details are confirmed correct). Look closely at the output: the certificate is issued with X509v3 Basic Constraints CA:FALSE, because openssl ca applies the usr_cert extension section of openssl.cnf unless told otherwise. A subordinate CA certificate must carry CA:TRUE; with CA:FALSE, every certificate the subordinate later issues fails chain validation (OpenSSL reports "invalid CA certificate"). Sign CA requests with -extensions v3_ca, the CA profile already defined in the default openssl.cnf.
[root@rootCA ~]# openssl ca -in /etc/pki/CA/childCA.csr -out /etc/pki/CA/certs/2ca.crt -days 3500
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 10 15:43:40 2017 GMT
            Not After : Apr 11 15:43:40 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FUJIAN
            organizationName          = zhimajihua.cn
            organizationalUnitName    = 2ca
            commonName                = 2ca.zhimajihua.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3E:34:D5:4D:46:2F:79:00:15:3B:A8:FF:65:DE:64:D8:AD:DC:AF:CC
            X509v3 Authority Key Identifier:
                keyid:05:86:32:6A:21:23:31:6C:D9:3B:7A:0D:DB:66:84:69:79:14:81:E4

Certificate is to be certified until Apr 11 15:43:40 2027 GMT (3500 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rootCA ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── 2ca.crt
├── childCA.csr
├── crl
├── csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 11 files
  • Send the signed certificate back to the subordinate CA
[root@rootCA ~]# scp /etc/pki/CA/certs/2ca.crt root@172.18.254.127:/etc/pki/CA/cacert.pem
  • On the subordinate CA, inspect the certificate; once the details check out it is in effect (it sits at /etc/pki/CA/cacert.pem, where openssl ca on this host expects its own certificate)
[root@childCA ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── childCA.csr
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
[root@childCA ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

4. Now the client can request a certificate from the second-level CA

  • First, naturally, generate the client's own key, which is needed to produce the certificate signing request
[root@Client ~]# (umask 066; openssl genrsa -out opt.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
........................+++
e is 65537 (0x10001)
  • Generate the certificate request
[root@Client ~]# openssl req -new -key opt.key -out opt.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # see the matching rule noted for the root CA: C, ST and O must equal the signing CA's
State or Province Name (full name) []:FUJIAN
Locality Name (eg, city) [Default City]:XIAMEN
Organization Name (eg, company) [Default Company Ltd]:zhimajihua.cn
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:opt.zhimajihua.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Send the request file to the second-level CA
[root@Client ~]# scp opt.csr root@172.18.254.127:/etc/pki/CA/opt.csr
  • The second-level CA signs the certificate (with the default usr_cert profile, which is what an end-entity certificate should get: CA:FALSE)
[root@childCA CA]# openssl ca -in opt.csr -out certs/opt.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep 10 09:26:18 2017 GMT
            Not After : Sep 10 09:26:18 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FUJIAN
            organizationName          = zhimajihua.cn
            organizationalUnitName    = opt
            commonName                = opt.zhimajihua.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CC:A2:E1:95:C6:1D:61:FA:9A:D6:A9:AE:88:FE:99:BC:1C:D3:6C:A8
            X509v3 Authority Key Identifier:
                keyid:3E:34:D5:4D:46:2F:79:00:15:3B:A8:FF:65:DE:64:D8:AD:DC:AF:CC

Certificate is to be certified until Sep 10 09:26:18 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  • Send the signed certificate back to the client
[root@childCA CA]# scp certs/opt.crt root@172.18.254.125:/root
  • The client receives the certificate file and can now use it as needed.

[root@Client ~]# tree

└── opt.crt

5. That completes building the CA hierarchy and requesting a certificate. To confirm the certificate works, import it into the certificate store in IE; after importing you should see a certificate hierarchy like the one below. A client that trusts only the root CA also needs the subordinate CA's certificate (2ca.crt) to build the chain, so ship it alongside the server certificate, and rather than relying on a GUI, validate the chain with openssl verify, giving it the root certificate as trusted and 2ca.crt as the untrusted intermediate.
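The whole procedure of steps 2 to 5, rebuilt non-interactively as an added example (this is not the article's code). It reproduces the article's hierarchy with `openssl req -subj` and signs with `openssl x509 -req -extfile` instead of `openssl ca`, so it needs no CA database and no system openssl.cnf; the temporary directory, the ca.cnf written inline, the helper function names and the DNS name in the SAN are assumptions. The subordinate CA's CSR is signed twice, once with the `usr_cert` profile (CA:FALSE, which is what the article's own output shows) and once with a CA profile, and `openssl verify` is run against a server certificate from each, which is the check a practitioner should perform before trusting the hierarchy.

```shell
#!/bin/sh
# Added example (not the article's own commands): the article's two-tier
# hierarchy built non-interactively, with the subordinate CA signed both
# the way the article did it (default usr_cert profile -> CA:FALSE) and
# the way a CA certificate must be signed (CA:TRUE), then path-validated.
# Assumptions: temporary directory, the ca.cnf written below, helper names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: openssl req insists on a distinguished_name section even
# when -subj is used; the rest are extension profiles. usr_cert mirrors the
# profile openssl ca applies when -extensions is not given.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[v3_intermediate_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[usr_cert]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[server_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:opt.zhimajihua.cn
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF

# Subject prefix: C, ST and O are identical across the hierarchy, as the
# policy_match rule of openssl ca would require.
O="/C=CN/ST=FUJIAN/O=zhimajihua.cn"

# newkey FILE: 2048-bit RSA key created with mode 0600 (umask 077)
newkey() { (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null); }

# csr KEY SUBJECT OUT: certificate signing request
csr() { openssl req -new -key "$1" -subj "$2" -out "$3" -config ca.cnf; }

# sign CSR CACERT CAKEY PROFILE DAYS OUT: issue a certificate from a CSR
# with an extension profile from ca.cnf (openssl ca: -extensions PROFILE)
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$5" -extfile ca.cnf -extensions "$4" -out "$6" 2>/dev/null
}

# basic_constraints CERT: prints CA:TRUE or CA:FALSE
basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}

# chain_status ROOT INTERMEDIATE LEAF: prints valid or invalid; this is the
# path validation a TLS client performs when only the root is trusted
chain_status() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

# 1. root CA: self-signed (openssl req -x509), CA:TRUE
newkey root.key
openssl req -new -x509 -key root.key -subj "$O/OU=ca/CN=ca.zhimajihua.cn" \
  -days 7000 -config ca.cnf -extensions v3_ca -out root.crt

# 2. subordinate CA: one CSR, signed twice by the root
newkey child.key
csr child.key "$O/OU=2ca/CN=2ca.zhimajihua.cn" child.csr
sign child.csr root.crt root.key usr_cert 3500 child_bad.crt             # as in the article
sign child.csr root.crt root.key v3_intermediate_ca 3500 child_good.crt  # correct

# 3. server certificate issued by each version of the subordinate CA
newkey opt.key
csr opt.key "$O/OU=opt/CN=opt.zhimajihua.cn" opt.csr
sign opt.csr child_bad.crt  child.key server_cert 365 opt_bad.crt
sign opt.csr child_good.crt child.key server_cert 365 opt_good.crt

# 4. the check the article leaves to an IE import: validate both chains
echo "article's intermediate: $(basic_constraints child_bad.crt) -> $(chain_status root.crt child_bad.crt opt_bad.crt)"
echo "fixed intermediate:     $(basic_constraints child_good.crt) -> $(chain_status root.crt child_good.crt opt_good.crt)"
# prints:
# article's intermediate: CA:FALSE -> invalid
# fixed intermediate:     CA:TRUE -> valid
```

With `openssl ca` the equivalent of the CA profile is `-extensions v3_ca`, which the default openssl.cnf already defines; `pathlen:0` on the intermediate additionally stops it from issuing further CA certificates. Because the intermediate's key is unchanged, re-signing its CSR with the CA profile is enough to repair the hierarchy: the server certificate already issued by the CA:FALSE intermediate then validates against the corrected one, since its Authority Key Identifier matches the same key.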


This article is part of the Tencent Cloud self-media sharing program, shared from the author's personal site/blog.
Originally published 2017/09/10.
