
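Building a Private CA and Issuing Certificates

Some concepts:

PKI: Public Key Infrastructure

  • Certificate authority: CA (Certificate Authority)
  • Registration authority: RA (Registration Authority)
  • Certificate revocation list: CRL (Certificate Revocation List)
  • Certificate repository

X.509: the standard that defines the structure of certificates and the authentication protocol. A certificate includes the version number, serial number, signature algorithm, issuer, validity period, subject name, subject public key, CRL distribution points, extensions, the issuer's signature, and so on.

There are two ways to obtain a certificate:

  • Use a certificate authority
      • Generate a certificate signing request (CSR)
      • Send the CSR to the CA
      • Receive the signed certificate from the CA
  • Use a self-signed certificate
      • Sign your own public key yourself

This article focuses on building a private CA and on self-signing.

Building a private CA and self-signing

The experiment uses two servers: one acts as the CA and issues certificates, the other requests a signed certificate.

Certificate request and signing steps:

  1. Generate the request
  2. The CA verifies the request
  3. The CA signs the request
  4. Obtain the certificate

First, look at the OpenSSL configuration file: /etc/pki/tls/openssl.cnf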

```ini
####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section (the default CA configuration is CA_default, the first section below)
####################################################################
[ CA_default ]
dir     = /etc/pki/CA       # Where everything is kept (the dir variable)
certs       = $dir/certs       # Where the issued certs are kept (directory of issued certificates)
crl_dir     = $dir/crl     # Where the issued crl are kept (directory of revocation lists)
database    = $dir/index.txt   # database index file. (database index file)
new_certs_dir   = $dir/newcerts        # default place for new certs. (default location of new certificates)
certificate = $dir/cacert.pem  # The CA certificate (the CA's certificate)
serial      = $dir/serial      # The current serial number (current serial number; empty by default, can be set to start from 01)
crlnumber   = $dir/crlnumber   # the current crl number (number of the next CRL)
                    # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem         # The current CRL (the current revocation list)
private_key = $dir/private/cakey.pem# The private key (the CA's private key)
RANDFILE    = $dir/private/.rand   # private random number file (random number file)
x509_extensions = usr_cert      # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options (subject / subscriber options)
cert_opt    = ca_default        # Certificate field options (certificate field options)
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext
default_days    = 365           # how long to certify for (default validity is 365 days)
default_crl_days= 30            # how long before next CRL
default_md  = sha256        # use SHA-256 by default
preserve    = no            # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match  # which matching policy to apply
# For the CA policy
[ policy_match ]
countryName     = match   # country name must match the CA's
stateOrProvinceName = match  # state or province name must match the CA's
organizationName    = match  # organization name must match the CA's
organizationalUnitName  = optional # organizational unit name is optional
commonName      = supplied # common name must be supplied
emailAddress        = optional # email address is optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
####################################################################
```

Pay particular attention to the following parameters:

```ini
dir             = /etc/pki/CA           # Where everything is kept (the dir variable)
certs           = $dir/certs            # Where the issued certs are kept (directory of issued certificates)
database        = $dir/index.txt        # database index file. (database index file)
new_certs_dir   = $dir/newcerts         # default place for new certs. (default location of new certificates)
certificate     = $dir/cacert.pem       # The CA certificate (the CA's certificate)
serial          = $dir/serial           # The current serial number (current serial number; empty by default, can be set to start from 01)
private_key     = $dir/private/cakey.pem# The private key (the CA's private key)
```

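1. Create the required files

Create the certificate index database file:

```bash
touch /etc/pki/CA/index.txt
```

Set the serial number of the first certificate to be issued. It is a hexadecimal number; it could start from 1a, for example, but usually starts from 01:

```bash
echo 01 > /etc/pki/CA/serial
```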

2. Self-sign the CA certificate

Run the following on the server that acts as the CA:

  • Generate the private key

```bash
[root@aliyun ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....++
..............................................++
```

  • Generate the self-signed certificate

```bash
[root@aliyun ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:shangdigongsi
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:centos
Email Address []:1353250703@qq.com
```

Parameters:

  • -new: generate a new certificate signing request
  • -x509: used by a CA to generate a self-signed certificate
  • -key: the private key file used when generating the request
  • -days n: the validity period of the certificate
  • -out /PATH/TO/SOMECERTFILE: the path where the certificate is saved

3. Issue a certificate
  • On the host that needs the certificate, generate a certificate request. (For example, first generate a private key for a server that hosts a blog web service.)

```bash
[root@aliyun ~]#(umask 066; openssl genrsa -out /etc/pki/tls/private/blog.key 4096)
Generating RSA private key, 4096 bit long modulus
.....................................++
......................................................................................................................++
e is 65537 (0x10001)
```

  • Generate the certificate request file

```bash
[root@aliyun ~]#openssl req -new -key /etc/pki/tls/private/blog.key -days 3560 -out /etc/pki/tls/blog.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Bejing
Organization Name (eg, company) [Default Company Ltd]:shangdigongsi
Organizational Unit Name (eg, section) []:centos
Common Name (eg, your name or your server's hostname) []:opt
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

The `-days` option is ignored when `openssl req` produces a request without `-x509`; the validity period is set by the CA when it signs.

  • Transfer the certificate request file to the CA

```bash
[root@aliyun ~]#scp /etc/pki/tls/blog.csr root@172.16.111.100:/tmp/
root@172.16.111.100's password
blog.csr 100% 1773 1.7Mb/s
```
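  • The CA signs the certificate and issues it to the requester

![openssl](http://zhangqifei.top/picture/ifeier/data/ca.jpg)

> Note: by default, the country, state/province and organization name must be identical to the CA's.

  • Send the blog.crt certificate back to the requester, who can then use it.

> The certificate can be deployed on the web site. For example, Tomcat has a dedicated place for storing certificates, and the certificate may also need to be converted to another format; how to use it is omitted here.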
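The matching rule in the note above can be checked on the CA before signing. The script below is an added example, not part of the original post: it compares a request's subject with the CA's subject using the `[ policy_match ]` rules from the configuration file. The function names `dn_field` and `policy_match_check` are hypothetical, and subjects are assumed to be in the slash-separated form with no `/` inside a value.

```bash
#!/bin/sh
# Added example: pre-check a request's subject against [ policy_match ]
# before signing it with `openssl ca`. Helper names are hypothetical.

# dn_field DN KEY -> prints the value of the first KEY= component
dn_field() {
    printf '%s\n' "$1" | awk -F '/' -v key="$2" '{
        for (i = 2; i <= NF; i++)
            if (index($i, key "=") == 1) {
                print substr($i, length(key) + 2)
                exit
            }
    }'
}

# policy_match_check CA_DN REQ_DN -> prints one line per violation;
# empty output means the subject satisfies policy_match.
policy_match_check() {
    for key in C ST O; do   # countryName, stateOrProvinceName, organizationName = match
        ca_val=$(dn_field "$1" "$key")
        req_val=$(dn_field "$2" "$key")
        if [ -z "$req_val" ] || [ "$ca_val" != "$req_val" ]; then
            echo "$key: request has '$req_val', CA has '$ca_val' (must match)"
        fi
    done
    if [ -z "$(dn_field "$2" CN)" ]; then   # commonName = supplied
        echo "CN: missing (must be supplied)"
    fi
}

# Subject fields as typed in the article (email omitted). L and OU differ
# between CA and request, which policy_match does not compare.
CA_DN='/C=CN/ST=Beijing/L=Beijing/O=shangdigongsi/OU=opt/CN=centos'
REQ_DN='/C=CN/ST=Beijing/L=Bejing/O=shangdigongsi/OU=centos/CN=opt'
# Constructed counter-example: the same request with another organization.
BAD_DN='/C=CN/ST=Beijing/L=Bejing/O=othercompany/OU=centos/CN=opt'

echo "article request:";         policy_match_check "$CA_DN" "$REQ_DN"
echo "constructed bad request:"; policy_match_check "$CA_DN" "$BAD_DN"
```
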

4. Revoke a certificate

  • On the client, get the serial of the certificate to be revoked:

```bash
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
```

  • On the CA, compare the serial and subject submitted by the client with the information in index.txt; if they are consistent, revoke the certificate:

```bash
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
```

  • Set the starting CRL number:

```bash
echo 01 > /etc/pki/CA/crlnumber
```

Note: setting the number is only needed before the certificate revocation list is updated for the first time.

  • Update the certificate revocation list:

```bash
openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
```

  • View the CRL file:

```bash
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
```
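The comparison against index.txt in the revocation step can be scripted. The following is an added example, not part of the original post: it looks up a submitted serial in the CA database and reports whether the subject matches and whether the entry is still valid. The function name `check_revoke_request` is hypothetical, the database contents are constructed, and the subject is assumed to be given in the same slash-separated form that index.txt stores.

```bash
#!/bin/sh
# Added example: validate a revocation request against the CA database
# before running `openssl ca -revoke`.
# index.txt is tab-separated: status (V valid, R revoked, E expired),
# expiry date, revocation date, serial (hex), file name, subject DN.

# check_revoke_request INDEX SERIAL SUBJECT -> prints one verdict word
check_revoke_request() {
    serial=${2#serial=}     # accept "serial=01" as printed by x509 -serial
    awk -F '\t' -v serial="$serial" -v subject="$3" '
        BEGIN { verdict = "not-found"; serial = toupper(serial) }
        toupper($4) == serial {
            if ($6 != subject)  verdict = "subject-mismatch"
            else if ($1 == "R") verdict = "already-revoked"
            else if ($1 == "E") verdict = "expired"
            else                verdict = "ok"
            exit
        }
        END { print verdict }
    ' "$1"
}

# Constructed sample database (two entries) in a temporary file.
INDEX=$(mktemp)
trap 'rm -f "$INDEX"' EXIT
printf 'V\t290101000000Z\t\t01\tunknown\t%s\n' \
    '/C=CN/ST=Beijing/O=shangdigongsi/OU=centos/CN=opt' > "$INDEX"
printf 'R\t290101000000Z\t240601120000Z\t02\tunknown\t%s\n' \
    '/C=CN/ST=Beijing/O=shangdigongsi/CN=old.example.test' >> "$INDEX"

# Matching request, wrong subject, already revoked, unknown serial.
check_revoke_request "$INDEX" serial=01 '/C=CN/ST=Beijing/O=shangdigongsi/OU=centos/CN=opt'
check_revoke_request "$INDEX" 01 '/C=CN/ST=Beijing/O=shangdigongsi/CN=someone-else'
check_revoke_request "$INDEX" 02 '/C=CN/ST=Beijing/O=shangdigongsi/CN=old.example.test'
check_revoke_request "$INDEX" 0A '/C=CN/ST=Beijing/O=shangdigongsi/OU=centos/CN=opt'
```

Only a verdict of `ok` means the submitted serial and subject agree with a currently valid entry.
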
