
Digital Certificate Series: CAs, and Signing User Certificates with a CA

Author: qsjs
Published 2020-06-09 10:35:45
Column: MyPanda's study notes

How do we go from a certificate request file to a certificate? Normally the CSR is sent to the appropriate trusted "certificate issuing" authority (which one depends on the X.509 information filled in when the CSR was created), and it generates the corresponding certificate file for us (issuing a certificate costs money). For a small personal site, having to pay for a "signed digital certificate" is a problem. Fortunately, we can create our own CA certificate and then use it to sign our own CSR; the only difference is that the resulting certificate is signed by us rather than by a "trusted" authority. Without further ado, let's use openssl to create the CA certificate.

First, generate the private key the CA certificate needs:

[root@localhost cert_test]# openssl genrsa -out CA_Key.key  2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................+++
..............................+++
e is 65537 (0x10001)
[root@localhost cert_test]# ls
CA_Key.key  my_cert.csr  myprivate.key  # CA_Key.key is the newly generated private key; we will use it to create the CA certificate

Although a CA certificate is special, it is still a certificate, and the command that creates it is almost the same as the one for a certificate request file (.CSR). The one difference is that a CA certificate is self-signed; to indicate this, the certificate format is specified as X.509 (the -x509 option), and only the CA certificate is produced in this format:

[root@localhost cert_test]# openssl req -new -x509 -key CA_Key.key  -out CA_Cert.pem  -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:GuanagZhou
Organization Name (eg, company) [Default Company Ltd]:mycompany
Organizational Unit Name (eg, section) []:Tech_depart
Common Name (eg, your name or your server's hostname) []:www.my.com
Email Address []:
[root@localhost cert_test]# ls
CA_Cert.pem  CA_Key.key  my_cert.csr  myprivate.key  # CA_Cert.pem is our CA certificate
[root@localhost cert_test]#

Note the information entered in the CA certificate prompts: these are the same fields we had to supply when creating the CSR. With that, our CA certificate is complete; let's inspect it:

[root@localhost cert_test]# openssl x509 -in ./CA_Cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c8:bd:28:89:97:82:a7:84
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=GuanagZhou, O=mycompany, OU=Tech_depart, CN=www.my.com
        Validity
            Not Before: Aug 18 13:31:12 2019 GMT
            Not After : Aug 17 13:31:12 2020 GMT
        Subject: C=CN, ST=GuangDong, L=GuanagZhou, O=mycompany, OU=Tech_depart, CN=www.my.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b5:85:d4:13:07:0b:f2:5a:6f:f1:7b:ff:14:46:
                    d8:cc:ae:c1:43:8c:79:d6:b4:71:c1:bf:37:84:b5:
                    ab:f0:36:5a:b3:3a:57:38:82:a3:90:e4:b1:6f:b8:
                    90:be:ba:f1:77:2f:ef:72:02:0e:c3:22:5c:04:2d:
                    a8:bd:aa:e4:b6:06:b2:eb:7c:b1:da:d5:f7:12:47:
                    91:46:e2:91:fe:29:e0:e1:71:47:05:44:c0:7c:66:
                    cd:f3:d8:6f:db:6e:66:c5:11:5a:fb:64:5d:a2:1b:
                    9f:97:96:e3:ba:a3:d7:a7:b1:cd:d7:1c:50:52:fa:
                    ad:09:68:1e:a0:b3:47:42:2e:71:e4:62:e5:26:21:
                    51:38:a8:08:67:6a:d4:78:b1:77:01:5c:3e:8d:fc:
                    72:27:79:4c:02:8a:d7:3d:4d:fe:fb:d8:ff:23:ee:
                    4c:1e:7b:5e:40:45:11:29:2e:73:37:c3:a2:a6:f9:
                    6f:8a:d0:36:91:0e:ab:2b:f5:d6:6e:24:fa:68:f2:
                    77:96:55:b7:d0:d2:da:de:c8:f9:5b:b2:fd:90:4f:
                    bb:fc:51:b6:da:f1:16:db:ee:12:2d:69:25:ba:79:
                    8e:27:d3:96:ef:72:61:65:e5:f2:8f:30:d2:23:b0:
                    d8:db:13:0b:22:2d:57:af:a3:4c:f6:6b:36:59:2e:
                    40:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                49:F6:DD:70:70:0E:AA:87:A5:7A:C1:A7:C1:A8:A3:40:DF:91:8C:89
            X509v3 Authority Key Identifier:
                keyid:49:F6:DD:70:70:0E:AA:87:A5:7A:C1:A7:C1:A8:A3:40:DF:91:8C:89

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         a2:22:fe:09:e9:5d:21:e0:d5:eb:fd:a3:4e:5b:97:8c:5d:0f:
         de:8f:23:16:a2:13:b2:d6:a1:0e:1a:21:8d:a9:18:b0:dc:ab:
         3f:43:32:56:91:07:aa:ae:8d:a6:11:59:77:38:9a:f5:63:b0:
         d1:6a:e2:ad:65:63:c1:86:22:bb:91:8a:d2:f3:91:73:8f:0f:
         3a:e2:8f:6d:46:fb:72:ad:a7:1f:01:e8:9d:72:1b:ea:b5:0b:
         1e:5c:cd:fe:8c:9c:88:97:21:b0:a0:b5:48:83:72:83:25:b9:
         73:af:5d:d7:06:c2:2b:66:4e:a4:3c:b1:7c:a3:86:14:e6:91:
         d3:1f:30:be:51:04:b6:28:66:61:9b:f7:05:17:47:11:91:dc:
         cb:9c:73:70:1b:94:9e:89:ce:5a:95:6b:a2:db:fd:f0:b2:ee:
         2a:e8:54:51:2c:be:3d:5b:67:79:1e:e1:85:59:2b:20:1b:58:
         dc:86:e6:29:a9:eb:bf:74:72:2c:f4:fe:55:b4:07:b8:9c:80:
         4c:1e:ac:73:55:44:28:40:c2:3a:29:0f:30:2f:d6:41:fa:d4:
         db:4c:e0:80:bc:3e:94:20:71:0b:1d:ef:4b:dd:87:3e:f0:e8:
         1e:50:5c:8c:48:6a:bb:44:01:bd:9a:5c:d1:f8:db:77:e4:71:
         89:ef:97:9b
[root@localhost cert_test]# 

The takeaway so far: if we request X.509 format when creating the certificate, the result is a CA certificate; otherwise it is a certificate request file (CSR).

The CA certificate is done. The reason we created a CA is to sign user certificates, so next we look at how signing works. Signing means the following: first, check that the contents of the CSR have not been tampered with or corrupted (the CSR contains the public key, so the hash that was encrypted with the private key is decrypted with that public key to obtain hash1; the plaintext summary in the CSR is hashed to obtain hash2; if hash1 and hash2 are equal, the content is intact). Then the CSR is signed: the summary information is extracted and hashed, the resulting hash is encrypted with the CA's own private key, and the encrypted value is written into a new file together with the summary and the other fields, completing the signature. Four files are involved in this process: the CSR being signed (containing the certificate's public key), the signer's certificate (here the CA certificate, containing the signer's public key), the private key used for signing (the signer's private key, here the CA's), and the file output when signing completes.

[root@localhost cert_test]# ls
CA_Cert.pem  CA_Key.key  my_cert.csr   myprivate.key
# Below is the certificate signing command; it needs the paths of four files. If the CA certificate and CA key are not specified, they are read from the openssl configuration by default; the other two file arguments must be given
[root@localhost cert_test]# openssl ca -in ./my_cert.csr  -out ./my.crt -days 365 -cert ./CA_Cert.pem  -keyfile ./CA_Key.key
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140233124767648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
140233124767648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
# According to a web search, this error is caused by a wrong format; it is fixed with the following command:
[root@localhost cert_test]# echo 01 > /etc/pki/CA/serial  
# Run the signing again
[root@localhost cert_test]# openssl ca -in ./my_cert.csr  -out ./my.crt -days 365 -cert ./CA_Cert.pem  -keyfile ./CA_Key.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 18 13:50:52 2019 GMT
            Not After : Aug 17 13:50:52 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = mycompany
            organizationalUnitName    = Tech_depart
            commonName                = www.my.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B8:21:FC:86:07:E3:80:24:31:FD:0C:5C:B5:26:6B:5A:ED:CA:F3:FF
            X509v3 Authority Key Identifier:
                keyid:49:F6:DD:70:70:0E:AA:87:A5:7A:C1:A7:C1:A8:A3:40:DF:91:8C:89

Certificate is to be certified until Aug 17 13:50:52 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost cert_test]#
[root@localhost cert_test]# ls -l
total 24
-rw-------. 1 root root 1359 Aug 18 21:31 CA_Cert.pem
-rw-------. 1 root root 1675 Aug 18 21:20 CA_Key.key
-rw-r--r--. 1 root root 1021 Aug 18 17:23 my_cert.csr
-rw-------. 1 root root 4509 Aug 18 22:12 my.crt   # this file is the signed certificate
-rw-r--r--. 1 root root 1679 Aug 18 17:18 myprivate.key
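As an added example that is not part of the original post, the POSIX shell script below reproduces both procedures above (creating the CA, then signing the CSR) end to end without the interactive prompts: it creates a self-signed CA with `openssl req -x509`, builds a CSR, signs it with `openssl ca`, and checks the result. Two things differ from the post and are my own choices, not the post's: the `openssl ca` database (`serial`, `index.txt`, `newcerts/`) is created explicitly in a temporary directory through a small `-config` file, which is the clean fix for the "error while loading serial number" message above (the `serial` file that `openssl ca` reads did not exist yet), and the CA and leaf certificates get explicit `basicConstraints` and `keyUsage` extensions. All DNs, file names and the "Demo Root CA" name are constructed for the example; the script requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not from the original post: the post's CA flow, non-interactive.
# Creates a throwaway CA with `openssl req -x509`, signs a CSR with `openssl ca`
# against a minimal CA database, and verifies the result. All paths, file names
# and DNs are constructed for the demo; the openssl CLI is required.
set -eu

# `openssl ca` needs its database: `serial` (next serial to issue), `index.txt`
# (ledger of issued certs) and `newcerts/`. "error while loading serial number"
# means the `serial` file named in the config does not exist yet.
make_ca_config() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
database        = $ca_dir/index.txt
new_certs_dir   = $ca_dir/newcerts
serial          = $ca_dir/serial
default_md      = sha256
policy          = demo_policy
x509_extensions = leaf_ext

[ demo_policy ]
commonName              = supplied
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional

[ leaf_ext ]
basicConstraints        = critical, CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid

[ req ]
distinguished_name      = req_dn
x509_extensions         = ca_ext

[ req_dn ]
commonName              = Common Name

[ ca_ext ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
EOF
}

# Same `openssl req -new` as for a CSR plus -x509, so the output is a self-signed
# certificate rather than a request; -subj stands in for the interactive prompts.
make_ca() {
    openssl genrsa -out "$1/CA_Key.key" 2048
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/CA_Key.key" -days 365 \
        -subj "/C=CN/ST=GuangDong/O=mycompany/OU=Tech_depart/CN=Demo Root CA" \
        -out "$1/CA_Cert.pem"
}

make_csr() {
    openssl genrsa -out "$1/myprivate.key" 2048
    openssl req -new -config "$1/openssl.cnf" -key "$1/myprivate.key" \
        -subj "/C=CN/ST=GuangDong/O=mycompany/OU=Tech_depart/CN=www.my.com" \
        -out "$1/my_cert.csr"
}

# The post's signing command, pointed at our database via -config; -batch answers
# the two y/n prompts and -notext keeps the text dump out of my.crt.
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/my_cert.csr" \
        -out "$1/my.crt" -days 365 -cert "$1/CA_Cert.pem" -keyfile "$1/CA_Key.key"
}

is_certificate() { openssl x509 -in "$1" -noout 2>/dev/null; }          # 0 only for X.509 certs
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }  # 0 if Basic Constraints CA:TRUE
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }         # 0 if leaf $2 chains to CA $1

# Whole run in a temporary directory; prints "chain-ok" on success.
run_demo() {
    work=$(mktemp -d)
    make_ca_config "$work"
    make_ca "$work"
    make_csr "$work"
    sign_csr "$work"
    is_certificate "$work/CA_Cert.pem"
    is_certificate "$work/my_cert.csr" && return 1    # a CSR is not a certificate
    is_ca_cert "$work/CA_Cert.pem"
    is_ca_cert "$work/my.crt" && return 1              # the leaf must be CA:FALSE
    chains_to "$work/CA_Cert.pem" "$work/my.crt"
    echo "next serial: $(cat "$work/serial")"          # 02 after one issuance
    echo "ledger: $(cut -f1,4 "$work/index.txt")"      # V <tab> 01
    rm -rf "$work"
    echo "chain-ok"
}
```

Run it with `sh -c '. ./ca_demo.sh; run_demo'`. The checks at the end are the ones worth keeping in any CA procedure: the signed leaf must be CA:FALSE (otherwise whoever holds `myprivate.key` could issue further certificates that chain to your CA), and `openssl verify -CAfile` confirms that the issuer name, authority key identifier and signature on `my.crt` really match `CA_Cert.pem`, which is also what a client will check before trusting it.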

That completes signing a CSR with our own CA. Did you get it? This article is original; please credit the source when reposting.
