Linux CA

CA（Certificate Authority）证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能：加密、签名、身份验证。

1.什么是CA认证？

CA认证，即CA认证机构，为电子签名相关各方提供真实性、可靠性验证的行为。

2.什么是CA证书？

证书实际是由证书签证机关（CA）签发的对用户的公钥的认证。

3.CA证书类型？

• 证书颁发机构自签名证书
• 服务器证书
• 用户证书

二. CA服务器部署

1. 部署环境

[root@linux-ca ~]# touch /etc/pki/CA/index.txt  #index.txt：索引文件，用于匹配证书编号；
[root@linux-ca ~]# echo 01 >/etc/pki/CA/serial  #serial：证书序列号文件，只在首次生成证书时赋值。
[root@linux-ca ~]# cat /etc/pki/CA/serial 
01

2. 生成密钥

[root@linux-ca private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakay.pem 2048)

     genrsa：生成私钥；

     -out：私钥的存放路径，cakey.pem：为密钥名，与配置文件中保持一致；

     2048：密钥长度，默认为1024。

3. 修改配置文件/etc/pki/tls/openssl.cnf

40 [ CA_default ]
 41 
 42 dir             = /etc/pki/CA           # Where everything is kept
 43 certs           = $dir/certs            # Where the issued certs are kept
 44 crl_dir         = $dir/crl              # Where the issued crl are kept
 45 database        = $dir/index.txt        # database index file.
 46 #unique_subject = no                    # Set to 'no' to allow creation of
 47                                         # several ctificates with same subject.
 48 new_certs_dir   = $dir/newcerts         # default place for new certs.
 49 
 50 certificate     = $dir/cacert.pem       # The CA certificate
 51 serial          = $dir/serial           # The current serial number
 52 crlnumber       = $dir/crlnumber        # the current crl number
 53                                         # must be commented out to leave a V1 CRL
 54 crl             = $dir/crl.pem          # The current CRL
 55 private_key     = $dir/private/cakey.pem# The private key
 56 RANDFILE        = $dir/private/.rand    # private random number file
 
 83 # For the CA policy
 84 [ policy_match ]
 85 countryName             = match
 86 stateOrProvinceName     = match
 87 organizationName        = match
 88 organizationalUnitName  = optional
 89 commonName              = supplied
 90 emailAddress            = optional

128 [ req_distinguished_name ]
129 countryName                     = Country Name (2 letter code)
130 countryName_default             = US
131 countryName_min                 = 2
132 countryName_max                 = 2
133 
134 stateOrProvinceName             = State or Province Name (full name)
135 stateOrProvinceName_default     = California
136 
137 localityName                    = Locality Name (eg, city)
138 localityName_default            = Redwood City
139 
140 0.organizationName              = Organization Name (eg, company)
141 0.organizationName_default      = Electronic Arts, Inc.
142 
143 # we can do this but it is not needed normally :-)
144 #1.organizationName             = Second Organization Name (eg, company)
145 #1.organizationName_default     = World Wide Web Pty Ltd
146 
147 organizationalUnitName          = Organizational Unit Name (eg, section)
148 organizationalUnitName_default  = EA Online/pogo.com
149 
150 commonName                      = Common Name (eg, your name or your server's hostname)
151 commonName_max                  = 64
152 commonName_default              =
153 
154 emailAddress                    = Email Address
155 emailAddress_max                = 64
156 emailAddress_default            =

4. CA 创建自签根证书

[root@linux-ca CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakay.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [Redwood City]:
Organization Name (eg, company) [Electronic Arts, Inc.]:
Organizational Unit Name (eg, section) [EA Online/pogo.com]:
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:vxxxxxxxxxxxxxxxxx

   req：生成证书签署请求；

   -x509：生成自签署证书；

   -days n：证书的有效天数；

   -new：新请求；

   -key /path/to/keyfile：指定私钥文件；

   -out /path/to/somefile：输出文件位置。

三. 客户端申请证书

1. 生成客户端私钥

[root@web ~]# mkdir ssl
[root@web ~]# cd ssl/
[root@web ssl]# (umask 077; openssl genrsa -out /root/ssl/web.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.................................................+++
e is 65537 (0x10001)

2. 生成证书请求文件

[root@web ssl]# openssl req -new -key /root/ssl/web.key -out /root/ssl/web.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Redwood City
Organization Name (eg, company) [Default Company Ltd]:Electronic Arts, Inc.
Organizational Unit Name (eg, section) []:EA Online/pogo.com
Common Name (eg, your name or your server's hostname) []:web
Email Address []:xxxxxxxxxxx

3. 将生成的申请文件发送到CA颁发服务器

[root@web ssl]# scp web.csr root@10.17.160.241:/etc/pki/CA/csr/

四. CA服务器为客户端颁发证书

1.为客户端颁发证书

[root@linux-ca CA]# openssl ca -in /etc/pki/CA/csr/web.csr -out /etc/pki/CA/certs/web.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 15 06:58:48 2019 GMT
            Not After : May 14 06:58:48 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Electronic Arts, Inc.
            organizationalUnitName    = EA Online/pogo.com
            commonName                = web
            emailAddress              = vli@contractor.ea.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4E:FE:C1:E2:17:92:C6:D1:48:42:70:1F:59:95:FA:9D:49:76:B0:47
            X509v3 Authority Key Identifier: 
                keyid:82:81:30:91:40:F8:D2:FD:B4:D5:A8:52:DF:FE:D2:62:12:38:53:7F

Certificate is to be certified until May 14 06:58:48 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2. 将生成的证书发送给申请的客户端

五. 吊销证书

1. 获取证书serial

[root@linux-ca CA]# openssl x509 -in certs/web.crt -noout -serial -subject
serial=01
subject= /C=US/ST=California/O=Electronic Arts, Inc./OU=EA Online/pogo.com/CN=web/emailAddress=xxxxxxxxxxxxxx

   x509：证书格式；

   -in：要吊销的证书；

   -noout：不输出额外信息；

   -serial：显示序列号；

   -subject：显示subject信息。

二） CA验证信息

1、节点提交的serial和subject信息来验证与index.txt文件中的信息是否一致

2、吊销证书

-revoke：删除证书。

查看被吊销的证书列表

3、生成吊销证书的编号（如果是第一次吊销）

4、更新证书吊销列表

-gencrl：生成证书吊销列表；
5、查看crl文件内容

-text：以文本形式显示。

参考： https://www.linuxprobe.com/private-ca.html