zoukankan      html  css  js  c++  java
  • Linux CA

    CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。

    1.什么是CA认证?

    CA认证,即CA认证机构,为电子签名相关各方提供真实性、可靠性验证的行为。

    2.什么是CA证书?

    证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。

    3.CA证书类型?

    • 证书颁发机构自签名证书
    • 服务器证书
    • 用户证书

    二. CA服务器部署

    1. 部署环境

    [root@linux-ca ~]# touch /etc/pki/CA/index.txt  #index.txt:索引文件,用于匹配证书编号;
    [root@linux-ca ~]# echo 01 >/etc/pki/CA/serial  #serial:证书序列号文件,只在首次生成证书时赋值。
    [root@linux-ca ~]# cat /etc/pki/CA/serial 
    01

    2. 生成密钥

    [root@linux-ca private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakay.pem 2048)

         genrsa:生成私钥;

         -out:私钥的存放路径,cakey.pem:为密钥名,与配置文件中保持一致;

         2048:密钥长度,默认为1024。

    3. 修改配置文件/etc/pki/tls/openssl.cnf

    40 [ CA_default ]
     41 
     42 dir             = /etc/pki/CA           # Where everything is kept
     43 certs           = $dir/certs            # Where the issued certs are kept
     44 crl_dir         = $dir/crl              # Where the issued crl are kept
     45 database        = $dir/index.txt        # database index file.
     46 #unique_subject = no                    # Set to 'no' to allow creation of
     47                                         # several ctificates with same subject.
     48 new_certs_dir   = $dir/newcerts         # default place for new certs.
     49 
     50 certificate     = $dir/cacert.pem       # The CA certificate
     51 serial          = $dir/serial           # The current serial number
     52 crlnumber       = $dir/crlnumber        # the current crl number
     53                                         # must be commented out to leave a V1 CRL
     54 crl             = $dir/crl.pem          # The current CRL
     55 private_key     = $dir/private/cakey.pem# The private key
     56 RANDFILE        = $dir/private/.rand    # private random number file
     
     83 # For the CA policy
     84 [ policy_match ]
     85 countryName             = match
     86 stateOrProvinceName     = match
     87 organizationName        = match
     88 organizationalUnitName  = optional
     89 commonName              = supplied
     90 emailAddress            = optional
    
    128 [ req_distinguished_name ]
    129 countryName                     = Country Name (2 letter code)
    130 countryName_default             = US
    131 countryName_min                 = 2
    132 countryName_max                 = 2
    133 
    134 stateOrProvinceName             = State or Province Name (full name)
    135 stateOrProvinceName_default     = California
    136 
    137 localityName                    = Locality Name (eg, city)
    138 localityName_default            = Redwood City
    139 
    140 0.organizationName              = Organization Name (eg, company)
    141 0.organizationName_default      = Electronic Arts, Inc.
    142 
    143 # we can do this but it is not needed normally :-)
    144 #1.organizationName             = Second Organization Name (eg, company)
    145 #1.organizationName_default     = World Wide Web Pty Ltd
    146 
    147 organizationalUnitName          = Organizational Unit Name (eg, section)
    148 organizationalUnitName_default  = EA Online/pogo.com
    149 
    150 commonName                      = Common Name (eg, your name or your server's hostname)
    151 commonName_max                  = 64
    152 commonName_default              =
    153 
    154 emailAddress                    = Email Address
    155 emailAddress_max                = 64
    156 emailAddress_default            =

    4. CA 创建自签根证书

    [root@linux-ca CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakay.pem -out /etc/pki/CA/cacert.pem -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [California]:
    Locality Name (eg, city) [Redwood City]:
    Organization Name (eg, company) [Electronic Arts, Inc.]:
    Organizational Unit Name (eg, section) [EA Online/pogo.com]:
    Common Name (eg, your name or your server's hostname) []:cacert
    Email Address []:vxxxxxxxxxxxxxxxxx

       req:生成证书签署请求;

       -x509:生成自签署证书;

       -days n:证书的有效天数;

       -new:新请求;

       -key /path/to/keyfile:指定私钥文件;

       -out /path/to/somefile:输出文件位置。

    三. 客户端申请证书

    1. 生成客户端私钥

    [root@web ~]# mkdir ssl
    [root@web ~]# cd ssl/
    [root@web ssl]# (umask 077; openssl genrsa -out /root/ssl/web.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .......................................+++
    .................................................+++
    e is 65537 (0x10001)

    2. 生成证书请求文件

    [root@web ssl]# openssl req -new -key /root/ssl/web.key -out /root/ssl/web.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Redwood City
    Organization Name (eg, company) [Default Company Ltd]:Electronic Arts, Inc.
    Organizational Unit Name (eg, section) []:EA Online/pogo.com
    Common Name (eg, your name or your server's hostname) []:web
    Email Address []:xxxxxxxxxxx

    3. 将生成的申请文件发送到CA颁发服务器

    [root@web ssl]# scp web.csr root@10.17.160.241:/etc/pki/CA/csr/

    四. CA服务器为客户端颁发证书

    1.为客户端颁发证书

    [root@linux-ca CA]# openssl ca -in /etc/pki/CA/csr/web.csr -out /etc/pki/CA/certs/web.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May 15 06:58:48 2019 GMT
                Not After : May 14 06:58:48 2020 GMT
            Subject:
                countryName               = US
                stateOrProvinceName       = California
                organizationName          = Electronic Arts, Inc.
                organizationalUnitName    = EA Online/pogo.com
                commonName                = web
                emailAddress              = vli@contractor.ea.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    4E:FE:C1:E2:17:92:C6:D1:48:42:70:1F:59:95:FA:9D:49:76:B0:47
                X509v3 Authority Key Identifier: 
                    keyid:82:81:30:91:40:F8:D2:FD:B4:D5:A8:52:DF:FE:D2:62:12:38:53:7F
    
    Certificate is to be certified until May 14 06:58:48 2020 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    2. 将生成的证书发送给申请的客户端

    五. 吊销证书

    1. 获取证书serial

    [root@linux-ca CA]# openssl x509 -in certs/web.crt -noout -serial -subject
    serial=01
    subject= /C=US/ST=California/O=Electronic Arts, Inc./OU=EA Online/pogo.com/CN=web/emailAddress=xxxxxxxxxxxxxx

       x509:证书格式;

       -in:要吊销的证书;

       -noout:不输出额外信息;

       -serial:显示序列号;

       -subject:显示subject信息。

    二) CA验证信息

    1、节点提交的serial和subject信息来验证与index.txt文件中的信息是否一致
    搭建私有CA服务器搭建私有CA服务器
    2、吊销证书
    搭建私有CA服务器搭建私有CA服务器
    -revoke:删除证书。

    查看被吊销的证书列表
    搭建私有CA服务器搭建私有CA服务器
    3、生成吊销证书的编号(如果是第一次吊销)
    搭建私有CA服务器搭建私有CA服务器
    4、更新证书吊销列表
    搭建私有CA服务器搭建私有CA服务器
    -gencrl:生成证书吊销列表;
    5、查看crl文件内容
    搭建私有CA服务器搭建私有CA服务器

    -text:以文本形式显示。

    参考: https://www.linuxprobe.com/private-ca.html

  • 相关阅读:
    CPU
    CentOS7 Tomcat 环境部署
    CentOS7 NTP 安装配置
    CISCO VLAN ACL
    ESXI6.0启用 snmp
    编译安装 varnish-4.1.2和yum 安装 varnish-4.0.3
    CentOS7 安装中文帮助手册
    CentOS7 学习笔记
    CentOS7 编译安装 nginx-1.10.0
    CentOS7 cacti 安装
  • 原文地址:https://www.cnblogs.com/lixinjjy/p/10869538.html
Copyright © 2011-2022 走看看