<p><span style="font-weight: bold">I. OpenSSL: default CA configuration</span></p>
<p><span style="font-weight: bold">1. Certificate authorities (CAs): publicly trusted CAs and private CAs</span></p>
<p><span style="font-weight: bold">A private CA can be set up in the following ways:</span></p>
<p>for small-scale testing, use openssl;</p>
<p>for enterprises that maintain large numbers of certificates, use OpenCA (a wrapper built on top of openssl that is more convenient to use).</p>
<p> </p>
<p><span style="font-weight: bold">2. openssl configuration file: /etc/pki/tls/openssl.cnf</span></p>
<p><span style="font-weight: bold">[root@localhost tmp]# cat /etc/pki/tls/openssl.cnf</span></p>
<p><span style="font-weight: bold">Settings in this file are grouped into sections of the form "[section]".</span></p>
<p>===============================================================================================</p>
<p>==================================== Excerpt of openssl.cnf =====================================</p>
<p># OpenSSL example configuration file.</p>
<p># This is mostly being used for generation of certificate requests.</p>
<p>######################################################################################</p>
<p>[ ca ] # CA-related section</p>
<p>default_ca = CA_default # The default ca section # the default CA is configured in [ CA_default ]</p>
<p>######################################################################################</p>
<p>[ CA_default ] # the working environment used by default when acting as a CA</p>
<p>dir = /etc/pki/CA # Where everything is kept # default working directory, referenced below as the variable $dir</p>
<p>certs = $dir/certs # Where the issued certs are kept # location of issued certificates</p>
<p>crl_dir = $dir/crl # Where the issued crl are kept # location of revoked certificates (CRLs)</p>
<p>database = $dir/index.txt # database index file. # index of the certificates issued so far</p>
<p>new_certs_dir = $dir/newcerts # default place for new certs.</p>
<p> </p>
<p>certificate = $dir/cacert.pem # The CA certificate # the CA's self-signed certificate</p>
<p>serial = $dir/serial # The current serial number # the current certificate serial number; it must be set by hand the first time</p>
<p>crlnumber = $dir/crlnumber # the current crl number</p>
<p># must be commented out to leave a V1 CRL</p>
<p>crl = $dir/crl.pem # The current CRL</p>
<p>private_key = $dir/private/cakey.pem# The private key # the CA's own private key</p>
<p>RANDFILE = $dir/private/.rand # private random number file</p>
<p> </p>
<p>x509_extensions = usr_cert # The extentions to add to the cert</p>
<p> </p>
<p># Comment out the following two lines for the "traditional"</p>
<p># (and highly broken) format.</p>
<p>name_opt = ca_default # Subject Name options</p>
<p>cert_opt = ca_default # Certificate field options</p>
<p> </p>
<p>default_days = 365 # how long to certify for # default certificate validity period</p>
<p>default_crl_days= 30 # how long before next CRL # default CRL validity period</p>
<p>default_md = sha256 # use SHA-256 by default # default digest algorithm</p>
<p>preserve = no # keep passed DN ordering</p>
<p>####################################################################</p>
<p>[ req ] # settings for certificate signing requests submitted to the CA</p>
<p>default_bits = 2048</p>
<p>default_md = sha256</p>
<p>default_keyfile = privkey.pem</p>
<p>distinguished_name = req_distinguished_name</p>
<p>attributes = req_attributes</p>
<p>x509_extensions = v3_ca # The extentions to add to the self signed cert</p>
<p>===============================================================================================</p>
<p> </p>
<p><span style="font-weight: bold">II. OpenSSL: steps to create a private certificate authority (CA)</span></p>
<p>On the host chosen to act as the CA, generate a self-signed certificate and provide the directories and files the CA needs;</p>
<p>during actual communication the CA host does not need to be on the network: it only takes part in signing and provides no service.</p>
<p><span style="font-weight: bold">1. Generate the private key;</span></p>
<p>~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)</p>
<p>Because the default configuration file names /etc/pki/CA/private/cakey.pem, the directory and file name given here must match the configuration file.</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-14.jpg" title="1.jpg" alt="wKioL1aPCOWTno1lAAHDWpax0Kw301.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">2. Generate the CA's self-signed certificate;</span></p>
<p>req - PKCS#10 certificate request and certificate generating utility (the tool for creating requests and certificates);</p>
<p>[root@localhost tmp]# man req</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-33.jpg" title="2.jpg" alt="wKiom1aPCL6xJ27aAADQWnrHrbY384.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p>~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655</p>
<p>/etc/pki/CA/cacert.pem: the directory and file name specified in the configuration file</p>
<p>-new: generate a new certificate signing request;</p>
<p>-x509: generate a self-signed certificate; used only when creating a private CA;</p>
<p>-key: path to the private key file used to generate the request;</p>
<p>-out: path of the generated request file; for a self-signing operation the signed certificate is written directly;</p>
<p>-days: validity period of the certificate, in days;</p>
<p><span style="font-weight: bold">Note:</span></p>
<p>1) -key /etc/pki/CA/private/cakey.pem names the location of the private key; this suffices because the public key is extracted from the private key automatically here.</p>
<p>2) req on its own only produces a signing request; the -x509 option is needed to issue the request and sign it yourself. For certificates that are not self-signed this option is not added.</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-100.jpg" title="3.jpg" alt="wKiom1aPCMjBB-SEAAPoGzliXHo264.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p>[root@localhost tmp]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655</p>
<p>==================================== Filling in the certificate request information =======================================</p>
<p>You are about to be asked to enter information that will be incorporated into your certificate request.</p>
<p>What you are about to enter is what is called a Distinguished Name or a DN.</p>
<p>There are quite a few fields but you can leave some blank</p>
<p>For some fields there will be a default value,</p>
<p>If you enter '.', the field will be left blank.</p>
<p>-----</p>
<p>Country Name (2 letter code) [XX]: # two-letter country code; CN is China</p>
<p>State or Province Name (full name) []: # full name of the state or province</p>
<p>Locality Name (eg, city) [Default City]: # name of the locality (a city by default)</p>
<p>Organization Name (eg, company) [Default Company Ltd]: # organization name (a company by default)</p>
<p>Organizational Unit Name (eg, section) []: # organizational unit name (e.g. a department)</p>
<p>Common Name (eg, your name or your server's hostname) []: # holder's name or the server's hostname (i.e. the domain name)</p>
<p>Email Address []: # administrator's email address; may be omitted</p>
<p>================================================================================================</p>
<p> </p>
<p><span style="font-weight: bold">3. Provide the directories and files the CA needs;</span></p>
<p>~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts} # create the directories for issued certificates, revoked certificates and new certificates if they do not already exist</p>
<p>~]# touch /etc/pki/CA/{serial,index.txt} # create the serial number file and the certificate index file</p>
<p>~]# echo 01 > /etc/pki/CA/serial # the first time, a starting serial number must be supplied</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-58.jpg" title="4.jpg" alt="wKiom1aPCNGROuarAALaFb1jY-0436.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span xml:lang="zh-cn" style="padding: 
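0px"></span></p>
<p>The following is an added example in Python, not code from the original post, covering the configuration excerpt in section I and step 3 of section II. It parses an openssl.cnf laid out like the excerpt, follows default_ca = CA_default to the working section, expands $dir in values such as certs = $dir/certs, and reports which of the directories and files that openssl ca expects are still missing, so the check can be run before the first signing instead of discovering a missing index.txt from an error. SAMPLE_CNF is a constructed configuration mirroring the excerpt; demo() runs the check in a temporary directory standing in for /etc/pki/CA. Only the same-section $name form of variable reference is handled, which is all the excerpt uses.</p>

```python
"""Parse openssl.cnf's [ca]/[CA_default] sections and check the CA's on-disk layout.

Added example, not code from the original post. Only the same-section $name
form of variable reference is handled, which is all the quoted excerpt uses.
"""
import os
import re
import tempfile
from typing import Callable, Dict, List, Tuple

# Constructed sample mirroring the openssl.cnf excerpt quoted in the post.
SAMPLE_CNF = """\
# OpenSSL example configuration file.
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
private_key     = $dir/private/cakey.pem# The private key
default_days    = 365                   # how long to certify for
default_md      = sha256                # use SHA-256 by default
"""

# [CA_default] keys naming things openssl ca expects on disk, and what creates
# them in the post: step 3 (mkdir/touch/echo) or steps 1-2 (genrsa / req -x509).
REQUIRED_PATHS: Dict[str, str] = {
    "dir": "directory",             # shipped by the package or mkdir
    "certs": "directory",           # mkdir -pv $dir/{certs,crl,newcerts}
    "crl_dir": "directory",
    "new_certs_dir": "directory",
    "database": "file",             # touch $dir/index.txt
    "serial": "file",               # touch $dir/serial; echo 01 > $dir/serial
    "certificate": "file",          # openssl req -new -x509 -out $dir/cacert.pem
    "private_key": "file",          # openssl genrsa -out $dir/private/cakey.pem
}

_SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
_VAR = re.compile(r"\$\{?(\w+)\}?")


def parse_openssl_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; '#' starts a comment, $vars are kept verbatim."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comment
        if not line.strip():
            continue
        if m := _SECTION.match(line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif m := _ASSIGN.match(line):
            sections[current][m.group(1)] = m.group(2)
    return sections


def expand(value: str, section: Dict[str, str], depth: int = 0) -> str:
    """Expand $name / ${name} against the same section, as openssl does for $dir."""
    if depth > 10:
        raise ValueError("variable reference too deep (cycle?)")

    def repl(m: re.Match) -> str:
        name = m.group(1)
        if name not in section:
            raise KeyError(f"${name} is not defined in this section")
        return expand(section[name], section, depth + 1)

    return _VAR.sub(repl, value)


def ca_paths(cfg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Follow [ca] default_ca to its section and expand every path-valued key."""
    section = cfg[cfg["ca"]["default_ca"]]
    return {k: expand(section[k], section) for k in REQUIRED_PATHS if k in section}


def missing_ca_paths(paths: Dict[str, str],
                     exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """(key, path, kind) for each required path not present; empty means the layout is complete."""
    return [(k, p, REQUIRED_PATHS[k]) for k, p in paths.items() if not exists(p)]


def demo() -> Dict[str, List[str]]:
    """Run the check before and after the post's step-3 commands, in a temp dir standing in for /etc/pki/CA."""
    cfg = parse_openssl_cnf(SAMPLE_CNF)
    with tempfile.TemporaryDirectory() as tmp:
        cfg["CA_default"]["dir"] = tmp
        paths = ca_paths(cfg)
        before = [k for k, _, _ in missing_ca_paths(paths)]
        # Same effect as: mkdir -pv $dir/{certs,crl,newcerts}; touch $dir/{serial,index.txt}; echo 01 > $dir/serial
        for key in ("certs", "crl_dir", "new_certs_dir"):
            os.makedirs(paths[key], exist_ok=True)
        open(paths["database"], "a").close()
        with open(paths["serial"], "w") as fh:
            fh.write("01\n")
        after = [k for k, _, _ in missing_ca_paths(paths)]
    return {"before": before, "after": after}   # after == ["certificate", "private_key"]


if __name__ == "__main__":
    for phase, keys in demo().items():
        print(f"{phase}: missing {keys}")
```

<p>After step 3 the only entries left in the report are certificate and private_key, which steps 1 and 2 create with openssl genrsa and openssl req -x509; a report that still lists database or serial means openssl ca will fail at the first signing. Against a real system, read /etc/pki/tls/openssl.cnf into parse_openssl_cnf and pass ca_paths(cfg) to missing_ca_paths.</p>
<p><span xml:lang="zh-cn" style="padding: 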
0px;font-weight: bold">III. OpenSSL: a service requests a signed certificate to enable secure SSL communication</span></p>
<p>A server that needs a certificate for secure communication must ask the CA to sign one;</p>
<p>the service requesting the signature need not run on the same host as the CA.</p>
<p>The httpd service is used as the example here; the steps are as follows:</p>
<p><span style="font-weight: bold">Demo environment:</span></p>
<p><span style="font-weight: bold">the httpd service runs on host 172.16.249.210 (installed from the rpm package here)</span></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-10.jpg" title="5.jpg" alt="wKioL1aPCQDDWkCEAAEYveFMHKI944.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p><span style="font-weight: bold">the private CA runs on host 172.16.249.18:</span></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-42.jpg" title="6.jpg" alt="wKioL1aPCQrwsRifAAIBzb8XPA0330.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">1. The server that will use the certificate generates a private key;</span></p>
<p>~]# mkdir /etc/httpd/ssl</p>
<p>~]# cd /etc/httpd/ssl</p>
<p>~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048) # generate the private key</p>
<p>The httpd service's private key does not have to be created under /etc/pki/CA; that directory is used only when setting up the CA host.</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-60.jpg" title="7.jpg" alt="wKiom1aPCOThiloPAAGASNpnvNM524.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">2. Generate the certificate signing request</span></p>
<p>~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365</p>
<p>1) *.csr denotes a certificate signing request file</p>
<p>2) make sure the information entered matches that of the signing CA</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-15.jpg" title="8.jpg" alt="wKiom1aPCO3TjJrZAANreKGDHqE787.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">3. Send the request to the CA host through a trusted channel</span></p>
<p>~]# scp /etc/httpd/ssl/httpd.csr root@172.16.249.18:/tmp/</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-79.jpg" title="9.jpg" alt="wKioL1aPCRjDvPN2AACu_WHGEiM513.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">4. Sign the certificate on the CA host</span></p>
<p>~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365</p>
<p>*.crt: denotes a certificate file</p>
<p>-days: validity period of the signed certificate</p>
<p>Note: at this point you must check for yourself that the information is correct and confirm whether to sign the certificate</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-52.jpg" title="10.jpg" alt="wKioL1aPCSLiKmtaAAPZ6a-sqPs536.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">5. View the information of the signed certificate</span></p>
<p><span style="font-weight: bold">Method 1: ~]# cat /etc/pki/CA/index.txt</span></p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-2.jpg" title="11.jpg" alt="wKiom1aPCPvjdxCfAAC8VggKWf0855.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p>V: indicates an issued certificate that is still valid</p>
<p>01: the certificate serial number</p>
<p>/C=CN/ST=Beijing/O=… …: the subject information (subject identifier)</p>
<p><span xml:lang="en-us" style="padding: 0px;font-weight: bold;font-family: Calibri"> </span><span xml:lang="zh-cn" 
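style="padding: 0px"></span></p>
<p>The following is an added example in Python, not code from the original post: a parser for the index.txt database shown under Method 1, plus the serial-and-subject comparison that section IV performs against index.txt before revoking. It assumes the tab-separated layout that openssl ca writes: status (V, R or E), expiry date, revocation date (empty unless revoked), serial, file name (normally "unknown") and subject. SAMPLE_INDEX and SAMPLE_X509_OUTPUT are constructed samples; the latter is in the "subject= /C=CN/..." form that the openssl x509 command on this page prints, and parse_dn also accepts the "C = CN, ST = ..." form printed by newer OpenSSL releases (escaped commas inside values are not handled).</p>

```python
"""Parse the CA database (index.txt) and match the serial/subject a client reports.

Added example, not code from the original post. It assumes the layout openssl ca
writes: six tab-separated fields per line (status, expiry, revocation date,
serial, file name, subject).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample index.txt: one issued (V) and one revoked (R) certificate.
SAMPLE_INDEX = (
    "V\t170703080000Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=Example Ltd/OU=Ops/CN=www.example.com\n"
    "R\t170703080000Z\t160801090000Z\t02\tunknown\t/C=CN/ST=Beijing/O=Example Ltd/OU=Ops/CN=old.example.com\n"
)

# Constructed sample of what `openssl x509 -noout -serial -subject` prints on the web host.
SAMPLE_X509_OUTPUT = (
    "serial=01\n"
    "subject= /C=CN/ST=Beijing/O=Example Ltd/OU=Ops/CN=www.example.com\n"
)

DN = Tuple[Tuple[str, str], ...]


@dataclass
class IndexEntry:
    status: str     # V = valid, R = revoked, E = expired
    expires: str    # YYMMDDHHMMSSZ
    revoked: str    # revocation time, empty unless status == "R"
    serial: str     # hex serial, as openssl ca wrote it (e.g. "01")
    filename: str   # "unknown" in practice
    subject: str    # /C=CN/ST=.../CN=... as stored by openssl ca


def parse_index(text: str) -> List[IndexEntry]:
    """One IndexEntry per non-blank line; reject lines that do not have six fields."""
    entries: List[IndexEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        entries.append(IndexEntry(*fields))
    return entries


def parse_dn(dn: str) -> DN:
    """Normalise a DN for comparison.

    Accepts the '/C=CN/ST=Beijing/...' form used in index.txt and by OpenSSL 1.0's
    x509 -subject, and the 'C = CN, ST = Beijing, ...' form newer releases print.
    Escaped commas inside values are not handled.
    """
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    return tuple((k.strip(), v.strip()) for k, v in (p.split("=", 1) for p in parts if "=" in p))


def normalise_serial(serial: str) -> str:
    """Serials are hex; compare case-insensitively and without leading zeros."""
    return serial.strip().upper().lstrip("0") or "0"


def parse_x509_output(text: str) -> Tuple[str, str]:
    """Extract (serial, subject) from `openssl x509 -noout -serial -subject` output."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values["serial"], values["subject"]


def find_entry(entries: List[IndexEntry], serial: str, subject: str) -> Tuple[str, Optional[IndexEntry]]:
    """Look the reported certificate up in the database.

    Returns (verdict, entry) with verdict one of 'ok', 'not found',
    'subject mismatch' (serial exists but belongs to another subject) or
    'already revoked'.
    """
    wanted = normalise_serial(serial)
    for entry in entries:
        if normalise_serial(entry.serial) != wanted:
            continue
        if parse_dn(entry.subject) != parse_dn(subject):
            return "subject mismatch", entry
        if entry.status == "R":
            return "already revoked", entry
        return "ok", entry
    return "not found", None


def revocation_target(entry: IndexEntry, new_certs_dir: str = "/etc/pki/CA/newcerts") -> str:
    """Path that `openssl ca -revoke` takes: the copy kept as newcerts/SERIAL.pem."""
    return f"{new_certs_dir}/{entry.serial}.pem"


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    reported_serial, reported_subject = parse_x509_output(SAMPLE_X509_OUTPUT)
    verdict, entry = find_entry(db, reported_serial, reported_subject)
    print(verdict, "->", revocation_target(entry) if verdict == "ok" else "(no action)")
```

<p>find_entry reports a subject mismatch even when the serial matches, so a revocation request that names the right serial but a different subject is not acted on blindly, and an entry already marked R is reported rather than revoked twice; revocation_target yields the newcerts/SERIAL.pem path that the openssl ca -revoke command in section IV takes.</p>
<p><span xml:lang="zh-cn" 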
style="padding: 0px;font-weight: bold">Method 2: view the information in the certificate itself (on either the CA or the server):</span></p>
<p><span style="font-weight: bold">~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject</span></p>
<p>-serial: serial number; -subject: subject information</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-16.jpg" title="12.jpg" alt="wKiom1aPCP-gmS13AADaLgDGKfE704.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">6. Send the .crt certificate signed by the CA to the server</span></p>
<p>~]# scp /etc/pki/CA/certs/httpd.crt root@172.16.249.210:/etc/httpd/ssl</p>
<p>Note: the first ssh-based scp between the two hosts will present a key that you are asked to confirm.</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-54.jpg" title="13.jpg" alt="wKioL1aPCTDz4NpfAAIKbQcNO1s991.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">7. Delete the pre-signing *.csr files on both the server and the CA host for safety</span></p>
<p>httpd host: ~]# rm -rf /etc/httpd/ssl/httpd.csr</p>
<p>CA host: ~]# rm -rf /tmp/httpd.csr</p>
<p> </p>
<p><span style="font-weight: bold">IV. OpenSSL: revoking a certificate at the private CA</span></p>
<p><span style="font-weight: bold">1. The client obtains the serial of the certificate to be revoked (run on the host that uses the certificate)</span></p>
<p>~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-66.jpg" title="14.jpg" alt="wKioL1aPCTTiBKRtAAGKNLOArLQ073.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p> </p>
<p><span style="font-weight: bold">2. The CA host revokes the certificate</span></p>
<p>First compare the serial and subject submitted by the client with what is stored in the local database index.txt;</p>
<p>when a certificate is generated under /etc/pki/CA/certs/*, a copy named SERIAL.pem after the certificate's serial number is also kept under /etc/pki/CA/newcerts/*.</p>
<p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-44.jpg" title="15.jpg" alt="wKiom1aPCRPSaUfiAANKOGMJ9OQ686.jpg" width="650" style="padding: 0px;vertical-align: top;border: none;float: none" /></p>
<p><span style="font-weight: bold">Revoke:</span></p>
<p># openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem, where SERIAL must be replaced with the certificate's actual serial number:<span 
xml:lang="en-us" style="padding: 0px;font-family: Calibri">eg. 01.pem</span></p> <p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-1.jpg" title="16.jpg" alt="wKioL1aPCUCQ72KSAAC-hpFwx2o912.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p> <p xml:lang="en-us"><span style="padding: 0px;font-weight: bold"> </span></p> <p><span xml:lang="en-us" style="padding: 0px;font-weight: bold"> 3.</span><span xml:lang="zh-cn" style="padding: 0px;font-weight: bold">生成吊销证书的吊销编号(第一次吊销证书时执行)</span></p> <p># echo 01 > /etc/pki/CA/crlnumber</p> <p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-56.jpg" title="17.jpg" alt="wKiom1aPCRrx6JiSAAB1Kg9aYOk479.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p> <p> </p> <p><span xml:lang="en-us" style="padding: 0px;font-weight: bold"> 4.</span><span xml:lang="zh-cn" style="padding: 0px;font-weight: bold">更新证书吊销列表</span></p> <p># openssl ca -gencrl -out thisca.crl</p> <p><img src="//cto.wang/usr/uploads/2016/07/20160703161948-36.jpg" title="18.jpg" alt="wKiom1aPCRyB8sqXAACEmF02TAg768.jpg" style="padding: 0px;vertical-align: top;border: none;float: none" /></p> <p> </p> <p><span xml:lang="en-us" style="padding: 0px;font-weight: bold"> 5.</span><span xml:lang="zh-cn" style="padding: 0px;font-weight: bold">查看crl文件:</span></p> <p># openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text</p> <p>Nicolo:http://xuding.blog.51cto.com/4890434/1732751</p> <p></p> 最后修改:2021 年 12 月 10 日 10 : 53 AM © 允许规范转载 赞赏 如果觉得我的文章对你有用,请随意赞赏 赞赏作者 支付宝微信
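<p>The following shell script is an added, runnable example; it is not part of the original post. It carries out the whole revocation procedure from steps 1 to 5 above (reading the serial with openssl x509 -serial, finding the serial's row in index.txt, revoking via newcerts/SERIAL.pem, seeding crlnumber, regenerating the CRL and inspecting it with openssl crl -text), together with the earlier steps of viewing serial and subject and deleting the CSR after signing, but against a throwaway CA in a temporary directory. It goes one step beyond the post by running openssl verify -crl_check before and after the revocation, which is the check that shows the revocation actually takes effect for a relying party. The directory layout, the section names in the generated openssl.cnf, the CA name and the hostname www.example.test are all assumptions; nothing under /etc/pki/CA is touched.</p>

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway private CA in a temporary
# directory that issues one server certificate, revokes it, publishes a CRL and proves
# with `openssl verify -crl_check` that the revoked certificate is rejected.
# Hostname, paths and section names are hypothetical; /etc/pki/CA is never touched.
set -eu

# Minimal openssl.cnf for `openssl ca`; the layout mirrors the post's /etc/pki/CA tree
# (index.txt database, serial, crlnumber, newcerts/).
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
EOF
}

# CA bootstrap: directories, empty database, first serial, first CRL number
# (the post's step 3), then a self-signed CA certificate.
setup_ca() {
    mkdir -p "$1/newcerts" "$1/private" "$1/certs"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Demo Private CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Key + CSR for a hostname, signed with `openssl ca`; the CSR is deleted afterwards
# (the post's step 7). Prints the serial as `openssl x509 -serial` reports it.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=$2" -keyout "$1/certs/$2.key" -out "$1/certs/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$1/certs/$2.csr" -out "$1/certs/$2.crt" 2>/dev/null
    rm -f "$1/certs/$2.csr"
    openssl x509 -in "$1/certs/$2.crt" -noout -serial | cut -d= -f2
}

# CA-side check before revoking: the status column (V valid, R revoked) of the
# index.txt row whose 4th tab-separated field is this serial.
cert_status() { awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"; }

# Step 4: regenerate the CRL from the database.
publish_crl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null; }

# Step 2: revoke via newcerts/SERIAL.pem, then publish a fresh CRL.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" 2>/dev/null
    publish_crl "$1"
}

# Step 5 as a check: does the CRL text list this serial?
crl_lists_serial() { openssl crl -in "$1/ca.crl" -noout -text | grep -q "Serial Number: $2"; }

# What a relying party does: chain validation plus a CRL lookup. Prints OK or
# REJECTED and succeeds only when the certificate is accepted.
verify_with_crl() {
    if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/ca.crl" \
        "$1/certs/$2.crt" >/dev/null 2>&1; then echo OK
    else echo REJECTED; return 1; fi
}

main() {
    ca=$(mktemp -d); setup_ca "$ca"
    serial=$(issue_cert "$ca" www.example.test)
    publish_crl "$ca"    # an empty CRL first, so -crl_check has one to consult
    echo "issued  serial=$serial status=$(cert_status "$ca" "$serial") verify=$(verify_with_crl "$ca" www.example.test || true)"
    revoke_cert "$ca" "$serial"
    echo "revoked serial=$serial status=$(cert_status "$ca" "$serial") verify=$(verify_with_crl "$ca" www.example.test || true)"
    crl_lists_serial "$ca" "$serial" && echo "CRL lists serial $serial"
    rm -rf "$ca"
}
main
```

<p>Run it with sh on a host that has openssl on the PATH. Two design points worth noting: an empty CRL is generated right after issuance because openssl verify -crl_check refuses to validate at all when no CRL for the issuer is available, so a relying party that enforces CRL checking needs a current CRL even before anything has been revoked; and the status column of index.txt flips from V to R on revocation, which is the CA-side record the post says to compare against before revoking.</p>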