搭建私有CA服务器
搭建私有CA服务器
CA是什么
CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件账号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。html
centos6.x上有关ssl证书的目录结构以下:linux
/etc/pki/CA/ ├── certs ├── crl 吊销的证书 ├── newcerts 存放CA签署(颁发)过的数字证书(证书备份目录) └── private 用于存放CA的私钥 /etc/pki/tls/ ├── cert.pem -> certs/ca-bundle.crt 软连接到certs/ca-bundle.crt ├── certs 该服务器上的证书存放目录,能够放置本身的证书和内置证书 │ ├── ca-bundle.crt 内置信任的证书 │ ├── ca-bundle.trust.crt │ ├── make-dummy-cert │ └── Makefile ├── misc │ ├── CA │ ├── c_hash │ ├── c_info │ ├── c_issuer │ └── c_name ├── openssl.cnf openssl的CA主配置文件 └── private 证书密钥存放目录
CA要给别人颁发证书,首先本身得有一个做为根证书,咱们得在一切工做以前修改好CA的配置文件、序列号、索引等等。nginx
vi /etc/pki/tls/openssl.cnf
一.创建CA服务器
1.生成根密钥
为了安全起见,修改cakey.pem私钥文件权限为600或400,也可使用子shell生成( umask 077; openssl genrsa -out private/cakey.pem 2048 ),下面再也不重复。web
cd /etc/pki/CA/ openssl genrsa -out private/cakey.pem 2048 或使用命令 ( umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )
执行结果以下:shell
[root@localhost CA]# ( umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 ) Generating RSA private key, 2048 bit long modulus ..................+++ ...+++ e is 65537 (0x10001)
参数说明:centos
():表示此命令在子进程中运行,其目的是为了避免改变当前Shell中的umask值;
genrsa:生成私钥;
-out:私钥的存放路径,cakey.pem:为密钥名,与配置文件中保持一致;
2048:密钥长度,默认为1024。
2.生成根证书
使用req命令生成自签证书:会提示输入一些内容,由于是私有的,因此能够随便输入(以前修改的openssl.cnf会在这里呈现),最好记住能与后面保持一致
自签证书cacert.pem应该生成在/etc/pki/CA下。安全
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3650
执行结果以下:服务器
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:home Organizational Unit Name (eg, section) []:homepart Common Name (eg, your name or your server's hostname) []:home.home Email Address []:home@home.home
参数说明:测试
req:生成证书签署请求;
-x509:生成自签署证书;
-days n:证书的有效天数;
-new:新请求;
-key /path/to/keyfile:指定私钥文件;
-out /path/to/somefile:输出文件位置。
3.初始化工做环境
touch /etc/pki/CA/index.txt /etc/pki/CA/serial 建立index.txt,serial文件 echo 01 > /etc/pki/CA/serial mkdir -p /etc/pki/CA/csr/ 用来存放节点上传过来的csr证书请求目录
index.txt:索引文件,用于匹配证书编号;
serial:证书序列号文件,只在首次生成证书时赋值。ui
二.节点生成证书
以上都是在CA服务器上作的操做,并且只需进行一次,如今转到nginx服务器上执行:
1.生成密钥对:
为咱们的nginx web服务器生成ssl密钥
mkdir -p /etc/nginx/ssl cd /etc/nginx/ssl (umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048) 生成私钥
执行结果:
[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/nginx/ssl/nginx.key 2048) Generating RSA private key, 2048 bit long modulus ..................+++ .................+++ e is 65537 (0x10001)
2.生成证书请求:
为nginx生成证书签署请求
openssl req -new -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr
一样会提示输入一些内容,其它随便,除了Commone Name必定要是你要授予证书的服务器域名或主机名,challenge password不填。
执行结果以下:
[root@localhost ssl]# openssl req -new -key /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:shanghai Locality Name (eg, city) [Default City]:shanghai Organization Name (eg, company) [Default Company Ltd]:mycompany Organizational Unit Name (eg, section) []:tech Common Name (eg, your name or your server's hostname) []:myweb.com Email Address []:myweb@myweb.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
3.把签署请求文件发送给CA服务器
接下来要把上一步生成的证书请求csr文件,发到CA服务器上(其中192.168.1.80为CA服务器)
scp /etc/nginx/ssl/nginx.csr 192.168.1.80:/etc/pki/CA/csr/nginx.csr 测试时节点和CA服务器是同一台,故使用以下命令 cp /etc/nginx/ssl/nginx.csr /etc/pki/CA/csr/nginx.csr
三.签署证书
1.在CA服务器上签署证书
私有CA根据请求来签署证书,在CA服务器上执行
openssl ca -in /etc/pki/CA/csr/nginx.csr -out /etc/pki/CA/nginx.crt -days 3650 另外在极少数状况下,上面的命令生成的证书不能识别,试试下面的命令: # openssl x509 -req -in /etc/pki/CA/csr/nginx.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out /etc/pki/CA/nginx2.crt
这里出错了,因为根证书是beijing而节点是shanghai
[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/nginx.csr -out /etc/pki/CA/nginx.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok The stateOrProvinceName field needed to be the same in the CA certificate (beijing) and the request (shanghai)
从新生成节点csr证书请求,设置区域为beijing
执行结果以下(成功):
[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/nginx.csr -out /etc/pki/CA/nginx.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 2 10:21:22 2017 GMT
Not After : May 31 10:21:22 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = home
organizationalUnitName = home
commonName = *.test.com
emailAddress = my@test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
96:D7:60:53:1E:52:3E:89:4F:A0:A4:3D:81:CA:97:D5:D8:67:AE:93
X509v3 Authority Key Identifier:
keyid:D5:71:B2:72:16:62:03:09:BB:6D:B2:14:5F:F2:3C:B5:AE:C1:BD:08
Certificate is to be certified until May 31 10:21:22 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
上面签发过程其实默认使用了-cert cacert.pem -keyfile cakey.pem,这两个文件就是前两步生成的位于/etc/pki/CA下的根密钥和根证书。
2.将crt证书发送给请求者
将生成的crt证书发回nginx服务器使用。192.168.137.61为nginx服务器地址
scp /etc/pki/CA/csr/nginx.crt 192.168.137.61:/etc/nginx/ssl/ 同一台本机使用 cp /etc/pki/CA/nginx.crt /etc/nginx/ssl/
到此咱们已经拥有了创建ssl安全链接所须要的全部文件,而且服务器的crt和key都位于配置的目录下,剩下的是如何使用证书的问题。
四.吊销证书
1.节点请求吊销
[root@localhost CA]# openssl x509 -in /etc/nginx/ssl/nginx.crt -noout -serial -subject serial=01 subject= /C=CN/ST=beijing/O=home/OU=home/CN=*.test.com/emailAddress=my@test.com
参数说明:
x509:证书格式 -in:要吊销的证书 -noout:不输出额外信息 -serial:显示序列号 -subject:显示subject信息
2.CA验证信息
2.1 节点提交的serial和subject信息来验证与index.txt文件中的信息是否一致
[root@localhost CA]# cat /etc/pki/CA/index.txt V 270531102122Z 01 unknown /C=CN/ST=beijing/O=home/OU=home/CN=*.17coolz.com/emailAddress=my@test.com
2.2 吊销证书
openssl ca -revoke /etc/pki/CA/newcerts/01.pem
参数说明 -revoke:删除证书。
执行结果
[root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 01. Data Base Updated
2.3 查看被吊销的证书列表
[root@localhost CA]# cat /etc/pki/CA/index.txt R 270531102122Z 170602103652Z 01 unknown /C=CN/ST=beijing/O=home/OU=home/CN=*.17coolz.com/emailAddress=my@test.com
2.4 生成吊销证书的编号(若是是第一次吊销)
echo 00 > /etc/pki/CA/crlnumber
2.5 更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
执行结果:
[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl Using configuration from /etc/pki/tls/openssl.cnf
2.6 查看吊消crl文件内容
openssl crl -in crl/ca.crl -noout -text
执行结果
[root@localhost CA]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=beijing/L=beijing/O=home/OU=homepart/CN=home.home/emailAddress=home@home.home
Last Update: Jun 2 10:41:24 2017 GMT
Next Update: Jul 2 10:41:24 2017 GMT
CRL extensions:
X509v3 CRL Number:
0
Revoked Certificates:
Serial Number: 01
Revocation Date: Jun 2 10:36:52 2017 GMT
Signature Algorithm: sha1WithRSAEncryption
a3:fc:cf:fd:08:44:d9:c0:fd:78:75:5f:79:3a:c3:16:17:da:
b8:b1:cc:d8:67:28:73:75:4a:e1:11:e3:04:de:0a:36:4f:d6:
de:ec:37:3b:0b:18:0f:24:18:d1:8b:c9:6a:f8:e0:d3:c6:cc:
42:67:5b:15:34:da:f9:49:eb:19:73:33:4e:ef:eb:cb:82:12:
4c:27:ee:5e:9d:50:5f:8b:0c:51:3a:05:e3:0f:fb:3c:0d:0b:
8e:af:17:5e:b2:7d:30:af:e6:60:f2:6e:7f:b5:b5:9b:b1:f7:
5e:d4:80:73:d3:cc:30:e1:78:71:db:81:a0:ad:49:6a:dc:5c:
12:bf:31:0f:11:59:54:80:e9:74:36:f7:98:e2:86:f2:29:3f:
b0:69:b8:a4:32:9d:1c:61:01:ed:0f:09:b0:10:be:f4:07:ac:
32:91:9c:cc:35:cf:c3:cb:44:6b:86:22:81:7d:7a:71:9d:5c:
34:da:30:47:5a:ce:0f:10:bc:2a:56:8f:41:85:de:95:48:5c:
d3:b2:90:ae:4f:7e:7c:d1:53:5c:6f:67:cb:aa:cc:78:5b:1a:
f6:31:5b:7e:04:03:73:da:6e:8d:00:d7:bf:db:75:6a:0e:44:
be:c1:20:0f:72:40:4c:29:fc:aa:87:30:9e:84:55:e1:76:a2:
00:05:39:18
参数说明
-text:以文本形式显示。
参考:
http://www.178linux.com/12742 http://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_011_ca.html http://seanlook.com/2015/01/18/openssl-self-sign-ca/
相关文章
- 1. Linux系统搭建私有CA证书服务器
- 2. 搭建CA服务器
- 3. 架设私有CA服务器
- 4. 搭建私有git服务
- 5. centos7 搭建私有云seafile服务器
- 6. 搭建私有git服务器
- 7. GIT 私有服务器搭建
- 8. 私有服务器搭建及配置
- 9. Docker私有服务器(harbor)搭建
- 10. 搭建私有Git服务器
- 更多相关文章...
- • Git 服务器搭建 - Git 教程
- • 服务器上的 XML - XML 教程
- • Spring Cloud 微服务实战(三) - 服务注册与发现
- • 再有人问你分布式事务,把这篇扔给他
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. Linux系统搭建私有CA证书服务器
- 2. 搭建CA服务器
- 3. 架设私有CA服务器
- 4. 搭建私有git服务
- 5. centos7 搭建私有云seafile服务器
- 6. 搭建私有git服务器
- 7. GIT 私有服务器搭建
- 8. 私有服务器搭建及配置
- 9. Docker私有服务器(harbor)搭建
- 10. 搭建私有Git服务器