
Building and managing your own CA server on Linux: a worked example

Published: 2015-04-02 22:12:08  Source: Linux website  Author: wodemeng

I. Building the CA's own certificate

Example steps:


1. Generate the key. The CA private key lives under /etc/pki/CA/private and is normally named cakey.pem; only the owner may access it. (Name and location must match what the configuration file expects.)

[root@wukui CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

....................+++

................+++

Command explanation:

umask 077: permission mask for the generated key file (owner only)

genrsa: generate an RSA private key

-out: path the private key is written to

2048: key length in bits (default 1024)


2. Self-sign the certificate

The public key is extracted from the private key automatically and placed in the self-signed certificate, which is later used to verify the certificates this CA issues.

Note the paths and file names: the key store directory is private, and the self-signed certificate goes directly in the CA directory, normally named cacert.pem (it must match the certificate name set in the configuration file).

(The configuration file /etc/pki/tls/openssl.cnf already carries default definitions; avoid modifying it.)

[root@wukui CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn ------------ country

State or Province Name (full name) []:ning --------- province

Locality Name (eg, city) [Default City]:ning ------- locality

Organization Name (eg, company) [Default Company Ltd]:ning ------ company name

Organizational Unit Name (eg, section) []:ning ------ department

Common Name (eg, your name or your server's hostname) []:wukui ---- CA server host name

Email Address []:ning@qq.com --------- administrator email

Command explanation:

req: generate a certificate signing request

-new: a new request

-key /path/to/keyfile: location of the private key file

-out /path/to/somefile: where the certificate is written

-x509: output a self-signed certificate instead of a request

-days n: validity period in days


3. Initialize the working environment

(# vim /etc/pki/tls/openssl.cnf: this configuration file already defines the CA layout; avoid modifying it. The files it refers to that do not exist yet are created by hand.)

[root@wukui CA]# touch /etc/pki/CA/{index.txt,serial}

[root@wukui CA]# echo 01 > serial ------- write the starting number; it is used afterwards to track how many certificates have been issued

index.txt ------ index file, matched against certificate serial numbers

serial ---- file holding the next certificate serial number


II. A client node requests a certificate

The node generates the request:


1. Generate the key

# mkdir /etc/httpd/ssl ---- create a directory to hold the private key and certificate

[root@localhost ~]# (umask 007; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)


2. Generate the certificate signing request

[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr

Country Name (2 letter code) [XX]:cn -------- country

State or Province Name (full name) []:ning --------- province

Locality Name (eg, city) [Default City]:ning -------------- locality

Organization Name (eg, company) [Default Company Ltd]:ning ------ company name

Organizational Unit Name (eg, section) []:ning ----- department

Common Name (eg, your name or your server's hostname) []:wukui ---- CA host name

Email Address []: --------- email

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ----------- request password; if set, the CA has to enter it when reading the request

An optional company name []: ----------- company name; if set, the CA has to enter it when reading the request


3. Send the signing request to the CA server (the file is transferred with scp, which runs over ssh)

[root@localhost ssl]# scp /etc/httpd/ssl/httpd.csr 172.16.3.1:/etc/pki/CA/

root@172.16.3.1's password: --------- enter the CA server's password

httpd.csr


III. The CA signs the certificate


1. Verify the information in the request


2. Sign the certificate

[root@wukui csr]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/httpd.crt -days 100 (note that the certificate file gets the .crt suffix)

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details: -------------------- verify the information in the certificate

Serial Number: 1 (0x1)

Validity

Not Before: Jul 16 10:54:02 2014 GMT

Not After : Oct 24 10:54:02 2014 GMT

Subject:

countryName = cn

stateOrProvinceName = ning

organizationName = ning

organizationalUnitName = ning

commonName = wukui

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

3D:EB:37:A6:FC:AC:E5:C9:C9:8C:BB:F2:19:51:F6:15:A3:0C:FC:A7

X509v3 Authority Key Identifier:

keyid:BC:93:47:99:8D:66:D0:29:7E:B1:E6:3D:EE:ED:81:99:39:F1:4F:CB

Certificate is to be certified until Oct 24 10:54:02 2014 GMT (100 days)

Sign the certificate? [y/n]:y ----------------- asks whether to sign

1 out of 1 certificate requests certified, commit? [y/n]y ----- confirm here

Write out database with 1 new entries

Data Base Updated


3. Send it back to the requester

[root@wukui csr]# scp httpd.crt 172.16.3.20:/root/

The authenticity of host '172.16.3.20 (172.16.3.20)' can't be established.

RSA key fingerprint is ad:a7:77:c0:0d:6a:a5:6b:88:69:f4:75:a8:be:73:7d.

Are you sure you want to continue connecting (yes/no)? y

Please type 'yes' or 'no': yes

Warning: Permanently added '172.16.3.20' (RSA) to the list of known hosts.

root@172.16.3.20's password:

httpd.crt
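The whole procedure of parts I to III as one script, added here as an example and not part of the original article: it builds a CA in any directory with its own openssl.cnf (so it never touches /etc/pki/tls/openssl.cnf), issues a server certificate non-interactively and verifies it against the CA. It goes beyond the article in also revoking that certificate, regenerating the CRL and showing that verification with -crl_check then fails. The directory layout, section names and subject values are assumptions.

```shell
# Added example, not the article's own commands: a self-contained CA in any
# directory, with its own openssl.cnf (layout, section names and DN are assumptions)
set -e
make_ca() {   # $1 = CA directory: key, self-signed cert, index/serial/crlnumber, empty CRL
  d=$1; mkdir -p "$d/private" "$d/newcerts" "$d/crl"
  touch "$d/index.txt"; echo 01 > "$d/serial"; echo 00 > "$d/crlnumber"
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 100
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # umask 077: the CA private key is readable by its owner only, as in the article
  (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/private/cakey.pem" \
    -out "$d/cacert.pem" -days 3655 -subj "/C=cn/ST=ning/O=ning/CN=wukui"
  openssl ca -config "$d/openssl.cnf" -gencrl -crldays 30 -out "$d/crl/ca.crl" 2>/dev/null
}
issue_cert() {   # $1 = CA dir, $2 = name: key + CSR on the "node", then signed by the CA
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2"
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}
revoke_cert() {   # $1 = CA dir, $2 = name: marks the index.txt entry R, rebuilds the CRL
  openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$1/crl/ca.crl" 2>/dev/null
}
verify_cert() {   # $1 = CA dir, $2 = name: exit 0 only if it chains to the CA and is not revoked
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/ca.crl" "$1/$2.crt" >/dev/null 2>&1
}
```

Run it as `CA=$(mktemp -d); make_ca "$CA"; issue_cert "$CA" httpd; verify_cert "$CA" httpd && echo OK`, then `revoke_cert "$CA" httpd` and repeat the verify to see the revoked certificate rejected.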


Revoking a certificate: worked example


I. On the node

1. Obtain the certificate's serial number

# openssl x509 -in /path/to/certificate_file.crt -noout -serial -subject

Command explanation:

x509: operate on a certificate in X.509 format

-in: path of the certificate to be revoked

-noout: do not print the encoded certificate itself

-serial: print the serial number

-subject: print the subject

Example: [root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject

serial=01

subject=/C=cn/ST=ning/O=ning/OU=ning/CN=wukui


II. The CA verifies the information

2. Check that the serial and subject submitted by the node match the corresponding entry in index.txt on the CA server;

Example: on the node [root@localhost ssl]# openssl x509 -in httpd.crt -noout -serial -subject

serial=01

subject=/C=cn/ST=ning/O=ning/OU=ning/CN=wukui

On the server [root@localhost CA]# cat index.txt

V 141024105402Z 01 unknown /C=cn/ST=ning/O=ning/OU=ning/CN=wukui

(V: the certificate is in normal use and has not been revoked)

3. Revoke the certificate (look up its number first)

# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

-revoke: revoke the certificate (its index.txt entry is marked R)

Example:

(1) Look up the certificate number: [root@localhost CA]# ls /etc/pki/CA/newcerts

01.pem

(2) Revoke by certificate number: [root@localhost CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem

Using configuration from /etc/pki/tls/openssl.cnf

Revoking Certificate 01.

Data Base Updated

(3) Check that it has been revoked: [root@localhost CA]# cat /etc/pki/CA/index.txt

R 141024105402Z 140716195137Z 01 unknown /C=cn/ST=ning/O=ning/OU=ning/CN=wukui

(R: revoked)

4. Create the CRL number file (only needed the first time a certificate is revoked)

# echo 00 > /etc/pki/CA/crlnumber

Example:

[root@localhost CA]# echo 00 > /etc/pki/CA/crlnumber

5. Update the certificate revocation list file

# cd /etc/pki/CA/crl/ ---- change into the CRL directory

# openssl ca -gencrl -out ning.crl (the CRL file name is arbitrary)

Command explanation:

-gencrl: generate the revocation list

Example: [root@localhost crl]# openssl ca -gencrl -out ning.crl

Using configuration from /etc/pki/tls/openssl.cnf

If needed, view the contents of the CRL file:

# openssl crl -in /path/to/crlfile.crl -noout -text

Command explanation:

-text: print the CRL in readable text form

Example: [root@localhost crl]# openssl crl -in /etc/pki/CA/crl/ning.crl -noout -text

Certificate Revocation List (CRL):

Version 2 (0x1)

Signature Algorithm: sha1WithRSAEncryption

Issuer: /C=cn/ST=ning/L=ning/O=ning/OU=ning/CN=wukui/emailAddress=ning@qq.com

Last Update: Jul 16 20:08:26 2014 GMT

Next Update: Aug 15 20:08:26 2014 GMT

CRL extensions:

X509v3 CRL Number:

0

Revoked Certificates:

Serial Number: 01

Revocation Date: Jul 16 19:51:37 2014 GMT ------- this certificate has been revoked

Signature Algorithm: sha1WithRSAEncryption

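The cross-check from step 2 of the revocation section (the node's serial and subject against the CA's index.txt), written as a shell function; this is an added example and not the article's own code. The two index lines are constructed sample data, and the index.txt column layout described in the comments is the one the openssl ca database actually uses.

```shell
# Added example, not from the article: look up a node's claimed serial + subject in
# the CA's index.txt. The index lines below are constructed sample data.
# index.txt fields are tab separated: status (V valid, R revoked, E expired), expiry,
# revocation date (empty unless R), serial, certificate file name, subject.
SAMPLE_INDEX=$(printf 'V\t141024105402Z\t\t02\tunknown\t/C=cn/ST=ning/O=ning/CN=web\nR\t141024105402Z\t140716195137Z\t01\tunknown\t/C=cn/ST=ning/O=ning/OU=ning/CN=wukui')

# cert_status INDEX SERIAL SUBJECT: prints valid, "revoked <date>", expired, or unknown.
# Serial and subject must both match one line; a serial whose recorded subject differs
# from what the node claims is reported as unknown instead of being trusted.
cert_status() {
  awk -F'\t' -v s="$2" -v subj="$3" '
    $4 == s && $6 == subj {
      if ($1 == "V") print "valid"
      else if ($1 == "R") print "revoked " $3
      else print "expired"
      found = 1; exit
    }
    END { if (!found) print "unknown" }' "$1"
}
```

Against a real CA, pass /etc/pki/CA/index.txt as the first argument and the values printed by openssl x509 -noout -serial -subject (without the serial= and subject= prefixes) as the other two.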


CA management:

1. Check how many certificates have been issued:

[root@localhost CA]# cat /etc/pki/CA/serial

02

2. View the records of issued certificates:

[root@localhost CA]# ls /etc/pki/CA/newcerts/

01.pem

3. View the directory of requests waiting to be signed

[root@localhost CA]# ls /etc/pki/csr

httpd.csr

4. View the directory of signed certificates

[root@localhost CA]# ls /etc/pki/certs

httpd.crt

5. View certificate serial numbers and subjects

[root@localhost CA]# cat /etc/pki/CA/index.txt

V 141024105402Z 01 unknown /C=cn/ST=ning/O=ning/OU=ning/CN=wukui

6. View the revocation list file

[root@localhost crl]# openssl crl -in /etc/pki/CA/crl/ning.crl -noout -text