Welcome to SJsir's Shengjie Blog

A Linux operation and maintenance engineer's Blogs

Self-signed CA certificate

Assume the CA host's IP is 10.1.252.234 and the server requesting a signed certificate is 10.1.253.53
Building a private CA: openssl/OpenCA

  1. On the host chosen to act as the CA, generate a self-signed certificate and create the directories and files the CA requires

    (1) Generate the private key:
        # (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
    (2) Generate the self-signed certificate:
        # openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
            -new: generate a new certificate signing request;
            -x509: output a self-signed certificate instead of a request; used when creating a private CA;
            -key: path to the private key used to generate the request (the key generated in the previous step);
            -out: path of the generated request file; with -x509 the signed certificate is written here directly;
            -days: validity period of the certificate, in days
                Country Name (2 letter code) [XX]:CN
                State or Province Name (full name) []:Beijing
                Locality Name (eg, city) [Default City]:Beijing
                Organization Name (eg, company) [Default Company Ltd]:Sjsir
                Organizational Unit Name (eg, section) []:Ops
                Common Name (eg, your name or your server's hostname) []:ca.sjsir.wang
                Email Address []:caadmin@sjsir.wang
    (3) Create the directories and files the CA needs:
        # mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
        # touch /etc/pki/CA/{serial,index.txt}
        # echo 01 > /etc/pki/CA/serial

  2. A server that needs a certificate for secure communication must ask the CA to sign one (using the httpd service as an example):

    (1) Generate a private key on the host that will use the certificate:
        # mkdir /etc/httpd/ssl
        # (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
    (2) Generate the certificate signing request (the validity period is set by the CA at signing time, in step (4)):
        # openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
            Country Name (2 letter code) [XX]:CN
            State or Province Name (full name) []:Beijing
            Locality Name (eg, city) [Default City]:Beijing
            Organization Name (eg, company) [Default Company Ltd]:Sjsir
            Organizational Unit Name (eg, section) []:Ops
            Common Name (eg, your name or your server's hostname) []:www.sjsir.wang
            Email Address []:caadmin@sjsir.wang
    (3) Send the request to the CA host over a trusted channel:
        # scp /etc/httpd/ssl/httpd.csr root@10.1.252.234:/tmp/
    (4) Sign the certificate on the CA host (run on the CA host):
        # openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
            Answer y at the prompts that follow; you may set a password on the certificate or leave it unset;
        View the information in the certificate on the CA host:
            # openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
    (5) Copy the certificate signed on the CA host back to the server that requested it:
        # scp /etc/pki/CA/certs/httpd.crt root@10.1.253.53:/etc/httpd/ssl/
        View the information in the certificate on the server:
        # openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject

  3. Revoking a certificate:

    (1) The client obtains the serial of the certificate to be revoked (run on the host that uses the certificate):
        # openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject    (client)
        # openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject  (CA host)
    (2) The CA host revokes the certificate:
        First compare the serial and subject submitted by the client with the entry stored in the CA's local database index.txt and confirm they match;
        The file to revoke is the CA's copy: /etc/pki/CA/newcerts/SERIAL.pem
        # openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem    (SERIAL is the serial of the certificate to revoke)
    (3) Initialize the CRL number (run only the first time a certificate is revoked):
        # echo 01 > /etc/pki/CA/crlnumber
    (4) Update the certificate revocation list:
        # openssl ca -gencrl -out thisca.crl
        View the contents of the CRL file:
        # openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
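The whole procedure from steps 1 to 3, replayed non-interactively in a throwaway directory, as an added example that is not part of the original post. It writes its own minimal openssl.cnf instead of relying on the distro's /etc/pki/CA layout, uses the post's hostnames as constructed sample subjects, and checks with `openssl verify` that the server certificate validates before revocation and is rejected once the CRL is consulted; it assumes only an `openssl` binary on PATH.

```shell
demo_ca() {
  cadir=$(mktemp -d) || return 1; cfg="$cadir/openssl.cnf"
  mkdir -p "$cadir/private" "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/server"
  touch "$cadir/index.txt"; echo 01 > "$cadir/serial"; echo 01 > "$cadir/crlnumber"
  cat > "$cfg" <<EOF  # minimal config: point openssl req/ca at this dir instead of /etc/pki/CA
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $cadir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.sjsir.wang
EOF
  # Step 1: CA key and self-signed root (3655 days); step 2: server key and CSR, signed for 365 days
  (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null) || return 1
  openssl req -new -x509 -config "$cfg" -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" \
    -days 3655 -subj "/O=Sjsir/CN=ca.sjsir.wang" || return 1
  (umask 077; openssl genrsa -out "$cadir/server/httpd.key" 2048 2>/dev/null) || return 1
  openssl req -new -config "$cfg" -key "$cadir/server/httpd.key" -out "$cadir/server/httpd.csr" \
    -subj "/O=Sjsir/CN=www.sjsir.wang" || return 1
  openssl ca -batch -config "$cfg" -in "$cadir/server/httpd.csr" -out "$cadir/certs/httpd.crt" -days 365 2>/dev/null || return 1
  openssl verify -CAfile "$cadir/cacert.pem" "$cadir/certs/httpd.crt" | grep -q ': OK' || return 1
  # Step 3: revoke by serial (newcerts/<serial>.pem is the CA's copy), publish the CRL, then confirm a CRL-aware verify rejects it
  serial=$(openssl x509 -in "$cadir/certs/httpd.crt" -noout -serial | cut -d= -f2)
  openssl ca -batch -config "$cfg" -revoke "$cadir/newcerts/$serial.pem" 2>/dev/null || return 1
  openssl ca -batch -config "$cfg" -gencrl -out "$cadir/crl/thisca.crl" 2>/dev/null || return 1
  openssl verify -crl_check -CAfile "$cadir/cacert.pem" -CRLfile "$cadir/crl/thisca.crl" \
    "$cadir/certs/httpd.crt" 2>&1 | grep -q 'revoked' || return 1
  echo "$cadir"
}
```

The function prints the working directory on success, so index.txt (the "V" entry turned into an "R" entry) and crl/thisca.crl can be inspected with the `openssl crl -noout -text` command from step (4).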