I. Experiment Overview

OpenSSL is a Secure Sockets Layer cryptographic library. It includes the major cryptographic algorithms, the common key and certificate packaging and management functions, and the SSL protocol, and it ships a rich set of command-line applications for testing and other purposes.
OpenSSL is an open-source suite made up of three parts: libcrypto, a general-purpose cryptographic library that implements a large number of cryptographic algorithms; libssl, which implements the SSL mechanism, i.e. the TLS/SSL functionality; and openssl, a multi-purpose command-line tool that can encrypt and decrypt and can even act as a CA, letting you create and revoke certificates.

II. Experiment Environment

CentOS 6.9 x86_64 (the machine requesting a signed certificate), CentOS 7.3 x86_64 (the machine hosting the private CA), VMware Workstation 12.

III. Experiment Procedure

1. Check whether OpenSSL is installed on the host that will become the CA

[root@centos7 ~]# rpm -qa openssl  # check whether openssl is installed
openssl-1.0.1e-60.el7.x86_64
[root@centos7 ~]# rpm -ql openssl  # list the files in the openssl package; some of the directories below are used later
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl    # directory for revoked certificates (the CRL)
/etc/pki/CA/newcerts # copies of every certificate the CA has signed (issued); the CA's backup directory
/etc/pki/CA/private  # holds the CA's private key
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
...(remaining output omitted)...
[root@centos7 ~]# yum install openssl -y  # install with this command if it is not present

2. Create the private CA server

a. Create the required files (only needed the first time the CA is used)

[root@centos7 ~]# touch /etc/pki/CA/index.txt   # create the certificate index database
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial  # set the serial number of the first certificate to be issued

b. Generate the CA's private key

[root@centos7 ~]# cd /etc/pki/CA/  # change to the CA directory
[root@centos7 CA]# (umask 006; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)  # generate the private key
Generating RSA private key, 2048 bit long modulus
.........+++
......................................+++
e is 65537 (0x10001)
[root@centos7 CA]# ls -l private/cakey.pem
-rw-rw----. 1 root root 1675 Jul 17 17:22 cakey.pem

c. Generate the CA's self-signed certificate

[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem   # the CA generates its self-signed certificate
...(prompt text omitted)...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.hengxia.top
Email Address []:miouqi@qq.com
[root@centos7 CA]# ls -l
total 12
-rw-r--r--. 1 root root 1403 Jul 17 17:59 cacert.pem
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--. 1 root root    0 Jul 17 16:47 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root   23 Jul 17 17:22 private
-rw-rw----. 1 root root 1675 Jul 17 17:18 privatecakey.pem
-rw-r--r--. 1 root root    3 Jul 17 16:48 serial

3. Issue a certificate

a. On the host that needs the certificate, generate a private key for the web server

[root@centos6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
................................................+++
e is 65537 (0x10001)

b. On the host that needs the certificate, generate a certificate signing request for the web server

[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr  # -days is ignored without -x509; the validity period is set by the CA when it signs
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # under the default policy the country must match the CA's
State or Province Name (full name) []:Beijing  # under the default policy the province must match the CA's
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt # under the default policy the organization name must match the CA's
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:*.testweb.com
Email Address []:test@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

c. Transfer the certificate request to the CA

[root@centos6 ~]# scp /etc/pki/tls/test.csr 172.16.251.124:/tmp
The authenticity of host '172.16.251.124 (172.16.251.124)' can't be established.
RSA key fingerprint is 8e:d7:ac:fd:71:70:22:e7:ff:98:ed:61:96:85:5f:b7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.251.124' (RSA) to the list of known hosts.
root@172.16.251.124's password:
test.csr                                          100% 1050     1.0KB/s   00:00 

d. The CA signs the certificate and issues it to the requester

[root@centos7 ~]# openssl ca -in  /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 17 11:57:46 2017 GMT
            Not After : Jul 17 11:57:46 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Hxt
            organizationalUnitName    = Ops
            commonName                = *.testweb.com
            emailAddress              = test@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
            X509v3 Authority Key Identifier:
                keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8
Certificate is to be certified until Jul 17 11:57:46 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

e. View the information in the certificate

[root@centos7 ~]# openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=Hxt, OU=Ops, CN=www.hengxia.top/emailAddress=miouqi@qq.com
        Validity
            Not Before: Jul 17 11:57:46 2017 GMT
            Not After : Jul 17 11:57:46 2018 GMT
        Subject: C=CN, ST=Beijing, O=Hxt, OU=Ops, CN=*.testweb.com/emailAddress=test@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e3:84:72:59:14:c2:00:91:6c:d0:b4:f1:b4:6b:
                    72:bb:a4:05:6c:ae:00:bf:b0:4b:e1:b0:1f:9a:a7:
                    05:68:b7:73:60:ca:f5:95:59:90:cd:a3:ef:da:29:
                    fd:83:5d:fc:bc:53:9d:4b:cb:87:c6:d9:00:1f:36:
                    06:26:a4:15:ac:7f:01:67:4b:60:ee:af:40:30:5c:
                    60:1c:fb:7c:33:8e:aa:45:f7:5b:55:e8:57:07:40:
                    05:ab:4a:9e:25:ec:2c:ce:f3:6d:fb:e9:a2:eb:c0:
                    59:49:84:5f:f7:68:98:16:c2:4e:db:ab:43:50:80:
                    f0:71:f6:d4:9d:57:1b:a4:4d:89:e3:2f:fa:fe:48:
                    5e:da:84:d6:64:64:36:fd:2d:03:38:0e:fe:0d:65:
                    9a:0e:37:66:52:d3:60:ea:5d:dc:5b:36:2c:d1:25:
                    ef:0b:e6:50:5a:81:78:00:b4:f4:c7:68:ca:d1:d0:
                    21:d1:37:49:7a:99:1d:2d:2d:3d:7f:9e:4a:5b:87:
                    83:d6:96:8d:84:d9:88:b7:c0:c9:63:43:4c:06:d9:
                    19:d7:b9:5a:99:8a:7c:1b:52:04:d7:a1:e0:bb:87:
                    bc:bd:77:1c:c9:ea:19:2e:97:f2:86:2c:fe:37:95:
                    1a:df:e1:bb:4a:9e:26:c7:d1:1e:21:d8:1b:cd:ae:
                    8d:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:6B:86:66:B0:41:9D:E7:C0:43:65:B4:85:51:BC:62:82:1F:91:A8
            X509v3 Authority Key Identifier:
                keyid:1A:FC:24:EA:FA:D8:03:E4:4E:2D:19:04:3D:DB:2A:30:43:88:F7:D8

    Signature Algorithm: sha256WithRSAEncryption
         26:21:51:45:0d:8c:f4:75:25:3e:e2:13:fa:d4:7a:60:ea:ba:
         78:b7:aa:61:57:a5:80:9d:09:95:0a:e8:09:1d:69:20:43:1c:
         ee:54:b2:65:cb:0c:13:5a:e1:59:61:2d:95:ee:c6:09:f3:7d:
         cf:e0:dc:7c:5e:11:22:bc:7b:cc:aa:e5:3e:4a:ed:56:5a:9d:
         8b:8f:9b:6d:34:85:b1:f6:9e:87:07:c4:b0:5a:61:92:ca:30:
         66:29:fb:ea:7d:68:90:ca:30:a9:85:64:8b:90:99:01:7c:27:
         d6:62:c7:de:e0:f8:9d:00:6b:7b:39:d3:01:eb:32:9e:71:89:
         f6:17:d4:7b:08:8f:9d:48:11:e1:c5:91:91:73:fd:f5:19:b6:
         35:a1:15:ad:6c:78:fc:ba:e9:ea:d1:9a:8f:13:8a:bb:ec:cc:
         79:c8:c9:f4:0d:a1:a7:c5:f5:90:e8:3b:46:d2:9f:55:85:41:
         e6:36:8e:fe:3f:59:33:77:37:95:51:2e:68:cd:93:79:fd:11:
         db:71:d0:e7:2c:61:34:bc:db:ef:89:68:f5:ae:42:5f:df:79:
         ed:f7:e5:2f:9a:a7:ef:a9:8b:81:d7:32:21:13:59:91:06:4b:
         8f:65:82:1a:b6:7c:e6:dc:9c:98:b5:dd:79:c7:9e:49:39:1d:
         20:b6:d8:e6
[root@centos7 ~]# openssl ca -status 01 # check the status of the certificate with the given serial number
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

f. The CA sends the signed certificate back to the requester

[root@centos7 ~]# scp /etc/pki/CA/certs/test.crt 172.16.250.164:/tmp
The authenticity of host '172.16.250.164 (172.16.250.164)' can't be established.
RSA key fingerprint is 46:78:bc:dd:e2:7d:a8:b6:b7:f0:60:53:c4:72:30:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.250.164' (RSA) to the list of known hosts.
root@172.16.250.164's password:
test.crt                                          100% 4592     4.5KB/s   00:00 

g. The CA deletes the requester's certificate request file

[root@centos7 ~]# rm  -f /tmp/test.csr 

4. Revoke a certificate

a. On the client, obtain the serial number of the certificate to be revoked

[root@centos6 ~]# openssl x509 -in /tmp/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Hxt/OU=Ops /CN=www.testweb.com/emailAddress=*.testweb.com

b. On the CA, check that the serial and subject submitted by the client match the corresponding entry in index.txt; if they match, revoke the certificate

[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

c. The CA sets the starting CRL number (crlnumber); note: this is only needed once, before the first CRL is generated

[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber

d. The CA generates (updates) the certificate revocation list

[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 ~]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text # view the CRL
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=www.hengxia.top/emailAddress=miouqi@qq.com
        Last Update: Jul 17 12:23:07 2017 GMT
        Next Update: Aug 16 12:23:07 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jul 17 12:21:16 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         90:a6:22:84:bf:eb:98:d7:58:bd:22:8d:5c:41:e1:1e:2f:70:
         6c:e2:40:68:ce:c4:06:e1:2d:70:59:98:d9:27:6f:24:d4:63:
         4c:d6:81:25:ab:ac:70:1b:89:65:4c:cc:2e:20:12:66:78:bc:
         3e:60:4f:6d:28:72:53:7f:e0:65:92:c3:86:b2:7c:1f:dc:46:
         2b:f6:ba:c1:2e:73:36:4b:60:08:8f:e1:bb:0d:f9:fe:11:bb:
         8a:4c:92:1f:aa:a8:9f:ec:f6:45:b9:a4:1e:60:ab:70:4e:f9:
         09:23:83:6e:12:ed:42:bd:dd:33:99:e9:ee:a6:44:2b:89:7c:
         60:70:0a:1f:0f:ca:0a:62:5a:b9:5c:f9:ea:46:30:f3:1d:2e:
         a0:89:c1:85:a8:0f:de:3a:3a:0a:1a:c3:76:99:0b:9f:55:d5:
         57:52:65:bc:2e:ff:ee:a6:d0:71:24:02:56:6d:a7:fa:5a:f1:
         88:92:53:35:66:46:ab:59:fa:cf:09:6b:37:b6:39:7a:9d:ba:
         b2:8d:d5:dc:a0:38:39:76:81:85:16:72:22:39:1d:ae:fd:22:
         21:61:00:e9:f2:7e:71:43:e9:a3:f9:44:5b:44:83:a2:1a:82:
         82:8f:e1:0f:f6:57:d5:b4:62:3a:c1:5e:35:21:6f:2f:ff:11:
         fb:98:95:23

IV. Notes

1. Breakdown of the CA self-signing command: openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request
-x509: used by the CA to produce a self-signed certificate instead of a request
-key: the private key file used to generate the request
-days n: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: path where the certificate is saved

2. The CA's configuration file is /etc/pki/tls/openssl.cnf. The CA's three field policies (match, supplied and optional) are configured there: match means the value the requester fills in must be identical to the CA's own value; supplied means the field must be present in the request; optional means it may be present or absent.
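The whole workflow of sections 2 to 4 (and the policy section from note 2), as an added example that is not the article's own code: it runs from a throwaway directory with its own openssl.cnf, so nothing under /etc/pki is touched and it can be run on any machine with the openssl CLI on PATH. The function names (ca_init, ca_issue, ca_status, ca_revoke, ca_verify, demo_run), the demo_ca section name and the "Demo Root CA" subject are assumptions of this example; the server subject reuses the article's values.

```shell
#!/bin/sh
# Added example (not the article's code): the CA workflow of sections 2-4 run from a
# throwaway directory with its own openssl.cnf, so /etc/pki is never touched. Assumes
# only the openssl CLI on PATH; the function and config section names are ours.
set -eu

# Steps 2a-2c: directory layout, index/serial/crlnumber files, config, CA key and cert.
ca_init() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"          # certificate database, one line per issued cert
    echo 01 > "$dir/serial"       # serial of the first certificate to issue
    echo 01 > "$dir/crlnumber"    # number of the first CRL (the article's step 4c)
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match
x509_extensions  = usr_cert
# match = must equal the CA's value, supplied = must be present, optional = may be
# absent. A field not listed at all (localityName) is dropped from the issued subject.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # umask 077 keeps the CA key owner-only (the article's umask 006 leaves it group rw).
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 -extensions v3_ca \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=Demo Root CA"
    # An empty initial CRL, so -crl_check verification works before any revocation.
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/crl.pem" 2>/dev/null
}

# Step 3: server key and CSR, then the CA signs it. -batch replaces the two y/n
# prompts; the CSR subject has to satisfy policy_match or signing is refused.
ca_issue() {
    dir="$1"; name="$2"; cn="$3"
    (umask 077; openssl genrsa -out "$dir/private/$name.key" 2048 2>/dev/null)
    openssl req -config "$dir/openssl.cnf" -new -key "$dir/private/$name.key" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Hxt/OU=Ops/CN=$cn" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -batch -notext -days 365 \
        -in "$dir/$name.csr" -out "$dir/certs/$name.crt" 2>/dev/null
}

# Status letter for a serial, read from index.txt (what `openssl ca -status` reports):
# V = valid, R = revoked, E = expired. Fields are tab-separated; the 4th is the serial.
ca_status() {
    awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"
}

# Steps 4b and 4d: revoke the CA's copy (newcerts/<serial>.pem) and regenerate the CRL.
ca_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}

# What a relying party does: chain-validate against the CA cert and its current CRL.
ca_verify() {
    if openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl/crl.pem" \
            "$1/certs/$2.crt" >/dev/null 2>&1; then echo valid; else echo rejected; fi
}

# Whole flow (issue, verify, revoke, verify again). Run with: sh demo_ca.sh run
demo_run() {
    d=$(mktemp -d)
    ca_init "$d"; ca_issue "$d" test '*.testweb.com'
    echo "after issue:  status=$(ca_status "$d" 01) verify=$(ca_verify "$d" test)"
    ca_revoke "$d" 01
    echo "after revoke: status=$(ca_status "$d" 01) verify=$(ca_verify "$d" test)"
    rm -rf "$d"
}
if [ "${1:-}" = run ]; then demo_run; fi
```

Three points worth noticing when comparing this with the article's session. First, the policy section is why the issued certificate in step 3d has no L=Beijing even though the request supplied one: openssl ca copies only the fields named in the policy, so an unlisted field is silently dropped. Second, the example uses umask 077 for both keys, whereas the article's umask 006 produces the -rw-rw---- CA key shown in its own ls output, readable and writable by the whole root group. Third, a certificate that carries the hostname only in the CN, as *.testweb.com does here and in the article, is rejected by current browsers, which require a subjectAltName extension; add one (for example via a request extension section and copy_extensions = copy in the CA section) before using such a certificate for HTTPS.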
