Introduction

A Certificate Authority (CA) is an entity responsible for issuing digital certificates to verify identities on the internet. Although public CAs are a popular choice for verifying the identity of websites and other services that are provided to the general public, private CAs are typically used for closed groups and private services.

Building a private Certificate Authority will enable you to configure, test, and run programs that require encrypted connections between a client and a server. With a private CA, you can issue certificates for users, servers, or individual programs and services within your infrastructure.

Some examples of programs on Linux that use their own private CA are OpenVPN and Puppet . You can also configure your web server to use certificates issued by a private CA in order to make development and staging environments match production servers that use TLS to encrypt connections.

In this guide, we’ll learn how to set up a private Certificate Authority on an Ubuntu 20.04 server, and how to generate and sign a testing certificate using your new CA. You will also learn how to import the CA server’s public certificate into your operating system’s certificate store so that you can verify the chain of trust between the CA and remote servers or users. Finally you will learn how to revoke certificates and distribute a Certificate Revocation List to make sure only authorized users and systems can use services that rely on your CA.

Prerequisites

To complete this tutorial, you will need access to an Ubuntu 20.04 server to host your CA server. You will need to configure a non-root user with sudo privileges before you start this guide. You can follow our Ubuntu 20.04 initial server setup guide to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which is assumed to be in place throughout this guide.

This server will be referred to as the CA Server in this tutorial.

Ensure that the CA Server is a standalone system. It will only be used to import, sign, and revoke certificate requests. It should not run any other services, and ideally it will be offline or completely shut down when you are not actively working with your CA.

Note: The last section of this tutorial is optional if you would like to learn about signing and revoking certificates. If you choose to complete those practice steps, you will need a second Ubuntu 20.04 server or you can also use your own local Linux computer running Ubuntu or Debian, or distributions derived from either of those.

Step 1 — Installing Easy-RSA

The first task in this tutorial is to install the easy-rsa set of scripts on your CA Server. easy-rsa is a Certificate Authority management tool that you will use to generate a private key, and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.

Login to your CA Server as the non-root sudo user that you created during the initial setup steps and run the following:

  • sudo apt update
  • sudo apt install easy-rsa

You will be prompted to download the package and install it. Press y to confirm you want to install the package.

At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.

Step 2 — Preparing a Public Key Infrastructure Directory

Now that you have installed easy-rsa, it is time to create a skeleton Public Key Infrastructure (PKI) on the CA Server. Ensure that you are still logged in as your non-root user and create an easy-rsa directory. Make sure that you do not use sudo to run any of the following commands, since your normal user should manage and interact with the CA without elevated privileges.

  • mkdir ~/easy-rsa

This will create a new directory called easy-rsa in your home folder. We’ll use this directory to create symbolic links pointing to the easy-rsa package files that we’ve installed in the previous step. These files are located in the /usr/share/easy-rsa folder on the CA Server.

Create the symlinks with the ln command:

  • ln -s /usr/share/easy-rsa/* ~/easy-rsa/

Note: While other guides might instruct you to copy the easy-rsa package files into your PKI directory, this tutorial adopts a symlink approach. As a result, any updates to the easy-rsa package will be automatically reflected in your PKI’s scripts.

To restrict access to your new PKI directory, ensure that only the owner can access it using the chmod command:

  • chmod 700 /home/sammy/easy-rsa

Finally, initialize the PKI inside the easy-rsa directory:

  • cd ~/easy-rsa
  • ./easyrsa init-pki
Output
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/sammy/easy-rsa/pki

After completing this section you have a directory that contains all the files that are needed to create a Certificate Authority. In the next section you will create the private key and public certificate for your CA.

Step 3 — Creating a Certificate Authority

Before you can create your CA’s private key and certificate, you need to create and populate a file called vars with some default values. First you will cd into the easy-rsa directory, then you will create and edit the vars file with nano or your preferred text editor:

  • cd ~/easy-rsa
  • nano vars

Once the file is opened, paste in the following lines and edit each highlighted value to reflect your own organization info. The important part here is to ensure that you do not leave any of the values blank:

~/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "NewYork"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "DigitalOcean"
set_var EASYRSA_REQ_EMAIL      "admin@example.com"
set_var EASYRSA_REQ_OU         "Community"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"

When you are finished, save and close the file. If you are using nano, you can do so by pressing CTRL+X, then Y and ENTER to confirm. You are now ready to build your CA.

To create the root public and private key pair for your Certificate Authority, run the ./easyrsa command again, this time with the build-ca option:

  • ./easyrsa build-ca

In the output, you’ll see some lines about the OpenSSL version and you will be prompted to enter a passphrase for your key pair. Be sure to choose a strong passphrase, and note it down somewhere safe. You will need to input the passphrase any time that you need to interact with your CA, for example to sign or revoke a certificate.

You will also be asked to confirm the Common Name (CN) for your CA. The CN is the name used to refer to this machine in the context of the Certificate Authority. You can enter any string of characters for the CA’s Common Name but for simplicity’s sake, press ENTER to accept the default name.

Output
. . .
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
. . .
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/sammy/easy-rsa/pki/ca.crt

Note: If you don’t want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option, like this:

  • ./easyrsa build-ca nopass

You now have two important files — ~/easy-rsa/pki/ca.crt and ~/easy-rsa/pki/private/ca.key — which make up the public and private components of a Certificate Authority.

  • ca.crt is the CA’s public certificate file. Users, servers, and clients will use this certificate to verify that they are part of the same web of trust. Every user and server that uses your CA will need to have a copy of this file. All parties will rely on the public certificate to ensure that someone is not impersonating a system and performing a Man-in-the-middle attack.

  • ca.key is the private key that the CA uses to sign certificates for servers and clients. If an attacker gains access to your CA and, in turn, your ca.key file, you will need to destroy your CA. This is why your ca.key file should only be on your CA machine and that, ideally, your CA machine should be kept offline when not signing certificate requests as an extra security measure.

With that, your CA is in place and it is ready to be used to sign certificate requests, and to revoke certificates.

Step 4 — Distributing your Certificate Authority’s Public Certificate

Now your CA is configured and ready to act as a root of trust for any systems that you want to configure to use it. You can add the CA’s certificate to your OpenVPN servers, web servers, mail servers, and so on. Any user or server that needs to verify the identity of another user or server in your network should have a copy of the ca.crt file imported into their operating system’s certificate store.

To import the CA’s public certificate into a second Linux system like another server or a local computer, first obtain a copy of the ca.crt file from your CA server. You can use the cat command to output it in a terminal, and then copy and paste it into a file on the second computer that is importing the certificate. You can also use tools like scp, rsync to transfer the file between systems. However we’ll use copy and paste with nano in this step since it will work on all systems.

As your non-root user on the CA Server, run the following command:

  • cat ~/easy-rsa/pki/ca.crt

There will be output in your terminal that is similar to the following:

Output
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUcR9Crsv3FBEujrPZnZnU4nSb5TMwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjAwMzE4MDMxNjI2WhcNMzAw
. . .
. . .
-----END CERTIFICATE-----

Copy everything, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and the dashes.

On your second Linux system use nano or your preferred text editor to open a file called /tmp/ca.crt:

  • nano /tmp/ca.crt

Paste the contents that you just copied from the CA Server into the editor. When you are finished, save and close the file. If you are using nano, you can do so by pressing CTRL+X, then Y and ENTER to confirm.

Now that you have a copy of the ca.crt file on your second Linux system, it is time to import the certificate into its operating system certificate store.

On Ubuntu and Debian based systems, run the following commands as your non-root user to import the certificate:

Ubuntu and Debian derived distributions
  • sudo cp /tmp/ca.crt /usr/local/share/ca-certificates/
  • sudo update-ca-certificates

To import the CA Server’s certificate on CentOS, Fedora, or RedHat based system, copy and paste the file contents onto the system just like in the previous example in a file called /tmp/ca.crt. Next, you’ll copy the certificate into /etc/pki/ca-trust/source/anchors/, then run the update-ca-trust command.

CentOS, Fedora, RedHat distributions
  • sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/
  • sudo update-ca-trust

Now your second Linux system will trust any certificate that has been signed by the CA server.

Note: If you are using your CA with web servers and use Firefox as a browser you will need to import the public ca.crt certificate into Firefox directly. Firefox does not use the local operating system’s certificate store. For details on how to add your CA’s certificate to Firefox please see this support article from Mozilla on Setting Up Certificate Authorities (CAs) in Firefox.

If you are using your CA to integrate with a Windows environment or desktop computers, please see the documentation on how to use certutil.exe to install a CA certificate.

If you are using this tutorial as a prerequisite for another tutorial, or are familiar with how to sign and revoke certificates you can stop here. If you would like to learn more about how to sign and revoke certificates, then the following optional section will explain each process in detail.

(Optional) — Creating Certificate Signing Requests and Revoking Certificates

The following sections of the tutorial are optional. If you have completed all the previous steps then you have a fully configured and working Certificate Authority that you can use as a prerequisite for other tutorials. You can import your CA’s ca.crt file and verify certificates in your network that have been signed by your CA.

If you would like to practice and learn more about how to sign certificate requests, and how to revoke certificates, then these optional sections will explain how both processes work.

(Optional) — Creating and Signing a Practice Certificate Request

Now that you have a CA ready to use, you can practice generating a private key and certificate request to get familiar with the signing and distribution process.

A Certificate Signing Request (CSR) consists of three parts: a public key, identifying information about the requesting system, and a signature of the request itself, which is created using the requesting party’s private key. The private key will be kept secret, and will be used to encrypt information that anyone with the signed public certificate can then decrypt.

The following steps will be run on your second Ubuntu or Debian system, or distribution that is derived from either of those. It can be another remote server, or a local Linux machine like a laptop or a desktop computer. Since easy-rsa is not available by default on all systems, we’ll use the openssl tool to create a practice private key and certificate.

openssl is usually installed by default on most Linux distributions, but just to be certain, run the following on your system:

  • sudo apt update
  • sudo apt install openssl

When you are prompted to install openssl enter y to continue with the installation steps. Now you are ready to create a practice CSR with openssl.

The first step that you need to complete to create a CSR is generating a private key. To create a private key using openssl, create a practice-csr directory and then generate a key inside it. We will make this request for a fictional server called sammy-server, as opposed to creating a certificate that is used to identify a user or another CA.

  • mkdir ~/practice-csr
  • cd ~/practice-csr
  • openssl genrsa -out sammy-server.key
Output
Generating RSA private key, 2048 bit long modulus (2 primes)
. . .
. . .
e is 65537 (0x010001)

Now that you have a private key you can create a corresponding CSR, again using the openssl utility. You will be prompted to fill out a number of fields like Country, State, and City. You can enter a . if you’d like to leave a field blank, but be aware that if this were a real CSR, it is best to use the correct values for your location and organization:

  • openssl req -new -key sammy-server.key -out sammy-server.req
Output
. . .
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:New York
Locality Name (eg, city) [Default City]:New York City
Organization Name (eg, company) [Default Company Ltd]:DigitalOcean
Organizational Unit Name (eg, section) []:Community
Common Name (eg, your name or your server's hostname) []:sammy-server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If you would like to automatically add those values as part of the openssl invocation instead of via the interactive prompt, you can pass the -subj argument to OpenSSL. Be sure to edit the highlighted values to match your practice location, organization, and server name:

  • openssl req -new -key sammy-server.key -out sammy-server.req -subj \
    /C=US/ST=New\ York/L=New\ York\ City/O=DigitalOcean/OU=Community/CN=sammy-server

To verify the contents of a CSR, you can read in a request file with openssl and examine the fields inside:

  • openssl req -in sammy-server.req -noout -subject
Output
subject=C = US, ST = New York, L = New York City, O = DigitalOcean, OU = Community, CN = sammy-server

Once you’re happy with the subject of your practice certificate request, copy the sammy-server.req file to your CA server using scp:

  • scp sammy-server.req sammy@your_ca_server_ip:/tmp/sammy-server.req

In this step you generated a Certificate Signing Request for a fictional server called sammy-server. In a real-world scenario, the request could be from something like a staging or development web server that needs a TLS certificate for testing; or it could come from an OpenVPN server that is requesting a certificate so that users can connect to a VPN. In the next step, we’ll proceed to signing the certificate signing request using the CA Server’s private key.

(Optional) — Signing a CSR

In the previous step, you created a practice certificate request and key for a fictional server. You copied it to the /tmp directory on your CA server, emulating the process that you would use if you had real clients or servers sending you CSR requests that need to be signed.

Continuing with the fictional scenario, now the CA Server needs to import the practice certificate and sign it. Once a certificate request is validated by the CA and relayed back to a server, clients that trust the Certificate Authority will also be able to trust the newly issued certificate.

Since we will be operating inside the CA’s PKI where the easy-rsa utility is available, the signing steps will use the easy-rsa utility to make things easier, as opposed to using the openssl directly like we did in the previous example.

The first step to sign the fictional CSR is to import the certificate request using the easy-rsa script:

  • cd ~/easy-rsa
  • ./easyrsa import-req /tmp/sammy-server.req sammy-server
Output
. . .
The request has been successfully imported with a short name of: sammy-server
You may now use this name to perform signing operations on this request.

Now you can sign the request by running the easyrsa script with the sign-req option, followed by the request type and the Common Name that is included in the CSR. The request type can either be one of client, server, or ca. Since we’re practicing with a certificate for a fictional server, be sure to use the server request type:

  • ./easyrsa sign-req server sammy-server

In the output, you’ll be asked to verify that the request comes from a trusted source. Type yes then press ENTER to confirm this:

Output
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = sammy-server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
. . .
Certificate created at: /home/sammy/easy-rsa/pki/issued/sammy-server.crt

If you encrypted your CA key, you’ll be prompted for your password at this point.

With those steps complete, you have signed the sammy-server.req CSR using the CA Server’s private key in /home/sammy/easy-rsa/pki/private/ca.key. The resulting sammy-server.crt file contains the practice server’s public encryption key, as well as a new signature from the CA Server. The point of the signature is to tell anyone who trusts the CA that they can also trust the sammy-server certificate.

If this request was for a real server like a web server or VPN server, the last step on the CA Server would be to distribute the new sammy-server.crt and ca.crt files from the CA Server to the remote server that made the CSR request:

  • scp pki/issued/sammy-server.crt sammy@your_server_ip:/tmp
  • scp pki/ca.crt sammy@your_server_ip:/tmp

At this point, you would be able to use the issued certificate with something like a web server, a VPN, configuration management tool, database system, or for client authentication purposes.

(Optional) — Revoking a Certificate

Occasionally, you may need to revoke a certificate to prevent a user or server from using it. Perhaps someone’s laptop was stolen, a web server was compromised, or an employee or contractor has left your organization.

To revoke a certificate, the general process follows these steps:

  1. Revoke the certificate with the ./easyrsa revoke client_name command.

  2. Generate a new CRL with the ./easyrsa gen-crl command.

  3. Transfer the updated crl.pem file to the server or servers that rely on your CA, and on those systems copy it to the required directory or directories for programs that refer to it.

  4. Restart any services that use your CA and the CRL file.

You can use this process to revoke any certificates that you’ve previously issued at any time. We’ll go over each step in detail in the following sections, starting with the revoke command.

Revoking a Certificate

To revoke a certificate, navigate to the easy-rsa directory on your CA server:

  • cd ~/easy-rsa

Next, run the easyrsa script with the revoke option, followed by the client name you wish to revoke. Following the practice example above, the Common Name of the certificate is sammy-server:

  • ./easyrsa revoke sammy-server

This will ask you to confirm the revocation by entering yes:

Output
Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = sammy-server

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
. . .
Revoking Certificate 8348B3F146A765581946040D5C4D590A
. . .

Note the highlighted value on the Revoking Certificate line. This value is the unique serial number of the certificate that is being revoked. If you want to examine the revocation list in the last step of this section to verify that the certificate is in it, you’ll need this value.

After confirming the action, the CA will revoke the certificate. However, remote systems that rely on the CA have no way to check whether any certificates have been revoked. Users and servers will still be able to use the certificate until the CA’s Certificate Revocation List (CRL) is distributed to all systems that rely on the CA.

In the next step you’ll generate a CRL or update an existing crl.pem file.

Generating a Certificate Revocation List

Now that you have revoked a certificate, it is important to update the list of revoked certificates on your CA server. Once you have an updated revocation list you will be able to tell which users and systems have valid certificates in your CA.

To generate a CRL, run the easy-rsa command with the gen-crl option while still inside the ~/easy-rsa directory:

  • ./easyrsa gen-crl

If you have used a passphrase when creating your ca.key file, you will be prompted to enter it. The gen-crl command will generate a file called crl.pem, containing the updated list of revoked certificates for that CA.

Next you’ll need to transfer the updated crl.pem file to all servers and clients that rely on this CA each time you run the gen-crl command. Otherwise, clients and systems will still be able to access services and systems that use your CA, because those services have no way of learning the revoked status of the certificate until they receive the updated CRL.

Transferring a Certificate Revocation List

Now that you have generated a CRL on your CA server, you need to transfer it to remote systems that rely on your CA. To transfer this file to your servers, you can use the scp command.

Note: This tutorial explains how to generate and distribute a CRL manually. While there are more robust and automated methods to distribute and check revocation lists like OCSP-Stapling, configuring those methods is beyond the scope of this article.

Ensure you are logged into your CA server as your non-root user and run the following, substituting in your own server IP or DNS name in place of your_server_ip:


  • scp ~/easy-rsa/pki/crl.pem sammy@your_server_ip:/tmp


Now that the file is on the remote system, the last step is to update any services with the new copy of the revocation list.


Updating Services that Support a CRL

Listing the steps that you need to use to update services that use the crl.pem file is beyond the scope of this tutorial. In general you will need to copy the crl.pem file into the location that the service expects and then restart it using systemctl.


Once you have updated your services with the new crl.pem file, your services will be able to reject connections from clients or servers that are using a revoked certificate.


Examining and Verifying the Contents of a CRL

If you would like to examine a CRL file, for example to confirm a list of revoked certificates, use the following openssl command from within your easy-rsa directory on your CA server:


  • cd ~/easy-rsa
  • openssl crl -in pki/crl.pem -noout -text

You can also run this command on any server or system that has the openssl tool installed with a copy of the crl.pem file. For example, if you transferred the crl.pem file to your second system and want to verify that the sammy-server certificate is revoked, you can use an openssl command like the following, substituting the serial number that you noted earlier when you revoked the certificate in place of the highlighted one here:


  • openssl crl -in /tmp/crl.pem -noout -text | grep -A 1 8348B3F146A765581946040D5C4D590A

Output
    Serial Number: 8348B3F146A765581946040D5C4D590A
        Revocation Date: Apr  1 20:48:02 2020 GMT

Notice how the grep command is used to check for the unique serial number that you noted in the revocation step. Now you can verify the contents of your Certificate Revocation List on any system that relies on it to restrict access to users and services.
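The following script is an added example and not part of the original tutorial: it builds a throwaway CA with the plain openssl CLI (standing in for the Easy-RSA steps above), issues and revokes a "sammy-server" certificate, generates a CRL, then runs both the serial-number check from this section and the `openssl verify -crl_check` test a relying service performs. All file names, the "Demo CA" subject and the serial 1000 are constructed.

```shell
# Added example, not from the original tutorial: build a throwaway CA with the
# plain openssl CLI, issue and revoke a "sammy-server" certificate, generate a
# CRL, then run the checks a relying service performs. All names are constructed.
set -e
DEMO="$(mktemp -d)"
make_demo_crl() {
    cd "$DEMO"
    # Minimal 'openssl ca' config; index.txt/serial/crlnumber play the role of
    # Easy-RSA's pki/index.txt and pki/serial files.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sammy-server" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -days 1 -in server.csr -out server.crt 2>/dev/null
    openssl ca -config ca.cnf -revoke server.crt 2>/dev/null    # cf. ./easyrsa revoke
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # cf. ./easyrsa gen-crl
}
# 0 if the CRL lists the serial: the same check as the tutorial's grep.
crl_lists_serial() {  # $1 = crl.pem, $2 = serial (hex, as openssl prints it)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"
}
# 0 if the cert chains to the CA and is absent from the CRL; this is the check a
# service makes once it has been handed the new crl.pem (-CRLfile needs OpenSSL 1.1+).
cert_still_valid() {  # $1 = ca.crt, $2 = crl.pem, $3 = certificate to check
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}
make_demo_crl
crl_lists_serial "$DEMO/crl.pem" 1000 && echo "serial 1000 is on the CRL"
cert_still_valid "$DEMO/ca.crt" "$DEMO/crl.pem" "$DEMO/server.crt" || echo "server.crt rejected: revoked"
```

Without the -crl_check flag the same certificate still verifies against ca.crt, which is exactly why a service that has not received the new crl.pem keeps accepting a revoked client.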


Conclusion

In this tutorial you created a private Certificate Authority using the Easy-RSA package on a standalone Ubuntu 20.04 server. You learned how the trust model works between parties that rely on the CA. You also created and signed a Certificate Signing Request (CSR) for a practice server and then learned how to revoke a certificate. Finally, you learned how to generate and distribute a Certificate Revocation List (CRL) for any system that relies on your CA to ensure that users or servers that should not access services are prevented from doing so.


Now you can issue certificates for users and use them with services like OpenVPN. You can also use your CA to configure development and staging web servers with certificates to secure your non-production environments. Using a CA with TLS certificates during development can help ensure that your code and environments match your production environment as closely as possible.


If you would like to learn more about how to use OpenSSL, our OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs tutorial has lots of additional information to help you become more familiar with OpenSSL fundamentals.


Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-ubuntu-20-04
