shell,Linux,security,network

Building a Private CA Server for Certificate Management

Overview

A CA (certificate authority) issues a digital certificate to every user of a public key. The certificate proves that the user named in it legitimately holds the public key listed in it, and the CA's digital signature prevents an attacker from forging or tampering with the certificate. The CA generates, distributes and manages the digital certificates needed by every party to an online transaction, which makes it the core component of secure electronic commerce.

The CA is the body that issues certificates and is the core of a PKI. It issues certificates, authenticates them and manages the ones already issued. It defines the policies and concrete procedures for verifying and identifying applicants, and it signs user certificates to vouch for the holder's identity and ownership of the public key.

The CA itself also holds a certificate (containing its public key) and a private key. Users on the network trust the CA by verifying its signature; anyone can obtain the CA's certificate (with its public key) and use it to verify the certificates the CA has issued.

To obtain a certificate, a user first submits a request to the CA. Once the CA has established the applicant's identity, it assigns a public key to the applicant, binds that key to the applicant's identity information and signs the whole. The signed result is the certificate, which is returned to the applicant.

If a user wants to check whether another certificate is genuine, they verify the signature on that certificate with the CA's public key; once the signature verifies, the certificate is considered valid.

Creating the CA server

Certificates from commercial CAs are relatively expensive; to encrypt internal communications you can run your own private CA.

A private CA can be built with openssl or OpenCA; here openssl is used. It is a free, open-source library that ships command-line tools for working with digital certificates, some of which can act as a Certificate Authority (CA).

  • Creating the CA relies on the openssl configuration file /etc/pki/tls/openssl.cnf, which specifies where everything is stored. Only the parts relevant to building the CA are listed here.
####################################################################
[ ca ]
default_ca      = CA_default            # default CA profile; CA_default refers to the section below

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # default working directory of the CA
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where certificate revocation lists are kept
database        = $dir/index.txt        # database index file


new_certs_dir   = $dir/newcerts         # default location for newly issued certificates

certificate     = $dir/cacert.pem       # the CA's own certificate; for a root CA this is self-signed
serial          = $dir/serial           # serial number of the next certificate
crlnumber       = $dir/crlnumber        # number of the next CRL to be issued
                                        
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # the CA's private key
RANDFILE        = $dir/private/.rand    # random seed file

x509_extensions = usr_cert              # The extensions to add to the cert

name_opt        = ca_default            # subject name display options; use the ca_default set
cert_opt        = ca_default            # certificate display options; use the ca_default set


default_days    = 365                   # default certificate validity (days)
default_crl_days= 30                    # CRL validity (days)
default_md      = sha256                # message digest used for signing
preserve        = no                    # keep passed DN ordering


policy          = policy_match          # the policy_match policy is in effect

# For the CA policy
[ policy_match ]
countryName             = match         # country; match means the applicant's value must equal the CA's
stateOrProvinceName     = match         # state or province
organizationName        = match         # organization / company name
organizationalUnitName  = optional      # department; optional means the applicant's value may differ or be omitted
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]                     # since policy_match is selected above, this policy is not in effect
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
  • Generate the private key
cd /etc/pki/CA
(umask 066; openssl genrsa -out private/cakey.pem 2048)
  • Generate the CA's self-signed certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    #country, two capital letters
State or Province Name (full name) []:Beijing  #state or province
Locality Name (eg, city) [Default City]:Beijing  #city
Organization Name (eg, company) [Default Company Ltd]:s4lm0x  #organization name
Organizational Unit Name (eg, section) []:DevOps  #department name
Common Name (eg, your name or your server's hostname) []:ca.s4lm0x.com   #hostname
Email Address []:ca@s4lm0x.com   #e-mail address
  • Parameter description

    -new: generate a new certificate signing request
    -x509: output a self-signed certificate instead of a request; used for the CA's own certificate
    -key: the private key used to create the request
    -days n: validity period of the certificate, in days
    -out /PATH/TO/SOMECERTFILE: where the certificate is written
    
  • Create the certificate index database file and the serial-number file
touch /etc/pki/CA/index.txt
echo 0F > /etc/pki/CA/serial

Requesting a certificate from a node

  • Generate the key pair
    Once the private CA exists on the server, a client can generate its own private key and apply for a certificate. The key can be stored anywhere, as long as the path is available when the certificate request is generated. Here we change to /etc/nginx/ssl and create the key file there.
cd /etc/nginx/ssl/
(umask 066; openssl genrsa -out nginx.key 2048)
  • Generate the certificate request (the validity period is set by the CA when it signs, so -days is not needed here)
openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #must match the CA server's value
State or Province Name (full name) []:Beijing  #must match the CA server's value
Locality Name (eg, city) [Default City]:Beijing  #must match the CA server's value
Organization Name (eg, company) [Default Company Ltd]:s4lm0x
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, your name or your server's hostname) []:blog.s4lm0x.com
Email Address []:webadmin@s4lm0x.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Send the certificate request file to the CA server
scp nginx.csr 172.22.35.100:/data

Signing the certificate

  • On the CA server, sign the certificate from the request file uploaded by the client
openssl ca -in /data/nginx.csr -out certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Apr 21 09:10:24 2019 GMT
            Not After : Apr 20 09:10:24 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = s4lm0x
            organizationalUnitName    = DevOps
            commonName                = blog.s4lm0x.com
            emailAddress              = webadmin@s4lm0x.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                93:03:67:14:2C:75:DD:0A:2E:34:41:24:57:2F:41:AC:FA:28:78:F2
            X509v3 Authority Key Identifier:
                keyid:F2:30:E3:38:4C:83:64:E9:F5:42:E1:82:85:6C:D0:8E:EE:D7:7B:DF

Certificate is to be certified until Apr 20 09:10:24 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  • Inspect the certificate
openssl  x509 -in certs/nginx.crt  -noout -serial -subject
serial=0F
subject= /C=CN/ST=Beijing/O=s4lm0x/OU=DevOps/CN=blog.s4lm0x.com/emailAddress=webadmin@s4lm0x.com
  • Send the signed certificate back to the applicant
scp certs/nginx.crt 172.22.35.5:/data

Revoking a certificate

  • On the client, obtain the serial of the certificate to be revoked (run on the host that uses the certificate)
openssl x509 -in nginx.crt -noout -serial -subject
serial=0F
subject= /C=CN/ST=Beijing/O=s4lm0x/OU=DevOps/CN=blog.s4lm0x.com/emailAddress=webadmin@s4lm0x.com
  • Revoke the certificate on the CA host
    First compare the serial and subject submitted by the client with the entry stored in the CA's own database, index.txt
cat index.txt
V    200420091024Z        0F    unknown    /C=CN/ST=Beijing/O=s4lm0x/OU=DevOps/CN=blog.s4lm0x.com/emailAddress=webadmin@s4lm0x.com
  • Revoke the certificate
openssl ca -revoke newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
  • View the list of revoked certificates
cat index.txt
R    200420091024Z    190421092408Z    0F    unknown    /C=CN/ST=Beijing/O=s4lm0x/OU=DevOps/CN=blog.s4lm0x.com/emailAddress=webadmin@s4lm0x.com
  • Create the CRL number file (needed only the first time a certificate is revoked)
echo 00 > crlnumber
  • Generate (update) the certificate revocation list
cd crl
openssl ca -gencrl -out ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
  • View the contents of the CRL file
openssl crl -in ca.crl -noout -text
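The whole procedure above, from building the CA through signing, revoking and publishing a CRL, as one added, non-interactive script (example code written for this page, not from the original post or from openssl's documentation). It reuses the page's directory layout, policy_match section and subjects, but runs in a throwaway directory passed as $1 and uses -subj and -batch in place of the interactive prompts; the function name ca_lifecycle_demo and the node/ subdirectory are this example's own assumptions. It adds the checks a CA operator would want: that the issued certificate verifies against cacert.pem, that a DN field absent from policy_match (here L=Beijing) is dropped from the issued subject, which is why the signing output earlier on the page shows no localityName, and that once the CRL is generated the same certificate is rejected by openssl verify -crl_check.

```shell
#!/bin/sh
# Added example, not from the original post: the full lifecycle described on
# this page (CA setup, CSR, signing, verification, revocation, CRL) run
# non-interactively in a throwaway directory so every step can be checked.
# Subjects and file names mirror the page; the function name and the layout
# under $1 are this example's own assumptions.
set -e

ca_lifecycle_demo() {
    CA_ROOT="$1"
    CNF="$CA_ROOT/openssl.cnf"
    # Same layout as the [ CA_default ] section on this page, rooted at $CA_ROOT
    mkdir -p "$CA_ROOT/certs" "$CA_ROOT/crl" "$CA_ROOT/newcerts" "$CA_ROOT/private" "$CA_ROOT/node"
    touch "$CA_ROOT/index.txt"
    echo 0F > "$CA_ROOT/serial"      # serial of the first certificate, as on the page
    echo 00 > "$CA_ROOT/crlnumber"   # number of the first CRL

    # Minimal config: \$dir is left literal so openssl expands it itself
    cat > "$CNF" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_ROOT
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
private_key     = \$dir/private/cakey.pem
x509_extensions = usr_cert
default_days    = 365
default_crl_days= 30
default_md      = sha256
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ req ]
distinguished_name      = req_dn
[ req_dn ]
EOF

    # CA key and self-signed root; -subj replaces the interactive DN prompts
    (umask 077; openssl genrsa -out "$CA_ROOT/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 \
        -key "$CA_ROOT/private/cakey.pem" -out "$CA_ROOT/cacert.pem" \
        -subj "/C=CN/ST=Beijing/O=s4lm0x/CN=ca.s4lm0x.com"

    # Node side: key pair and CSR. L=Beijing is included on purpose although
    # policy_match does not list localityName, to show how the CA treats it.
    (umask 077; openssl genrsa -out "$CA_ROOT/node/nginx.key" 2048 2>/dev/null)
    openssl req -new -config "$CNF" -key "$CA_ROOT/node/nginx.key" -out "$CA_ROOT/node/nginx.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=s4lm0x/OU=DevOps/CN=blog.s4lm0x.com"

    # CA side: sign non-interactively (-batch answers the y/n prompts)
    openssl ca -batch -config "$CNF" -in "$CA_ROOT/node/nginx.csr" \
        -out "$CA_ROOT/certs/nginx.crt" >/dev/null 2>&1

    # Check 1: the issued certificate chains to our root
    issued=fail
    openssl verify -CAfile "$CA_ROOT/cacert.pem" "$CA_ROOT/certs/nginx.crt" >/dev/null 2>&1 && issued=ok

    # Check 2: a DN field the policy does not mention is dropped from the issued subject
    locality=dropped
    openssl x509 -in "$CA_ROOT/certs/nginx.crt" -noout -subject -nameopt RFC2253 \
        | grep -Eq '(^|,)L=' && locality=kept

    # Revoke via the CA's copy in newcerts/<serial>.pem, then publish the CRL
    openssl ca -config "$CNF" -revoke "$CA_ROOT/newcerts/0F.pem" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$CA_ROOT/crl/ca.crl" >/dev/null 2>&1

    # Check 3: with CRL checking on, the same certificate is now rejected
    revoked=rejected
    openssl verify -crl_check -CAfile "$CA_ROOT/cacert.pem" -CRLfile "$CA_ROOT/crl/ca.crl" \
        "$CA_ROOT/certs/nginx.crt" >/dev/null 2>&1 && revoked=still-valid

    # Check 4: index.txt marks the entry R (revoked) instead of V (valid)
    echo "$issued $locality $revoked $(cut -f1 "$CA_ROOT/index.txt")"
}

# Prints "ok dropped rejected R" on a correctly behaving CA
demo_dir=$(mktemp -d)
ca_lifecycle_demo "$demo_dir"
rm -rf "$demo_dir"
```

Run it with sh; it needs only the openssl command-line tool. The -CRLfile check is the relying party's side of publishing the CRL: a client that never loads the CRL keeps accepting the revoked certificate until it expires, so revocation on the CA is only half of the job.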
