一.服务器端
1,2,为演示,可以先熟悉一下命令和原理
1.生成私钥:
私钥最好要加密存放且其权限最小要是600,此时可以将命令写入()中,这些命令就相当于在一个子bash中执行而不是在当前的bash中执行,所以,umask值还是022,不会变,这样直接就能使私钥文件权限为600而不需要改变umask值或者chmod改权限了;
[root@localhost ~]# (umask 077; openssl genrsa -out privatekey 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
..........++++++
e is 65537 (0x10001)
[root@localhost ~]# cat privatekey
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCtAZUy7Scs8SaJbeYygj4yiuIXwAVu/g7p8dudkkp7M6dxnMa7
Q/+kMjyDjHRttRe09u5YE6LiISA2jy/cphmp7m6iC1gaewAMtc0yJq2Ynz1oMkyl
NxKoI3K4D6MsFQMzxsccHAR0B/dp3LMhls9ca5DozF26KQqvFe+a2y1ROwIDAQAB
AoGAaJ8car+fgT4T3+fl3YWFt2rlbxdgMc7Rlgf8lz1wbTC/gaUdSQHGBrWagrLd
dbqdq4HogLrfNYByyouslfKccXh39TIjLrxaTmUoW3mcpYpCQlpQab4B/9mWL4VH
SacY05+3sNGs3yMsORgCdn7rN+vxYYhTWjVHKUDhtQHKaAECQQDW22/o407IpY3i
WXmbtTbbm35xdv3bFaeJQU+Yq/FHRNBO+wHcKhJ0o50HNjlxvCykZj7AXQ8GKdaR
umLKERt7AkEAziKO+1XjXfX4D1oV9ZNp4mFxroYMIvdU9xEAHBOOAvQPzUx19ub8
Fa7F4dC75ti/zYOqZcht5ZUZXmn+RWjVQQJBAI2Mc+XSGw1FRHxixiM297Umc978
rbGwSne6d131qTdytmnSJB+P+CivwbwGlUHA3whP8/d3V3aQCbRoPr0xGBECQCO1
duFxQn7vcjZum6k8DTarPL9H92hDQlO+fS9f79TxJJ+i5DiOURMMgLkaqMJXv/pB
Gc6iBu+jgY6KfALYI0ECQQCtULTPGYWWU7ML36ZPMwtcSJiAxnqXSrRFLTxJ1AG4
HAm3Rvr7LgQC/te0R5sa5Fdo+PWC02S07IikXm4CFPr9
-----END RSA PRIVATE KEY-----
[root@localhost ~]# umask
0022
[root@localhost ~]# ll | grep privatekey
-rw------- 1 root root 891 Jul 28 04:21 privatekey
以下是对私钥的加密,我没用这些:
[root@localhost ~]# openssl enc -des3 -salt -a -in privatekey -out privatekey.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
2.通过私钥生成公钥
[root@localhost ~]# openssl rsa -in privatekey -pubout -out publickey
writing RSA key
[root@localhost ~]# cat publickey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtAZUy7Scs8SaJbeYygj4yiuIX
wAVu/g7p8dudkkp7M6dxnMa7Q/+kMjyDjHRttRe09u5YE6LiISA2jy/cphmp7m6i
C1gaewAMtc0yJq2Ynz1oMkylNxKoI3K4D6MsFQMzxsccHAR0B/dp3LMhls9ca5Do
zF26KQqvFe+a2y1ROwIDAQAB
-----END PUBLIC KEY-----
2.生成自签署证书
[root@localhost ~]# openssl req -new -x509 -key privatekey -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Nanyang
Organization Name (eg, company) [Default Company Ltd]:SkyNet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.skynet.com
Email Address []:caadmin@skynet.com
关于其中的Common Name要注意,假如这个证书是你服务器用的,而这个证书在将来别人链接你的服务器时必须要用的这个主机名,这样才能使用这个证书建立安全通信,否则会出现证书不可信,所以证书要和主机名保持一致
自签署证书可以用cat方式打开看,也可以这样
[root@localhost ~]# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bb:41:82:ad:c7:33:d0:b9
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Henan, L=Nanyang, O=SkyNet, OU=Tech, CN=ca.skynet.com/emailAddress=caadmin@skynet.com
Validity
Not Before: Jul 28 11:53:48 2015 GMT #证书有效期
Not After : Jul 27 11:53:48 2016 GMT
Subject: C=CN, ST=Henan, L=Nanyang, O=SkyNet, OU=Tech, CN=ca.skynet.com/emailAddress=caadmin@skynet.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ad:01:95:32:ed:27:2c:f1:26:89:6d:e6:32:82:
3e:32:8a:e2:17:c0:05:6e:fe:0e:e9:f1:db:9d:92:
4a:7b:33:a7:71:9c:c6:bb:43:ff:a4:32:3c:83:8c:
74:6d:b5:17:b4:f6:ee:58:13:a2:e2:21:20:36:8f:
2f:dc:a6:19:a9:ee:6e:a2:0b:58:1a:7b:00:0c:b5:
cd:32:26:ad:98:9f:3d:68:32:4c:a5:37:12:a8:23:
72:b8:0f:a3:2c:15:03:33:c6:c7:1c:1c:04:74:07:
f7:69:dc:b3:21:96:cf:5c:6b:90:e8:cc:5d:ba:29:
0a:af:15:ef:9a:db:2d:51:3b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F3:CB:01:A9:E9:0F:BD:1C:87:07:C5:7E:83:86:21:90:88:05:CD:6B
X509v3 Authority Key Identifier:
keyid:F3:CB:01:A9:E9:0F:BD:1C:87:07:C5:7E:83:86:21:90:88:05:CD:6B
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
86:32:0e:e4:c2:e1:be:86:bf:d2:55:86:09:16:81:48:6f:9c:
3a:f0:c1:d9:ab:d6:4a:65:fb:5b:85:2e:5e:19:c9:f3:00:c3:
c4:dd:4e:3e:fd:49:af:4f:0d:b7:7b:5f:b4:f0:5a:15:ca:06:
65:42:50:dd:05:c6:d5:47:e8:41:2e:e9:24:1b:48:cc:a0:d4:
ca:ba:1e:90:ca:33:66:39:24:f1:83:17:b1:38:a2:27:e2:af:
48:20:0e:73:12:12:de:cb:39:aa:05:e7:92:cd:57:a9:fe:28:
75:8b:88:b9:0e:f8:05:cc:d6:80:61:99:8e:e0:a1:94:a6:84:
df:18
-----BEGIN CERTIFICATE----- #CA签名信息
MIIC5DCCAk2gAwIBAgIJALtBgq3HM9C5MA0GCSqGSIb3DQEBBQUAMIGKMQswCQYD
VQQGEwJDTjEOMAwGA1UECAwFSGVuYW4xEDAOBgNVBAcMB05hbnlhbmcxDzANBgNV
BAoMBlNreU5ldDENMAsGA1UECwwEVGVjaDEWMBQGA1UEAwwNY2Euc2t5bmV0LmNv
bTEhMB8GCSqGSIb3DQEJARYSY2FhZG1pbkBza3luZXQuY29tMB4XDTE1MDcyODEx
NTM0OFoXDTE2MDcyNzExNTM0OFowgYoxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVI
ZW5hbjEQMA4GA1UEBwwHTmFueWFuZzEPMA0GA1UECgwGU2t5TmV0MQ0wCwYDVQQL
DARUZWNoMRYwFAYDVQQDDA1jYS5za3luZXQuY29tMSEwHwYJKoZIhvcNAQkBFhJj
YWFkbWluQHNreW5ldC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK0B
lTLtJyzxJolt5jKCPjKK4hfABW7+Dunx252SSnszp3GcxrtD/6QyPIOMdG21F7T2
7lgTouIhIDaPL9ymGanubqILWBp7AAy1zTImrZifPWgyTKU3EqgjcrgPoywVAzPG
xxwcBHQH92ncsyGWz1xrkOjMXbopCq8V75rbLVE7AgMBAAGjUDBOMB0GA1UdDgQW
BBTzywGp6Q+9HIcHxX6DhiGQiAXNazAfBgNVHSMEGDAWgBTzywGp6Q+9HIcHxX6D
hiGQiAXNazAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAIYyDuTC4b6G
v9JVhgkWgUhvnDrwwdmr1kpl+1uFLl4ZyfMAw8TdTj79Sa9PDbd7X7TwWhXKBmVC
UN0FxtVH6EEu6SQbSMyg1Mq6HpDKM2Y5JPGDF7E4oifir0ggDnMSEt7LOaoF55LN
V6n+KHWLiLkO+AXM1oBhmY7goZSmhN8Y
-----END CERTIFICATE-----
这样你就可以给别人发证书了,如果这是服务器,有一个客户端向CA申请证书,只需要客户端生成一个申请,把申请交给CA,CA再签署就行了;
但是此时的CA还无法用,要进行一些配置;
CA自己的密钥和证书是不能随便放的,因为它工作成CA时有一个配置文件(在/etc/pki/tls中)
其中的CA_default:
dir = /etc/pki/CA #指定CA的工作目录
certs = $dir/certs #客户端证书保存位置
crl_dir = $dir/crl #证书吊销列表的存放位置
database = $dir/index.txt #你给哪些人发了证,这些信息都保存在这里
new_certs_dir = $dir/newcerts #刚新生成的证书所放位置
certificate = $dir/cacert.pem #作为CA来讲,自己的证书是什么
serial = $dir/serial #所发证书的序列号,一般从1开始
crlnumber = $dir/crlnumber #证书吊销列表的工作号
crl = $dir/crl.pem #当前的证书吊销列表是什么
private_key = $dir/private/cakey.pem #CA自己的私钥,放在/private下
RANDFILE = $dir/private/.rand #随机数文件是什么,/private下的.rand文件,不需要建立,会自动生成
上面这些文件和目录都要准备好
default_days = 365 #默认证书的有效期限是多长
default_crl_days= 30 #放在证书吊销列表中的证书默认放置多长时间
default_md = default #默认使用哪种算法
[ req_distinguished_name ] #更改这里,可以在创建证书时不需要输入直接回车确定了
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
.......
3.在/etc/pki/CA/private中放的是证书的私钥文件,所以重新生成私钥文件(注意要求的格式是private/cakey.pem)
[root@localhost CA]# (umask 077; openssl genrsa -out ./private/cakey.pem 2048 )
Generating RSA private key, 2048 bit long modulus
...............................................................................................................................................+++
.................................................................+++
e is 65537 (0x10001)
[root@localhost CA]# ll ./private/
total 4
-rw------- 1 root root 1675 Jul 28 05:56 cakey.pem
然后生成证书
[root@localhost CA]# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem #名为cacert.pem放在CA目录下
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [Default City]:Nanyang
Organization Name (eg, company) [Default Company Ltd]:SkyNet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []: />
Email Address []:caadmin@skynet.com
然后创建几个必要的目录
[root@localhost CA]# ll
total 20
-rw-r--r-- 1 root root 1419 Jul 28 06:04 cacert.pem
drwxr-xr-x. 2 root root 4096 Oct 12 2012 certs
drwxr-xr-x. 2 root root 4096 Oct 12 2012 crl
drwxr-xr-x. 2 root root 4096 Oct 12 2012 newcerts
drwx------. 2 root root 4096 Jul 28 05:56 private
然后创建两个文件index.txt和serial其中还要给serial一个起始号(如果没有证书吊销列表那么证书号码可以不写)
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo 01 > serial
到此就准备工作完成了,别人可以申请证书了;接下来你可以再开一台客户机,生成客户机的一对密钥,然后生成一个证书颁发申请,发给CA服务器,CA服务器就会再签署就行了;
4.对于服务来讲,每一种服务都需要一种证书,但尽量不要多个服务用同一个证书,下面演示为http服务颁发证书(在同一台主机上演示)
先生成私钥
[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.........++++++
.++++++
e is 65537 (0x10001)
然后生成证书颁发请求
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan #这里我第一次做时签发证书时出错了,因为CA证书是Henan,我在生成请求时不小心写成了
Locality Name (eg, city) [Default City]:Nanyang henan结果出现错误说和CA证书上的Henan领域不同,导致我又冲做了一次
Organization Name (eg, company) [Default Company Ltd]:SkyNet
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []: />
Email Address []:wwwadmin@skynet.com
私有证书中的机构,部门等到Organization Name这里的尽量保持一致
Please enter the following 'extra' attributes #要不要把请求加密,两次回车代表不加密
to be sent with your certificate request
A challenge password []:
An optional company name []:
好了
[root@localhost ssl]# ll
total 8
-rw-r--r-- 1 root root 700 Jul 28 06:24 httpd.csr
-rw------- 1 root root 887 Jul 28 06:17 httpd.key
此时让CA给这个请求签名就成了证书了,可以拿回来用了。这个请求要发送给CA,但是此时是在同一台主机上的,所以可以直接签名了;
[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 28 13:36:44 2015 GMT
Not After : Jul 27 13:36:44 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = SkyNet
organizationalUnitName = Tech
commonName = />
emailAddress = wwwadmin@skynet.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7B:81:92:E7:24:E9:D3:CA:DD:9C:83:44:0B:F4:05:AF:9D:B3:17:E9
X509v3 Authority Key Identifier:
keyid:40:EF:EA:C8:58:45:27:BB:6D:51:4B:85:EC:3F:3C:23:6D:8A:6A:99
Certificate is to be certified until Jul 27 13:36:44 2016 GMT (365 days)
Sign the certificate? [y/n]:y #是否同意签发
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated #数据也已经更新了
[root@localhost ssl]# ll
total 12
-rw-r--r-- 1 root root 3853 Jul 28 06:36 httpd.crt
-rw-r--r-- 1 root root 700 Jul 28 06:36 httpd.csr
-rw------- 1 root root 887 Jul 28 06:17 httpd.key
查看签署证书信息
[root@localhost ssl]# cd /etc/pki/CA/
[root@localhost CA]# cat index.txt
V 160727133644Z 01 unknown /C=CN/ST=Henan/O=SkyNet/OU=Tech/CN= />
在签证书的话,序号会从serial中读取,此时serial文件内容是
[root@localhost CA]# cat serial
02
好了,完成了!!!
不同的主机签发证书过程和上述大致相同,秩序在客户机中生成密钥,然后生成相应的请求文件*.csr并将其通过scp命令将请求发给CA服务器让其签署就行了,感兴趣的可以试一下!
阅读(7536) | 评论(0) | 转发(0) |