
rhel6.3下使用openssl来生成CA证书并颁发证书实例解


一、配置OPENSSL

[root@test1 /]# rpm -qa|grep openssl

openssl-1.0.0-20.el6_2.5.i686

[root@test1 /]# cd /etc/pki/tls

[root@test1 tls]# ls

cert.pem  certs  misc  openssl.cnf  private

[root@test1 tls]# vim openssl.cnf

####################################################################

[ CA_default ]


dir             = /etc/pki/CA           # Where everything is kept  (CA中心的目录)

certs           = $dir/certs            # Where the issued certs are kept (证书保存目录)

crl_dir         = $dir/crl              # Where the issued crl are kept  (被吊销证书的目录)

database        = $dir/index.txt        # database index file.  (证书索引文件)

#unique_subject = no                    # Set to 'no' to allow creation of

                                        # several ctificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.(经过CA中心签名的证书备份目录)


certificate     = $dir/my-ca.crt        # The CA certificate (CA的公钥文件名)

serial          = $dir/serial           # The current serial number (CA中心的颁发证书序列号)

crlnumber       = $dir/crlnumber        # the current crl number (已吊销证书序列号)

                                        # must be commented out to leave a V1 CRL

crl             = $dir/my-ca.crl        # The current CRL (证书吊销列表)

private_key     = $dir/private/my-ca.key # The private key (CA私钥文件)

RANDFILE        = $dir/private/.rand    # private random number file


x509_extensions = usr_cert              # The extentions to add to the cert


default_days    = 365                   # how long to certify for  (证书有效期)

default_crl_days= 30                    # how long before next CRL

default_md      = default               # use public key default MD

preserve        = no                    # keep passed DN ordering


[ policy_match ]       #此段为证书相关信息选项,其中match指定的项,要求被签名证书一定要与CA的对应项一致。

countryName  = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName  = supplied

emailAddress  = optional


#

[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)

countryName_default             = CN    # 国家代码需要自己修改

countryName_min                 = 2

countryName_max                 = 2


stateOrProvinceName             = State or Province Name (full name)

stateOrProvinceName_default    = Hebei   # 州或省名需要自己修改


localityName                    = Locality Name (eg, city)

localityName_default    = Beijing    # 地点名称需要自己修改


0.organizationName              = Organization Name (eg, company)

0.organizationName_default      = Tianli Company    # 组织或公司名需要自己修改



[root@test1 tls]# cd ../CA/

[root@test1 CA]# ls

certs  crl  newcerts  private

注:需要有这几个目录,如果没有可以自己新建(其中 private 目录用于存放CA私钥,权限应只允许root访问)

[root@test1 CA]# touch index.txt

[root@test1 CA]# echo "00"> serial

[root@test1 CA]# ls

certs  crl  index.txt  newcerts  private  serial

二、创建密钥过程

创建CA私钥(umask 077 使生成的密钥文件仅属主可读写,-des3 用口令加密私钥)

[root@test1 CA]#(umask 077;openssl genrsa -out private/my-ca.key -des3 2048)

Generating RSA private key, 2048 bit long modulus

............................................................+++

..........+++

e is 65537 (0x10001)

Enter pass phrase for private/my-ca.key:

Verifying - Enter pass phrase for private/my-ca.key:


由私钥生成自签名的CA证书 my-ca.crt(内含公钥;-x509 表示直接输出证书而不是证书请求)

[root@test1 CA]#openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

Enter pass phrase for private/my-ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:CN

State or Province Name (full name) []:Hebei

Locality Name (eg, city) [Beijing]:Beijing

Organization Name (eg, company) [Default Company Ltd]:Tianli Company

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:test1

Email Address []:

[root@test1 CA]# ls

certs  crl  index.txt  my-ca.crt  newcerts  private  serial

三、客户端验证CA服务

主机端(192.168.1.130)上:

[root@test1 CA]#yum -y install httpd

[root@test1 CA]#service httpd start

[root@test1 CA]#mkdir -p /var/www/html/yum

[root@test1 CA]#cp my-ca.crt /var/www/html/yum   将my-ca.crt(CA证书,仅含公钥,不含私钥)放到http服务器,供其他人下载;由于是通过明文HTTP分发,客户端应先通过其他渠道核对证书指纹再信任



另外客户端(192.168.1.117)上:

[root@test2 Desktop]#openssl genrsa 1024 > test2.key

Generating RSA private key, 1024 bit long modulus

.....................++++++

.......++++++

e is 65537 (0x10001)


[root@test2 Desktop]#openssl req -new -key test2.key -out dovecot.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Hebei

Locality Name (eg, city) [Default City]:Beijing

Organization Name (eg, company) [Default Company Ltd]:Tianli Company

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:test2

Email Address []:


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


[root@test2 Desktop]# scp dovecot.csr root@192.168.1.130:/root/

root@192.168.1.130's password:

dovecot.csr                                   100%  668     0.7KB/s   00:00  

四、服务端签发CA证书

在CA认证服务器上

[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Jan 22 10:44:36 2013 GMT

            Not After : Jan 22 10:44:36 2014 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Hebei

            organizationName          = Tianli Company

            commonName                = test2

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                56:69:58:12:67:C7:FC:9E:AC:70:1D:2A:2C:56:A4:E1:61:97:B2:23

            X509v3 Authority Key Identifier:

                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62


Certificate is to be certified until Jan 22 10:44:36 2014 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

最后签发成功。


补充:在签发证书的过程中容易出现的两个问题

[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

unable to load number from /etc/pki/CA/serial

error while loading serial number

3078239980:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:

提示 error while loading serial number,一般是因为 serial 文件为空,没有写入初始序列号(见前面的 echo "00" > serial)

解决办法

[root@test1 ~]#cd /etc/pki/CA

[root@test1 CA]# echo "00" >serial

[root@test1 CA]# cat serial

00


还有一个问题在CA签名时,最后出现failed to update database错误

[root@test1 ~]#openssl ca -in dovecot.csr -out dovecot.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2 (0x2)

        Validity

            Not Before: Jan 23 02:23:39 2013 GMT

            Not After : Jan 23 02:23:39 2014 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Hebei

            organizationName          = Tianli Company

            commonName                = test2

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                96:86:28:B7:ED:2E:96:79:32:88:7E:C3:23:37:02:BC:43:1C:76:87

            X509v3 Authority Key Identifier:

                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62


Certificate is to be certified until Jan 23 02:23:39 2014 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated



Certificate is to be certified until Jan 23 02:17:38 2014 GMT (365 days)

Sign the certificate? [y/n]:y

failed to update database

TXT_DB error number 2

遇到这个错误,是因为 index.txt 中已经存在相同主题(Subject)的证书记录(前面 dovecot.csr 已签发过一次,CN 同为 test2),而默认不允许同一主题重复签发。原文的做法是清空 /etc/pki/CA/index.txt 的内容后再签发,但这样会丢失已颁发证书的记录,之后就无法用 openssl ca 吊销这些证书或生成正确的CRL;更稳妥的做法是先吊销旧证书,或在 openssl.cnf 中启用前面被注释掉的 unique_subject = no。


吊销证书(注意:下面的示例吊销的是CA自己的自签名证书 my-ca.crt,从后面输出中的 CN=test1 可以看出;实际使用中应传入要吊销的已颁发证书,例如 dovecot.cst):

[root@test1 ~]# openssl ca -revoke my-ca.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Adding Entry with serial number B443BCCFCD08C1CD to DB for /C=CN/ST=Hebei/L=Beijing/O=Default Company Ltd/CN=test1

Revoking Certificate B443BCCFCD08C1CD.

Data Base Updated


生成吊销证书列表

[root@test1 ~]# openssl ca -gencrl -out my-ca.crl

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

unable to load number from /etc/pki/CA/crlnumber

error while loading CRL number

3079087852:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:

出现 error while loading CRL number,原因与 serial 相同:crlnumber 文件为空,解决办法是给 crlnumber 写入初始值

[root@test1 ~]# echo "00" >/etc/pki/CA/crlnumber

[root@test1 ~]# openssl ca -gencrl -out my-ca.crl

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

[root@test1 ~]# ls

anaconda-ks.cfg  dovecot.csr  install.log         my-ca.crl  Public

dead.letter      dovecot.cst  install.log.syslog  my-ca.crt  Templates

Desktop          dovecot.pem  Music              test2.key

Documents        Downloads    Pictures   Videos

[root@test1 ~]# cat my-ca.crl

-----BEGIN X509 CRL-----

MIIB1DCBvQIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJDTjEOMAwGA1UE

CAwFSGViZWkxEDAOBgNVBAcMB0JlaWppbmcxHDAaBgNVBAoME0RlZmF1bHQgQ29t

cGFueSBMdGQxDjAMBgNVBAMMBXRlc3QxFw0xMzAxMjQwMzMyMzRaFw0xMzAyMjMw

MzMyMzRaMBwwGgIJALRDvM/NCMHNFw0xMzAxMjQwMzIzMDVaoA4wDDAKBgNVHRQE

AwIBADANBgkqhkiG9w0BAQUFAAOCAQEAhUevJlfn+W4VpX2SWn1RA9Y+qqEHB9i1

9rPSBDpC+NUpiKhF09n1eZRGqbInGQ+KVGxWF7iRAQ/znVV06wJiRU1i1/os3f9E

s2PiYYx8fltLOmaR027BhOB1ZO2mQmF/rvl+Soox+XH/YXD9T6wyD9STwm9jzFnD

iY86D+dgCRFCa3GWJyCFV1jr+79gY4q9rNV5Cmpozyxtz+szVgk8D+03X52KSg35

Ow7eCwK9W0rToq31+nR9+EQ3Cx7dUNrXftfzTCbFFhr87/b4w7iH+G9/3hfv91rt

zLuEriAlumiLVNAVk4gU0VJImAbArCOewaNmarzG8N8U9KYAcAWITw==

-----END X509 CRL-----

转:http://xjsunjie.blog.51cto.com/999372/1124285/


