I. Preparation
Set up one Red Hat 5.8 server and install the two packages openssl and openssl-devel.
II. Organization information to be certified
Country: China
Province: Henan
City: Zhengzhou
Company: 网E家
Department: Technical Department
Server hostname: ca.wangej.com
Administrator email: caadmin@wangej.com
III. Key terms and command analysis
The most widely used standard certificate format today is X.509.
A complete X.509 certificate contains:
- the public key and its expiry time
- the certificate's legitimate owner
- how the certificate may be used
- information about the issuing CA
- the CA's signature (a checksum signed by the CA)
The well-known Internet security mechanisms TLS/SSL use the X.509 format; OpenPGP is another such mechanism. All of these are implementations of the PKI architecture.
PS: corrections are welcome if anything is wrong, thanks!
- openssl version: show the openssl version
- openssl speed: benchmark the speed of openssl's ciphers and digests
- openssl enc: symmetric encryption
  - -e: encrypt
  - -d: decrypt
  - -k: specify the passphrase
  - -a: encode/decode the data with base64
- openssl enc -des3 -salt -a -in inittab -out inittab.des3: -des3 selects the cipher, -in the file to process, -out the file the result is written to
- extracting fingerprints (digests) with openssl:
  - openssl dgst -sha1 passwd: using SHA-1
  - openssl dgst -md5 passwd: using MD5
- openssl passwd: password hashes
  - openssl passwd -1: MD5-based format
  - -salt: specify the salt
  - openssl passwd -1 -salt 1234567
- openssl rand -base64 <length>: generate random bytes
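An added example, not part of the post, that ties the enc and dgst commands above together: the post's -des3 -salt -a form with the passphrase passed via -k, beside a hardened AES-256-CBC form with PBKDF2 (OpenSSL 1.1.1 or later) that reads the passphrase from a file, followed by a SHA-256 round-trip check. The input file and the passphrase are constructed here.

```shell
set -e
# Constructed sample input standing in for the post's /etc/inittab.
make_sample() { printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$1"; }
# The post's form: -des3 -salt -a with the passphrase given via -k on the command
# line, where ps and the shell history can see it. Kept only for comparison.
enc_legacy() { openssl enc -des3 -salt -a -k "$2" -in "$1" -out "$1.des3"; }
# Hardened form: AES-256-CBC, PBKDF2 key derivation, passphrase read from a file
# (created below with mode 600). -a keeps the base64 output the post uses.
enc_modern() { openssl enc -aes-256-cbc -salt -pbkdf2 -a -pass "file:$2" -in "$1" -out "$1.aes"; }
# Decryption needs the same cipher, KDF and -a, plus -d.
dec_modern() { openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$2" -in "$1.aes" -out "$1.dec"; }
# Round trip followed by the integrity check from the dgst section: prints "ok"
# only when the decrypted file hashes to the same SHA-256 as the original.
roundtrip_ok() {
    dir=$1; f=$dir/inittab; pf=$dir/pass.txt
    make_sample "$f"
    (umask 077; echo "constructed-passphrase" > "$pf")
    enc_modern "$f" "$pf"
    dec_modern "$f" "$pf"
    a=$(openssl dgst -sha256 "$f");     a=${a##* }   # "SHA256(file)= hash" -> hash
    b=$(openssl dgst -sha256 "$f.dec"); b=${b##* }
    [ "$a" = "$b" ] && echo ok || echo mismatch
}
```

The base64 ciphertext always starts with U2FsdGVkX1, the encoding of the "Salted__" header that -salt writes in front of the salt and the data.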
IV. Setup
Implementing a private CA with openssl:
1. Create the directories and files the CA needs
Under /etc/pki/CA, create the three directories certs, crl and newcerts and the two files serial and index.txt, and write the initial serial number into serial.
- [root@www CA]# mkdir crl newcerts certs
- [root@www CA]# touch serial
- [root@www CA]# touch index.txt
- [root@www CA]# ls
- cacert.pem crl index.txt.attr newcerts serial certs index.txt private
2. Generate a key pair
[root@www CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048 ) # umask 077 makes the key file mode 600; it is saved as private/cakey.pem
- [root@www private]# cat cakey.pem
3. Generate the self-signed certificate
openssl req -new -x509 -key <private key file> -out <certificate file>: -x509 produces a self-signed certificate, -key names the private key file, -out where to store the certificate
- [root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [GB]:CN # country
- State or Province Name (full name) [Berkshire]:Henan # province
- Locality Name (eg, city) [Newbury]:zhengzhou # city
- Organization Name (eg, company) [My Company Ltd]:wangej # company
- Organizational Unit Name (eg, section) []:jishubu # department
- Common Name (eg, your name or your server's hostname) []:ca.wangej.com # server hostname
- Email Address []:caadmin@wangej.com # administrator email
4. View the certificate information
openssl x509 -text -in <certificate file>: -text prints the certificate in text form, -in names the certificate file to read
- [root@www CA]# openssl x509 -text -in cacert.pem
- Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- b5:4a:6d:18:6c:ac:eb:b5
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/emailAddress=caadmin@wangej.com
- Validity
- Not Before: Apr 7 06:26:56 2013 GMT
- Not After : May 7 06:26:56 2013 GMT
- Subject: C=CN, ST=Henan, L=Zhengzhou, O=Wangej, OU=jishubu, CN=ca.wangej.com/emailAddress=caadmin@wangej.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Key Identifier:
- 9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
- X509v3 Authority Key Identifier:
- keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
- DirName:/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com/emailAddress=caadmin@wangej.com
- serial:B5:4A:6D:18:6C:AC:EB:B5
- X509v3 Basic Constraints:
- CA:TRUE
- Signature Algorithm: sha1WithRSAEncryption
5. On another host, generate a key, then request a certificate from the CA
(umask 077; openssl genrsa -out httpd.key 1024) # generate the host's private key
openssl req -new -key httpd.key -out httpd.csr # create the certificate signing request to submit to the CA
openssl ca -in httpd.csr -out httpd.crt -days 365 # on the CA server: sign the request and issue the certificate
- [root@www ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
- Using configuration from /etc/pki/tls/openssl.cnf
- Check that the request matches the signature
- Signature ok
- Certificate Details:
- Serial Number: 1 (0x1)
- Validity
- Not Before: Apr 7 06:41:12 2013 GMT
- Not After : Apr 7 06:41:12 2014 GMT
- Subject:
- countryName = CN
- stateOrProvinceName = Henan
- organizationName = Wangej
- organizationalUnitName = jishubu
- commonName = www.wangej.com
- emailAddress = wwwadmin@wangej.com
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- 17:C6:85:DB:34:DC:AE:21:79:CA:22:90:C9:E2:14:7B:C3:3B:02:7D
- X509v3 Authority Key Identifier:
- keyid:9A:78:03:D5:26:0E:2D:11:6D:FD:57:22:6E:09:E4:62:DA:37:19:9A
- Certificate is to be certified until Apr 7 06:41:12 2014 GMT (365 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated
This completes the whole certification process; now send the issued certificate httpd.crt back to the server that requested it.
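Steps 1 to 5 of section IV as one non-interactive script, added here as an example and not the post's own commands. It assumes a minimal ca.cnf written by the script in place of the stock /etc/pki/tls/openssl.cnf and a CA directory passed as the first argument (a temp dir in the test, /etc/pki/CA on the post's host); it keeps the post's DN values, gives the CA certificate an explicit -days (the post's CA certificate got the 30-day default, as its Not After shows) and uses SHA-256 instead of sha1WithRSAEncryption, which recent OpenSSL releases reject at the default security level.

```shell
set -e
# Step 1 of section IV: the layout "openssl ca" expects; "01" is the serial header.
init_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts"
    mkdir -p -m 700 "$1/private"    # same protection as /etc/pki/CA/private
    : > "$1/index.txt"
    echo 01 > "$1/serial"
}
# Minimal config (assumed by this example; the post relies on /etc/pki/tls/openssl.cnf).
write_ca_conf() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
organizationName = optional
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
}
# Steps 2-5: CA key, self-signed CA cert with an explicit -days, server key + CSR, CA-signed cert.
build_private_ca() {
    d=$1; c=$d/ca.cnf; init_ca_dir "$d"; write_ca_conf "$d"
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$c" -new -x509 -sha256 -days 3650 -key "$d/private/cakey.pem" \
        -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Wangej/OU=jishubu/CN=ca.wangej.com" -out "$d/cacert.pem"
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null)
    openssl req -config "$c" -new -sha256 -key "$d/httpd.key" \
        -subj "/O=Wangej/CN=www.wangej.com" -out "$d/httpd.csr"
    openssl ca -config "$c" -batch -notext -in "$d/httpd.csr" -out "$d/httpd.crt"
}
# The check the post never runs: the issued certificate must chain to cacert.pem.
verify_issued() { openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null; }
```

Source the file and run `build_private_ca /some/dir && verify_issued /some/dir`; the issued certificate lands in httpd.crt and in newcerts/01.pem, index.txt gains a "V" line for it, and serial advances to 02.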