證書的說(shuō)明及使用
電子商務(wù)認(rèn)證授權(quán)機(jī)構(gòu)(CA, Certificate Authority)纱扭,也稱為電子商務(wù)認(rèn)證中心悉尾,是負(fù)責(zé)發(fā)放和管理數(shù)字證書的權(quán)威機(jī)構(gòu)葫督,并作為電子商務(wù)交易中受信任的第三方棘脐,承擔(dān)公鑰體系中公鑰的合法性檢驗(yàn)的責(zé)任人芽。
客戶機(jī)需要申請(qǐng)CA認(rèn)證時(shí)隐圾,首先要生成申請(qǐng)請(qǐng)求伍掀,把申請(qǐng)的請(qǐng)求發(fā)送到CA,CA進(jìn)行審核暇藏,審核之后驗(yàn)證無(wú)誤蜜笤,CA可以進(jìn)行簽名,之后才能發(fā)放證書盐碱。得到證書之后就可以應(yīng)用到程序里把兔,程序的配置文件里包含證書的路徑沪伙,既可以實(shí)現(xiàn)加密
搭建私有CA
1)查看CA的配置文件/etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # 默認(rèn)CA
####################################################################
[ CA_default ]
dir = /etc/pki/CA # CA的工作目錄
certs = $dir/certs # 證書指定存放的文件夾
crl_dir = $dir/crl # 證書吊銷列表文件夾
database = $dir/index.txt # 數(shù)據(jù)庫(kù)文件夾,index.txt需手動(dòng)創(chuàng)建空文件
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # 新證書存放列表
certificate = $dir/cacert.pem # CA自身的證書
serial = $dir/serial # 當(dāng)前序列號(hào)县好,決定下一個(gè)證書的編號(hào)围橡,需要手動(dòng)創(chuàng)建文件,并設(shè)定編號(hào)
crlnumber = $dir/crlnumber # 下一個(gè)證書被吊銷的編號(hào)
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# 證書CA的私鑰
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # 證書的默認(rèn)時(shí)間365天
default_crl_days= 30 # crl的有效時(shí)間
default_md = sha256 # 加密算法
[ policy_match ] # CA的策略
countryName = match # 國(guó)家
stateOrProvinceName = match # 城市
organizationName = match # 公司
organizationalUnitName = optional # 部門
commonName = supplied # 主機(jī)的通用名缕贡,泛域名
emailAddress = optional # 郵件地址
2)創(chuàng)建所需文件
在CA的文件目錄下某饰,index.txt和serial文件需要手工創(chuàng)建,index.txt是空文件善绎,serial指定頒發(fā)證書的序列號(hào)黔漂,所有在創(chuàng)建文件時(shí)需寫入一個(gè)能表達(dá)序號(hào)的數(shù)字。
[root@c7 ~]# touch /etc/pki/CA/index.txt # 創(chuàng)建index.txt
[root@c7 ~]# ls /etc/pki/CA/index.txt
/etc/pki/CA/index.txt
[root@c7 ~]# echo 01 > /etc/pki/CA/serial # 創(chuàng)建serial
[root@c7 ~]# ls /etc/pki/CA/serial
/etc/pki/CA/serial
3)生成私鑰
首先生成私鑰禀酱,生成的私鑰存放在/etc/pki/CA/private/下炬守,文件名為cakey.pem,權(quán)限為只讀剂跟,并進(jìn)行加密减途,因?yàn)閡mask僅對(duì)本文件生效,所以要加括號(hào)
[root@c7 CA]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048) # 生成私鑰
Generating RSA private key, 2048 bit long modulus
.......+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@c7 CA]# cat private/cakey.pem # 查看私鑰
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED # 已加密
DEK-Info: DES-EDE3-CBC,3F051902487C8CE7
cE6TNk0+ZGdh70JHwD9m6+KN/Y9Cx7K8Q1+xSsD2voAKTIIcxgS0ANWcIDnF1xLz
JS0aNeflStP2gOlb6cdXclkA1rVuLM8tuJ+bP2u2THOERA6HPpqyPZeAdb5AwBeO
hE3I+HSWzYu9VhfIfDILV9FC2rJJTyOoSyPJfPlCyzIzsgJs30pCfk+WSRgsISpM
...... # 文件過(guò)長(zhǎng)
4)生成自簽名證書
利用x509申請(qǐng)新的自簽名證書曹洽,時(shí)間7300天鳍置,保存位置在/etc/pki/CA/,文件名cacert.pem
-new: 生成新證書簽署請(qǐng)求
-x509: 專用于CA生成自簽證書
-key: 生成請(qǐng)求時(shí)用到的私鑰文件
-days n:證書的有效期限
-out /PATH/TO/SOMECERTFILE: 證書的保存路徑
[root@c7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
Enter pass phrase for /etc/pki/CA/private/cakey.pem: # 輸入私鑰密碼
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 填寫國(guó)家簡(jiǎn)稱(兩位)
State or Province Name (full name) []:henan # 填寫地區(qū)
Locality Name (eg, city) [Default City]:zhengzhou # 填寫城市
Organization Name (eg, company) [Default Company Ltd]:magedu.com # 填寫公司名稱
Organizational Unit Name (eg, section) []:yunwei # 填寫公司部門
Common Name (eg, your name or your server's hostname) []:ca.magedu.com # 填寫證書頒發(fā)機(jī)構(gòu)
Email Address []: # 填寫公司郵箱送淆,可以忽略
用sz命令到處cacert.pem文件到物理機(jī)税产,修改文件后綴為.cer,雙擊查看證書偷崩,自簽名證書頒發(fā)者和頒發(fā)給是相同的辟拷,安裝證書之后證書即可受信
客戶端申請(qǐng)證書
1)首先生成私鑰,私鑰沒(méi)有固定的文件路徑阐斜,可以根據(jù)使用程序的路徑隨處存放衫冻。建議放在服務(wù)對(duì)應(yīng)的文件夾里.
[root@c6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
..............+++
..................................................+++
e is 65537 (0x10001)
[root@c6 ~]# ls /etc/pki/tls/private/test.key
/etc/pki/tls/private/test.key
2)利用私鑰生成證書申請(qǐng)文件,然后把申請(qǐng)文件發(fā)送到CA的辦法機(jī)構(gòu)谒出,經(jīng)過(guò)CA的確認(rèn)后頒發(fā)CA授權(quán)證書隅俘。這一步與搭建私有CA的區(qū)別就是在命令中沒(méi)有使用命令x509
[root@c6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 輸入國(guó)家(必須和證書頒發(fā)機(jī)構(gòu)一致)
State or Province Name (full name) []:henan # 輸入地區(qū)(必須和證書頒發(fā)機(jī)構(gòu)一致)
Locality Name (eg, city) [Default City]:zmd # 輸入任意城市
Organization Name (eg, company) [Default Company Ltd]:magedu.com # 輸入CA機(jī)構(gòu)的名稱(必須和證書頒發(fā)機(jī)構(gòu)一致)
Organizational Unit Name (eg, section) []:bg # 輸入任意部門
Common Name (eg, your name or your server's hostname) []:test.magedu.com # 輸入使用證書的網(wǎng)址
Email Address []: # 輸入郵箱(可忽略)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # 輸入密碼(可忽略)
An optional company name []: # 輸入公司名稱(可忽略)
[root@c6 ~]# ls # 查看生成的app.csr文件
anaconda-ks.cfg Desktop Downloads install.log.syslog Pictures Templates
app.csr Documents install.log Music Public Videos
3)發(fā)送證書申請(qǐng)文件app.csr到CA頒發(fā)機(jī)構(gòu)
[root@c6 ~]# scp app.csr 192.168.10.134:/etc/pki/CA
root@192.168.10.134's password:
app.csr 100% 1005 1.0KB/s 00:00
4)由證書的頒發(fā)機(jī)構(gòu)進(jìn)行審核后頒發(fā)證書
[root@c7 CA]# openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: # 輸入私鑰密碼
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 10 09:32:45 2017 GMT
Not After : Sep 10 09:32:45 2018 GMT
Subject: # 審核申請(qǐng)信息
countryName = CN
stateOrProvinceName = henan
organizationName = magedu.com
organizationalUnitName = bg
commonName = test.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A0:CA:77:3A:E0:58:CA:B7:E9:85:31:93:02:9C:2B:C9:C5:EE:FF:7E
X509v3 Authority Key Identifier:
keyid:B2:7A:04:20:87:A8:3F:7A:DA:28:63:02:AC:D7:5B:AF:7E:9E:00:4A
Certificate is to be certified until Sep 10 09:32:45 2018 GMT (365 days)
Sign the certificate? [y/n]:y # 審核通過(guò)
1 out of 1 certificate requests certified, commit? [y/n]y # 確認(rèn)頒發(fā)證書
Write out database with 1 new entries
Data Base Updated
[root@c7 CA]# ls certs/app.crt # 確認(rèn)證書的生成
certs/app.crt
此時(shí)在index.txt文件中加入了一條新的記錄,因?yàn)閟erial保存的是下一個(gè)證書的序列號(hào)笤喳,所以新的serial文件的內(nèi)容在原有內(nèi)容上加1为居,證書的序列號(hào)使用十六進(jìn)制表示
[root@c7 CA]# cat index.txt
V 180910093245Z 01 unknown /C=CN/ST=henan/O=magedu.com/OU=bg/CN=test.magedu.com
[root@c7 CA]# cat serial
02
同時(shí)index.txt生成了備份文件index.txt.old,serial生成了備份文件serial.old
[root@c7 CA]# ls
app.csr certs index.txt index.txt.old private serial.old
cacert.pem crl index.txt.attr newcerts serial
在newcerts文件中生成以證書編號(hào)命名的內(nèi)容相同的證書文件
[root@c7 CA]# ls newcerts/01.pem certs/app.crt
certs/app.crt newcerts/01.pem
[root@c7 CA]# diff newcerts/01.pem certs/app.crt
[root@c7 CA]#
5)復(fù)制證書到申請(qǐng)機(jī)構(gòu)莉测,就可以隨意使用了
[root@c7 CA]# scp certs/app.crt 192.168.10.133:/etc/pki/tls/certs
The authenticity of host '192.168.10.133 (192.168.10.133)' can't be established.
RSA key fingerprint is 48:ad:3b:a3:d0:53:c6:ca:d0:48:da:5b:35:78:4e:72.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.133' (RSA) to the list of known hosts.
root@192.168.10.133's password:
app.crt 100% 4480 4.4KB/s 00:00
★ 同一個(gè)申請(qǐng)不能頒發(fā)兩份證書
