Generating and revoking certificates with a private CA using openssl

2022/4/24 23:15:04

This article walks through building a private CA with openssl, issuing certificates from it, and revoking them.

Timing figures quoted on the page for processing 1 GB of data (the page gives no column headings for the two times):

Algorithm    1G
DES          4m     8m
RSA          1m     64h

Experiments show that symmetric algorithms are roughly 1500 times faster than asymmetric ones, which is why protocols such as TLS use the asymmetric key only to establish (or sign) a symmetric session key and encrypt the bulk data symmetrically.

 

Avoiding garbled characters: base64 turns arbitrary bytes (here the UTF-8 encoding of 川, e5 b7 9d) into printable ASCII so they survive transport and come back intact:

[root@localhost ~]# echo 川 | base64
5bedCg==
[root@localhost ~]# echo 5bedCg== | base64 -d
川

The trailing "Cg==" is the newline that echo appends (0x0a); use printf or echo -n to encode only the characters themselves.

Create the directory layout the CA needs (on this RHEL-family system openssl.cnf sets dir = /etc/pki/CA, so this is where openssl ca looks by default):
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@localhost ~]# echo 123456 | openssl passwd -6 --stdin   # sha512-crypt ($6$) hash with a random salt
$6$WNoUVbFvp40Aw7aL$d7T63djg2TnXnF7SZyogKoHhrV9xG6PGksnnC0x3FYzTFoIBSn1y15n322WgJmpphkRxXtyvRIj5FvTfkeEVn0
[root@localhost ~]# echo 123456 | openssl passwd -6 --stdin -salt "WNoUVbFvp40Aw7aL"  
$6$WNoUVbFvp40Aw7aL$d7T63djg2TnXnF7SZyogKoHhrV9xG6PGksnnC0x3FYzTFoIBSn1y15n322WgJmpphkRxXtyvRIj5FvTfkeEVn0
[root@localhost ~]# cat /etc/shadow
root:$6$GuXYkkXUI59mp6Md$4fycaS6olcfwfCkYx6EqI0Nv3OXK7.fTDqBfUb4bRbo8pfVZXrFXPwdhBnRIcNuugjQd8a0CB4jYG4nrKdZoI/::0:99999:7:::
[root@localhost ~]# echo 1 | openssl passwd -6 --stdin -salt GuXYkkXUI59mp6Md
$6$GuXYkkXUI59mp6Md$4fycaS6olcfwfCkYx6EqI0Nv3OXK7.fTDqBfUb4bRbo8pfVZXrFXPwdhBnRIcNuugjQd8a0CB4jYG4nrKdZoI/
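The two runs above show that the same password hashed with the same salt always gives the same string, which is exactly how a login check works: take the salt out of the stored hash, re-hash the candidate password with it, and compare. As an added example (not from the page), a small sh script that does that with openssl passwd -6 and runs it over a constructed shadow-style sample; the user names, sample lines and passwords are made up, while the two salts are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the page: verify a candidate password against a sha512-crypt ($6$)
# shadow entry the way login does, by re-hashing it with the salt stored in the entry.
# Assumes OpenSSL 1.1.1+ (for passwd -6). Sample users and passwords are made up.
set -eu

# sha512_crypt <password> <salt>: the $6$<salt>$<digest> string (5000 rounds, the glibc default)
sha512_crypt() { printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin; }

# check_password <password> <hash>: 0 on match, 1 on mismatch, 2 if <hash> is not a $6$ hash.
# The salt is the second '$'-separated field and must be reused; a fresh random salt
# (what openssl passwd -6 without -salt does) gives a different digest for the same password.
check_password() {
    local pw="$1" stored="$2" salt
    case "$stored" in '$6$'*) ;; *) echo "not a sha512-crypt hash: $stored" >&2; return 2 ;; esac
    salt=$(printf '%s\n' "$stored" | cut -d '$' -f 3)
    [ "$(sha512_crypt "$pw" "$salt")" = "$stored" ]
}

# build_sample: constructed shadow-style lines (not a real file). root and bob are hashed with the
# two salts from the page; alice is a locked account (!!) and must be skipped, not treated as a hash.
build_sample() {
    printf 'root:%s::0:99999:7:::\nbob:%s:19000:0:99999:7:::\nalice:!!:19000:0:99999:7:::\n' \
        "$(sha512_crypt 1 GuXYkkXUI59mp6Md)" "$(sha512_crypt 123456 WNoUVbFvp40Aw7aL)"
}

# audit_shadow <password> <shadow text>: print the users whose stored hash matches <password>
audit_shadow() {
    printf '%s\n' "$2" | while IFS=: read -r user hash _rest; do
        case "$hash" in
            '$6$'*) if check_password "$1" "$hash"; then echo "$user"; fi ;;
        esac
    done
}

main() {
    echo "root hash from the page, recomputed: $(sha512_crypt 1 GuXYkkXUI59mp6Md)"
    sample=$(build_sample)
    echo "users whose password is '1': $(audit_shadow 1 "$sample")"
    echo "users whose password is '123456': $(audit_shadow 123456 "$sample")"
}
command -v openssl >/dev/null 2>&1 && main
```

Run it as-is; the first line it prints should equal the root entry shown in /etc/shadow above. The same loop, pointed at a real shadow file and a word list, is the offline password audit a pentester runs after reading /etc/shadow, which is why that file must stay root-only.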
Setting up a private CA
OpenCA: a complete free PKI package built by the OpenCA project on top of OpenSSL, written in Perl.
openssl: the relevant packages are openssl and openssl-libs.
Steps for requesting and signing a certificate:
1. Generate a certificate signing request (CSR)
2. The RA verifies the request
3. The CA signs it
4. The requester obtains the certificate
Three policy settings for the DN fields of a request: match, optional, supplied
match: the field in the request must be identical to the same field in the CA certificate
optional: the field may be present or absent, and need not match the CA
supplied: the field must be present in the request

vim  /etc/pki/tls/openssl.cnf    (the [ CA_default ] section of this file sets dir = /etc/pki/CA and the file names used below; the policy sections live in the same file)

1. Create the files the CA needs
2. Generate the CA private key
[root@localhost CA]# touch /etc/pki/CA/index.txt
[root@localhost CA]# echo 01 > /etc/pki/CA/serial
[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
...............................+++++
e is 65537 (0x010001)
3. Generate the self-signed CA certificate
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request (this is how the CA's own certificate is made)
-key: the private key used to sign the request or certificate
-days n: validity period in days
-out /PATH/TO/SOMECERTFILE: where to write the certificate

 

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36000 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:

 

[root@localhost CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            38:5b:5c:9e:32:31:5d:ed:a0:5a:9c:3e:bb:65:d0:6d:02:04:bb:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = zhengfu, OU = guofangbu, CN = www.baidu.com
        Validity
            Not Before: Apr 23 08:51:56 2022 GMT
            Not After : Nov 15 08:51:56 2120 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = zhengfu, OU = guofangbu, CN = www.baidu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a2:e7:e0:35:58:82:88:3f:de:5a:f6:5b:f0:7e:
                    b4:52:10:a2:0c:16:f2:35:e9:78:e7:58:77:6c:d1:
                    f9:28:dc:8b:a7:23:8a:45:07:ed:b2:e3:e1:d5:05:
                    24:b3:93:b0:41:94:1c:15:20:6b:7f:e6:95:13:f6:
                    86:65:12:12:74:a6:45:fd:38:a6:a5:d6:a6:52:74:
                    1c:f3:c4:a6:ac:db:c6:c1:dc:a3:50:e4:8b:16:8e:
                    2c:33:0b:b7:c9:3d:45:98:ee:41:85:31:b2:b1:69:
                    6f:e1:70:5a:2a:33:49:8b:41:ca:db:50:bf:dc:25:
                    5d:23:cb:f9:2d:c2:67:f4:a5:37:73:6a:1c:86:60:
                    a0:92:e4:2a:a0:32:9a:b9:56:c7:b6:7b:66:b6:89:
                    3e:2b:ab:f0:e5:e2:a2:77:ec:bf:b9:2a:91:d8:29:
                    c6:40:e5:12:9f:39:db:0e:33:5c:6a:61:0d:de:c8:
                    9b:ea:39:8a:2a:2a:7f:fb:95:e0:c2:a0:d2:17:3d:
                    85:05:00:df:39:21:cd:e4:36:13:1f:fa:26:db:4c:
                    d4:c7:9a:6b:c0:78:72:44:5f:2a:8c:04:a8:87:a5:
                    6c:e7:9e:d4:dd:32:70:7a:6a:01:c0:d4:02:0a:9a:
                    b6:48:cc:cf:b2:82:6f:2a:da:f3:34:4d:51:f8:a8:
                    93:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                61:D0:AA:08:90:F1:01:59:EC:7C:E5:93:A0:FF:74:74:44:FC:59:A6
            X509v3 Authority Key Identifier: 
                keyid:61:D0:AA:08:90:F1:01:59:EC:7C:E5:93:A0:FF:74:74:44:FC:59:A6

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         2d:52:26:fa:ed:36:02:03:b2:28:6e:89:41:6a:5d:85:7f:37:
         c6:3a:c8:db:f9:82:62:8e:80:d9:8f:fb:06:1a:bc:03:cd:3d:
         3d:a1:79:5c:7d:9e:e7:4c:8e:c5:99:b5:32:bb:ed:3e:d8:a6:
         cc:b3:1c:c7:3e:00:87:32:9e:6f:62:ac:a0:27:76:97:ea:03:
         34:37:3c:2d:5c:7d:58:75:0e:fc:df:3e:3c:28:7e:53:b0:db:
         4a:f5:07:65:cf:43:90:8c:44:30:8e:f5:91:9a:71:1a:00:53:
         51:df:7c:8c:06:63:84:a3:db:26:53:63:19:ba:91:ee:ec:a6:
         4a:28:40:3d:24:63:23:c0:de:9d:09:bc:21:31:57:ec:7e:4c:
         a6:bc:13:1d:03:03:12:86:65:5c:72:e5:cc:e9:c6:49:8d:22:
         87:ee:31:81:b8:c5:61:23:33:fd:28:07:92:be:44:fa:d5:ee:
         80:95:b0:94:ef:67:d6:a0:f9:94:b0:53:db:b2:23:05:57:85:
         51:f1:fc:cb:d0:35:fd:fa:65:f5:be:49:d9:6d:22:73:63:c6:
         b0:f9:f2:ed:03:2f:5e:3b:83:15:38:8b:0d:72:ca:97:01:62:
         6d:f0:5f:aa:f6:db:93:b1:65:4a:7b:ec:ab:48:8f:ae:51:82:
         df:bf:85:48

cacert.pem is the CA certificate in PEM format; the same file is often saved with a .crt extension, which changes nothing about its contents. Two things to check in the dump above: "X509v3 Basic Constraints: critical CA:TRUE" is what marks it as a CA certificate, and the Subject Key Identifier (61:D0:AA:...) is the value every certificate this CA issues must carry as its Authority Key Identifier. Two things worth doing differently: the Common Name of a CA should name the CA itself rather than a web host as here (it is only a label, but it is what clients show as the issuer), and 36000 days (until 2120) is far longer than any sensible lifetime for a signing key. This file is what clients need as a trust anchor to verify certificates the CA issues.

 

Requesting and issuing a certificate
1. Generate a private key for the host that needs the certificate
[root@localhost CA]# (umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..+++++
e is 65537 (0x010001)
2. Generate a certificate signing request for the host
[root@localhost CA]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:jinan  
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu 
Common Name (eg, your name or your server's hostname) []:www.chuan.com 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Sign the request at the CA and hand the certificate to the requester
[root@localhost CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 36000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 23 09:25:31 2022 GMT
            Not After : Nov 15 09:25:31 2120 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = zhengfu
            organizationalUnitName    = guofangbu
            commonName                = www.chuan.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                60:63:F8:E7:1B:4C:03:07:2C:6D:C6:FA:E2:DC:C1:C9:72:25:63:2E
            X509v3 Authority Key Identifier: 
                keyid:31:1F:D6:D9:B8:A2:82:30:0B:24:5C:C7:58:15:FD:2B:17:A8:85:02

Certificate is to be certified until Nov 15 09:25:31 2120 GMT (36000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Note: with the default policy (policy_match) the country, state/province and organization fields of the request must be identical to those in the CA certificate, commonName must be present, and the remaining fields are optional. Fields that the policy section does not mention at all are dropped from the issued certificate, which is why the Locality "jinan" entered in the CSR does not appear in the Subject above. A second thing to check in that output: the Authority Key Identifier keyid (31:1F:D6:...) should equal the Subject Key Identifier of cacert.pem, but the cacert.pem printed earlier has 61:D0:AA:..., so that listing came from a different CA key than the one that signed this request. `openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/test.crt` is the quick way to confirm which CA certificate actually issued a certificate.

vim  /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

 

4. Inspect the CA's files and database
[root@localhost CA]# tree 
.
├──  
├── cacert.pem
├── certs
│   └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@localhost CA]# cat serial
02
[root@localhost CA]# cat index.txt
V    21201115092531Z        01    unknown    /C=CN/ST=beijing/O=zhengfu/OU=guofangbu/CN=www.chuan.com

The columns of index.txt are tab-separated: status (V valid, R revoked, E expired), expiry time (YYMMDDHHMMSSZ), revocation time (empty while valid), serial number, certificate file name ("unknown" when openssl ca wrote it), and subject DN. newcerts/01.pem is the copy of the certificate with serial 01 that openssl ca keeps for itself; serial now holds the next number to issue.

 

To see what the policy enforces, request a certificate whose country and state differ from the CA's (US / newyork):
[root@localhost data]# (umask 066;openssl genrsa -out /data/test2.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................................................+++++
...............................+++++
e is 65537 (0x010001)

 

[root@localhost data]# openssl req -new -key /data/test2.key -out /data/test2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:newyork
Locality Name (eg, city) [Default City]:newyork
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu
Common Name (eg, your name or your server's hostname) []:www.chuan.com 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

[root@localhost CA]# openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 36000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (US)

To sign this request anyway, edit the [ CA_default ] section of /etc/pki/tls/openssl.cnf so that policy points at policy_anything (every DN field optional except commonName) and run openssl ca again:

vim  /etc/pki/tls/openssl.cnf

policy          = policy_anything

[root@localhost CA]# openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 36000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Apr 23 09:50:51 2022 GMT
            Not After : Nov 15 09:50:51 2120 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = newyork
            localityName              = newyork
            organizationName          = zhengfu
            organizationalUnitName    = guofangbu
            commonName                = www.chuan.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1B:1A:15:BF:3C:E8:71:ED:18:D6:F5:53:AB:ED:81:F0:2B:A7:BD:34
            X509v3 Authority Key Identifier: 
                keyid:31:1F:D6:D9:B8:A2:82:30:0B:24:5C:C7:58:15:FD:2B:17:A8:85:02

Certificate is to be certified until Nov 15 09:50:51 2120 GMT (36000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

Revoking a certificate
[root@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/02.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
[root@localhost CA]# cat index.txt
V    21201115092531Z        01    unknown    /C=CN/ST=beijing/O=zhengfu/OU=guofangbu/CN=www.chuan.com 
R    21201115095051Z    220423095539Z    02    unknown    /C=US/ST=newyork/L=newyork/O=zhengfu/OU=guofangbu/CN=www.chuan.com
Set the initial CRL number. crlnumber is the serial number of the CRL itself (not of the revoked certificate) and is incremented on every -gencrl, so this is only needed once, before the first CRL is generated:
echo 01 > /etc/pki/CA/crlnumber
Generate (or regenerate) the certificate revocation list:
openssl ca -gencrl -out /etc/pki/CA/crl.pem
[root@localhost CA]# cat /etc/pki/CA/crl.pem 
-----BEGIN X509 CRL-----
... (base64 body omitted)
-----END X509 CRL-----

Inspect the CRL:

[root@localhost CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text

Like cacert.pem, crl.pem can be saved with a .crl extension without any conversion. Note that -revoke only flips the entry in index.txt from V to R; clients learn nothing until a fresh CRL is generated with -gencrl and distributed to them (or served at the CRL distribution point), so regenerate the CRL after every revocation. The CRL also carries a nextUpdate time (default_crl_days in openssl.cnf, 30 days in the stock file), after which clients treat it as stale, so regenerate it on a schedule even when nothing new has been revoked.
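The issuance steps above (key, CSR, openssl ca), the DN policy behaviour, and the revoke/CRL steps, as one added end-to-end example that is not part of the original page. It builds a throw-away CA in a temporary directory with its own openssl.cnf instead of /etc/pki/CA, and goes beyond the page in three ways: the CA certificate carries an explicit keyUsage (keyCertSign, cRLSign); the leaf certificates get a subjectAltName set by the CA's config rather than copied from the CSR; and the result is checked with openssl verify, with and without the CRL. The policy switch is done with -policy on the command line instead of editing the config. The CA name "Example Private Root CA", the hostnames and the file names are assumptions; the DN values are the page's.

```shell
#!/bin/sh
# Added example, not from the page: a throw-away private CA driven by openssl(1) only, covering
# issue -> DN policy check -> revoke -> CRL -> verify. Assumes OpenSSL 1.1.1+ on PATH; DN values
# follow the page, while the CA name, hostnames and file names are placeholders.
set -eu
export SAN="DNS:localhost"   # default for ${ENV::SAN} in the config below; issue() overrides it
ca_setup() {   # fresh CA in a temp dir; sets CA and exports CA_DIR for the config's ${ENV::CA_DIR}
    CA=$(mktemp -d); export CA_DIR="$CA"
    CLEANUP="${CLEANUP:-} $CA"; trap 'rm -rf $CLEANUP' EXIT
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
    cat > "$CA/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ${ENV::CA_DIR}
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = ${ENV::SAN}
EOF
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/openssl.cnf" -extensions v3_ca -days 3650 \
        -key "$CA/private/cakey.pem" -subj "/C=CN/ST=beijing/O=zhengfu/CN=Example Private Root CA" \
        -out "$CA/cacert.pem"
}
# issue <policy> <subject DN> <SAN> <name>: key + CSR for a host, then the CA signs it under <policy>.
# The SAN is injected from the CA's config rather than copied from the CSR, so a requester cannot
# smuggle extra names or extensions in. Returns openssl ca's status: non-zero if the DN violates <policy>.
issue() {
    local policy="$1" subj="$2" san="$3" name="$4"
    (umask 077; openssl genrsa -out "$CA/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$CA/openssl.cnf" -key "$CA/$name.key" -subj "$subj" -out "$CA/$name.csr"
    SAN="$san" openssl ca -batch -notext -config "$CA/openssl.cnf" -policy "$policy" \
        -in "$CA/$name.csr" -out "$CA/certs/$name.crt" >/dev/null
}
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$1" >/dev/null; }   # signature/chain only
verify_with_crl() { openssl verify -CAfile "$CA/cacert.pem" -crl_check -CRLfile "$CA/crl.pem" "$1" >/dev/null; }
revoke() { openssl ca -config "$CA/openssl.cnf" -revoke "$1" -crl_reason "$2" 2>/dev/null; }
gencrl() { openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null; }
index_status() {   # letter recorded for a serial in the tab-separated index.txt: V valid, R revoked
    awk -F'\t' -v s="$1" '$4 == s { print $1; found = 1 } END { exit !found }' "$CA/index.txt"
}
main() {
    ca_setup
    issue policy_match "/C=CN/ST=beijing/O=zhengfu/CN=www.chuan.com" DNS:www.chuan.com test   # serial 01
    verify_chain "$CA/certs/test.crt"; echo "test.crt chains to the CA"
    # policy_match refuses a request whose C/ST differ from the CA's ...
    if issue policy_match "/C=US/ST=newyork/O=zhengfu/CN=www.chuan.com" DNS:www.chuan.com test2; then
        echo "unexpected: policy_match accepted a mismatching DN"; return 1
    fi
    # ... policy_anything signs it (serial 02); then revoke it and publish a CRL
    issue policy_anything "/C=US/ST=newyork/O=zhengfu/CN=www.chuan.com" DNS:www.chuan.com test2
    revoke "$CA/certs/test2.crt" keyCompromise; gencrl
    echo "serial 02 in index.txt: $(index_status 02)"
    verify_with_crl "$CA/certs/test.crt"; echo "test.crt still valid under the CRL"
    verify_with_crl "$CA/certs/test2.crt" || echo "test2.crt rejected: revoked"
}
command -v openssl >/dev/null 2>&1 && main
```

The two verify calls at the end are the check to keep from this script: a revocation that is not followed by -gencrl and distribution of the new CRL changes nothing for clients. Keeping the SAN under the CA's control (no copy_extensions = copy) is the other design choice; with copy_extensions a requester could put any name, or even CA:TRUE, into the CSR and have it signed as-is.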

 

 




