Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇
分类:
IT文章
•
2023-10-26 19:13:26
Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.试验架构说明
node101.yinzhengjie.org.cn:
CA服务器
node108.yinzhengjie.org.cn:
CA客户端
![]()
[root@node101.yinzhengjie.org.cn ~]# uname -r
3.10.0-957.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# uname -m
x86_64
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# free -h
total used free shared buff/cache available
Mem: 7.6G 132M 7.2G 8.6M 299M 7.3G
Swap: 7.9G 0B 7.9G
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# hostname -i
172.30.1.101
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hostname
node101.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hosts
![]()
[root@node108.yinzhengjie.org.cn ~]# uname -r
3.10.0-957.el7.x86_64
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# uname -m
x86_64
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# free -h
total used free shared buff/cache available
Mem: 3.7G 98M 3.5G 8.5M 148M 3.4G
Swap: 3.9G 0B 3.9G
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# hostname -i
172.30.1.108
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# cat /etc/hosts
二.生成自签名证书
1>.查看opennssl的配置文件
openssl的配置文件:
/etc/pki/tls/openssl.cnf
三种策略:match匹配、optional可选、supplied提供
match:
要求申请填写的信息跟CA设置信息必须一致
optional:
可有可无,跟CA设置信息可不一致
supplied:
必须填写这项申请信息,
![]()
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/pki/tls/openssl.cnf
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # 默认的CA标题名称,该名称会定有很多CA服务器相关参数
[ CA_default ] # 上一行指定的CA标题名称就是这里定义的
dir = /etc/pki/CA # 存放CA的目录
certs = $dir/certs # 存放证书的目录
crl_dir = $dir/crl # 存放证书吊销列表信息
database = $dir/index.txt # 一个文本文件用来保存已颁发证书的信息,该文件默认不存在,需要手动创建
new_certs_dir = $dir/newcerts # 默认存放新颁发的证书
certificate = $dir/cacert.pem # 指定CA的证书,即CA自签名证书
serial = $dir/serial # 指定下一个颁发证书的编号,该文件默认不存在,需要手动创建
crlnumber = $dir/crlnumber # 指定下一个吊销证书的编号
crl = $dir/crl.pem # 指定CRL证书文件文件名称
private_key = $dir/private/cakey.pem # 指定CA的私钥文件名称
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # 指定证书的默认有效期
default_crl_days= 30 # 指定多久发布一次CRL信息(证书吊销信息)
default_md = sha256 # 使用默认的加密算法
preserve = no # keep passed DN ordering
policy = policy_match #匹配策略名称,见下一行有定义该名称
[ policy_match ] #用于CA的策略证书
countryName = match #match要求申请填写的信息跟CA设置信息必须一致。国家信息要一样
stateOrProvinceName = match #同上,省份也要一样
organizationName = match #同上,一般情况下,自建的CA服务器国家,省份和组织单位都是一样的。
organizationalUnitName = optional #optional表示可选项,即可有可无,跟CA设置信息可不一致
commonName = supplied #supplied表示必须填写这项申请信息, 即填写用户申请的域名
emailAddress = optional #optional表示可选项,即邮箱可以写也可以不写
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/pki/tls/openssl.cnf
2>.生成私钥
![]()
[root@node101.yinzhengjie.org.cn ~]# yum -y install tree
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirror.bit.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.tuna.tsinghua.edu.cn
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 165 kB 00:00:00
(2/4): extras/7/x86_64/primary_db | 153 kB 00:00:00
(3/4): base/7/x86_64/primary_db | 6.0 MB 00:00:01
(4/4): updates/7/x86_64/primary_db | 5.8 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package tree.x86_64 0:1.6.0-10.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================
Installing:
tree x86_64 1.6.0-10.el7 base 46 k
Transaction Summary
============================================================================================================================================================================
Install 1 Package
Total download size: 46 k
Installed size: 87 k
Downloading packages:
tree-1.6.0-10.el7.x86_64.rpm | 46 kB 00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : tree-1.6.0-10.el7.x86_64 1/1
Verifying : tree-1.6.0-10.el7.x86_64 1/1
Installed:
tree.x86_64 0:1.6.0-10.el7
Complete!
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# yum -y install tree
![]()
[root@node101.yinzhengjie.org.cn ~]# cd /etc/pki/CA/
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
........+++
e is 65537 (0x10001)
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 21 13:02 cakey.pem
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
3>.生成自签名证书
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 1 file
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 21 13:02 cakey.pem
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:ankang
Organization Name (eg, company) [Default Company Ltd]:yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.yinzhengjie.org.cn
Email Address []:
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem #新生成的证书文件,可以下载到windows系统查看,如下图所示(在windows系统需要修改文件后缀为crt才能打开哟).
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem
4 directories, 2 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
三.CA客户端申请证书
1>.生成私钥
[root@node108.yinzhengjie.org.cn ~]# mkdir /data/ssl -pv
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/ssl’
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# cd /data/ssl/
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]# (umask 066;openssl genrsa -out myapp.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
.....................................++++++
e is 65537 (0x10001)
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]# ll
total 4
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]#
2>.利用私钥生成证书请求并发送至CA服务器上
[root@node108.yinzhengjie.org.cn /data/ssl]# ll
total 4
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]# openssl req -new -key myapp.key -out myapp.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:ankang
Organization Name (eg, company) [Default Company Ltd]:yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:*.yinzhengjie.org.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]# ll
total 8
-rw-r--r-- 1 root root 668 Dec 21 13:53 myapp.csr
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]# scp myapp.csr node101.yinzhengjie.org.cn:/etc/pki/CA/
The authenticity of host 'node101.yinzhengjie.org.cn (172.30.1.101)' can't be established.
ECDSA key fingerprint is SHA256:KEchoZnVBkijeoWfG2nvx2ptthsXv7IjkxIJYule57g.
ECDSA key fingerprint is MD5:52:c8:f5:6e:5f:cf:44:ec:c4:11:60:d2:d0:31:3c:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn,172.30.1.101' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password:
myapp.csr 100% 668 900.0KB/s 00:00
[root@node108.yinzhengjie.org.cn /data/ssl]#
[root@node108.yinzhengjie.org.cn /data/ssl]#
四.颁发证书
1>.颁发证书过程及故障排除
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── myapp.csr
├── newcerts
└── private
└── cakey.pem
4 directories, 3 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139995437246352:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139995437246352:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# touch index.txt #根据上面的报错提示,说明缺少index.txt文件,因此我们手动创建出来
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139709222610832:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139709222610832:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# echo 0F > serial #根据上面的提示,说明仍然是少了文件,因此我们继续手动创建出来
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat serial
0F
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000 #执行颁发证书的指令
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Dec 21 06:27:58 2019 GMT
Not After : Sep 16 06:27:58 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = shanxi
organizationName = yinzhengjie
organizationalUnitName = devops
commonName = *.yinzhengjie.org.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
X509v3 Authority Key Identifier:
keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13
Certificate is to be certified until Sep 16 06:27:58 2022 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# ll certs/myapp.crt newcerts/0F.pem #我们发现这两个新生成的文件大小是一样的
-rw-r--r-- 1 root root 3771 Dec 21 14:30 certs/myapp.crt
-rw-r--r-- 1 root root 3771 Dec 21 14:30 newcerts/0F.pem
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# diff certs/myapp.crt newcerts/0F.pem #很显然,这两个文件内容是一样的
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
2>.查看证书信息
![]()
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat newcerts/0F.pem #查看证书信息
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shanxi, L=ankang, O=yinzhengjie, OU=devops, CN=ca.yinzhengjie.org.cn
Validity
Not Before: Dec 21 06:27:58 2019 GMT
Not After : Sep 16 06:27:58 2022 GMT
Subject: C=CN, ST=shanxi, O=yinzhengjie, OU=devops, CN=*.yinzhengjie.org.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b7:a1:2e:0c:f3:a4:e8:bc:41:0b:9b:40:3b:26:
80:ed:8d:03:5a:e2:15:4d:05:98:cc:f5:1d:ef:bb:
26:32:d3:3e:a6:47:f8:6d:24:23:35:23:fd:09:cc:
5b:6d:25:23:96:34:90:92:ab:5f:ea:ae:21:07:67:
2c:51:10:e4:34:5f:08:ff:eb:0a:ea:2a:fa:6f:47:
71:88:fb:d1:b4:7e:65:a9:52:ba:87:2e:1c:0f:f6:
55:56:42:e6:c5:ca:35:64:8c:96:76:c7:5d:e0:b6:
d7:99:e5:17:b8:95:ff:fb:22:ca:99:cc:d3:7c:6c:
70:c4:b0:f7:f3:87:32:a2:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
X509v3 Authority Key Identifier:
keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13
Signature Algorithm: sha256WithRSAEncryption
29:48:7f:38:fe:e5:c2:ad:fd:dc:c2:bc:0b:38:88:fb:99:a8:
2e:dc:69:8c:f6:a9:24:2d:2a:c1:27:bb:50:5c:16:70:25:1f:
4a:a8:c3:a5:21:1a:79:30:ac:0e:88:82:04:dd:f8:14:22:56:
bd:fc:cf:86:8a:cf:7e:88:7a:34:be:a7:3f:58:05:cc:33:95:
71:6f:53:39:5c:c7:0b:fa:c5:66:d2:2f:dc:d3:f4:86:01:53:
f2:63:1b:0c:fc:3c:c1:92:c2:c8:24:ed:2a:76:3b:37:20:93:
e1:47:71:26:5d:3f:bf:d5:03:62:c2:49:d8:84:dd:fe:1c:83:
60:43:88:77:b7:c8:f2:3e:95:63:d1:57:6c:f6:05:3d:b7:fc:
d9:80:be:ad:39:a2:f1:7f:b8:46:59:b2:2e:21:a7:86:53:e1:
7a:43:95:9b:1c:33:7d:84:03:5d:98:ce:c8:6f:eb:01:7e:d5:
82:91:c9:ea:a0:b1:67:39:3b:21:f7:c2:50:8f:8d:b2:a0:92:
c6:dd:f3:76:85:de:3a:77:03:26:3e:c2:b0:27:ca:b1:44:2f:
fd:e2:75:96:9c:dc:f3:e5:d6:24:62:65:44:3a:42:2c:08:4c:
18:87:41:b7:09:4e:68:bf:9c:1c:0c:f0:ce:50:af:be:33:a7:
ea:98:bf:af
-----BEGIN CERTIFICATE-----
MIIDTDCCAjSgAwIBAgIBDzANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJDTjEP
MA0GA1UECAwGc2hhbnhpMQ8wDQYDVQQHDAZhbmthbmcxFDASBgNVBAoMC3lpbnpo
ZW5namllMQ8wDQYDVQQLDAZkZXZvcHMxHjAcBgNVBAMMFWNhLnlpbnpoZW5namll
Lm9yZy5jbjAeFw0xOTEyMjEwNjI3NThaFw0yMjA5MTYwNjI3NThaMGQxCzAJBgNV
BAYTAkNOMQ8wDQYDVQQIDAZzaGFueGkxFDASBgNVBAoMC3lpbnpoZW5namllMQ8w
DQYDVQQLDAZkZXZvcHMxHTAbBgNVBAMMFCoueWluemhlbmdqaWUub3JnLmNuMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3oS4M86TovEELm0A7JoDtjQNa4hVN
BZjM9R3vuyYy0z6mR/htJCM1I/0JzFttJSOWNJCSq1/qriEHZyxREOQ0Xwj/6wrq
KvpvR3GI+9G0fmWpUrqHLhwP9lVWQubFyjVkjJZ2x13gtteZ5Re4lf/7IsqZzNN8
bHDEsPfzhzKiRQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU0PJNDjLl/w2s
UbKzfCMS8qsxwXQwHwYDVR0jBBgwFoAUYT5G8Oq+f9qLpHr2iTXwmmW8BRMwDQYJ
KoZIhvcNAQELBQADggEBAClIfzj+5cKt/dzCvAs4iPuZqC7caYz2qSQtKsEnu1Bc
FnAlH0qow6UhGnkwrA6IggTd+BQiVr38z4aKz36IejS+pz9YBcwzlXFvUzlcxwv6
xWbSL9zT9IYBU/JjGwz8PMGSwsgk7Sp2Ozcgk+FHcSZdP7/VA2LCSdiE3f4cg2BD
iHe3yPI+lWPRV2z2BT23/NmAvq05ovF/uEZZsi4hp4ZT4XpDlZscM32EA12Yzshv
6wF+1YKRyeqgsWc5OyH3wlCPjbKgksbd83aF3jp3AyY+wrAnyrFEL/3idZac3PPl
1iRiZUQ6QiwITBiHQbcJTmi/nBwM8M5Qr74zp+qYv68=
-----END CERTIFICATE-----
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat newcerts/0F.pem #查看证书信息,也可以直接查看myapp.crt证书文件,因为它们是一样的
3>.将证书下载到windows操作系统查看
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# sz certs/myapp.crt #如下图所示,下载文件到本地,下载时选择crt结尾的,其实下载0F.pem也可以(因为文件内容相同),但windows识别crt格式的文件可以直接查看。
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
4>.颁发证书后查看文件内容变更
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat index.txt #该文件记录了证书文件相关信息,首字母"V"表示证书有效,若证书被吊销的话,可能首字母是"R"
V 220916062758Z 0F unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat serial
10
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat index.txt.old #存放之前版本的信息
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat serial.old #存放之前的版本信息
0F
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat index.txt.attr #如果看到"unique_subject=yes"想必大家也猜到啥意思了,没错它规定了证书必须是唯一性的,也就是说我们不能对同一个证书请求多次颁发证书文件。
unique_subject = yes
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
五.windows导入咱们自己生成自签名证书
1>.如下图所示,咱们的操作系统"无法找到该证书的颁发者。",因此我们可以考虑将"*.yinzhengjie.org.cn"证书的颁发者证书也下载到本地导入并安装
2>.下载CA服务器证书到本地并更名为"*.crt"或者"*.cer"文件后缀,如下图所示(紧接着安装证书)
3>.如下图所示,点击"安装证书"会弹出右侧的对话框,继续点击"下一步"
4>.如下图所示,将我们的证书选择为"受信任的根证书颁发机构"
5>.配置完成后,点击"下一步"
6>.继续点击"完成"
7>.接下来会弹出如下图所示的对话框以确认安装证书提示,点击"是"
8>.点击"确定",证书导入成功
9>.证书安装完成后,再次打开证书查看相应信息,如下图所示
六.使用openssl命令在命令行查看证书信息
1>.将证书文件拷贝到客户端
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# ll
total 24
-rw-r--r-- 1 root root 1363 Dec 21 13:07 cacert.pem
drwxr-xr-x. 2 root root 23 Dec 21 14:26 certs
drwxr-xr-x. 2 root root 6 Oct 31 2018 crl
-rw-r--r-- 1 root root 92 Dec 21 14:30 index.txt
-rw-r--r-- 1 root root 21 Dec 21 14:30 index.txt.attr
-rw-r--r-- 1 root root 0 Dec 21 14:26 index.txt.old
-rw-r--r-- 1 root root 668 Dec 21 13:58 myapp.csr
drwxr-xr-x. 2 root root 20 Dec 21 14:30 newcerts
drwx------. 2 root root 23 Dec 21 13:02 private
-rw-r--r-- 1 root root 3 Dec 21 14:30 serial
-rw-r--r-- 1 root root 3 Dec 21 14:27 serial.old
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# scp certs/myapp.crt root@node108.yinzhengjie.org.cn:/data/ssl
myapp.crt 100% 3771 5.1MB/s 00:00
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
2>.客户端查看证书信息
[root@node108.yinzhengjie.org.cn ~]# ll /data/ssl/
total 12
-rw-r--r-- 1 root root 3771 Dec 21 15:01 myapp.crt
-rw-r--r-- 1 root root 668 Dec 21 13:53 myapp.csr
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# openssl x509 -in /data/ssl/myapp.crt -noout -text #以文本方式在客户端查看证书信息
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shanxi, L=ankang, O=yinzhengjie, OU=devops, CN=ca.yinzhengjie.org.cn
Validity
Not Before: Dec 21 06:27:58 2019 GMT
Not After : Sep 16 06:27:58 2022 GMT
Subject: C=CN, ST=shanxi, O=yinzhengjie, OU=devops, CN=*.yinzhengjie.org.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b7:a1:2e:0c:f3:a4:e8:bc:41:0b:9b:40:3b:26:
80:ed:8d:03:5a:e2:15:4d:05:98:cc:f5:1d:ef:bb:
26:32:d3:3e:a6:47:f8:6d:24:23:35:23:fd:09:cc:
5b:6d:25:23:96:34:90:92:ab:5f:ea:ae:21:07:67:
2c:51:10:e4:34:5f:08:ff:eb:0a:ea:2a:fa:6f:47:
71:88:fb:d1:b4:7e:65:a9:52:ba:87:2e:1c:0f:f6:
55:56:42:e6:c5:ca:35:64:8c:96:76:c7:5d:e0:b6:
d7:99:e5:17:b8:95:ff:fb:22:ca:99:cc:d3:7c:6c:
70:c4:b0:f7:f3:87:32:a2:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
X509v3 Authority Key Identifier:
keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13
Signature Algorithm: sha256WithRSAEncryption
29:48:7f:38:fe:e5:c2:ad:fd:dc:c2:bc:0b:38:88:fb:99:a8:
2e:dc:69:8c:f6:a9:24:2d:2a:c1:27:bb:50:5c:16:70:25:1f:
4a:a8:c3:a5:21:1a:79:30:ac:0e:88:82:04:dd:f8:14:22:56:
bd:fc:cf:86:8a:cf:7e:88:7a:34:be:a7:3f:58:05:cc:33:95:
71:6f:53:39:5c:c7:0b:fa:c5:66:d2:2f:dc:d3:f4:86:01:53:
f2:63:1b:0c:fc:3c:c1:92:c2:c8:24:ed:2a:76:3b:37:20:93:
e1:47:71:26:5d:3f:bf:d5:03:62:c2:49:d8:84:dd:fe:1c:83:
60:43:88:77:b7:c8:f2:3e:95:63:d1:57:6c:f6:05:3d:b7:fc:
d9:80:be:ad:39:a2:f1:7f:b8:46:59:b2:2e:21:a7:86:53:e1:
7a:43:95:9b:1c:33:7d:84:03:5d:98:ce:c8:6f:eb:01:7e:d5:
82:91:c9:ea:a0:b1:67:39:3b:21:f7:c2:50:8f:8d:b2:a0:92:
c6:dd:f3:76:85:de:3a:77:03:26:3e:c2:b0:27:ca:b1:44:2f:
fd:e2:75:96:9c:dc:f3:e5:d6:24:62:65:44:3a:42:2c:08:4c:
18:87:41:b7:09:4e:68:bf:9c:1c:0c:f0:ce:50:af:be:33:a7:
ea:98:bf:af
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#
七.吊销证书
1>.吊销证书
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat index.txt #注意第一个字母是"V",说明该证书是可以正常使用的
V 220916062758Z 0F unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl ca -revoke certs/myapp.crt #我们将指定的证书吊销
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat index.txt #注意观察第一个字母是"R",说明该 证书已经被吊销了
R 220916062758Z 191221071820Z 0F unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
2>.生成吊销证书列表CRL
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 11 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140432981714832:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140432981714832:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# echo FF > crlnumber #根据报错可知是缺少证书吊销列表的编号文件
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl ca -gencrl -out crl.pem #生成证书吊销列表
Using configuration from /etc/pki/tls/openssl.cnf
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# cat crlnumber
0100
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
3>.查看已经被吊销的证书列表
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=shanxi/L=ankang/O=yinzhengjie/OU=devops/CN=ca.yinzhengjie.org.cn
Last Update: Dec 21 07:22:48 2019 GMT
Next Update: Jan 20 07:22:48 2020 GMT
CRL extensions:
X509v3 CRL Number:
255
Revoked Certificates:
Serial Number: 0F
Revocation Date: Dec 21 07:18:20 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
b5:05:5a:ee:3d:e2:7c:d8:11:12:36:a3:01:43:b8:a7:c4:65:
da:a7:87:9f:ff:17:c0:46:45:5e:ca:6e:46:f6:30:ed:e0:58:
db:74:36:92:c0:52:95:a7:17:c8:f6:f5:ea:73:ec:35:1b:18:
38:3e:b6:24:69:f5:12:8c:05:06:af:61:aa:76:2e:6c:ac:6c:
8b:72:12:9d:1a:c1:8e:65:b0:cb:07:97:2f:00:15:99:61:76:
cd:80:ba:1b:12:db:e5:c1:8f:ea:cd:ce:53:24:e7:ad:4c:2b:
81:43:89:ab:fa:7e:e9:1e:f1:49:b4:87:20:31:a9:c6:24:ef:
91:31:c5:05:1b:05:70:28:ce:5e:4d:ef:83:62:ff:ea:f6:2e:
30:ee:cd:4f:ed:0a:a5:06:c4:83:47:75:61:d7:41:8f:b0:11:
40:5b:0d:8c:20:c4:1f:22:1d:5e:a9:c2:a2:ba:84:6d:e8:5e:
19:77:79:0a:fe:70:f2:8f:29:94:fa:f6:36:d0:b4:a2:d8:69:
6f:ab:25:ae:28:43:5c:ef:ec:8d:28:51:b1:f7:d5:42:01:4e:
02:c8:55:65:3c:c4:2c:a9:65:1e:65:86:94:5a:22:b9:2a:b1:
f7:26:3f:4b:1f:3b:06:5c:48:96:ba:8c:5c:8f:80:86:f6:5e:
c7:1d:61:e4
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
4>.将已经吊销的证书文件拷贝到windows操作系统
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# sz crl.pem #下载到windows操作系统后,由于操作系统不识别因此我们得修改文件后缀,如下图所示。
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
八.验证证书的合法性
1>.验证CA自签名的证书合法性
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│?? └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│?? └── 0F.pem
├── private
│?? └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl verify -CAfile cacert.pem certs/myapp.crt #很显然,咱们服务器自签名的证书是合法的,输出是"OK"
certs/myapp.crt: OK
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
2>.验证"*cnblogs.com"证书的合法性
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# ll cnblog.crt.cer
-rw-r--r-- 1 root root 1424 Dec 21 15:40 cnblog.crt.cer
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]# openssl verify -CAfile cacert.pem cnblog.crt.cer
unable to load certificate
140288852195216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
[root@node101.yinzhengjie.org.cn /etc/pki/CA]#
