Creating a CA with openssl, requesting a certificate and issuing certificates to a web service
I. Creating a private CA
1) Look at the openssl configuration file: /etc/pki/tls/openssl.cnf (its [ ca ] / CA_default section fixes the directory layout, the signing policy and the defaults that every openssl ca command below relies on)
2) Create the files the CA needs
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
3) Generate the private key for the CA's self-signed certificate
cd /etc/pki/CA
(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
4) Generate the self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request; used only for the CA's own certificate
-key: the private key used to sign the request
-days n: validity period of the certificate, in days
-out /path/to/somecertfile: where to save the certificate
Code demo (screenshot):
II. Issuing and revoking certificates
1) Issuing a certificate: the request is generated on the host that needs the certificate. Generate a private key for the web server (in this experiment on a second host):
(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2) Generate the certificate signing request
openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
(-days only has an effect together with -x509; on a request it is ignored, and the validity of the issued certificate is decided by the CA in step 3)
3) Send the request file to the CA; the CA signs it and returns the certificate to the requester. Note: with the default policy_match in openssl.cnf, the country, state/province and organization in the request must match the CA's own certificate, and any field the policy does not list (locality, for example) is silently dropped from the issued certificate.
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
4) View the information in the certificate
openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial|-dates
5) Revoking a certificate: on the client, obtain the serial and subject of the certificate to be revoked
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
6) On the CA, check that the serial and subject submitted by the client match the entry in index.txt, then revoke. The CA keeps its own copy of every certificate it issued under newcerts/, named by serial number, so it revokes from that copy rather than from a file the client sends:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
7) Create the CRL number file (only needed the first time a certificate is revoked)
echo 01 > /etc/pki/CA/crlnumber
8) Regenerate the certificate revocation list and inspect it
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Revocation only takes effect on clients that actually fetch and check this CRL; a certificate whose status nobody looks up keeps being accepted until it expires.
9) Install the mod_ssl module and edit /etc/httpd/conf.d/ssl.conf. The certificate signed in step 3 (certs/httpd.crt on the CA) has to be copied to /etc/httpd/ssl/ next to the key, and the key is referenced with SSLCertificateKeyFile, not with a second SSLCertificateFile:
DocumentRoot "/web/pma"
ServerName www.chen.net:443
<Directory "/web/pma">
    AllowOverride All
    Options None
    Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
Diagram: directory authorization
10) Test
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Examples:
openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem
curl --cacert /etc/pki/CA/cacert.pem https://www.chen.net/
Look for "Verify return code: 0 (ok)" in the s_client output. curl additionally checks that the name it connected to matches the certificate's CN (or, for current clients, a subjectAltName), so the Common Name entered in the request must be the server's real host name; with the CN=www.alren.com used in the demo below, a request to www.chen.net would be rejected.
Diagram of the result (screenshot):
Code demo (note that the transcript prints the demo private key in full; a real server key must never be displayed or copied around this way, and the sha1WithRSAEncryption signatures it shows are the old CentOS 6 default, which current clients reject in favour of sha256):
[root@chen ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[root@chen ~]# cd /etc/pki/tls/private/
[root@chen private]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAydNdaHEea6lQpeMOof1bARNbNjerS+CG6bZWxYp3FVIEsqnQ
5dGZ9uvWFcN3XWAb3nTQR0cEjULIkLQS/RnoQA3t9uy83+PmL7imXnB6eDhBXOhb
QYXjAyShhR/Y+OHBJT6HhDZYxqNPoKIxi7ObJVmG6ovuE8P5SQJl5bX21/YB+CmJ
PpoY37WVd4lJagECSK2NjIuMCdMnmIKZIZgCU3XKnw1kDsG8DJXj7ZVuiimxgspM
wyXFI94vHDVxQ7mEJiIBT3F9rn95+Fy35p+fHBcXS4Iw+gJaa4GZeOuYaNxdwI9l
9nLwx9hW69UJ0wcuJQGc8kyN8AFul/sh2aWExQIDAQABAoIBAQC4snRN6w9CyVzj
oqm2dsv8bQFQ2ZsqQhxU7yfzeWbHHRrtgdiJKMq0nFh77DhlPFnkt5QPVp+EwrQX
MKQb+cSAMf8utLGYVtBFpb6iuF5rfFfctUsl6Ge6baBe2qlOAhMmiVWtGasehT+O
qj+bME9v28FLDalfbz3HoakskdyG/ptb6MEh/8Z4bAFovyYfI+IY+P3dzDd018Sv
V6wgj+A11wmhNUyete++DoO/JJtQJZuh0LeN4eg2W51M9vnnH7hrosyRwHfcYioU
SUoKEWs4Md78zVL7IeFcRwV3mSgm356u9SKl2gs+X9Qpb9Uyt5zs1q2jxGxwoe5s
ige9ERbVAoGBAPBIoELS4Cvdr1McaYbvnU6XfCVuWti0ZFDKcEaK2XUz2xMaCeBV
WPfNHq0PiC52RG8h0f9cqSt6m3rB8/5HjTuf9fyv2C6rnpUxfzqZ0P3euMBPIMHM
e2nBwr6hOMNeQwxs6YfXILlcRzMub4c4jqxNGESrWoQTogFe4TEINoe/AoGBANcG
yXsZRwI76lPEm5Z8eyFiHqKAq+QazyZoH1xXW6ByqtDA6toqHGOtuzhUIwR2HfiG
O2I3CWYVnIxWcnBMvdJ4XwIORVzfG9sh6fBqCRbYd2LhD6xTXPqq6dfssT/qI2ql
Cy5PNc0Q2XDFdar0dpIjbjcYuxGPlPPlDtdwALR7AoGBAJtZKRvrAHn72nVuYh+W
XWrJb783iM6gWlcNeudwr8UhoJrJ8+aw51NWr2WOLCp11irPf9iMjOcKXulP6jLV
Cc+pzLzw52DNHjsxBCPb/I2V6HaU8gW58XRfjEv5KhzNnaWz6IwlnweYTIQfmoWf
IEbvlSgYbO4FT3F5aThtKew7AoGADojo6adFw4LlThBGLB/x+sm1JGrqM5sUUZZM
OGO3T9swbLf9qA2cqag+tYoKa+zIDdqU/QiXXA0t7daSGcE2O5njYjIwwhxat69N
LvEb+C1dtJNeCdoAuPkAoZXgTV+4USci4Fh+XIQ9DoBqecnYkfxPIO5NBtzbxri/
DhUGFy0CgYB6Q0T2w3e8SkgF6FSgqIe4u5vio6RCsPIVhHuuZacOgeyzAqCEwQJg
b3SDZIexAUyPAnhNtkllnAYSKdFa97fXyGUdLNh0otj74C9Na6yLrUQ8zdEC1o3u
VOJyOO57bfBykghXYi9JN+29sBB0YOj9uDE0nOUImR95eiwKsP5QXg==
-----END RSA PRIVATE KEY-----
[root@chen private]# openssl req -new -key /etc/pki/tls/private/httpd.key  -days 365 -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:admin@chen.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@chen private]# ls
httpd.csr  httpd.key
[root@chen private]# scp httpd.csr 10.1.249.94:
[root@centos6 CA]# cp /root/httpd.csr  .
[root@centos6 CA]# ls
cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial
[root@centos6 CA]# openssl ca -in httpd.csr  -out  certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = chen.com
            organizationalUnitName    = alren_1
            commonName                = www.alren.com
            emailAddress              = admin@chen.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.old  private  serial.old
certs       httpd.csr  index.txt.attr  newcerts       serial
[root@centos6 CA]# cat index.txt.attr
unique_subject = yes
[root@centos6 CA]# cat index.txt
V	170922234302Z		01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# cat serial
02
[root@centos6 CA]# cd certs/
[root@centos6 certs]# ls
httpd.crt
[root@centos6 certs]# openssl x509 -in httpd.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/emailAddress=admin@chen.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:12:fd:19:e8:40:0d:ed:f6:ec:bc:df:e3:e6:2f:b8:a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:18:df:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:64:0e:c1:bc:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:dc:5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:84:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

    Signature Algorithm: sha1WithRSAEncryption
         5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:dc:85:94:bc:d0:ae:82:db:c0:cd:bb:0c:7c:7d:6e:97:41:35:94:71:d9:bc:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:df:33:45:8c:15:2a:a0:be:03:dc:4e:9c:91:ef:a1:99:a8:6d:f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:fe:75:8a:3d:75:1c:df:94:36:01:32:43:4e:9c:49:f4:4c:f2:d9:85:9d:45:89:7f:6d:47:a9:48:48:bc:b3:8b:ed:06:34:f5:30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:68:80:5a:4f
[root@centos6 certs]#
[root@centos6 certs]#
[root@centos6 certs]# openssl ca  -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6 certs]# cd ../
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.attr.old  newcerts  serial
certs       httpd.csr  index.txt.attr  index.txt.old       private   serial.old
[root@centos6 CA]# cat index.txt
R	170922234302Z	160922234706Z	01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# echo 01 > crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl
crl/       crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl/ca.rcl
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos6 CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
MIIB/TCB5gIBATANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB2JlaWppbmcxCzAJBgNVBAcMAmJqMREwDwYDVQQKDAhjaGVuLmNvbTEQMA4G
A1UECwwHYWxyZW5fMTEcMBoGA1UEAwwTY2VudG9zNi5sb2NhbGRvbWFpbjEcMBoG
CSqGSIb3DQEJARYNYWxyZW5AMTYzLmNvbRcNMTYwOTIyMjM1MDU0WhcNMTYxMDIy
MjM1MDU0WjAUMBICAQEXDTE2MDkyMjIzNDcwNlqgDjAMMAoGA1UdFAQDAgEBMA0G
CSqGSIb3DQEBBQUAA4IBAQADo6PBGbyqpM+noDuaDZxy349jgqcmRLCPDYKRZ4L+
1PyRTVhuIZztSUu2u5x7ZEYx3jyR7rFY8tpHRYT4ZnJe9ol4pTUb8INNx0lIZ4r1
hGlKWKQSDS3WVrQnCswBhWcAccd9wU2+YTj4m7f1drTbu6d5elfaZR1yKsTLnZdV
ESKmr4MXjcD0F80Q8Dc0hpKVKt71JiDwJt0WuHI6XPz90ta8EAN7Ry87Aj8f9/HD
LDnOWEEA50F7JgUQgFKI72wvekQoZ9Cj/KeFbOov+wde7+uCGNqRcPLznnTxVz8a
e0/e9HGQaDLGKDoN/vxVXCRQ030fZrPzag810yqSxxgZ
-----END X509 CRL-----
[root@centos6 CA]# openssl crl -in crl/ca.rcl  -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/emailAddress=alren@163.com
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         03:a3:a3:c1:19:bc:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:df:8f:63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:55:11:22:a6:af:83:17:8d:c0:f4:17:cd:10:f0:37:34:86:92:95:2a:de:f5:26:20:f0:26:dd:16:b8:72:3a:5c:fc:fd:d2:d6:bc:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:92:c7:18:19
[root@centos6 CA]#
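The whole procedure above (steps 1 to 8 on the CA, plus the check a client should make in step 10) as one re-runnable script. This is an added example, not the original post's code: it builds the CA under a temporary directory with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, signs non-interactively with -batch and -subj, uses sha256 rather than the sha1WithRSAEncryption seen in the transcript, and then shows two things the post does not: that openssl verify with -crl_check rejects the certificate as soon as the CRL is regenerated, and that policy_match refuses a request whose ST differs from the CA's. Only the host name www.chen.net is taken from the post; the CA's subject, the second host other.chen.net and every path are assumptions. It needs a POSIX shell and the openssl binary, nothing else.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's CA workflow
# (CA -> CSR -> sign -> revoke -> CRL) as re-runnable functions under a
# temporary directory instead of /etc/pki/CA. The layout (index.txt, serial,
# crlnumber, certs/ crl/ newcerts/ private/) is the one the post uses; the small
# config written below stands in for the parts of /etc/pki/tls/openssl.cnf that
# "openssl ca" needs. Only the host name www.chen.net comes from the post; the
# CA's subject, the second host and every path are assumed for the demonstration.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Step 1 of the post: directory layout, index/serial files, CA key, self-signed CA cert.
ca_init() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"   # the post creates this just before the first CRL
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -days 7300 \
    -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
    -subj "/C=CN/ST=beijing/O=chen.com/CN=chen.com private CA"
}

# Step 2, on the web server: private key plus CSR.  make_csr <prefix> <subject DN>
# (the CA config is passed only so "openssl req" finds a distinguished_name section)
make_csr() {
  (umask 077; openssl genrsa -out "$1.key" 2048 2>/dev/null)
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$1.key" -subj "$2" -out "$1.csr"
}

# Step 3, on the CA: sign the CSR.  ca_sign <csr> <out cert> <SAN, e.g. DNS:host>
# policy_match makes this fail when C, ST or O differ from the CA certificate,
# which is the "must match the CA" rule the post mentions.
ca_sign() {
  printf '[ server ]\nbasicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$3" > "$2.ext"
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -extfile "$2.ext" -extensions server \
    -in "$1" -out "$2" -days 365 -notext >/dev/null
}

# Steps 6 to 8: revoke by certificate file, then regenerate the CRL.
ca_revoke() { openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$1" >/dev/null 2>&1; }
ca_gencrl() { openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null; }

# What a client should do in step 10: chain to the CA *and* consult the CRL.
# Exit status 0 means valid and not revoked.
ca_verify() {
  openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
    -CRLfile "$CA_DIR/crl/ca.crl" "$1" >/dev/null 2>&1
}

demo() {
  ca_init
  ca_gencrl                 # an empty CRL, so -crl_check has something to read
  make_csr "$CA_DIR/httpd" "/C=CN/ST=beijing/O=chen.com/CN=www.chen.net"
  ca_sign "$CA_DIR/httpd.csr" "$CA_DIR/certs/httpd.crt" "DNS:www.chen.net"
  ca_verify "$CA_DIR/certs/httpd.crt"
  echo "issued and verified:"
  openssl x509 -in "$CA_DIR/certs/httpd.crt" -noout -serial -subject
  ca_revoke "$CA_DIR/certs/httpd.crt"
  ca_gencrl
  if ca_verify "$CA_DIR/certs/httpd.crt"; then echo "BUG: revoked cert still verifies"; exit 1; fi
  echo "revoked: verify rejects the certificate once the new CRL is consulted"
  make_csr "$CA_DIR/other" "/C=CN/ST=shanghai/O=chen.com/CN=other.chen.net"
  if ca_sign "$CA_DIR/other.csr" "$CA_DIR/certs/other.crt" "DNS:other.chen.net"; then
    echo "BUG: policy mismatch accepted"; exit 1
  fi
  echo "policy: request with ST=shanghai refused by policy_match (CA files in $CA_DIR)"
}
demo
```

Run it with sh. The extension file handed to openssl ca with -extfile/-extensions is what puts the subjectAltName into the issued certificate; without it the client-side name check discussed in step 10 has only the CN to go on, which current clients no longer accept on its own. The CRL is regenerated immediately after the revocation because, as in the post's step 8, nothing the revoke command does reaches a client until a fresh CRL is produced and published.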
A tip for copying files between hosts:
If ssh reports "REMOTE HOST IDENTIFICATION HAS CHANGED!" at login, the host key recorded for that address no longer matches the one the server presents; the fix used here is to clear ~/.ssh/known_hosts and reconnect. Do that only when you know why the key changed (the host was reinstalled, for instance), because the same warning is exactly what a man-in-the-middle produces, and prefer removing just that host's entry (ssh-keygen -R host) over deleting the whole file.
This post is original work by 小耳朵; a little progress every day adds up.
Reposted from: https://blog.51cto.com/purify/1856060