Linux CA

摘要:
CA(CertificateAuthority)认证机构主要负责证书的颁发、管理、存档和吊销。证书包含证书所有者的名称、地址、电子邮件帐户、公钥、证书有效性、颁发证书的CA、CA数字签名和其他信息。证书实际上是由证书颁发机构(CA)颁发的用户公钥的身份验证。

CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。

1.什么是CA认证?

CA认证,即CA认证机构,为电子签名相关各方提供真实性、可靠性验证的行为。

2.什么是CA证书?

证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。

3.CA证书类型?

  • 证书颁发机构自签名证书
  • 服务器证书
  • 用户证书

二. CA服务器部署

1. 部署环境

[root@linux-ca ~]# touch /etc/pki/CA/index.txt  #index.txt:索引文件,用于匹配证书编号;
[root@linux-ca ~]# echo 01 >/etc/pki/CA/serial  #serial:证书序列号文件,只在首次生成证书时赋值。
[root@linux-ca ~]# cat /etc/pki/CA/serial 
01

2. 生成密钥

[root@linux-ca private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakay.pem 2048)

     genrsa:生成私钥;

     -out:私钥的存放路径,cakey.pem:为密钥名,与配置文件中保持一致;

     2048:密钥长度,默认为1024。

3. 修改配置文件/etc/pki/tls/openssl.cnf

40 [ CA_default ]
 41 
 42 dir             = /etc/pki/CA           # Where everything is kept
 43 certs           = $dir/certs            # Where the issued certs are kept
 44 crl_dir         = $dir/crl              # Where the issued crl are kept
 45 database        = $dir/index.txt        # database index file.
 46 #unique_subject = no                    # Set to 'no' to allow creation of
 47                                         # several ctificates with same subject.
 48 new_certs_dir   = $dir/newcerts         # default place for new certs.
 49 
 50 certificate     = $dir/cacert.pem       # The CA certificate
 51 serial          = $dir/serial           # The current serial number
 52 crlnumber       = $dir/crlnumber        # the current crl number
 53                                         # must be commented out to leave a V1 CRL
 54 crl             = $dir/crl.pem          # The current CRL
 55 private_key     = $dir/private/cakey.pem# The private key
 56 RANDFILE        = $dir/private/.rand    # private random number file
 
 83 # For the CA policy
 84 [ policy_match ]
 85 countryName             = match
 86 stateOrProvinceName     = match
 87 organizationName        = match
 88 organizationalUnitName  = optional
 89 commonName              = supplied
 90 emailAddress            = optional

128 [ req_distinguished_name ]
129 countryName                     = Country Name (2 letter code)
130 countryName_default             = US
131 countryName_min                 = 2
132 countryName_max                 = 2
133 
134 stateOrProvinceName             = State or Province Name (full name)
135 stateOrProvinceName_default     = California
136 
137 localityName                    = Locality Name (eg, city)
138 localityName_default            = Redwood City
139 
140 0.organizationName              = Organization Name (eg, company)
141 0.organizationName_default      = Electronic Arts, Inc.
142 
143 # we can do this but it is not needed normally :-)
144 #1.organizationName             = Second Organization Name (eg, company)
145 #1.organizationName_default     = World Wide Web Pty Ltd
146 
147 organizationalUnitName          = Organizational Unit Name (eg, section)
148 organizationalUnitName_default  = EA Online/pogo.com
149 
150 commonName                      = Common Name (eg, your name or your server's hostname)
151 commonName_max                  = 64
152 commonName_default              =
153 
154 emailAddress                    = Email Address
155 emailAddress_max                = 64
156 emailAddress_default            =

4. CA 创建自签根证书

[root@linux-ca CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakay.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [California]:
Locality Name (eg, city) [Redwood City]:
Organization Name (eg, company) [Electronic Arts, Inc.]:
Organizational Unit Name (eg, section) [EA Online/pogo.com]:
Common Name (eg, your name or your server's hostname) []:cacert
Email Address []:vxxxxxxxxxxxxxxxxx

   req:生成证书签署请求;

   -x509:生成自签署证书;

   -days n:证书的有效天数;

   -new:新请求;

   -key /path/to/keyfile:指定私钥文件;

   -out /path/to/somefile:输出文件位置。

三. 客户端申请证书

1. 生成客户端私钥

[root@web ~]# mkdir ssl
[root@web ~]# cd ssl/
[root@web ssl]# (umask 077; openssl genrsa -out /root/ssl/web.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.................................................+++
e is 65537 (0x10001)

2. 生成证书请求文件

[root@web ssl]# openssl req -new -key /root/ssl/web.key -out /root/ssl/web.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Redwood City
Organization Name (eg, company) [Default Company Ltd]:Electronic Arts, Inc.
Organizational Unit Name (eg, section) []:EA Online/pogo.com
Common Name (eg, your name or your server's hostname) []:web
Email Address []:xxxxxxxxxxx

3. 将生成的申请文件发送到CA颁发服务器

[root@web ssl]# scp web.csr root@10.17.160.241:/etc/pki/CA/csr/

四. CA服务器为客户端颁发证书

1.为客户端颁发证书

[root@linux-ca CA]# openssl ca -in /etc/pki/CA/csr/web.csr -out /etc/pki/CA/certs/web.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 15 06:58:48 2019 GMT
            Not After : May 14 06:58:48 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = Electronic Arts, Inc.
            organizationalUnitName    = EA Online/pogo.com
            commonName                = web
            emailAddress              = vli@contractor.ea.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4E:FE:C1:E2:17:92:C6:D1:48:42:70:1F:59:95:FA:9D:49:76:B0:47
            X509v3 Authority Key Identifier: 
                keyid:82:81:30:91:40:F8:D2:FD:B4:D5:A8:52:DF:FE:D2:62:12:38:53:7F

Certificate is to be certified until May 14 06:58:48 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2. 将生成的证书发送给申请的客户端

五. 吊销证书

1. 获取证书serial

[root@linux-ca CA]# openssl x509 -in certs/web.crt -noout -serial -subject
serial=01
subject= /C=US/ST=California/O=Electronic Arts, Inc./OU=EA Online/pogo.com/CN=web/emailAddress=xxxxxxxxxxxxxx

   x509:证书格式;

   -in:要吊销的证书;

   -noout:不输出额外信息;

   -serial:显示序列号;

   -subject:显示subject信息。

二) CA验证信息

1、节点提交的serial和subject信息来验证与index.txt文件中的信息是否一致
搭建私有CA服务器搭建私有CA服务器
2、吊销证书
搭建私有CA服务器搭建私有CA服务器
-revoke:删除证书。

查看被吊销的证书列表
搭建私有CA服务器搭建私有CA服务器
3、生成吊销证书的编号(如果是第一次吊销)
搭建私有CA服务器搭建私有CA服务器
4、更新证书吊销列表
搭建私有CA服务器搭建私有CA服务器
-gencrl:生成证书吊销列表;
5、查看crl文件内容
搭建私有CA服务器搭建私有CA服务器

-text:以文本形式显示。

参考: https://www.linuxprobe.com/private-ca.html

免责声明:文章转载自《Linux CA》仅用于学习参考。如对内容有疑问,请及时联系本站处理。

上篇MFC编程入门之二十(常用控件:静态文本框)Notepad++使用小技巧下篇

宿迁高防,2C2G15M,22元/月;香港BGP,2C5G5M,25元/月 雨云优惠码:MjYwNzM=

相关文章

java导出生成word

最近做的项目,需要将一些信息导出到word中。在网上找了好多解决方案,现在将这几天的总结分享一下。 目前来看,java导出word大致有6种解决方案:   1:Jacob是Java-COM Bridge的缩写,它在Java与微软的COM组件之间构建一座桥梁。使用Jacob自带的DLL动态链接库,并通过JNI的方式实现了在Java平台上对COM程序的调用。D...

接口-配置文件

实现功能:通过更改配置文件实现不同的功能 1,创建以下内容  2,ICar接口代码 using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; namespace 接口配置文件 {...

20款免费备份文件软件

      经常对电脑中资料进行备份的重要性已不用多说,但每次都辛苦地逐个目录拷贝、或花半天时间整理目录和文件、更不能想象重装系统后繁复的系统设置调整。如果你曾经因为这些而对系统备份工作有所迟疑,那么现在让你彻底告别这些顾虑! 1. Areca Backup 7.1.10 Areca Backup 是一个开源的备份软件,用 Java 写成。Areca B...

《第一行代码》书籍阅读笔记

注:书籍阅读笔记,方便查看第1章 开始启程,你的第一行Android代码 第2章 先从看得到的入手,探究活动 1.隐藏标题栏   在onCreate()方法中添加:   requestWindowFeature(Window.FEATURE_NO_TITLE);//不在活动中显示标题栏。   需要在setContentView()之前执行。 2.Int...

将本地jar包手动复制到Maven库中,在其它电脑上用Maven打包时出错

版权声明:本文为博主原创文章,未经博主同意不得转载。 https://blog.csdn.net/UP19910522/article/details/31396107 背景交代:在做图片水印时候引入了两个包文件。这两个包是JDK自带的私有包,不能用Maven库里下载,因此笔者手动将rt和jce两个工具jar文件复制到本地的Maven库中。例如...

Python爬虫入门

Python爬虫简介(来源于维基百科): 网络爬虫始于一张被称作种子的统一资源地址(URLs)列表。当网络爬虫访问这些统一资源定位器时,它们会甄别出页面上所有的超链接,并将它们写入一张"待访列表",即所谓"爬行疆域"(crawl frontier)。此疆域上的统一资源地址将被按照一套策略循环访问。如果爬虫在他执行的过程中复制归档和保存网站上的信息,这些档案...