[08-01] Building a private CA and requesting certificates
阿新 • Published: 2022-03-22
Build a private CA and request certificates from it, end to end.
0. Preparing to build a private CA
The process of building a private CA:
- Build the private CA
  - Generate the CA private key
  - Generate the CA self-signed certificate
- Request a user certificate
  - Generate the user private key
  - Generate the certificate signing request (CSR)
  - Turn the CSR into a certificate
- Verify that it works
  - Install the CA certificate
  - Install the user certificate
0.1 Setting up the environment
CentOS 8 does not ship the directory layout that `openssl ca` expects under /etc/pki/CA, so it has to be created by hand.
[root@rhel8 ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv    # create the CA directories
[root@rhel8 ~]# touch /etc/pki/CA/index.txt                           # create the (empty) certificate index database
[root@rhel8 ~]# echo 01 > /etc/pki/CA/serial                          # seed the serial number of the first certificate to be issued (hexadecimal)
[root@rhel8 ~]# tree /etc/pki/CA/                                     # check the result
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
0.2 Configuration file
The relevant parts of the stock openssl.cnf, with the settings this procedure depends on annotated. The directory, index file and serial file referred to here are exactly the ones created in 0.1.
[root@rhel8 ~]# vim /etc/pki/tls/openssl.cnf
# CA-related settings
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]
dir             = /etc/pki/CA           # Does not exist by default; create it by hand
certs           = $dir/certs            # Where the issued certificates are kept
crl_dir         = $dir/crl              # Where the issued CRLs are kept
database        = $dir/index.txt        # 1. Index of all certificates; must be created as an empty file
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # Default place for new certificates
certificate     = $dir/cacert.pem       # The CA's self-signed certificate
serial          = $dir/serial           # 2. Next serial number; seed it by hand, after that openssl increments it (N+1)
crlnumber       = $dir/crlnumber        # The current CRL number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The CA's private key
……
default_days    = 365                   # Default validity of issued certificates
default_crl_days= 30                    # How long before the next CRL is due
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering
……
# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match          # Policy section used by default

# For the CA policy. match: the field must be identical to the CA certificate's;
# supplied: the field must be present in the request; optional: it may be omitted.
# Fields not listed here (for example localityName) are dropped from the issued certificate.
[ policy_match ]
countryName             = match         # country
stateOrProvinceName     = match         # state or province
organizationName        = match         # organization
organizationalUnitName  = optional      # organizational unit (department)
commonName              = supplied      # common name (hostname)
emailAddress            = optional      # e-mail address

# This policy imposes no constraints beyond requiring a common name
[ policy_anything ]
countryName             = optional      # country
stateOrProvinceName     = optional      # state or province
localityName            = optional      # locality (city)
organizationName        = optional      # organization
organizationalUnitName  = optional      # organizational unit (department)
commonName              = supplied      # common name (hostname)
emailAddress            = optional      # e-mail address
1. Building the private CA
1.1 Generating the CA private key
[root@rhel8 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048)
# On CentOS 8 the umask is not strictly needed, because this genrsa already writes the key file with mode 0600;
# it is kept here as a habit so it is not forgotten on platforms where that is not the case.
# -des3 encrypts the key under a passphrase with 3DES (see man genrsa). It is optional, but a passphrase on the
# CA key is worth having. Any of the following ciphers is accepted; -aes256 is the better choice today:
# -aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea
1.2 Generating the CA self-signed certificate
[root@rhel8 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
# Builds the self-signed CA certificate from the CA private key. The output is PEM; renaming it to .crt
# on Windows is enough for the import wizard to open it.
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    # the passphrase chosen when the key was created
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                     # country code
State or Province Name (full name) []:nmg                                # state or province
Locality Name (eg, city) [Default City]:baotou                           # city
Organization Name (eg, company) [Default Company Ltd]:FeiFa              # organization
Organizational Unit Name (eg, section) []:it                             # department
Common Name (eg, your name or your server's hostname) []:ca.feifa.com    # name of the CA (becomes the Issuer of every certificate it signs)
Email Address []:[email protected]                                 # e-mail address
With the stock openssl.cnf, `req -x509` applies the v3_ca extension section, so this certificate carries Basic Constraints CA:TRUE and a Subject Key Identifier; the Authority Key Identifier of the certificates issued in 2.3 points back at it. Check this in the certificate's text output before going further, because a CA certificate without CA:TRUE will not validate a chain.
2. User certificate request
2.1 Generating the user private key
[root@rhel8 ~]# mkdir -p /data/app1/
[root@rhel8 ~]# (umask 077; openssl genrsa -out /data/app1/app1.key 2048)    # create the key file, unencrypted this time so a service can load it without a passphrase; file permissions are its only protection
[root@rhel8 ~]# cat /data/app1/app1.key                                       # inspect the file
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwkMoUonfvc71IMrYyxK+U73dILYwc8JvR15eyajKYk4cQyKT
……
I1PW47YUVMAWUdS82IFReYR1LOSxy2evAyf6moRcV+isMNtxpZTIO9rgkBb86NS0
JFbGYbsHC1sS/PbQamYmJ+AcS7jXKEtyWBkfSTcVHAK2AlP0+6aRJw==
-----END RSA PRIVATE KEY-----
2.2 Generating the certificate signing request
[root@rhel8 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr    # build a CSR (certificate signing request) from the key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                      # * must match the CA certificate (policy_match)
State or Province Name (full name) []:nmg                                 # * must match the CA certificate (policy_match)
Locality Name (eg, city) [Default City]:alashan                           # city; not in policy_match, so it may differ from the CA's
Organization Name (eg, company) [Default Company Ltd]:FeiFa               # * must match the CA certificate (policy_match)
Organizational Unit Name (eg, section) []:aa                              # department; optional, may differ from the CA's
Common Name (eg, your name or your server's hostname) []:app.feifa.com    # hostname the certificate is for
Email Address []:[email protected]                                  # e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                                  # leave blank
An optional company name []:                                              # leave blank
The fields marked * are the ones policy_match compares with the CA certificate; if any of them differs, `openssl ca` refuses the request in the next step. Note also that this request carries no subjectAltName: browsers have ignored the Common Name for host matching for years and require a SAN, so for a TLS server certificate add one to the request (`openssl req -addext`) and set copy_extensions = copy in the CA_default section so that `openssl ca` carries it into the certificate.
2.3 Turning the request into a certificate
[root@rhel8 ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1095    # sign the CSR with the CA; the output is the .crt file
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 22 01:52:52 2022 GMT
            Not After : Mar 21 01:52:52 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = nmg
            organizationName          = FeiFa
            organizationalUnitName    = aa
            commonName                = app.feifa.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                54:19:74:86:99:8C:D0:08:DF:3D:10:94:54:8D:62:C5:91:0D:E5:CA
            X509v3 Authority Key Identifier:
                keyid:7C:42:E1:68:86:92:D3:2A:4B:80:98:98:6C:9A:AB:1C:6E:F0:45:B9
Certificate is to be certified until Mar 21 01:52:52 2025 GMT (1095 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Two things in this output are worth checking every time. The Subject no longer contains the Locality (alashan) typed into the request: `openssl ca` builds the subject only from the fields listed in the active policy section, so anything else in the CSR is silently dropped. And the extensions come from the usr_cert section of openssl.cnf, which is why the certificate is CA:FALSE and why its Authority Key Identifier equals the CA's Subject Key Identifier; that pairing, together with the Issuer name, is what clients use to build the chain in section 3. The serial is taken from /etc/pki/CA/serial and the new entry is appended to index.txt.
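As an added example, not the post's own commands, the script below runs the whole procedure from 0.1 to 2.3 without any prompts (a scratch directory instead of /etc/pki/CA, -subj instead of the interactive DN questions, -batch for `openssl ca`) and finishes with the chain check that section 3 performs by clicking through the Windows wizard. It assumes openssl 1.1.1 or newer on PATH; the scratch path, the SAN names and the second "Other" organisation are invented for the demonstration. It also shows two things the post's commands do not: a subjectAltName in the request, kept by copy_extensions = copy, and policy_match rejecting a request whose organizationName differs from the CA's, which policy_anything then accepts.

```shell
#!/bin/sh
# Added example, not the post's own commands: sections 0.1 to 2.3 run
# non-interactively in a scratch directory, plus the chain check section 3
# does by hand in the Windows wizard. Assumes openssl 1.1.1+ on PATH (for
# `req -addext`); paths, SAN names and the "Other" organisation are made up.
set -eu

# 0.1/0.2/1.1/1.2: directories, a private config mirroring CA_default and both
# policy sections from the post, then the CA key and self-signed certificate.
build_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    : > "$dir/index.txt"          # empty certificate database
    echo 01 > "$dir/serial"       # first serial number, hexadecimal
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Unencrypted so the script runs unattended; use -aes256 for a real CA key.
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=nmg/L=baotou/O=FeiFa/OU=it/CN=ca.feifa.com" \
        -out "$dir/cacert.pem"
}

# 2.1 to 2.3: key, CSR carrying a subjectAltName, signature by `openssl ca`.
# $1 CA dir, $2 name, $3 subject DN, $4 DNS name, $5 policy (default policy_match).
# Succeeds only if a certificate was actually written, so a policy rejection
# shows up as failure whatever exit status this openssl version returns.
issue_cert() {
    dir=$1; name=$2; subj=$3; san=$4; policy=${5:-policy_match}
    rm -f "$dir/certs/$name.crt"
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$name.key" -config "$dir/openssl.cnf" \
        -subj "$subj" -addext "subjectAltName=DNS:$san" -out "$dir/$name.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -policy "$policy" \
        -days 1095 -in "$dir/$name.csr" -out "$dir/certs/$name.crt" || true
    openssl x509 -in "$dir/certs/$name.crt" -noout >/dev/null 2>&1
}

# Section 3 from the command line: chain to our CA, CA flag, SAN presence.
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt"; }
is_ca_cert()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 1; }
    build_ca "$1"
    is_ca_cert "$1/cacert.pem"
    issue_cert "$1" app1 "/C=CN/ST=nmg/L=alashan/O=FeiFa/OU=aa/CN=app.feifa.com" app.feifa.com
    verify_chain "$1" app1
    has_san "$1/certs/app1.crt" app.feifa.com
    # policy_match refuses an O that differs from the CA's; policy_anything does not.
    ! issue_cert "$1" other "/C=CN/ST=nmg/O=Other/CN=other.example" other.example \
        || { echo "policy_match accepted a mismatched organizationName" >&2; return 1; }
    issue_cert "$1" other "/C=CN/ST=nmg/O=Other/CN=other.example" other.example policy_anything
    verify_chain "$1" other
}

main "${1:-$(mktemp -d)}"
```

Run it as `sh ca-demo.sh /tmp/ca`; with no argument it works in a directory from mktemp. The config written by build_ca is deliberately reduced to the keys `openssl ca` and `openssl req` actually read, so each line maps to one of the annotated settings in 0.2; the empty req_dn section is needed because `openssl req` insists on a distinguished_name section even when -subj supplies the whole DN.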
3. Verifying that it works
3.1 Importing the private CA certificate
1. Copy /etc/pki/CA/cacert.pem to the Windows machine, rename it with a .crt extension, and double-click it.
2. Follow the Certificate Import Wizard (the four wizard screenshots from the original post are not reproduced here).
3. After clicking Finish, Windows shows a security warning, because you are about to add a new root of trust for every program that uses the Windows certificate store. Compare the thumbprint in the warning with the SHA-1 fingerprint of cacert.pem on the CA host before choosing Yes; after that the import completes.
3.2 Importing the other certificate files
Once the CA certificate has been imported, importing the certificates it issued (app1.crt) no longer produces a security warning, because Windows can now build a chain from them to a trusted root.
Open the imported certificate and confirm that the Issuer is our CA (ca.feifa.com) and that the Certification Path tab shows the chain ending at it with the status "This certificate is OK".