
Building Your Own CA and Issuing Certificates with OpenSSL

Posted: 2014-08-02 23:35:25

OpenSSL is an open-source software library package that implements the SSL and TLS protocols. Its core library is written in C and implements the basic cryptographic functions.

OpenSSL runs on most Unix-like operating systems (including Solaris, Linux, Mac OS X and the various open-source BSD systems), on OpenVMS and on Microsoft Windows. A port is also available that runs on IBM i (OS/400).

The software grew out of SSLeay, written by Eric Young and Tim Hudson; SSLeay development stopped when the two went to work for RSA.

Although the software is open source, its license terms conflict with the GPL, so GPL software that uses OpenSSL (such as Wget) must grant a license exception for OpenSSL.


On Linux we can use it to build a CA that issues certificates, which can serve as an encryption tool for internal use within an enterprise.


1. Install openssl

[root@localhost ~]# yum install openssl
Loaded plugins: fastestmirror, langpacks
base                                                                                                                               | 3.6 kB  00:00:00     
extras                                                                                                                             | 3.3 kB  00:00:00     
updates                                                                                                                            | 3.4 kB  00:00:00     
(1/4): base/7/x86_64/group_gz                                                                                                      | 157 kB  00:00:05     
(2/4): extras/7/x86_64/primary_db                                                                                                  |  15 kB  00:00:07     
(3/4): base/7/x86_64/primary_db                                                                                                    | 4.9 MB  00:00:23     
(4/4): updates/7/x86_64/primary_db                                                                                                 | 2.1 MB  00:00:42     
Determining fastest mirrors
 * base: mirror.bit.edu.cn
 * extras: mirror.bit.edu.cn
 * updates: mirror.bit.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-34.el7 will be updated
---> Package openssl.x86_64 1:1.0.1e-34.el7_0.3 will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-34.el7_0.3 for package: 1:openssl-1.0.1e-34.el7_0.3.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-34.el7 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-34.el7_0.3 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================
 Package                              Arch                           Version                                        Repository                       Size
==========================================================================================================================================================
Updating:
 openssl                              x86_64                         1:1.0.1e-34.el7_0.3                            updates                         705 k
Updating for dependencies:
 openssl-libs                         x86_64                         1:1.0.1e-34.el7_0.3                            updates                         939 k

Transaction Summary
==========================================================================================================================================================
Upgrade  1 Package (+1 Dependent package)

Total download size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/updates/packages/openssl-1.0.1e-34.el7_0.3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY0:00:00 ETA 
Public key for openssl-1.0.1e-34.el7_0.3.x86_64.rpm is not installed
(1/2): openssl-1.0.1e-34.el7_0.3.x86_64.rpm                                                                                        | 705 kB  00:00:09     
(2/2): openssl-libs-1.0.1e-34.el7_0.3.x86_64.rpm                                                                                   | 939 kB  00:00:09     
----------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                     163 kB/s | 1.6 MB  00:00:10     
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-0.1406.el7.centos.2.3.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64                                                                                                1/4 
  Updating   : 1:openssl-1.0.1e-34.el7_0.3.x86_64                                                                                                     2/4 
  Cleanup    : 1:openssl-1.0.1e-34.el7.x86_64                                                                                                         3/4 
  Cleanup    : 1:openssl-libs-1.0.1e-34.el7.x86_64                                                                                                    4/4 
  Verifying  : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64                                                                                                1/4 
  Verifying  : 1:openssl-1.0.1e-34.el7_0.3.x86_64                                                                                                     2/4 
  Verifying  : 1:openssl-libs-1.0.1e-34.el7.x86_64                                                                                                    3/4 
  Verifying  : 1:openssl-1.0.1e-34.el7.x86_64                                                                                                         4/4 

Updated:
  openssl.x86_64 1:1.0.1e-34.el7_0.3                                                                                                                      

Dependency Updated:
  openssl-libs.x86_64 1:1.0.1e-34.el7_0.3                                                                                                                 

Complete!



2. Create the CA private key for the self-signed certificate

[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
.+++
e is 65537 (0x10001)

# Command explanation:
In Linux, parentheses () run the enclosed commands in a subshell, which is closed once those commands finish.
Because the generated cakey.pem must have restrictive permissions, we simply change the default permissions with umask; running that inside () gives the new file the permissions we want without affecting the umask of the current shell.
Use openssl to create a 2048-bit key
genrsa: generates a private key
Storage path: /etc/pki/CA/private/
File name: cakey.pem

# Note: the path and file name here must not be changed arbitrarily: they are the private_key location that the default /etc/pki/tls/openssl.cnf expects, and `openssl ca` in step 5 will not find the CA key otherwise.


2. Generate the self-signed certificate

[root@localhost ~]# openssl req -new -x509 -days 1000 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem &> /dev/null << EOF
CN
BeiJing
BeiJing
51CTOblog
FangKe
mondeolove.blog.51cto.com
taoxiaoyuzy@vip.qq.com


EOF

Command explanation:
openssl req -new -x509: create a new request and output a self-signed certificate directly instead of a CSR
-days 1000: the CA certificate is valid for 1000 days
-key /etc/pki/CA/private/cakey.pem: sign it with the CA private key generated above
-out /etc/pki/CA/cacert.pem: the CA certificate, again at the path the default openssl.cnf expects
The heredoc feeds the answers to the interactive prompts in order: country, province, city, organization, organizational unit, common name and email address; the two empty lines accept the defaults for the remaining prompts. Note that &> /dev/null also hides any error message, so check afterwards that cacert.pem was actually written.


3. Create the three required files

touch /etc/pki/CA/{serial,index.txt,crlnumber}
echo 01 | tee /etc/pki/CA/{serial,crlnumber}
# echo 01 >> /etc/pki/CA/{serial,crlnumber} does not work: the redirection applies only to the first expanded file name and the second becomes an argument to echo, so use tee to write to multiple files
# Command explanation:
Create the three files serial, index.txt and crlnumber under /etc/pki/CA/
then write the content 01 into serial and crlnumber
/etc/pki/CA/serial     # serial number of the next certificate to be issued
/etc/pki/CA/crlnumber  # starting number for the certificate revocation list


4. Generate a certificate signing request (this is done on the client side)

[root@localhost ~]# mkdir -p /etc/ssl/CA/
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/ssl/CA/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................+++
...+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -key /etc/ssl/CA/httpd.key  -out /etc/ssl/CA/httpd.csr &> /dev/null << EOF
CN
BeiJing
BeiJing
51CTOblog
FangKe
mondeolove.blog.51cto.com
admin@mondeolove.blog.51cto.com


EOF


5. Issue the certificate to the client (since this is a test environment, the CA and the client are the same machine here)

[root@localhost ~]# openssl ca -in /etc/ssl/CA/httpd.csr -out /etc/ssl/CA/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  2 13:27:17 2014 GMT
            Not After : Apr 28 13:27:17 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = 51CTOblog
            organizationalUnitName    = FangKe
            commonName                = mondeolove.blog.51cto.com
            emailAddress              = admin@mondeolove.blog.51cto.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                EB:A6:79:60:DF:56:E8:B7:56:81:BD:D6:D9:A1:9D:BD:8E:F2:13:0E
            X509v3 Authority Key Identifier: 
                keyid:B6:6B:52:5F:D5:B2:6B:87:9D:F0:E3:A0:67:9D:7D:B0:D8:77:70:80

Certificate is to be certified until Apr 28 13:27:17 2017 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# ls /etc/ssl/CA/
httpd.crt  httpd.csr  httpd.key



At this point we have built our own CA and can issue certificates to clients. The client's certificate is the file

/etc/ssl/CA/httpd.crt

Since this is a test environment the file is already on the client; in a real environment we still need to return this certificate to the client.
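The whole procedure above (steps 2 to 5), as an added example that is not part of the original post: the same commands as one script, run in a throwaway directory with its own minimal openssl.cnf so it needs no root and never touches /etc/pki/CA. The DN values, the name www.example.test, the section names in the config and all paths are assumptions. It also shows what the crlnumber file from step 3 is for, by revoking the issued certificate, publishing a CRL and checking that a CRL-aware verifier then rejects the certificate.

```shell
#!/bin/bash
# Added example, not the original post's commands. Everything lives under a
# temporary CA_DIR; DN values, www.example.test and all paths are assumptions.
set -e

# Steps 2 and 3: layout, config, CA key (0600 via umask in a subshell),
# self-signed CA certificate, and the serial/index.txt/crlnumber files.
setup_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    # Assumed minimal config; [CA_default] mirrors the keys that the stock
    # /etc/pki/tls/openssl.cnf points at /etc/pki/CA.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
certificate      = \$dir/cacert.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.example.test
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 1000 -sha256 -config "$CA_DIR/openssl.cnf" \
        -extensions v3_ca -subj "/C=CN/ST=BeiJing/O=Example CA/CN=Example Root CA" \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
    touch "$CA_DIR/index.txt"
    echo 01 | tee "$CA_DIR/serial" "$CA_DIR/crlnumber" >/dev/null
}

# Step 4 (client side): client key and CSR, subject given with -subj.
make_csr() {
    (umask 077; openssl genrsa -out "$CA_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/httpd.key" \
        -subj "/C=CN/ST=BeiJing/O=51CTOblog/OU=FangKe/CN=www.example.test" \
        -out "$CA_DIR/httpd.csr"
}

# Step 5 (CA side): sign the CSR. -batch answers the two y/n prompts the post
# shows; the extensions come from the CA's own config, never from the CSR.
sign_csr() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions v3_server \
        -days 365 -in "$CA_DIR/httpd.csr" -out "$CA_DIR/httpd.crt" 2>/dev/null
}

# Chain check: the issued certificate must validate against cacert.pem alone.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/httpd.crt" >/dev/null
}

# Permission check for the umask trick: prints the mode string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# What crlnumber is for: revoke the certificate, publish a CRL, and confirm
# that a verifier which checks the CRL now rejects the certificate.
revoke_and_crl() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/httpd.crt" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
    cat "$CA_DIR/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/ca_and_crl.pem"
    if openssl verify -crl_check -CAfile "$CA_DIR/ca_and_crl.pem" "$CA_DIR/httpd.crt" >/dev/null 2>&1; then
        echo "revoked certificate still verified" >&2
        return 1
    fi
}

run_all() {
    CA_DIR=$(mktemp -d) &&
    setup_ca && make_csr && sign_csr && verify_cert &&
    [ "$(key_mode "$CA_DIR/private/cakey.pem")" = "-rw-------" ] &&
    revoke_and_crl &&
    echo "CA in $CA_DIR: certificate issued and verified, then revoked via CRL"
}

run_all
```

On a real CA you would keep the stock /etc/pki/CA layout and run `openssl ca` as root, as the post does. -batch removes the interactive confirmation, so review the CSR subject (for example with `openssl req -noout -subject -in httpd.csr`) before signing; serverAuth, CA:FALSE and the subjectAltName are set by the CA's config here so that a requester cannot ask for a CA certificate through its CSR.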



For an explanation of umask see: http://blog.csdn.net/lmh12506/article/details/7281910


Original: http://mondeolove.blog.51cto.com/8823973/1534288
