OpenSSL <搭建私有CA>

CA Server : el7-2 (172.16.1.51) ,颁发证书

CA Client : el7-1 (172.16.1.52) ,申请证书

1）CA自签证书

###################生成私钥

[root@el7-2 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048

Generating RSA private key, 2048 bit long modulus

............................................................+++

...................................................................................................................................................................+++

###################自签证书

[root@el7-2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:shandong

Locality Name (eg, city) [Default City]:yantai

Organization Name (eg, company) [Default Company Ltd]:jying

Organizational Unit Name (eg, section) []:tech

Common Name (eg, your name or your server's hostname) []:cert.jying.com

Email Address []:

2）客户端创建私钥、证书申请请求

#####################创建私钥

[root@7-1 ~]# openssl genrsa -out ClientPrivateKey 2048

Generating RSA private key, 2048 bit long modulus

.....+++

...............................................................................................+++

e is 65537 (0x10001)

#####################创建申请证书请求(有些参数需要与CA一致)

[root@7-1 ~]# openssl req -new -key ClientPrivateKey -out ClientReq.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:shandong

Locality Name (eg, city) [Default City]:yantai

Organization Name (eg, company) [Default Company Ltd]:jying

Organizational Unit Name (eg, section) []:web

Common Name (eg, your name or your server's hostname) []:www.jying.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

#####################将请求传送至CA

[root@7-1 ~]# scp ClientReq.csr [email protected]:/etc/pki/CA

The authenticity of host '172.16.1.52 (172.16.1.52)' can't be established.

ECDSA key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.

ECDSA key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.52' (ECDSA) to the list of known hosts.

[email protected]'s password:

ClientReq.csr 100% 1005 900.4KB/s 00:00

3）CA颁发证书

#####################创建证书数据库

[root@el7-2 CA]# touch index.txt

#####################创建证书序列号

[root@el7-2 CA]# echo 01 >serial

#####################颁发证书

[root@el7-2 CA]# openssl ca -in ClientReq.csr -out newcerts/Client.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: May 12 05:11:17 2018 GMT

Not After : May 12 05:11:17 2019 GMT

Subject:

countryName = cn

stateOrProvinceName = shandong

organizationName = jying

organizationalUnitName = web

commonName = www.jying.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9

X509v3 Authority Key Identifier:

keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

Certificate is to be certified until May 12 05:11:17 2019 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

########################将证书传递给客户端

[root@el7-2 CA]# scp newcerts/Client.crt [email protected]:~

The authenticity of host '172.16.1.51 (172.16.1.51)' can't be established.

ECDSA key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.

ECDSA key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.1.51' (ECDSA) to the list of known hosts.

[email protected]'s password:

Client.crt 100% 4438 3.7MB/s 00:00

####################客户端查看证书

[root@7-1 ~]# openssl x509 -in Client.crt -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1 (0x1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=cn, ST=shandong, L=yantai, O=jying, OU=1, CN=jying.com

Validity

Not Before: May 12 05:11:17 2018 GMT

Not After : May 12 05:11:17 2019 GMT

Subject: C=cn, ST=shandong, O=jying, OU=web, CN=www.jying.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:c4:b2:57:14:ba:a4:ed:b0:14:ed:52:2e:f2:4c:

0e:e9:59:ab:6b:79:8a:ac:95:11:d3:b1:0c:61:12:

08:d6:19:73:6e:63:5b:1c:8e:3e:5c:02:da:95:5a:

b7:58:94:bd:66:c1:eb:22:15:84:7e:73:63:45:ed:

b2:24:e4:fa:c9:6c:6f:80:a0:78:63:bf:03:62:4f:

71:e1:2f:62:98:1e:7c:ab:f7:c3:f3:0d:e1:be:8c:

12:55:bf:82:c4:8c:03:63:ff:31:43:40:45:ac:5e:

fd:d7:3e:bb:a2:89:2c:9a:ea:a1:4f:70:17:29:da:

2c:aa:3b:7b:45:45:f8:c4:fd:b9:71:31:59:17:63:

e5:95:35:7e:55:99:6f:40:5a:63:2f:b1:ae:b5:41:

ad:54:4e:33:e6:c4:49:86:1d:68:23:0a:9a:40:e9:

b4:fd:da:e6:07:7e:71:73:c2:17:d6:8e:af:a8:e7:

39:5f:8e:79:0e:a9:78:13:09:30:df:ba:ff:d1:db:

47:9f:95:7c:fb:24:a4:b8:24:34:ab:a8:25:ec:d2:

e3:64:09:4d:1c:87:ac:de:b9:5c:54:27:c2:56:a3:

22:a2:fb:11:1e:69:57:cf:40:b5:33:69:4d:7c:5b:

e4:4f:a6:1d:73:cd:c0:da:69:cc:59:b6:3b:43:49:

8e:9d

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9

X509v3 Authority Key Identifier:

keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

Signature Algorithm: sha256WithRSAEncryption

65:59:b1:68:14:79:c2:30:07:57:5a:fe:04:9b:bb:c4:b0:d5:

31:bb:70:08:32:14:63:18:79:ea:3d:e7:cc:33:7f:4f:8b:2a:

e4:a5:6c:81:34:99:cb:0e:15:f3:3c:14:96:6a:ea:f7:30:f1:

d3:f4:4d:8e:7d:99:02:c9:a1:10:8c:38:64:52:a7:1e:b6:73:

ac:56:74:1b:25:b6:ab:d3:cd:6d:22:7e:14:8d:aa:63:eb:15:

8b:61:c2:58:6f:0a:6d:a5:e1:c5:32:99:62:04:14:6f:5b:a0:

30:e7:8f:0e:bd:f2:7e:d0:79:69:f1:c7:29:26:87:15:b5:21:

0a:9e:0e:09:98:ab:39:7b:a0:4f:61:5e:da:0d:ab:00:9e:39:

e1:85:c4:9c:9e:ff:bc:74:4c:d9:03:ad:03:3d:d7:3e:56:46:

f3:06:d2:2d:52:f5:27:53:e4:ca:84:24:a6:c8:09:35:9d:28:

90:f7:12:04:df:f6:07:59:c2:ed:85:e8:2f:30:9e:d9:91:d5:

a8:4f:f8:a7:aa:6e:3e:8c:2f:6f:17:15:67:52:69:7d:fa:ce:

e5:64:b5:50:70:d6:30:b4:ad:26:b7:61:c2:9a:5c:64:68:e2:

72:93:6d:a8:d1:8e:26:d4:52:3d:8b:ac:27:5d:73:00:c4:bc:

65:ca:b7:63

吊销证书

######################吊销证书

[root@el7-2 CA]# openssl ca -revoke /etc/pki/CA/newcerts/Client.crt

Using configuration from /etc/pki/tls/openssl.cnf

Revoking Certificate 01.

#####################生成CRL 序列号

[root@el7-2 CA]# echo 01 >/etc/pki/CA/crlnumber

#####################生成CRL

[root@el7-2 CA]# openssl ca -gencrl -out /etc/pki/CA/crl/jying_web.crl

#####################查看CRL

[root@el7-2 CA]# openssl crl -in /etc/pki/CA/crl/jying_web.crl -noout -text

Certificate Revocation List (CRL):

Version 2 (0x1)

Signature Algorithm: sha256WithRSAEncryption

Issuer: /C=cn/ST=shandong/L=yantai/O=jying/OU=1/CN=jying.com

Last Update: May 12 05:24:41 2018 GMT

Next Update: Jun 11 05:24:41 2018 GMT

CRL extensions:

X509v3 CRL Number:

Revoked Certificates:

Serial Number: 01

Revocation Date: May 12 05:23:39 2018 GMT

Signature Algorithm: sha256WithRSAEncryption

94:e3:a5:c3:9b:da:f8:d8:38:dd:ca:5c:b5:a2:b6:4b:0f:fc:

3c:a4:07:d5:a4:61:9a:d9:9f:60:74:2f:c2:58:41:67:cc:f4:

b7:03:e1:01:6e:69:ea:a0:8f:be:7a:7f:be:75:90:fd:b5:95:

79:98:9d:02:aa:4e:bb:b1:9d:c4:df:8b:ac:86:8e:b7:da:af:

56:6e:40:57:7e:d2:7d:fe:08:bb:04:54:56:82:0a:17:32:65:

52:41:9f:49:1b:42:c4:c7:5d:4e:83:5c:cc:07:dc:d2:7b:8b:

1c:36:4e:20:5b:af:05:87:07:29:5c:bb:b9:dc:42:e1:54:db:

77:8c:03:96:e2:28:9a:2c:e7:26:1d:be:37:93:5b:7c:96:50:

30:55:ea:54:d4:c9:8d:df:13:21:1c:ff:c2:ae:dd:35:65:a3:

ba:eb:f1:86:13:a1:06:85:40:74:c9:c2:42:b3:5f:ba:8d:0b:

73:33:52:7d:4a:fe:2d:b7:33:20:ce:4f:de:1b:8e:ea:87:40:

e3:fb:79:23:d3:dd:62:65:71:87:d8:fd:cb:36:3e:b8:39:27:

86:de:02:ed:9a:ec:c4:a2:35:08:a0:e4:1f:05:a6:c7:7e:24:

06:18:bc:91:0d:54:fa:18:5d:07:9e:93:6b:3e:0c:13:c2:3a:

2d:02:d1:2a

OpenSSL <搭建私有CA>

猜你喜欢