Objective: set up a CA (certification authority) server and issue certificates to a client.
Preparation:
1. A Linux host for the CA server (a CentOS 7 virtual machine in this example).
2. A client (a CentOS 6 virtual machine).
[Mind map of the steps: image from the original post, not reproduced here]
Steps
I. Create the CA on the server.
1. The CA server is built on CentOS 7. First generate the CA's private key; note the path: the key file must be placed under /etc/pki/CA/private.
2. Use the private key just created to generate a self-signed certificate. Note: the CA's certificate is signed by the CA itself.
View the self-signed certificate.
If the certificate is copied to a Windows system and its suffix changed to .cer, the details can also be viewed there.
3. If the CA is newly built, also create the index.txt and serial files by hand, otherwise an error is reported when a certificate is issued to the client.
4. Take the certificate request from the client and issue the client's certificate.
After issuing, the certificate can likewise be imported into Windows (after changing the suffix) to view it; note that the CA certificate must be installed on the system first, otherwise the full certification path is not shown.
5. Revoke the certificate.
II. The client applies for a certificate.
1. The client first generates its own private key. Here a CentOS 6 virtual machine is used; the client can choose its own path, and I used /data/app/.
2. Create the certificate signing request (CSR) with the private key just generated.
3. Send the CSR just generated to the CA server for signing.
After the CA server has approved and signed the request, fetch the signed certificate and put it to use.
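Putting the steps of sections I and II together, here is an added example that is not from the original post: a shell script that builds a throwaway CA in a temporary directory, creates a client key and CSR, verifies and signs the CSR, checks the issued certificate against the CA, and finally revokes it and publishes a CRL (the revocation step the text lists but does not show). The directory layout, the self-contained openssl.cnf, the function names, the subjects demo-ca.example and app.example and the 100-day validity are all constructed for the demo; it uses -subj instead of the interactive prompts and never touches /etc/pki/CA.

```sh
#!/bin/sh
# Added example (not from the original post): throwaway CA walkthrough in a temp
# directory. All names, subjects and paths below are constructed for the demo.
set -eu

# Steps I.1-I.3: CA key, self-signed CA certificate, and the index/serial files
# that `openssl ca` refuses to run without.
setup_ca() {
    CA_DIR=$(mktemp -d)
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl"
    touch "$CA_DIR/index.txt"          # certificate database
    echo 01 > "$CA_DIR/serial"         # next serial number to issue
    echo 01 > "$CA_DIR/crlnumber"      # next CRL number (for -gencrl)
    # Self-contained config so the demo does not depend on the system openssl.cnf.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 100
default_crl_days = 30
policy           = demo_policy
x509_extensions  = usr_cert
[ demo_policy ]
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Key readable only by the CA user; -subj replaces the interactive prompts.
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem" -days 3650 -subj "/CN=demo-ca.example" 2>/dev/null
}

# Steps II.1-II.2 (client side): own private key and a CSR for it. The client
# reuses the demo config only because everything runs on one machine here.
make_client_request() {
    CLIENT_DIR=$(mktemp -d)
    (umask 077; openssl genrsa -out "$CLIENT_DIR/app.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CLIENT_DIR/app.key" \
        -out "$CLIENT_DIR/app.csr" -subj "/CN=app.example" 2>/dev/null
}

# Step I.4: check the CSR's self-signature before signing, then issue.
# -batch answers the "Sign the certificate?" and "commit?" prompts.
issue_certificate() {
    openssl req -in "$CLIENT_DIR/app.csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -in "$CLIENT_DIR/app.csr" \
        -out "$CA_DIR/certs/app.crt" -days 100 -notext 2>/dev/null
}

# Subject of the issued certificate (what a certificate viewer would show).
cert_subject() { openssl x509 -in "$CA_DIR/certs/app.crt" -noout -subject; }

# Chain check: exit status 0 only if the certificate chains to the CA.
verify_certificate() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/certs/app.crt" >/dev/null 2>&1
}

# Step I.5: revoke and publish a CRL; index.txt then marks the entry with "R".
revoke_certificate() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/certs/app.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}

# Same chain check with the CRL consulted: fails once the cert is revoked.
verify_with_crl() {
    cat "$CA_DIR/cacert.pem" "$CA_DIR/crl/ca.crl" > "$CA_DIR/ca_and_crl.pem"
    openssl verify -crl_check -CAfile "$CA_DIR/ca_and_crl.pem" "$CA_DIR/certs/app.crt" >/dev/null 2>&1
}

revoked_count() { grep -c '^R' "$CA_DIR/index.txt"; }

run_demo() {
    setup_ca; make_client_request; issue_certificate
    echo "issued: $(cert_subject)"
    if verify_certificate; then echo "chain check: OK"; else echo "chain check: FAILED"; fi
    revoke_certificate
    if verify_with_crl; then echo "CRL check: not revoked (unexpected)"; else echo "CRL check: revoked"; fi
    echo "revoked entries in index.txt: $(revoked_count)"
}

run_demo
```

Run it as a whole: run_demo prints the issued subject, the chain-check result, and the CRL check that fails after revocation. The -batch flag on openssl ca is what makes unattended signing possible; without it the command stops at the "Sign the certificate?" prompt, which is the same reason the scripts below need it.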
Using shell scripts to create the CA and request certificates automatically.
I. CA server
Note: the CSR that the client sends over is stored under /data, so the script only needs the file name (without suffix) as its argument.
#!/bin/bash
#
#***********************************************************
#Author: GuoCheng
#QQ: 792402658
#Date: 2019-06-20
#FileName: createCA.sh
#***********************************************************
set -u
set -e
way=/etc/pki/CA
day=100
name=$1
cd $way
#-------------------------Function definitions-------------------------------
#Generate the CA's own private key and self-signed certificate
private(){
(umask 077;openssl genrsa -out private/cakey.pem 4096 )
#The here-document answers the prompts: country, province, city, organization,
#unit, common name, e-mail; the last two lines would answer the challenge
#password and optional company name prompts, which openssl req skips with -x509
openssl req -new -x509 -key $way/private/cakey.pem -out $way/cacert.pem -days 3650 <<EOF
CN
beijing
beijing
magedu
devops
ca.magede.com
[email protected]
root
792402658
EOF
echo .
}
#------------------------------------------------------------------
#Main program starts
if [ ! -e $way/index.txt ];then
touch $way/index.txt
fi
if [ ! -e $way/serial ];then
echo 00 > $way/serial
fi
if [ ! -e $way/private/cakey.pem ];then
private
fi
#Issue the certificate; -batch answers the "Sign the certificate?" and "commit?"
#prompts so the script runs unattended
openssl ca -batch -in /data/${name}.csr -out $way/certs/${name}.crt -days $day
II. Client
Note: the client only needs to pass two parameters after the script name: the name of the certificate to request (without suffix) and the IP of the CA server, in that order. This script is not robust; do not reverse the order of the parameters.
#!/bin/bash
#
#***********************************************************
#Author: GuoCheng
#QQ: 792402658
#Date: 2019-06-22
#FileName: RequestCA.sh
#***********************************************************
set -u
set -e
way=/data/app
hostname=root           #login user on the CA server (despite the variable name)
password=792402658      #SSH password for that user, kept in plaintext by this script
filename=$1
CAIP=$2
filekey=${filename}.key
filecsr=${filename}.csr
cd $way
#----------------------Function definitions-------------------------------
key(){
#note: 1024-bit RSA keys are below today's 2048-bit minimum
(umask 066;openssl genrsa -out $filekey 1024)
#Answers to the prompts: country, province, city, organization, unit,
#common name, e-mail, challenge password, optional company name
openssl req -new -key $filekey -out $filecsr <<EOF
CN
beijing
beijing
magedu
37
app.magedu.com
[email protected]
792402658
root
EOF
echo .
}
#--------------------------------------------------------------
#Generate the local key and the CSR
key
#Send the CSR to the CA server; expect answers the host-key and password prompts
#spawn scp reboot.sh $user@$ip:/data
expect <<EOF
set timeout 10
spawn scp $filecsr $hostname@$CAIP:/data
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$password\n" }
}
expect eof
EOF
echo .