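I. CAs and Certificates
Asymmetric encryption is an algorithm used to keep communications on the Internet secure. Keys come in pairs (a public key and a private key). Its defining property is that sender A encrypts data with receiver B's public key, so only B, who holds the matching private key, can decrypt that data, and vice versa. How, then, do A and B exchange each other's genuine public keys securely? This requires an authoritative body that verifies the legitimacy of public keys; that body is called a CA (Certification Authority). The CA issues a digital certificate to every client that uses a public key. The purpose of the digital certificate is to attest that the client named in the certificate legitimately owns the public key listed in it.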
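II. Two ways to obtain a certificate
- Use a certificate authority: generate a certificate signing request (CSR) --> send the CSR to the CA --> receive the signature from the CA
Figure 1: Certificate issuance by a CA (assuming there is only a single-level CA)
Many authoritative root CAs are built into the operating system, so once the system is installed the user already has the root CAs' public keys. The public key of the upper-level CA can therefore be obtained, and a certificate can then be requested.
Figure 2: A host obtains the upper-level CA's public key through the root CA
- Self-signed certificate: create your own root CA and sign your own public key
OpenSSL is a free, open-source library that provides command-line tools for building digital certificates, some of which can be used to set up your own root CA.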
1. Create a private CA
Before creating the CA, get familiar with the OpenSSL configuration file: /etc/pki/tls/openssl.cnf
    [ ca ]
    default_ca      = CA_default            # The default ca section <-- name of the CA section in use

    [ CA_default ]
    dir             = /etc/pki/CA           # Where everything is kept <-- directory holding the CA's files
    certs           = $dir/certs            # Where the issued certs are kept <-- archive of issued certificates
    crl_dir         = $dir/crl              # Where the issued crl are kept <-- certificate revocation lists
    database        = $dir/index.txt        # database index file. <-- certificate index database
    #unique_subject = no                    # Set to 'no' to allow creation of <-- whether several certificates may share the same subject
                                            # several certificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.
    certificate     = $dir/cacert.pem       # The CA certificate <-- the self-signed certificate
    serial          = $dir/serial           # The current serial number <-- currently available serial number (serial of the next certificate to be issued)
    crlnumber       = $dir/crlnumber        # the current crl number <-- CRL number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem # The private key <-- the CA's private key file
    RANDFILE        = $dir/private/.rand    # private random number file
    default_days    = 365                   # how long to certify for <-- certificate validity period
    default_crl_days= 30                    # how long before next CRL <-- interval between CRL publications
    default_md      = sha256                # use SHA-256 by default <-- digest algorithm
    policy          = policy_match          # <-- which policy to use

    # For the CA policy
    [ policy_match ]
    countryName             = match         # <-- the value in the request must be identical to the CA's
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional      # <-- may be filled in or left empty
    commonName              = supplied      # <-- must be filled in
    emailAddress            = optional

    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
a. Create the CA's private key on CentOS 7
    [root@centos7 ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)    <-- only the owner has permissions on the private key file
    Generating RSA private key, 2048 bit long modulus
    ...+++
    .............+++
    e is 65537 (0x10001)
    [root@centos7 ~]#tree /etc/pki/CA
    /etc/pki/CA
    ├── certs
    ├── crl
    ├── newcerts
    └── private
        └── cakey.pem

    4 directories, 1 file
b. Generate the self-signed certificate
    [root@centos7 ~]#openssl req -new -x509 \         <-- -x509 is used by a CA to generate a self-signed certificate
    > -key /etc/pki/CA/private/cakey.pem \            <-- private key file used when generating the request
    > -out /etc/pki/CA/cacert.pem \                   <-- path where the certificate is saved
    > -days 365                                       <-- validity period of the certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:BeiJing
    Organization Name (eg, company) [Default Company Ltd]:ffu
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:ca.ffu.com
    Email Address []:ffu@outlook.com
c. Inspect the self-signed certificate
    [root@centos7 ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 14141409927417363425 (0xc440616792e4fbe1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BeiJing, L=BeiJing, O=ffu, OU=IT, CN=ca.ffu.com/emailAddress=ffu@outlook.com
            Validity
                Not Before: Jul 16 08:57:27 2017 GMT
                Not After : Jul 16 08:57:27 2018 GMT
            Subject: C=CN, ST=BeiJing, L=BeiJing, O=ffu, OU=IT, CN=ca.ffu.com/emailAddress=ffu@outlook.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
    ....remainder omitted....
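d. Create the required database files
    [root@centos7 CA]#touch /etc/pki/CA/index.txt     <-- create the certificate index database file
    [root@centos7 CA]#echo 01 > /etc/pki/CA/serial    <-- serial number of the first certificate to be issued; hexadecimal, must be two digits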
2. Issue a certificate
a. Generate the private key on the CentOS 6 host
    [root@centos6 ~]#(umask 066;openssl genrsa -out /app/service.key 2048)
    Generating RSA private key, 2048 bit long modulus
    .............+++
    .................................+++
    e is 65537 (0x10001)
b. Generate the certificate signing request file
    [root@centos6 app]#openssl req -new -key /app/service.key -out /app/service.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                               <-- under the selected policy, must match the CA's information
    State or Province Name (full name) []:BeiJing                      <-- under the selected policy, must match the CA's information
    Locality Name (eg, city) [Default City]:Zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:ffu          <-- under the selected policy, must match the CA's information
    Organizational Unit Name (eg, section) []:cs
    Common Name (eg, your name or your server's hostname) []:*.ffu.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
c. Transfer the certificate request file to the CA
    [root@centos6 app]#scp service.csr 192.168.196.166:/etc/pki/CA/
d. The CA signs the certificate and issues it to the requester
    [root@centos7 CA]#openssl ca -in /etc/pki/CA/service.csr -out /etc/pki/CA/certs/service.crt -days 100
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 16 09:44:51 2017 GMT
                Not After : Oct 24 09:44:51 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = BeiJing
                organizationName          = ffu
                organizationalUnitName    = cs
                commonName                = *.ffu.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    89:01:83:51:84:C8:1F:A9:1F:E7:F5:60:6E:6E:5D:5A:2B:59:5A:F2
                X509v3 Authority Key Identifier:
                    keyid:A9:5F:1B:D6:F6:7E:99:5D:2F:EE:7D:40:F7:DA:61:AE:29:EE:D1:6F

    Certificate is to be certified until Oct 24 09:44:51 2017 GMT (100 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@centos7 CA]#ll certs/service.crt newcerts/01.pem
    -rw-r--r--. 1 root root 4456 Jul 16 17:45 certs/service.crt
    -rw-r--r--. 1 root root 4456 Jul 16 17:45 newcerts/01.pem    <-- created automatically, named after the certificate's serial number; same content as the certificate
    [root@centos7 CA]#cat index.txt serial
    V 171024094451Z 01 unknown /C=CN/ST=BeiJing/O=ffu/OU=cs/CN=ffu    <-- database entry, written automatically
    02    <-- automatically advanced to the serial number of the next certificate to be issued
The CA can then send the certificate to the host, and the web services on that host can start using it.
3. How to revoke a certificate
a. On the client, first look up the certificate's serial --> #openssl x509 -in /etc/pki/CA/service.crt -noout -text
b. On the CA, check that the serial and subject submitted by the client match the information in index.txt, then revoke the certificate
    [root@centos7 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    [root@centos7 CA]#cat index.txt
    R 171024094451Z 170716112929Z 01 unknown /C=CN/ST=BeiJing/O=ffu/OU=cs/CN=ffu    <-- R means revoked
c. Set the first revocation list number
    [root@centos7 CA]#echo 01 > /etc/pki/CA/crlnumber    <-- only needed before the certificate revocation list is updated for the first time
d. Update the certificate revocation list
    [root@centos7 CA]#openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@centos7 CA]#cat crlnumber
    02    <-- automatically advanced to the next CRL number
    [root@centos7 CA]#openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text    <-- show the details of the revocation list file
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=CN/ST=BeiJing/L=BeiJing/O=ffu/OU=IT/CN=ffu/emailAddress=ffu@outloo.co
            Last Update: Jul 16 11:35:48 2017 GMT
            Next Update: Aug 15 11:35:48 2017 GMT
            CRL extensions:
                X509v3 CRL Number:
                    1
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Jul 16 11:29:29 2017 GMT
        Signature Algorithm: sha256WithRSAEncryption
    .....remainder omitted.....
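The three procedures above (create the private CA, issue a certificate, revoke it and publish the CRL), replayed non-interactively as an added example that is not part of the original article. It assumes a scratch directory instead of /etc/pki/CA, a cut-down config file, and constructed subjects under example.test; it also shows what policy_match refuses, and that a revoked certificate keeps verifying until the verifier is actually given the CRL.

```bash
# Added example: throwaway CA in a temp dir; every path and subject is constructed.
set -eu; D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
mkdir "$D/newcerts"; : > "$D/index.txt"; echo 01 > "$D/serial"; echo 01 > "$D/crlnumber"
cat > "$D/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $D/index.txt
new_certs_dir = $D/newcerts
certificate = $D/cacert.pem
private_key = $D/cakey.pem
serial = $D/serial
crlnumber = $D/crlnumber
default_days = 100
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
ssl() { openssl "$@" 2>/dev/null; }                    # drop progress noise
ca()  { ssl ca -batch -config "$D/ca.cnf" "$@"; }      # -batch answers the y/n prompts
csr() { ssl req -new -config "$D/ca.cnf" -key "$D/service.key" -out "$D/$1.csr" -subj "$2"; }
check() {                                              # prints "valid" or "rejected"
  openssl verify -CAfile "$D/cacert.pem" "$@" "$D/service.crt" 2>&1 |
    grep -q ': OK$' && echo valid || echo rejected
}
(umask 077; ssl genrsa -out "$D/cakey.pem" 2048; ssl genrsa -out "$D/service.key" 2048)
ssl req -new -x509 -config "$D/ca.cnf" -key "$D/cakey.pem" -out "$D/cacert.pem" \
  -days 365 -subj "/C=CN/ST=BeiJing/O=ffu/CN=ca.example.test"
csr service "/C=CN/ST=BeiJing/O=ffu/CN=www.example.test"
ca -in "$D/service.csr" -out "$D/service.crt"
# policy_match: organizationName differs from the CA's, so signing is refused.
csr other "/C=CN/ST=BeiJing/O=other/CN=x.example.test"
ca -in "$D/other.csr" -out "$D/other.crt" && mismatch=signed || mismatch=refused
issued=$(check)
ca -revoke "$D/newcerts/01.pem"; ca -gencrl -out "$D/crl.pem"
without_crl=$(check)                                   # verifier was not given the CRL
with_crl=$(check -crl_check -CRLfile "$D/crl.pem")     # verifier checks the CRL
echo "mismatch=$mismatch issued=$issued without_crl=$without_crl with_crl=$with_crl"
```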
Original article by ffu. If you repost it, please credit the source: http://www.www58058.com/81319