创建证书颁发机构并与根CA签署证书
时间:2020-01-09 10:37:52 来源:igfitidea点击:
在本文中,我将分享创建证书颁发机构证书的步骤,然后使用此CA证书对证书进行签名。
:安装OpenSSL
在RHEL/CentOS 7/8上,我们可以分别使用yum或者dnf;而在Ubuntu上,可以使用" apt-get"安装openssl rpm。
说明:
在RHEL系统上,我们必须具有RHN的有效订阅,或者我们可以配置本地脱机存储库,通过该本地脱机存储库,yum软件包管理器可以安装提供的rpm及其依赖项。
[root@centos8-1 ~]# yum -y install openssl
:使用加密密码的OpenSSL加密数据
当我们为根CA证书创建私钥时,我们可以选择对私钥使用加密,也可以创建不进行任何加密的密钥。
就像我们选择使用3DES,AES这样的加密方式创建私钥一样,每次尝试访问私钥时,我们都必须提供密码。
我已经写了另一篇文章,介绍了使用盐腌密码对openssl encd数据进行加密的步骤。
因此,我将不再其中重复这些步骤。
对于本文中的所有示例,我们将使用相同的加密密码文件,以演示openssl创建证书链示例。
:产生私钥
首先生成私钥" ca.key",我们将使用此私钥创建证书颁发机构证书
[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096 Generating RSA private key, 4096 bit long modulus (2 primes) .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++ ....................................++++ e is 65537 (0x010001)
OpenSSL验证私钥内容
要验证我们在上面创建的私钥的内容,请使用openssl命令,如下所示:
[root@centos8-1 certs]# openssl rsa -noout -text -in ca.key -passin file:mypass.enc
:创建证书颁发机构证书
现在,我们将使用带有openssl的私钥来创建证书颁发机构证书ca.cert.pem。
OpenSSL使用我们指定的信息,使用提示用户的信息来编译X.509证书,该信息是从指定的私钥中提取的公钥,该私钥也用于生成签名。
[root@centos8-1 certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem -passin file:mypass.enc You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ---- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:Karnataka Locality Name (eg, city) [Default City]:Bengaluru Organization Name (eg, company) [Default Company Ltd]:theitroad Organizational Unit Name (eg, section) []:R&D Common Name (eg, your name or your server's hostname) []:centos8-1 CA Email Address []:[email protected]
OpenSSL验证CA证书
要使用openssl验证CA证书内容:
[root@centos8-1 certs]# openssl x509 -noout -text -in ca.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4a:73:47:ce:49:c6:a7:ab:36:ad:b8:56:bc:73:3a:e4:63:f7:93:14
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = centos8-1 CA, emailAddress = [email protected]
Validity
Not Before: Apr 11 15:45:10 2017 GMT
Not After : Apr 11 15:45:10 2021 GMT
Subject: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = centos8-1 CA, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
<Output trimmed>
X509v3 extensions:
X509v3 Subject Key Identifier:
04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94
X509v3 Authority Key Identifier:
keyid:04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94
X509v3 Basic Constraints: critical
CA:TRUE
<Output trimmed>
:生成服务器密钥并请求签名(CSR)
此步骤将创建服务器密钥,以及我们希望其通过证书颁发机构签名的请求(" .csr"文件)
[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096 Generating RSA private key, 4096 bit long modulus (2 primes) .....................................++++ ...........................................................................................................++++ e is 65537 (0x010001)
现在,我们生成一个证书签名请求,其中包含一些我们希望包含在证书中的信息。
为了证明私钥的所有权,请使用主题的私钥" server.key"对CSR进行签名。
在生成下面的.csr文件时,输入通用名称(CN)时请仔细考虑。
这应该与DNS名称或者我们在Apache配置中指定的IP地址匹配。
[root@centos8-1 certs]# openssl req -new -key server.key -out server.csr -passin file:mypass.enc You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ---- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:Karnataka Locality Name (eg, city) [Default City]:Bengaluru Organization Name (eg, company) [Default Company Ltd]:theitroad Organizational Unit Name (eg, section) []:R&D Common Name (eg, your name or your server's hostname) []:server Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
OpenSSL验证服务器密钥内容
我们可以使用与验证ca.key内容相同的命令
[root@centos8-1 certs]# openssl rsa -noout -text -in server.key -passin file:mypass.enc
OpenSSL验证证书签名请求(CSR)
要验证openssl CSR证书,请使用以下命令:
[root@centos8-1 certs]# openssl req -noout -text -in server.csr
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = server, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
<Output trimmed>
:与CA签署证书
在此命令中,我们将颁发此证书" server.crt",该证书由在上一个命令中创建的CA根证书" ca.cert.pem"和CA密钥" ca.key"签名。
Openssl接收签名请求(csr),并从中获得一年有效的签名服务器证书(crt)。
为此,我们需要告诉它要使用的证书颁发机构(CA),要使用的CA密钥以及要签名的服务器密钥。
我们使用CAcreateserial设置序列号,并将签名的密钥输出到名为server.crt的文件中。
[root@centos8-1 certs]# openssl x509 -req -days 365 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt -passin file:mypass.enc Signature ok subject=C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = server, emailAddress = [email protected] Getting CA Private Key
OpenSSL验证服务器证书
使用openssl验证服务器证书内容:
[root@centos8-1 certs]# openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
69:ee:7f:8f:12:77:b3:0b:75:b8:ac:eb:66:df:bf:50:82:bf:64:b0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = centos8-1 CA, emailAddress = [email protected]
Validity
Not Before: Apr 11 15:50:23 2017 GMT
Not After : Apr 11 15:50:23 2021 GMT
Subject: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = server, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
<Output trimmed>
提示:
如果我们将此server.key用于Apache或者其他服务,则每次我们重新启动各自的服务时,它将要求输入密码。
我们可以选择使用openssl rsa -in server.key -out server.key.insecure删除密码短语,然后为服务使用不安全版本的server.key
