Create a Certificate Authority and sign certificates with the root CA

Date: 2020-01-09 10:37:52  Source: igfitidea

In this article I will share the steps to create a Certificate Authority certificate and then use that CA certificate to sign a certificate.

Install OpenSSL

On RHEL/CentOS 7/8 we can use yum or dnf respectively, and on Ubuntu apt-get, to install the openssl package.

Note:

On RHEL systems we must have a valid RHN subscription, or we can configure a local offline repository from which the yum package manager can install the required rpm and its dependencies.

[root@centos8-1 ~]# yum -y install openssl

Encrypting data with OpenSSL using an encrypted passphrase

When we create the private key for the root CA certificate, we can choose to encrypt the private key or create it without any encryption.
If we create the private key with a cipher such as 3DES or AES, we must supply the passphrase every time we access the private key.

I have written another article that covers the steps to encrypt data with openssl enc using a salted password.

So I will not repeat those steps here.

For all examples in this article we will use the same encrypted passphrase file to demonstrate creating a certificate chain with openssl.

Generate the private key

First generate the private key "ca.key"; we will use this private key to create the Certificate Authority certificate.

[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................++++
....................................++++
e is 65537 (0x010001)

Verify the private key content with OpenSSL

To verify the content of the private key created above, use the openssl command as shown below:

[root@centos8-1 certs]# openssl rsa -noout -text -in ca.key -passin file:mypass.enc

Create the Certificate Authority certificate

Now we use the private key with openssl to create the Certificate Authority certificate ca.cert.pem.
OpenSSL assembles the X.509 certificate from the information we enter at the prompts and the public key extracted from the specified private key; that same private key is also used to generate the signature.

[root@centos8-1 certs]# openssl req -new -x509 -days 365 -key ca.key -out ca.cert.pem -passin file:mypass.enc
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:theitroad
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:centos8-1 CA
Email Address []:[email protected]

Verify the CA certificate with OpenSSL

To verify the content of the CA certificate with openssl:

[root@centos8-1 certs]# openssl x509 -noout -text -in ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:73:47:ce:49:c6:a7:ab:36:ad:b8:56:bc:73:3a:e4:63:f7:93:14
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = centos8-1 CA, emailAddress = [email protected]
        Validity
            Not Before: Apr 11 15:45:10 2017 GMT
            Not After : Apr 11 15:45:10 2021 GMT
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = centos8-1 CA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
             <Output trimmed>
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94
            X509v3 Authority Key Identifier:
                keyid:04:A6:1C:8B:4B:6C:B9:47:3D:A7:FB:38:CA:91:C0:B5:28:A5:BE:94
            X509v3 Basic Constraints: critical
                CA:TRUE
            <Output trimmed>

Generate the server key and certificate signing request (CSR)

This step creates the server key and the request (the ".csr" file) that we want the Certificate Authority to sign.

[root@centos8-1 certs]# openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................++++
...........................................................................................................++++
e is 65537 (0x010001)

Now we generate a certificate signing request containing the information we want included in the certificate.
To prove ownership of the private key, the CSR is signed with the subject's private key "server.key".
When generating the .csr file below, think carefully when entering the Common Name (CN).
It should match the DNS name or IP address we specify in the Apache configuration.

[root@centos8-1 certs]# openssl req -new -key server.key -out server.csr -passin file:mypass.enc
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bengaluru
Organization Name (eg, company) [Default Company Ltd]:theitroad
Organizational Unit Name (eg, section) []:R&D
Common Name (eg, your name or your server's hostname) []:server
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Verify the server key content with OpenSSL

We can use the same command we used to verify the content of ca.key:

[root@centos8-1 certs]# openssl rsa -noout -text -in server.key -passin file:mypass.enc

Verify the certificate signing request (CSR) with OpenSSL

To verify the CSR with openssl, use the following command:

[root@centos8-1 certs]# openssl req -noout -text -in server.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = server, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                <Output trimmed>

Sign the certificate with the CA

With this command we issue the certificate "server.crt", signed by the CA root certificate "ca.cert.pem" and the CA key "ca.key" created in the earlier commands.

OpenSSL takes the signing request (csr) and produces from it a signed server certificate (crt) valid for one year.
For this we need to tell it which Certificate Authority (CA) certificate to use, which CA key to use, and which server request (CSR) to sign.
We use -CAcreateserial to generate the serial number and write the signed certificate to a file named server.crt.

[root@centos8-1 certs]# openssl x509 -req -days 365 -in server.csr -CA ca.cert.pem -CAkey ca.key -CAcreateserial -out server.crt -passin file:mypass.enc
Signature ok
subject=C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = server, emailAddress = [email protected]
Getting CA Private Key

Verify the server certificate with OpenSSL

Verify the server certificate content with openssl:

[root@centos8-1 certs]# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            69:ee:7f:8f:12:77:b3:0b:75:b8:ac:eb:66:df:bf:50:82:bf:64:b0
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = centos8-1 CA, emailAddress = [email protected]
        Validity
            Not Before: Apr 11 15:50:23 2017 GMT
            Not After : Apr 11 15:50:23 2021 GMT
        Subject: C = IN, ST = Karnataka, L = Bengaluru, O = theitroad, OU = R&D, CN = server, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                <Output trimmed>
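The whole procedure above (CA key and certificate, server key and CSR, signing, and the chain check the article does not show) as one non-interactive bash script. This is an added example, not code from the original article: the work directory, the passphrase file content, and the host name www.example.test are constructed here, and the server certificate is signed with an extensions file so it comes out as a v3 certificate with a SAN instead of the v1 certificate shown in the output above.

```shell
#!/usr/bin/env bash
# Added example: non-interactive CA -> CSR -> signed server certificate flow,
# followed by a chain and hostname check. The passphrase value and the host
# name below are constructed for the example.
set -eu

# Build ca.key, ca.cert.pem, server.key, server.csr and server.crt in "$1".
# The body runs in a subshell so the caller's working directory is untouched.
build_chain() (
    dir=$1; host=${2:-www.example.test}
    mkdir -p "$dir" && cd "$dir"
    printf '%s\n' 'constructed-ca-passphrase' > mypass.enc   # constructed value
    # Root CA key and self-signed CA certificate; -subj replaces the DN prompts.
    openssl genrsa -des3 -passout file:mypass.enc -out ca.key 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin file:mypass.enc \
        -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=theitroad/CN=centos8-1 CA" \
        -out ca.cert.pem
    # Server key and CSR with the host name as CN.
    openssl genrsa -des3 -passout file:mypass.enc -out server.key 4096 2>/dev/null
    openssl req -new -key server.key -passin file:mypass.enc \
        -subj "/C=IN/ST=Karnataka/L=Bengaluru/O=theitroad/CN=$host" \
        -out server.csr
    # Without -extfile, "openssl x509 -req" emits a v1 certificate with no SAN
    # (the article's output shows "Version: 1"); modern TLS clients match the
    # host name against the SAN, so give the server certificate one.
    cat > server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -days 365 -in server.csr -CA ca.cert.pem -CAkey ca.key \
        -CAcreateserial -passin file:mypass.enc -extfile server.ext -out server.crt
)

# Check the result: the server certificate must chain to the CA and must match
# the expected host name. Returns non-zero if either check fails.
verify_chain() {
    local dir="$1" host="${2:-www.example.test}"
    openssl verify -CAfile "$dir/ca.cert.pem" "$dir/server.crt" >/dev/null &&
    openssl x509 -noout -checkhost "$host" -in "$dir/server.crt" | grep -q 'does match'
}
```

Run it as `build_chain ./pki www.example.test && verify_chain ./pki www.example.test`; verify_chain fails for any other host name, which is the check a client will perform against this certificate.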

Tip:

If we use this server.key for Apache or another service, it will ask for the passphrase every time the respective service is restarted.
We can optionally remove the passphrase with openssl rsa -in server.key -out server.key.insecure and then use the insecure (unencrypted) version of server.key for the service.