Simulating a CA with self-signed certificates
Published: 2020-12-15 21:38:16   Category: Security   Source: compiled from the web
Part 1: Setting up the CA working environment
1. Edit the CA configuration file

vim /etc/pki/tls/openssl.cnf

[ CA_default ]                                    # CA configuration
dir             = /etc/pki/CA                     # Where everything is kept: the CA's working directory
certs           = $dir/certs                      # Where the issued certs are kept
crl_dir         = $dir/crl                        # Where the issued crl are kept: revocation directory
database        = $dir/index.txt                  # database index file: list of issued certificates
#unique_subject = no                              # Set to 'no' to allow creation of
                                                  # several certificates with same subject.
new_certs_dir   = $dir/newcerts                   # default place for new certs.
certificate     = $dir/cacert.pem                 # The CA certificate: the CA's own certificate
serial          = $dir/serial                     # The current serial number of the issued certificates
crlnumber       = $dir/crlnumber                  # the current crl number
                                                  # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem                    # The current CRL
private_key     = $dir/private/cakey.pem          # The private key: the CA's own private key
RANDFILE        = $dir/private/.rand              # private random number file
x509_extensions = usr_cert                        # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default                      # Subject Name options
cert_opt        = ca_default                      # Certificate field options
default_days    = 365                             # how long to certify for
default_crl_days= 30                              # how long before next CRL
default_md      = sha256                          # use SHA-256 by default
preserve        = no                              # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

[ req_distinguished_name ]                        # default subject info for requesters; hostname and email get no default
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = GD
localityName                    = Locality Name (eg, city)
localityName_default            = SHENZHEN
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = SZXX
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = TECH
commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
# SET-ex3                       = SET extension number 3

2. Generate the CA's private key

cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate a private key; umask 077 makes the file readable by its owner only
# ls private/
cakey.pem
openssl rsa -in private/cakey.pem -pubout                  # extract the public key from the private key

3. Generate the CA's own certificate from the private key

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365   # -x509 produces a self-signed certificate instead of a request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [shengzhen]:
Organization Name (eg, company) [SZXX]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:ca.fish.com   -- this name matters: keep it consistent with the hostname or DNS name
Email Address []:[email protected]

# openssl x509 -text -noout -in cacert.pem   -- view the information in the certificate

4. Create the directories and files used when issuing certificates

mkdir certs crl newcerts
touch index.txt
echo 01 > serial
# tree .
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

Part 2: Preparing the client's certificate signing request

1. The client generates a private key

mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
(umask 077; openssl genrsa -out httpd.key 1024)

2. The client generates a certificate request

# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
your name or your server's hostname) []:www.fish.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. The CA issues a certificate from the request (the client's CSR is normally copied to the CA server first)

openssl ca -in httpd.csr -out http.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 29 14:33:26 2019 GMT
            Not After : May 28 14:33:26 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = SZXX
            organizationalUnitName    = IT
            commonName                = www.fish.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F6:61:F0:99:90:29:F7:66:5E:55:F9:D1:D0:7F:58:14:CA:53:0A:72
            X509v3 Authority Key Identifier:
                keyid:88:A4:07:29:65:16:7D:A0:87:26:B0:0D:AC:22:DB:3A:5A:12:FF:20

Certificate is to be certified until May 28 14:33:26 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ll
total 12
-rw-r--r-- 1 root root 3840 May 29 22:34 http.crt
-rw-r--r-- 1 root root  696 May 29 22:32 httpd.csr
-rw------- 1 root root  887 May 29 22:29 httpd.key

4. The CA's state afterwards

# cat /etc/pki/CA/index.txt
V	200528143326Z		01	unknown	/C=CN/ST=GD/O=SZXX/OU=IT/CN=www.fish.com/[email protected]
# cat /etc/pki/CA/serial
02
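The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the same CA layout in a scratch directory, issues the www.fish.com certificate non-interactively (-subj, -batch and a minimal openssl.cnf written inline instead of the system file), and then checks what the post only eyeballs in the `openssl ca` output: that the issued certificate verifies against cacert.pem and carries CA:FALSE while the CA certificate carries CA:TRUE. It assumes `openssl` is installed; the scratch directory, the 2048-bit client key and the trimmed config sections are my choices, not the post's.

```shell
# Added example, not from the original post: the post's CA workflow run non-interactively
# in a scratch directory ($1), then checked. Assumes `openssl` is on PATH.
setup_demo_ca() {
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  : > "$1/index.txt"; echo 01 > "$1/serial"   # empty database, first serial to issue
  # Minimal config for the post's flow; $1 expands in the shell, \$dir is resolved by OpenSSL.
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
EOF
  # CA private key (umask 077 keeps it 0600) and self-signed CA certificate (-x509).
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$1/private/cakey.pem" -out "$1/cacert.pem" -days 365 \
    -config "$1/openssl.cnf" -subj "/C=CN/ST=GD/O=SZXX/CN=ca.fish.com"
}
# Client key+CSR (2048-bit, not the post's 1024), signed via `openssl ca -batch`; prints OK on verify.
issue_and_verify() {
  (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$1/httpd.key" -out "$1/httpd.csr" \
    -config "$1/openssl.cnf" -subj "/C=CN/ST=GD/O=SZXX/OU=IT/CN=www.fish.com"
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/httpd.csr" \
    -out "$1/httpd.crt" -days 365 >/dev/null 2>&1
  openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" | sed 's/^.*: //'
}
# Does the certificate in $1 assert CA:TRUE? An issued leaf certificate must answer "no".
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && echo yes || echo no; }
```

After a run, index.txt holds the V line for /C=CN/ST=GD/O=SZXX/OU=IT/CN=www.fish.com and serial has advanced to 02, exactly as in Part 2, step 4.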