Setting up a CA


Use openssl to build your own CA server and issue certificates from it.

CA server

/etc/pki/tls/openssl.cnf holds the CA configuration (the [ CA_default ] section below). The files and directories it references must exist at the paths given there before openssl ca can sign anything.

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

Create the files the cnf refers to:

  • Create index.txt, the certificate database, and serial, which holds the serial number of the next certificate to be issued

    $ touch /etc/pki/CA/index.txt
    # starting serial number: the first issued certificate gets serial 01
    $ echo 01 > /etc/pki/CA/serial
    
  • Generate cakey.pem, the CA private key (umask 066 makes the key file mode 0600)

    $ (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
    
  • Extract the public key from the private key (optional: openssl ca never reads this file, and /etc/pki/CA/public is not part of the default layout, so create that directory first)

    $ openssl rsa -in /etc/pki/CA/private/cakey.pem -pubout -out /etc/pki/CA/public/ca_public_key.pem
    
  • Generate cacert.pem, the self-signed CA certificate (7300 days is 20 years; with the stock openssl.cnf, -x509 applies the v3_ca extensions, so the certificate is marked CA:TRUE)

    $ openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
    

Certificate request

On another machine, generate a private key and a certificate signing request (CSR), then send the CSR to the CA server to be signed.

# Generate the private key
$ (umask 066; openssl genrsa -out /etc/pki/tls/private/smart-test.key 2048)

# Generate the certificate request. No -days here: a CSR carries no validity
# period, openssl req only honours -days together with -x509, and the CA sets
# the lifetime when it signs.
$ openssl req -new -key /etc/pki/tls/private/smart-test.key -out /etc/pki/tls/smart-test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:G7
Organizational Unit Name (eg, section) []:IOT
Common Name (eg, your name or your server's hostname) []:iot-parser
Email Address []:iot-parser@g7.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:

Copy the CSR to the CA server and sign it there (the /etc/pki/CA/csrs directory is not part of the default layout and must be created first). The default policy section, policy_match, requires countryName, stateOrProvinceName and organizationName to match the CA certificate and silently drops any subject field it does not list, which is why localityName is absent from the issued certificate below:

$ openssl ca -in /etc/pki/CA/csrs/smart-test.csr -out /etc/pki/CA/certs/smart-test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  8 03:32:20 2020 GMT
            Not After : Oct  8 03:32:20 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = G7
            organizationalUnitName    = IOT
            commonName                = iot-parser
            emailAddress              = iot-parser@g7.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FF:56:8F:31:7F:8C:80:48:18:13:F1:3B:65:5E:12:49:3F:DC:3F:A0
            X509v3 Authority Key Identifier:
                keyid:E3:FA:3B:21:8A:64:BB:9D:F4:D3:6B:06:94:5F:E4:F0:68:82:CD:77

Certificate is to be certified until Oct  8 03:32:20 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The CA server sends /etc/pki/CA/certs/smart-test.crt back to the requester. openssl ca also keeps a copy as /etc/pki/CA/newcerts/01.pem (named after the serial) and records the certificate in index.txt with status V.
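The whole procedure above (CA setup, key and CSR on the requesting side, signing, and the checks worth running before trusting the result) as one script. This is an added example, not code from the original page: it runs against a throwaway directory instead of /etc/pki/CA, and the minimal openssl.cnf it writes is an assumption standing in for /etc/pki/tls/openssl.cnf so the script works unprivileged on any host. The DN values and the smart-test / iot-parser names are taken from the page; the "smart-test CA" subject of the root certificate is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): CA setup, CSR, signing and
# verification in a scratch directory. The config written by write_cnf is an
# assumption standing in for /etc/pki/tls/openssl.cnf.
set -u

# Minimal CA config. $dir is expanded now; \$dir is left for openssl to expand.
write_cnf() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
# Subject fields not listed here are silently dropped from the issued
# certificate, so localityName never makes it in (as on the page).
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# CA host: directory layout, empty database, starting serial, CA key (0600)
# and the self-signed CA certificate.
setup_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/csrs" "$dir/private" &&
    chmod 700 "$dir/private" && : > "$dir/index.txt" && echo 01 > "$dir/serial" &&
    write_cnf "$dir" &&
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null) &&
    openssl req -new -x509 -config "$dir/openssl.cnf" -days 7300 \
        -key "$dir/private/cakey.pem" -subj "/C=CN/ST=BJ/O=G7/CN=smart-test CA" \
        -out "$dir/cacert.pem"
}

# Requesting host: key plus CSR. No -days: a CSR has no validity period, the
# CA sets it at signing time. -config only avoids relying on the system cnf.
request_cert() {
    dir="$1"; name="$2"; subj="$3"
    (umask 066; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null) &&
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "$subj" -out "$dir/csrs/$name.csr"
}

# CA host: sign. -batch answers the two y/n prompts shown on the page.
issue_cert() {
    dir="$1"; name="$2"; days="$3"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -days "$days" \
        -in "$dir/csrs/$name.csr" -out "$dir/certs/$name.crt"
}

issued_serial()  { openssl x509 -in "$1/certs/$2.crt" -noout -serial | sed 's/^serial=//'; }
issued_subject() { openssl x509 -in "$1/certs/$2.crt" -noout -subject; }

# Before trusting the result: the leaf chains to the CA, the CA is CA:TRUE,
# the leaf is CA:FALSE, and the database recorded it as valid (V).
verify_issued() {
    dir="$1"; name="$2"; crt="$dir/certs/$name.crt"
    openssl verify -CAfile "$dir/cacert.pem" "$crt" >/dev/null &&
    openssl x509 -in "$dir/cacert.pem" -noout -text | grep -q 'CA:TRUE' &&
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' &&
    grep -q '^V' "$dir/index.txt"
}

run_demo() {
    dir="$1"
    setup_ca "$dir" &&
    request_cert "$dir" smart-test "/C=CN/ST=BJ/L=BJ/O=G7/OU=IOT/CN=iot-parser" &&
    issue_cert "$dir" smart-test 365 &&
    verify_issued "$dir" smart-test &&
    echo "issued serial $(issued_serial "$dir" smart-test): $(issued_subject "$dir" smart-test)"
}

run_demo "$(mktemp -d)"
```

Run it as-is and the last line prints serial 01 and a subject without L=BJ, matching the output on the page. The CSR's L=BJ is dropped because policy_match does not list localityName; add localityName = optional (or match) to that section if you want it kept, or pass -preserveDN to openssl ca.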