
How to run your own certificate authority inside a company (private CA with OpenSSL on CentOS)

Date: 2019-12-08 05:50    Source: Operating Systems

Abstract: anyone who has dealt with Internet security has heard of CAs. Well-known sites such as Baidu, Tmall and JD pay every year for certificates issued by a commercial CA. A simple CA for use inside a company, however, is something we can build ourselves, and this post walks through how to do that with OpenSSL on CentOS.

Revoking a certificate

1. On the client, read the serial (and subject) of the certificate to be revoked:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

[root@centos app]#pwd
/root/app
[root@centos app]#openssl x509 -in service.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111

2. On the CA, check the serial and subject submitted by the client against the matching entry in index.txt; if they agree, revoke the certificate. The CA keeps its own copy of every issued certificate in newcerts/, named after the serial, so pass that file (not a glob such as newcerts/*.pem, which would revoke every certificate in the directory):
openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Create the CRL number file (the starting value 01 can be chosen freely; this is only needed once, before the first CRL is generated):
echo 01 > /etc/pki/CA/crlnumber
Generate (or regenerate) the certificate revocation list:
openssl ca -gencrl -out crl.pem
View the revocation list:
openssl crl -in crl.pem -noout -text

[root@centos CA]#pwd
/etc/pki/CA
[root@centos CA]#cat index.txt
V       180717080807Z           01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
###### revoke the certificate
[root@centos CA]#openssl ca -revoke newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
###### the database was updated: the entry's status changed from V (valid) to R (revoked), and the revocation timestamp was added in the third column
[root@centos CA]#cat index.txt                     
R       180717080807Z   170717090033Z   01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
###### create the CRL number file (initial value 01, can be customized)
[root@centos CA]#echo 01 > crlnumber
[root@centos CA]#tree
.
├── cacert.pem
├── certs
│   └── service.crt
├── crl
├── crlnumber
├── csr
│   └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 12 files
###### generate the certificate revocation list
[root@centos CA]#openssl ca -gencrl -out crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos CA]#tree
.
├── cacert.pem
├── certs
│   └── service.crt
├── crl
│   └── crl.pem
├── crlnumber
├── crlnumber.old
├── csr
│   └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 14 files
###### crlnumber now holds the number the next CRL will carry in its CRL Number extension (it is a CRL counter, not a certificate serial); the previous value is kept in crlnumber.old
[root@centos CA]#cat crlnumber
02
[root@centos CA]#cat crlnumber.old 
01
###### view the revocation list
[root@centos CA]#openssl crl -in crl/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
        Last Update: Jul 17 09:02:34 2017 GMT
        Next Update: Aug 16 09:02:34 2017 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jul 17 09:00:33 2017 GMT
    Signature Algorithm: sha1WithRSAEncryption
         5c:87:ce:3e:52:da:f3:6f:5f:d9:4a:f2:20:73:d1:22:d6:85:
         34:2d:0d:5a:99:6a:90:13:ec:ff:3c:b1:b2:ad:d9:c1:00:f3:
         29:0c:21:22:c6:76:2d:0a:8e:b1:23:76:70:c8:38:ae:28:2d:
         2a:b6:df:8e:87:cf:db:dd:79:db:17:ba:aa:73:1f:3c:b9:8e:
         69:e3:1b:24:30:56:f3:36:50:57:83:a5:ee:3e:c5:15:44:de:
         6d:38:b3:47:29:c6:e8:7a:6b:66:0e:4a:c7:23:c1:ef:d6:2b:
         fd:5a:c0:48:04:c1:33:b8:fb:78:3b:27:30:f8:76:0f:4d:44:
         35:13:0d:af:67:14:03:63:38:00:44:db:79:1c:0e:27:4d:5f:
         27:0b:2b:79:b2:94:75:19:1b:a9:79:1c:00:62:41:ad:28:ec:
         78:06:eb:04:0f:92:4d:01:42:e7:b3:a2:d5:82:6d:f2:4d:b6:
         00:1e:45:35:ab:ac:50:15:6d:1e:60:74:84:a3:d6:17:f4:21:
         b4:d7:5d:1e:ed:69:82:22:13:34:a8:60:5a:9e:70:cc:58:26:
         68:5d:92:dd:78:87:47:91:c8:94:12:89:43:fc:eb:1f:9f:8e:
         22:1e:19:4b:ea:6d:2d:0b:1c:e7:17:e7:e9:33:e6:19:37:6f:
         70:03:25:51

Part 2: Creating a private CA and requesting a certificate (overview of the steps)

1. How the pieces fit together:

Host A acts as the CA; host B is the company host that requests a certificate.

2. A self-signs its CA certificate. Before doing that, read the commented configuration file (vim /etc/pki/tls/openssl.cnf): it tells us how self-signing works and which directories the files we create must live in.

[Figure 1]

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept: the top-level directory, assigned to $dir, which all the entries below use

certs           = $dir/certs            # Where the issued certs are kept: certificates this CA has issued

crl_dir         = $dir/crl              # Where the issued crl are kept: certificate revocation lists

database        = $dir/index.txt        # database index file: a plain-text database recording every issued certificate, its serial and its status

#unique_subject = no                    # Set to 'no' to allow creation of several certificates with the same subject (i.e. issued to the same name)

new_certs_dir   = $dir/newcerts         # default place for new certs: the CA's own copy of each newly issued certificate

certificate     = $dir/cacert.pem       # The CA certificate: the CA's own, self-signed certificate

serial          = $dir/serial           # The current serial number: the serial the next issued certificate will get

crlnumber       = $dir/crlnumber        # the current crl number: the number the next CRL will get
                                        # must be commented out to leave a V1 CRL

crl             = $dir/crl.pem          # The current CRL: the file the revocation list is written to

private_key     = $dir/private/cakey.pem # The private key: where the CA's private key lives

RANDFILE        = $dir/private/.rand    # private random number file: seed file for the random number generator

3. Subject fields that must be supplied when requesting a certificate

[Figure 2]

[ policy_match ]   Note: "match" means the value in the client's request must be identical to the value in the CA's own certificate, otherwise the CA refuses to sign.

countryName            = match      # country
stateOrProvinceName    = match      # state or province
organizationName       = match      # organization / company name
organizationalUnitName = optional   # department
commonName             = supplied   # the host name (or name) the certificate is issued to; must be present
emailAddress           = optional   # e-mail address

(The alternative [ policy_anything ] section makes every field except commonName optional.)

4. Steps for B to request a certificate and have it signed:

① generate the certificate signing request (CSR)

② the RA verifies the requester's identity

③ the CA signs the request

④ the requester retrieves the certificate

 

Building the CA and requesting a certificate

Reference configuration file: /etc/pki/tls/openssl.cnf (the relevant sections are reproduced below)

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

Directories and files that will be used, with $dir expanded:

dir             = /etc/pki/CA           # Where everything is kept
certs           = /etc/pki/CA/certs            # Where the issued certs are kept
database        = /etc/pki/CA/index.txt        # database index file.
new_certs_dir   = /etc/pki/CA/newcerts         # default place for new certs.
certificate     = /etc/pki/CA/cacert.pem       # The CA certificate
serial          = /etc/pki/CA/serial           # The current serial number
private_key     = /etc/pki/CA/private/cakey.pem   # The private key

Note: by default the country, state/province and organization name in a client's request must be identical to those in the CA certificate, otherwise the CA will not issue the certificate. The reason is policy = policy_match in /etc/pki/tls/openssl.cnf. To lift the restriction, either change it to policy = policy_anything, or change countryName, stateOrProvinceName and organizationName under [ policy_match ] from match to optional.

Part 1: What a CA is

1. A Certificate Authority (CA), also called a certification center, is the authority that issues and manages digital certificates. It acts as the trusted third party in electronic commerce and is responsible for vouching for the legitimacy of public keys in a public-key system.

2. PKI: Public Key Infrastructure

  Certificate Authority: CA

  Registration Authority: RA

  Certificate Revocation List: CRL

3. Two ways to obtain a certificate:

• From a certificate authority

  generate a certificate signing request (CSR)

  send the CSR to the CA

  receive the signed certificate from the CA

• Self-signed certificate

  the key signs its own certificate

4. Example: open Baidu in a browser, press F12, and you can inspect the CA-issued certificate Baidu presents in the developer tools.

[Figure 3]

 

Server side: building the private CA

1. Create the files the CA needs
touch /etc/pki/CA/index.txt      # create the certificate index database (it must exist, even if empty)
echo 01 > /etc/pki/CA/serial     # serial of the first certificate to be issued (any value, but it must be written as an even number of hex digits; a single digit is rejected)
2. Generate the CA private key
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

[root@centos CA]#(umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................+++
....................................+++
e is 65537 (0x10001)

3. Self-sign (the CA issues a certificate to itself)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
-new: generate a new certificate signing request
-x509: used only by a CA to produce a self-signed certificate instead of a request
-key: the private key used to generate the request
-days n: validity period of the certificate in days (the run below uses 7300, i.e. 20 years, which is why Not After lands in 2037)
-out /PATH/TO/SOMECERTFILE: where to save the certificate

[root@centos CA]#openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:xmj
Organizational Unit Name (eg, section) []:x
Common Name (eg, your name or your server's hostname) []:xmj.com
Email Address []:

openssl x509 -in /etc/pki/CA/cacert.pem -noout -text    # view the CA certificate. Note that the certificate below is signed with sha1WithRSAEncryption, the default_md of older CentOS releases; modern browsers and TLS libraries reject SHA-1 signatures, so set default_md = sha256 (as in the configuration listing above) before issuing anything that clients must trust.

[root@centos CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11583334546095199587 (0xa0c045660683d563)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
        Validity
            Not Before: Jul 17 07:11:40 2017 GMT
            Not After : Jul 12 07:11:40 2037 GMT
        Subject: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:c1:ed:52:ee:9f:8b:52:2d:48:69:86:05:84:
                    30:8b:57:14:1f:04:23:2d:a3:3d:c5:87:5d:65:35:
                    61:65:0e:fc:74:93:88:be:2a:66:47:ea:e4:c6:e7:
                    0c:6b:74:4d:28:e9:eb:21:75:58:8a:61:83:84:d8:
                    7f:09:4a:0e:63:c9:e1:d6:26:92:46:94:79:3b:f1:
                    08:a3:f7:05:cc:f6:87:f7:74:29:67:71:f0:f4:82:
                    6a:bf:51:e9:99:01:4e:df:dc:ff:d7:88:54:22:06:
                    d4:76:e1:1b:4f:4e:8a:e4:2f:64:6e:2f:c4:0d:25:
                    2c:cd:4f:e3:d0:1f:3e:e2:2d:82:a5:12:7a:95:88:
                    10:08:36:71:59:af:3a:c5:bf:b5:1d:8c:11:79:bc:
                    d6:18:d5:cd:39:f7:66:8a:ef:19:11:22:e3:7d:3f:
                    db:2b:67:4d:e5:20:98:43:7b:a3:60:cb:da:75:65:
                    d0:e3:22:f7:d0:98:90:e5:c8:16:5b:65:c0:64:6a:
                    71:33:6a:80:5c:2d:47:b5:8a:b5:53:64:3d:70:a4:
                    77:a5:df:dc:67:53:d9:f3:55:3c:68:9c:c5:f8:61:
                    25:ff:8b:e1:9a:2c:11:0f:4f:ad:f6:da:55:e9:d8:
                    57:d3:81:6d:45:b9:f0:f3:4f:c6:bb:2c:9b:de:4e:
                    cd:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
            X509v3 Authority Key Identifier: 
                keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         c1:1f:ab:c9:3b:61:71:ff:21:b4:6f:03:0e:de:e8:f7:78:be:
         b7:1c:50:85:6d:20:5a:4f:fa:22:6b:b6:29:d0:a2:a2:dc:7e:
         95:bc:14:a4:84:49:9f:cb:cd:27:1e:c9:8f:5a:98:89:a4:1d:
         af:76:b8:13:6d:96:d3:f7:7d:8b:9a:b7:26:71:63:32:af:59:
         d2:12:0a:4f:4b:e8:55:c2:79:ef:da:bd:2d:ea:c2:7a:3d:87:
         4d:7f:51:22:48:f8:84:2e:0b:43:8c:a4:6b:e3:ea:d7:79:3b:
         f2:ee:8f:26:f6:08:97:b7:e1:b2:0a:a7:30:46:23:04:74:d8:
         75:22:77:ac:1a:88:db:41:e5:a9:e6:9d:18:a5:14:44:58:c5:
         87:4e:f0:b1:ce:01:a7:8d:c5:ed:0a:51:04:c5:a6:9a:c9:00:
         64:1b:21:96:58:69:54:05:1a:3b:14:10:d0:6a:49:db:78:34:
         69:77:c9:24:33:63:85:fc:41:0f:f8:e0:da:9e:ca:c7:10:fe:
         7e:03:8f:60:e2:bb:56:92:38:12:a4:e7:d3:6a:07:f1:c6:44:
         81:f1:68:81:d8:c4:92:91:0a:b9:28:1d:ea:17:3b:ef:91:8c:
         ab:b1:78:6d:c8:ac:63:02:3a:12:ba:d0:bb:bc:2d:28:c4:ba:
         cb:59:7a:5e

Part 6: Revoking a certificate

1. On the client (host B), read the serial of the certificate to be revoked:

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

2. On the CA (host A), check the serial and subject submitted by the client against the entry in index.txt; if they match, revoke the certificate (the CA's copy in newcerts/ is named after the serial, which is 99 in this part's example):

openssl ca -revoke newcerts/99.pem

3. Set the number of the first CRL

Note: this is only needed once, before the first CRL is generated.

echo 01 > /etc/pki/CA/crlnumber

4. Generate the certificate revocation list, then publish it at a URL relying parties can fetch, so that everyone learns of the revocation:

openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem

5. View the CRL file:

openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text

[Figure 4]

You can also view it on Windows: transfer the file with sz and rename it with a .crl extension.

[Figure 5]

That is all on CA certificates.

 

Client side: requesting a certificate

1. Generate a private key for the web server
(umask 077; openssl genrsa -out /root/app/service.key 2048)
2. Request a certificate
Generate the certificate signing request
openssl req -new -key /root/app/service.key -out /root/app/service.csr
3. Send the request file to the CA host
scp /root/app/service.csr IP:/etc/pki/CA

Part 4: B (the client) requests a certificate

1. Generate the private key (CentOS 6)

(umask 066; openssl genrsa -out /app/service.key 2048)

2. Use the private key to generate the certificate signing request; do this on the host that will use the certificate

openssl req -new -key /app/service.key -out /app/service.csr

(-days has no effect on a request: it only applies to self-signed certificates made with -x509; the validity of the issued certificate is decided by the CA when it signs.)

[Figure 6]

3. Send the request file to the CA

scp /app/service.csr 192.168.30.107:/etc/pki/CA

The CA signs the request and issues the certificate to the requester

CA host
1. Create a directory for incoming client requests
mkdir /etc/pki/CA/csr
mv /etc/pki/CA/service.csr /etc/pki/CA/csr

[root@centos CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
├── serial
└── service.csr

4 directories, 5 files
[root@centos CA]#mkdir csr
[root@centos CA]#mv service.csr csr
[root@centos CA]#tree
.
├── cacert.pem
├── certs
├── crl
├── csr
│   └── service.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

5 directories, 5 files
[root@centos CA]#ll
total 28
-rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 certs
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
-rw-r--r--. 1 root root    0 Jul 17 14:55 index.txt
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 newcerts
drwx------. 2 root root 4096 Jul 17 15:00 private
-rw-r--r--. 1 root root    3 Jul 17 14:55 serial

2. Issue the certificate
openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365

[root@centos CA]#pwd
/etc/pki/CA
[root@centos CA]#openssl ca -in csr/service.csr -out certs/service.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 17 08:08:07 2017 GMT
            Not After : Jul 17 08:08:07 2018 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = henan
            organizationName          = xmj
            organizationalUnitName    = m
            commonName                = www.xmj.com
            emailAddress              = 111111
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
            X509v3 Authority Key Identifier: 
                keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF

Certificate is to be certified until Jul 17 08:08:07 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos CA]#ll
total 40
-rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
drwxr-xr-x. 2 root root 4096 Jul 17 16:08 certs
drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
-rw-r--r--. 1 root root   89 Jul 17 16:08 index.txt
-rw-r--r--. 1 root root   21 Jul 17 16:08 index.txt.attr
-rw-r--r--. 1 root root    0 Jul 17 14:55 index.txt.old
drwxr-xr-x. 2 root root 4096 Jul 17 16:08 newcerts
drwx------. 2 root root 4096 Jul 17 15:00 private
-rw-r--r--. 1 root root    3 Jul 17 16:08 serial
-rw-r--r--. 1 root root    3 Jul 17 14:55 serial.old
[root@centos CA]#cd newcerts/
[root@centos newcerts]#ls
01.pem
[root@centos newcerts]#cd ..
###### serial now holds the serial that the next issued certificate will get
[root@centos CA]#cat serial
02
###### the database has been updated; V is the status: issued and valid
[root@centos CA]#cat index.txt
V       180717080807Z           01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
[root@centos CA]#tree
.
├── cacert.pem
├── certs
│   └── service.crt
├── crl
├── csr
│   └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

5 directories, 10 files
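The index.txt database shown above is plain text, which makes it easy to audit from a shell. The following is an added example and not code from the original post: it defines small awk-based helpers (the ca_db_* names are my own) over a constructed sample database, whose first row mirrors the entry above while the other rows are made up. They list serials by status, look up the subject recorded for a serial so that the serial/subject comparison in the revocation procedure can be scripted, and flag entries still marked V whose notAfter has already passed.

```sh
#!/bin/sh
# Added example: audit an "openssl ca" index.txt with plain awk.
# Each line is TAB-separated:
#   1 status      V = valid, R = revoked, E = expired
#   2 expiry      notAfter as YYMMDDHHMMSSZ (ASN.1 UTCTime)
#   3 revoked     revocation date, empty unless status is R
#   4 serial      hex serial, matches newcerts/<serial>.pem
#   5 filename    "unknown" (openssl ca does not track the file name)
#   6 subject     the DN, /C=../ST=../O=../CN=..
set -eu

# Constructed sample database (first row mirrors the page's entry, the rest are made up).
row() { printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }
INDEX_SAMPLE=$(
  row V 180717080807Z ''            01 unknown '/C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111'
  row R 190101000000Z 170717090033Z 02 unknown '/C=cn/ST=henan/O=xmj/CN=mail.xmj.com'
  row V 471231235959Z ''            03 unknown '/C=cn/ST=henan/O=xmj/CN=api.xmj.com'
)

# All helpers read the database on stdin, so they work on the real file too:
#   ca_db_serials R < /etc/pki/CA/index.txt

# ca_db_serials STATUS -> serials with that status, one per line
ca_db_serials() { awk -F'\t' -v want="$1" '$1 == want { print $4 }'; }

# ca_db_status SERIAL -> V, R or E, or "absent" if the serial is not in the database
ca_db_status() {
    awk -F'\t' -v s="$1" 'BEGIN { r = "absent" } $4 == s { r = $1 } END { print r }'
}

# ca_db_subject SERIAL -> the subject DN recorded for that serial
ca_db_subject() { awk -F'\t' -v s="$1" '$4 == s { print $6 }'; }

# ca_db_match SERIAL SUBJECT -> exit 0 only if the database has SERIAL with exactly
# that subject; this is the check step 2 of the revocation procedure performs by eye
# against the client's "openssl x509 -noout -serial -subject" output.
ca_db_match() {
    recorded=$(ca_db_subject "$1")
    [ -n "$recorded" ] && [ "$recorded" = "$2" ]
}

# ca_db_stale_valid NOW -> serials still marked V whose notAfter is before NOW
# (YYMMDDHHMMSSZ). openssl ca only flips V to E when "openssl ca -updatedb" is run,
# so V alone does not mean "currently valid". The string comparison is only correct
# within one UTCTime century (00-49 = 2000-2049), which is why the sample uses 47.
ca_db_stale_valid() { awk -F'\t' -v now="$1" '$1 == "V" && $2 < now { print $4 }'; }

# Stand-alone run: revoked serials, then entries marked V that have already expired
printf '%s\n' "$INDEX_SAMPLE" | ca_db_serials R
printf '%s\n' "$INDEX_SAMPLE" | ca_db_stale_valid "$(date -u +%y%m%d%H%M%SZ)"
```

Because the helpers read standard input, the same functions run unchanged against /etc/pki/CA/index.txt on the CA host; the stale check is the one worth scheduling, since a certificate can be past its notAfter and still be listed as V until -updatedb is run.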

3. Inspecting the issued certificate
openssl x509 -in /etc/pki/CA/certs/service.crt -noout -text    # or -issuer, -subject, -serial, -dates to print a single field
openssl ca -status SERIAL    # show the status (valid or revoked) recorded in index.txt for that serial

[root@centos CA]#openssl x509 -in certs/service.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
        Validity
            Not Before: Jul 17 08:08:07 2017 GMT
            Not After : Jul 17 08:08:07 2018 GMT
        Subject: C=cn, ST=henan, O=xmj, OU=m, CN=www.xmj.com/emailAddress=111111
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:a1:a2:49:f0:e5:9a:fd:3f:e6:87:24:0e:79:
                    6b:3e:05:db:52:06:d7:34:15:4a:2c:92:48:1f:c1:
                    0f:c6:7d:18:4b:fd:d0:82:10:c1:a4:9e:ae:65:05:
                    6a:2c:e4:53:cd:0d:07:cf:ff:77:1a:b6:3d:87:0f:
                    c5:b9:81:82:bb:7c:ef:9b:1b:24:82:f1:1e:2a:4d:
                    0c:a1:a5:1b:43:ad:33:01:e3:a4:ee:4f:d8:28:7a:
                    e7:fa:e4:fc:08:f4:89:13:e7:ca:85:77:00:34:15:
                    3d:61:02:74:bc:7d:af:13:de:02:4e:c2:ac:60:7d:
                    ff:2b:70:ed:06:66:6a:1f:63:c0:a2:bf:87:6d:d8:
                    dc:dc:14:70:3c:e3:14:72:75:b4:6d:d1:e8:28:72:
                    f5:f5:0f:9c:32:c5:cb:04:54:e9:51:32:5d:d9:5e:
                    71:54:3a:da:d4:33:ed:ac:14:25:6d:4b:c8:08:33:
                    11:f5:9f:ba:04:95:8b:d3:c9:11:e3:16:ae:c3:23:
                    d1:12:f0:80:cb:e9:d6:5b:03:d5:9e:1e:11:e2:4a:
                    ec:7a:c8:fd:69:ab:56:2d:3e:f3:db:48:a0:a6:b3:
                    0a:17:20:f0:bb:f8:e9:3d:a1:f3:87:a3:13:a6:93:
                    f9:9c:cd:88:cc:73:af:43:6a:ce:2f:5f:f6:08:a1:
                    31:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
            X509v3 Authority Key Identifier: 
                keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF

    Signature Algorithm: sha1WithRSAEncryption
         2e:a5:ed:ab:b7:b1:e5:fb:03:e7:dd:4e:15:61:25:81:c3:ee:
         a6:e4:60:e2:74:36:61:8b:39:e4:25:fd:12:12:ce:37:28:fe:
         7d:1f:c4:c7:fa:fc:60:a9:e9:36:1d:b9:23:e9:d9:91:e3:e0:
         b2:e2:32:41:a7:4e:8d:a4:9e:33:0d:66:b9:cb:1a:7c:31:61:
         78:18:ce:03:50:b1:e1:07:b9:39:0d:f5:c8:80:b9:d6:06:0f:
         4c:5a:67:29:3c:34:70:c6:d5:2d:d8:5f:0b:4d:ba:0e:8c:cb:
         56:b9:fb:df:5f:58:df:ab:7e:ac:41:9e:32:74:65:b3:2d:70:
         d2:f7:78:05:17:47:bb:ef:de:44:b3:8b:70:03:11:da:79:eb:
         e9:57:9d:e8:c2:43:43:73:72:b6:ff:e4:bc:0f:41:38:b7:af:
         7a:74:b2:17:57:c5:8a:8d:b5:d1:ba:aa:42:bf:3f:17:f3:54:
         8e:54:86:3c:95:0a:d1:27:d6:a7:ce:f6:c5:2b:e6:79:68:76:
         6a:5b:bb:d9:6a:23:7a:f2:3d:41:bb:f5:ec:29:fc:0a:46:e5:
         11:8b:04:39:86:6e:7d:59:50:7e:2c:47:f2:9f:20:31:54:07:
         87:1e:39:af:28:dd:c0:c2:6f:2a:89:91:c6:25:2a:35:0e:f9:
         a6:2e:51:62
[root@centos CA]#openssl x509 -in certs/service.crt -noout -issuer
issuer= /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
[root@centos CA]#openssl x509 -in certs/service.crt -noout -subject
subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
[root@centos CA]#openssl x509 -in certs/service.crt -noout -serial
serial=01
[root@centos CA]#openssl x509 -in certs/service.crt -noout -dates
notBefore=Jul 17 08:08:07 2017 GMT
notAfter=Jul 17 08:08:07 2018 GMT
[root@centos CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

4. Copy the issued certificate (certs/service.crt) back to the client; send cacert.pem along with it, since the client needs the CA certificate to present a complete chain and to verify certificates issued by this CA.

Part 3: A creates the private CA

1. Create the required files (if they are missing, the later steps fail)

touch /etc/pki/CA/index.txt      # create the certificate index database

echo 99 > /etc/pki/CA/serial     # serial of the first certificate to be issued; normally 01, but any value with an even number of hex digits (2 or 4 digits) works; this part uses 99 as the example

2. The CA self-signs its certificate

Generate the private key

cd /etc/pki/CA/

(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem [-des3] 2048)

The key can be generated encrypted (-des3) or unencrypted. An encrypted key must be unlocked with its passphrase every time the CA signs, so for convenience in this lab it is left unencrypted; an encrypted key is the safer choice for a real CA.

tree /etc/pki/CA/    # shows that cakey.pem has been created

[Figure 7]

Generate the self-signed certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem    (req: request, -x509: self-sign, cacert.pem: the resulting CA certificate)

  req: request a certificate

  -new: generate a new certificate signing request

  -x509: used only by a CA to generate a self-signed certificate

  -key: the private key used for the request

  -days n: validity period in days

  -out /PATH/TO/SOMECERTFILE: where to save the certificate

[Figure 8]

③ View it

cat /etc/pki/CA/cacert.pem only prints the Base64-encoded certificate, so cat cannot show its contents; use the command below instead

openssl x509 -in /etc/pki/CA/cacert.pem -noout -text    (-text: print the decoded certificate)

[Figure 9]

④ It can also be transferred to Windows for viewing; rename it with a .cer or .crt extension first, otherwise Windows does not recognise it; send it with sz.

[Figure 10]

 

Part 5: A signs the certificate

1. For easier management, create a directory dedicated to incoming requests and move them into it (optional)

mkdir csr

mv service.csr csr/

2. The CA signs the request and issues the certificate to the requester

openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 100

Note: by default the country, state/province and organization name must be identical to those of the CA (policy_match)

[Figure 11]

After signing, several files are created or updated (index.txt, index.txt.attr, serial and the CA's copy under newcerts/, named after the serial):

[Figure 12]

3. View the information in the certificate:

openssl x509 -in /etc/pki/CA/certs/service.crt -noout -text

[Figure 13]

openssl ca -status 99    # show the status of the certificate with serial 99

It can also be transferred to Windows for a clearer view; send it with sz

[Figure 14]

 
