20.1. CA的搭建¶
20.1.1. CA服务器的配置¶
[root@localhost CA]# cd /etc/pki/CA/
[root@localhost CA]# sed -r -i 's@#?countryName_default.*@countryName_default=cn@' /etc/pki/tls/openssl.cnf
[root@localhost CA]# sed -r -i 's@#?stateOrProvinceName_default.*@stateOrProvinceName_default=henan@' /etc/pki/tls/openssl.cnf
[root@localhost CA]# sed -r -i 's@#?localityName_default.*@localityName_default=zhengzhou@' /etc/pki/tls/openssl.cnf
[root@localhost CA]# sed -r -i 's@#?0.organizationName_default.*@0.organizationName_default=linuxpanda@' /etc/pki/tls/openssl.cnf
[root@localhost CA]# sed -r -i 's@#?organizationalUnitName_default.*@organizationalUnitName_default=opt@' /etc/pki/tls/openssl.cnf
# 在CA目录创建一个Makefile
[root@localhost CA]# wget http://download.linuxpanda.tech/ca/Makefile
# 先获取make的帮助使用
[root@localhost CA]# make usage
This makefile allows you to create:
make init
make ca
make /etc/httpd/ssl/http.key
make /etc/httpd/ssl/httpd.csr
make copytoca csr=httpd.csr
make copytoclient crt=httpd.crt ip=192.168.46.1
make httpd.csr
make revoke crt=httpd
# 初始化创建文件
[root@localhost CA]# make init
# 创建ca私钥和对应的自签证书
[root@localhost CA]# make ca
umask 77 ; \
/usr/bin/openssl genrsa -out private/cakey.pem 2048 ; \
/usr/bin/openssl req -utf8 -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 ;
Generating RSA private key, 2048 bit long modulus
......................................................+++
............+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [henan]:
Locality Name (eg, city) [zhengzhou]:
Organization Name (eg, company) [linuxpanda]:
Organizational Unit Name (eg, section) [opt]:
Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.tech
Email Address []:
20.1.2. 客户端的配置¶
这里使用为http配置为例,同样需要那个Makedown文件
[root@localhost CA]# wget http://download.linuxpanda.tech/ca/Makefile
# 先获取make的帮助使用
[root@localhost CA]# make usage
This makefile allows you to create:
make init
make ca
make /etc/httpd/ssl/http.key
make /etc/httpd/ssl/httpd.csr
make copytoca csr=httpd.csr
make copytoclient crt=httpd.crt ip=192.168.46.1
make httpd.csr
make revoke crt=httpd
[root@localhost CA]# yum install httpd -y
[root@localhost CA]# mkdir /etc/httpd/ssl
[root@localhost CA]# make /etc/httpd/ssl/httpd.key
umask 77 ; \
/usr/bin/openssl genrsa 2048 > /etc/httpd/ssl/httpd.key
Generating RSA private key, 2048 bit long modulus
...........+++
...............+++
e is 65537 (0x10001)
[root@localhost CA]# make /etc/httpd/ssl/httpd.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [henan]:
Locality Name (eg, city) [zhengzhou]:
Organization Name (eg, company) [linuxpanda]:
Organizational Unit Name (eg, section) [opt]:
Common Name (eg, your name or your server's hostname) []:www.linuxpanda.tech
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost CA]# make copytoca crt=/etc/httpd/ssl/httpd.csr
scp /etc/httpd/ssl/httpd.csr 192.168.46.129:/etc/pki/CA/csr/
root@192.168.46.129's password:
httpd.csr 100% 1017 319.1KB/s 00:00
20.1.3. CA颁发证书¶
[root@localhost CA]# make httpd.crt
/usr/bin/openssl ca -utf8 -days 365 -in csr/httpd.csr -out certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 13 04:49:57 2018 GMT
Not After : Feb 13 04:49:57 2019 GMT
Subject:
countryName = cn
stateOrProvinceName = henan
organizationName = linuxpanda
organizationalUnitName = opt
commonName = www.linuxpanda.tech
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EE:92:FF:A7:15:8F:39:DD:65:AC:B4:F1:59:76:04:32:18:9B:25:8E
X509v3 Authority Key Identifier:
keyid:B0:9B:0B:62:50:40:E3:00:C6:4D:4F:3E:76:F9:E0:6F:A6:18:20:1C
Certificate is to be certified until Feb 13 04:49:57 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# make copytoclient crt=htttpd.crt ip=192.168.46.2
20.1.4. CA吊销证书¶
[root@localhost CA]# make showcrt crt=certs/httpd.crt
/usr/bin/openssl x509 -in certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=cn/ST=henan/O=linuxpanda/OU=opt/CN=www.linuxpanda.tech
[root@localhost CA]# make revoke crt=certs/httpd.crt
/usr/bin/openssl ca -revoke certs/httpd.crt ; \
/usr/bin/openssl ca -gencrl -out crl/ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
Using configuration from /etc/pki/tls/openssl.cnf
[root@localhost CA]# make showcrl
/usr/bin/openssl crl -in crl/ca.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=cn/ST=henan/L=zhengzhou/O=linuxpanda/OU=opt/CN=ca.linuxpanda.tech
Last Update: Feb 13 04:53:35 2018 GMT
Next Update: Mar 15 04:53:35 2018 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Feb 13 04:53:35 2018 GMT
Signature Algorithm: sha256WithRSAEncryption
48:3e:bb:f4:6c:1a:e3:61:5d:c7:68:db:37:2f:97:e4:18:c7:
dc:40:56:7b:60:13:d7:07:9f:5e:e5:7b:0d:f4:33:fc:5a:a9:
1d:5f:ee:b9:64:cf:80:bc:a5:0c:fe:e5:ba:9a:f7:cc:1c:54:
63:53:d9:44:cc:a5:2c:0b:98:b5:c1:4a:2e:ca:27:3c:c9:4e:
f4:af:8b:7a:13:52:78:e1:84:96:1a:e0:64:4b:6b:a4:f2:c0:
42:37:f4:23:da:32:04:87:43:aa:97:c7:e9:16:2a:88:df:6a:
26:45:74:4e:6b:36:d5:6d:d7:13:82:e4:57:8e:31:5d:71:73:
1a:a9:cb:76:c9:48:b1:ca:6a:b9:00:c2:07:4e:35:5b:18:0b:
db:e6:0e:df:ef:75:da:ab:58:01:b4:ab:9c:89:85:f5:4c:67:
2b:61:3e:e3:f0:bd:7d:39:1a:d3:ce:1d:28:55:a1:cb:92:8f:
73:ed:0e:77:7a:ec:56:97:d4:64:05:c8:05:8f:c8:d8:c5:7c:
05:24:f8:a4:98:ff:71:48:2d:2d:b3:a5:a2:de:c2:02:62:38:
a4:88:96:43:84:e2:9b:a4:a5:09:0f:3c:26:57:6b:f5:53:75:
df:08:c1:8a:ab:a7:26:66:b8:1f:21:26:c8:6c:11:27:10:6e:
e2:fa:29:7c