openssl certificate creation and requests

Source: Internet | Published by: 国际版的中国软件 | Editor: 程序博客网 | Date: 2024/05/20 05:55

Introduction to OpenSSL

What OpenSSL provides:
1. A security protocol that gives network communication confidentiality and data integrity. It covers the major cryptographic algorithms, the common key and certificate management functions and the SSL protocol, and ships with a rich set of applications for testing and other purposes.
2. openssl itself is only the multi-purpose command-line tool of the OpenSSL open-source suite.
The OpenSSL suite consists of:
openssl: the multi-purpose command-line tool, package openssl
libcrypto: the cryptographic algorithm library, package openssl-libs
libssl: the library that implements SSL and TLS on top of the crypto library, package nss

Why OpenSSL is needed

  • Network communication involves a large amount of data exchange. Without a complete encryption and decryption mechanism, sensitive information and data would leak, and secure network communication would be impossible.
  • Fortunately the OpenSSL suite provides strong functionality in this area, and it is open source; it is now widely used in network communication mechanisms.
  • By deploying a CA (Certificate Authority) server within a limited scope, you can implement certificate authentication and authorization inside a LAN and protect the data in transit. The hands-on deployment also shows how the large international CAs work, which builds knowledge for enterprise-level certificate management.

Building a private CA with openssl

What follows only covers deploying a CA server inside a LAN. Enterprise applications need to buy the service of a professional CA to obtain an internationally recognised certificate.

1: First look at the default configuration rules for the root certificate: cat /etc/pki/tls/openssl.cnf

```
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
.....
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
```

By default ([ policy_match ]) the countryName, stateOrProvinceName and organizationName of a certificate to be issued must be identical to those of the root certificate, otherwise issuance fails. If you do not want them to match, change match to optional.

index.txt is the certificate database index; if it does not exist under /etc/pki/CA it must be created. serial is the file that holds the certificate serial number.
cacert.pem is the name of the certificate of the issuing authority.
private/cakey.pem is the private key of the CA certificate.
When creating certificates, the default names must be the ones above; otherwise creation fails.

Steps to create the CA and request certificates

The lab environment is as follows (the figure is not included): the root CA server runs CentOS 6.9, server 1 runs CentOS 7.3.
1 Root CA server configuration
1.1 Create the required files
touch /etc/pki/CA/index.txt   creates the certificate index database file
echo 01 > /etc/pki/CA/serial   sets the serial number of the first certificate to be issued
1.2 Generate the private key for the CA certificate

```
[root@Centos6.9 private]#(umask 066;openssl genrsa -out cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................+++
......................+++
e is 65537 (0x10001)
[root@Centos6.9 private]#ll
total 4
-rw-------. 1 root root 1679 Sep 5 14:26 cakey.pem
```
1.3 Generate the self-signed certificate

```
[root@Centos6.9 CA]#openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
```

(-x509 selects the certificate format, -key private/cakey.pem is the private key generated above, -days 3650 is the certificate lifetime in days, and cacert.pem is the name of the generated certificate; by default it must have this name.)

```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:redhat
Organizational Unit Name (eg, section) []:yy
Common Name (eg, your name or your server's hostname) []:centos6
Email Address []:
```

2. Server 1 configuration
2.1 Generate the private key

```
[root@centos7 pki]#(umask 066; openssl genrsa -out app.key 2048 )
Generating RSA private key, 2048 bit long modulus
........................+++
.........................................................................+++
e is 65537 (0x10001)
[root@centos7 pki]#ll
total 16
-rw-------  1 root root 1679 Sep  9 19:45 app.key
drwxr-xr-x. 6 root root   61 Jul 14 11:20 CA
drwxr-xr-x. 4 root root   73 Jul 14 11:18 ca-trust
drwxr-xr-x. 2 root root   21 Jul 14 11:18 java
drwxr-xr-x. 2 root root  103 Jul 14 11:19 nssdb
```

(This generates the private key app.key; the name can be chosen freely.)

2.2 Generate the certificate request from the private key

```
[root@centos7 pki]#openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN        <- must match the CA server
State or Province Name (full name) []:BJ    <- must match the CA server
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:redhat  <- must match the CA server
Organizational Unit Name (eg, section) []:yy
Common Name (eg, your name or your server's hostname) []:centos7
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 pki]#ll
total 20
-rw-r--r--  1 root root  989 Sep  9 19:50 app.csr
-rw-------  1 root root 1679 Sep  9 19:45 app.key
drwxr-xr-x. 6 root root   61 Jul 14 11:20 CA
drwxr-xr-x. 4 root root   73 Jul 14 11:18 ca-trust
drwxr-xr-x. 2 root root   21 Jul 14 11:18 java
drwxr-xr-x. 2 root root  103 Jul 14 11:19 nssdb
```

(This generates a certificate request named app.csr.)

2.3 Upload the generated certificate request to the CA server

```
[root@centos7 pki]#scp app.csr 192.168.10.30:/etc/pki/CA/
root@192.168.10.30's password:
app.csr                                                      100%  989     1.0KB/s   00:00
```

3. The root CA server issues the certificate

```
[root@Centos6.9 CA]#openssl ca -in app.csr -out app.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17 (0x11)
        Validity
            Not Before: Sep  5 07:03:41 2017 GMT
            Not After : Sep  5 07:03:41 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = redhat
            organizationalUnitName    = yy
            commonName                = centos7
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:42:18:5F:0F:4A:A4:9E:84:B0:E5:41:2D:B4:13:E4:C4:1A:11:A3
            X509v3 Authority Key Identifier:
                keyid:ED:AA:59:17:F7:8E:35:C2:DF:4E:0B:E7:9F:D4:9D:77:E3:2B:22:A9
Certificate is to be certified until Sep  5 07:03:41 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

(This issues a certificate named app.crt for the received request app.csr.)

View the issued certificates in index.txt; the new entry shows that the certificate was generated. serial holds the serial number of the next certificate to be issued, serial.old the previous one:

```
[root@Centos6.9 CA]#cat index.txt
V       180905070341Z           11      unknown /C=CN/ST=BJ/O=redhat/OU=yy/CN=centos7
[root@Centos6.9 CA]#cat serial
12
[root@Centos6.9 CA]#cat serial.old
11
```

3.2 The root CA sends the certificate to server 1

```
[root@Centos6.9 CA]#scp app.crt 192.168.10.33:/etc/pki/CA
app.crt 100% 4386 4.3KB/s 00:00
```

This completes the certificate request and issuance by the root CA.
4 Certificate installation
Import the root certificate and the app.crt certificate issued to server 1 onto the PC. Install the root certificate first and add it to the trusted store (screenshot omitted).
After the root certificate is installed, install the app.crt certificate; when finished the result looks like this (screenshot omitted).

Requesting a subordinate certificate

Now server 1 issues a subordinate certificate to server 2. The idea is as follows: for server 1 to issue certificates to others, it must have a cacert.pem certificate under /etc/pki/CA/, but it cannot generate this certificate itself; it must be issued by the root CA server. So server 1 first generates a certificate request and sends it to the root CA server, and the root CA issues a certificate for server 1 based on that request. Then server 2 generates a certificate request and sends it to server 1, and server 1 can issue server 2's certificate.

1. Server 1 configuration
The configuration on server 1 is similar to the root CA configuration above:

```
[root@centos7 CA]#echo 01 > serial
[root@centos7 CA]#touch index.txt
[root@centos7 CA]#ll
total 12
-rw-------  1 root root 4386 Sep  9 20:08 app.crt
-rw-------  1 root root    0 Sep  9 21:07 cert2.crt
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--  1 root root    0 Sep  9 21:10 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root    6 Nov  6  2016 private
-rw-r--r--  1 root root    3 Sep  9 21:10 serial
[root@centos7 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................................................................................+++
.....................................................................................+++
e is 65537 (0x10001)
```

(This generates the private key named cakey.pem.)

```
[root@centos7 CA]#openssl req -new -key private/cakey.pem -out subca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  <- must match the root CA
State or Province Name (full name) []:BJ <- must match the root CA
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:redhat  <- must match the root CA
Organizational Unit Name (eg, section) []:subca
Common Name (eg, your name or your server's hostname) []:centos7-2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 CA]#ll
total 16
-rw-------  1 root root 4386 Sep  9 20:08 app.crt
-rw-------  1 root root    0 Sep  9 21:07 cert2.crt
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--  1 root root    0 Sep  9 21:10 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root   23 Sep  9 21:13 private
-rw-r--r--  1 root root    3 Sep  9 21:10 serial
-rw-r--r--  1 root root  989 Sep  9 21:17 subca.csr
[root@centos7 CA]#scp subca.csr 192.168.10.30:/etc/pki/CA/
```

(The request subca.csr is generated with cakey.pem; the name subca can be chosen freely. The last command sends the subca.csr request to the root CA server.)

2 Root CA server configuration:

```
[root@Centos6.9 CA]#openssl ca -in subca.csr -out certs/subca.crt -days 3000
[root@Centos6.9 CA]#scp certs/subca.crt 192.168.10.33:/etc/pki/CA/cacert.pem
```

(This sends the generated certificate subca.crt to server 1, where it is stored under the name cacert.pem; the path must be /etc/pki/CA/cacert.pem unless the CA configuration file is changed.)

3. Server 2 configuration:

```
[root@yys ~]#(umask 066; openssl genrsa -out centos.key 1024 )
Generating RSA private key, 1024 bit long modulus
......++++++
..............++++++
e is 65537 (0x10001)
```

(This generates the private key centos.key.)

```
[root@yys ~]#openssl req -new -key centos.key -out centos.scr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   <- must match the root certificate
State or Province Name (full name) []:BJ <- must match the root certificate
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:redhat  <- must match the root certificate
Organizational Unit Name (eg, section) []:hehe
Common Name (eg, your name or your server's hostname) []:centos6.9-2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

(This generates a request named centos.scr from centos.key; the name can be chosen freely.)

Send it to the intermediate CA, server 1:

```
[root@yys ~]#scp centos.scr 192.168.10.33:/etc/pki/CA
```

4 Server 1 issues the certificate to server 2

```
[root@centos7 CA]#openssl ca -in centos.scr -out centos.crt
```

(This issues a certificate named centos.crt for the request centos.scr; the name can be chosen freely.)

View the certificate information in index.txt:

```
[root@centos7 CA]#cat index.txt
V 180909135045Z 01 unknown /C=CN/ST=BJ/O=redhat/OU=hehe/CN=centos6.9-2
```

This completes the subordinate certificate request. Now import server 1's cacert.pem and centos.crt onto the PC: place cacert.pem under Intermediate Certification Authorities, then install centos.crt. After installation the certificate path looks like this (screenshot omitted).
With this, requesting and installing the subordinate certificate is complete.

Certificate revocation

  • A. On the client, obtain the serial of the certificate to be revoked:
    openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
  • B. On the CA, compare the serial and subject submitted by the client against the entries in index.txt, and if they agree revoke the certificate:
    openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
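The script below is an added example and not code from the original post. It runs the whole procedure of the previous sections non-interactively in a scratch directory: root CA, server 1 as a subordinate CA, server 2 as the leaf, then the [ policy_match ] rule from the configuration section (a request whose O differs is refused) and the revocation step above followed by CRL generation and a CRL-checked verification. Assumptions: the directory layout, the subject names and the minimal openssl.cnf the script writes (it mirrors the [ CA_default ] and [ policy_match ] sections quoted earlier); -subj and -batch replace the interactive prompts. One caveat it addresses: the post issues server 1's cacert.pem with `openssl ca` and the default usr_cert extensions, so that certificate carries "Basic Constraints: CA:FALSE" (the same line visible in step 3 of the root CA section), and a strict validator such as `openssl verify` will not accept a chain through it. The script therefore passes -extensions v3_ca when the root signs the sub-CA request. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not the original post's code: the post's three-tier chain (root CA,
# server 1 as sub-CA, server 2 leaf) built in a scratch directory, then policy_match,
# revocation and CRL checking. Paths, subjects and the config below are assumptions.
# Minimal CA config for one CA directory ($1), mirroring the [ CA_default ] and
# [ policy_match ] sections of /etc/pki/tls/openssl.cnf that the post shows.
write_ca_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}
# The files `openssl ca` expects (the post's touch index.txt / echo 01 > serial) plus the CA key.
init_ca_dir() {
  mkdir -p "$1/newcerts" "$1/private"
  : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  write_ca_cnf "$1"
  (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
}
# Build root CA, sub-CA (server 1) and leaf (server 2) under directory $1.
setup_chain() {
  D=$1
  init_ca_dir "$D/root"; init_ca_dir "$D/sub"
  # Root: self-signed with the v3_ca extensions (CA:TRUE, keyCertSign).
  openssl req -new -x509 -config "$D/root/openssl.cnf" -extensions v3_ca \
    -key "$D/root/private/cakey.pem" -days 3650 \
    -subj "/C=CN/ST=BJ/O=redhat/CN=centos6" -out "$D/root/cacert.pem" 2>/dev/null
  # Sub-CA: CSR signed by the root. "-extensions v3_ca" is the part the post omits;
  # without it the sub-CA cert gets usr_cert's CA:FALSE and cannot anchor a chain.
  openssl req -new -config "$D/sub/openssl.cnf" -key "$D/sub/private/cakey.pem" \
    -subj "/C=CN/ST=BJ/O=redhat/OU=subca/CN=centos7-2" -out "$D/subca.csr" 2>/dev/null
  openssl ca -batch -config "$D/root/openssl.cnf" -extensions v3_ca -days 3000 \
    -in "$D/subca.csr" -out "$D/sub/cacert.pem" 2>/dev/null
  # Leaf: key and CSR made on server 2, signed by the sub-CA with the default usr_cert.
  openssl genrsa -out "$D/centos.key" 2048 2>/dev/null
  openssl req -new -config "$D/sub/openssl.cnf" -key "$D/centos.key" \
    -subj "/C=CN/ST=BJ/O=redhat/OU=hehe/CN=centos6.9-2" -out "$D/centos.csr" 2>/dev/null
  openssl ca -batch -config "$D/sub/openssl.cnf" -in "$D/centos.csr" \
    -out "$D/centos.crt" 2>/dev/null
}
# The check a client performs: root trusted, sub-CA supplied as an untrusted intermediate.
verify_leaf() {
  openssl verify -CAfile "$1/root/cacert.pem" -untrusted "$1/sub/cacert.pem" \
    "$1/centos.crt" >/dev/null 2>&1
}
# policy_match in action: a CSR whose O differs from the CA's own is refused by openssl ca.
policy_mismatch_rejected() {
  openssl req -new -config "$1/sub/openssl.cnf" -key "$1/centos.key" \
    -subj "/C=CN/ST=BJ/O=other/CN=rogue" -out "$1/rogue.csr" 2>/dev/null
  ! openssl ca -batch -config "$1/sub/openssl.cnf" -in "$1/rogue.csr" \
      -out "$1/rogue.crt" 2>/dev/null
}
# Revoke the leaf on the sub-CA (its index.txt entry turns from V to R), publish a CRL,
# and show that verification with -crl_check now fails.
revoke_and_check() {
  openssl ca -config "$1/sub/openssl.cnf" -revoke "$1/centos.crt" 2>/dev/null
  openssl ca -config "$1/sub/openssl.cnf" -gencrl -out "$1/sub/crl.pem" 2>/dev/null
  ! openssl verify -crl_check -CAfile "$1/root/cacert.pem" -untrusted "$1/sub/cacert.pem" \
      -CRLfile "$1/sub/crl.pem" "$1/centos.crt" >/dev/null 2>&1
}
main() {
  W=$(mktemp -d)
  setup_chain "$W"
  verify_leaf "$W" && echo "chain verifies before revocation"
  policy_mismatch_rejected "$W" && echo "policy_match rejected O=other"
  revoke_and_check "$W" && echo "leaf rejected after revocation"
}
main
```

Running the script prints the three confirmation lines; afterwards `grep '^R' "$W/sub/index.txt"` shows the revoked entry with status R and its revocation time, which is what step B of the revocation section compares against. Note that the CRL alone changes nothing for clients until it is distributed to them (or published at a URL they fetch), which is why revoke_and_check passes the CRL to openssl verify explicitly.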