C/C++教程

openssl实现私有CA证书生成和吊销

本文主要是介绍openssl实现私有CA证书生成和吊销,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!

  1G

DES 4m 8m

RSA 1m 64h

有实验证明,对称加密算法比非对称加密算法快大约1500倍

 

避免乱码

[root@localhost ~]# echo 川 | base64
5bedCg==
[root@localhost ~]# echo 5bedCg== | base64 -d
川 

mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@localhost ~]# echo 123456 | openssl passwd -6 --stdin   #SHA512算法
$6$WNoUVbFvp40Aw7aL$d7T63djg2TnXnF7SZyogKoHhrV9xG6PGksnnC0x3FYzTFoIBSn1y15n322WgJmpphkRxXtyvRIj5FvTfkeEVn0
[root@localhost ~]# echo 123456 | openssl passwd -6 --stdin -salt "WNoUVbFvp40Aw7aL"  
$6$WNoUVbFvp40Aw7aL$d7T63djg2TnXnF7SZyogKoHhrV9xG6PGksnnC0x3FYzTFoIBSn1y15n322WgJmpphkRxXtyvRIj5FvTfkeEVn0
[root@localhost ~]# cat /etc/shadow
root:$6$GuXYkkXUI59mp6Md$4fycaS6olcfwfCkYx6EqI0Nv3OXK7.fTDqBfUb4bRbo8pfVZXrFXPwdhBnRIcNuugjQd8a0CB4jYG4nrKdZoI/::0:99999:7:::
[root@localhost ~]# echo 1 | openssl passwd -6 --stdin -salt GuXYkkXUI59mp6Md
$6$GuXYkkXUI59mp6Md$4fycaS6olcfwfCkYx6EqI0Nv3OXK7.fTDqBfUb4bRbo8pfVZXrFXPwdhBnRIcNuugjQd8a0CB4jYG4nrKdZoI/
建立私有CA: OpenCA:OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件 openssl:相关包 openssl和openssl-libs 证书申请及签署步骤: 1、生成证书申请请求 2、RA核验 3、CA签署 4、获取证书 三种策略:match匹配、optional可选、supplied提供
match:要求申请填写的信息跟CA设置信息必须一致
optional:可有可无,跟CA设置信息可不一致
supplied:必须填写这项申请信息

vim  /etc/pki/tls/openssl.cnf

1、创建CA所需要的文件 2、 生成CA私钥
[root@localhost CA]# touch /etc/pki/CA/index.txt
[root@localhost CA]# echo 01 > /etc/pki/CA/serial
[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
...............................+++++
e is 65537 (0x010001)
3、生成CA自签名证书
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

 

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36000 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:

 

[root@localhost CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            38:5b:5c:9e:32:31:5d:ed:a0:5a:9c:3e:bb:65:d0:6d:02:04:bb:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = zhengfu, OU = guofangbu, CN = www.baidu.com
        Validity
            Not Before: Apr 23 08:51:56 2022 GMT
            Not After : Nov 15 08:51:56 2120 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = zhengfu, OU = guofangbu, CN = www.baidu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a2:e7:e0:35:58:82:88:3f:de:5a:f6:5b:f0:7e:
                    b4:52:10:a2:0c:16:f2:35:e9:78:e7:58:77:6c:d1:
                    f9:28:dc:8b:a7:23:8a:45:07:ed:b2:e3:e1:d5:05:
                    24:b3:93:b0:41:94:1c:15:20:6b:7f:e6:95:13:f6:
                    86:65:12:12:74:a6:45:fd:38:a6:a5:d6:a6:52:74:
                    1c:f3:c4:a6:ac:db:c6:c1:dc:a3:50:e4:8b:16:8e:
                    2c:33:0b:b7:c9:3d:45:98:ee:41:85:31:b2:b1:69:
                    6f:e1:70:5a:2a:33:49:8b:41:ca:db:50:bf:dc:25:
                    5d:23:cb:f9:2d:c2:67:f4:a5:37:73:6a:1c:86:60:
                    a0:92:e4:2a:a0:32:9a:b9:56:c7:b6:7b:66:b6:89:
                    3e:2b:ab:f0:e5:e2:a2:77:ec:bf:b9:2a:91:d8:29:
                    c6:40:e5:12:9f:39:db:0e:33:5c:6a:61:0d:de:c8:
                    9b:ea:39:8a:2a:2a:7f:fb:95:e0:c2:a0:d2:17:3d:
                    85:05:00:df:39:21:cd:e4:36:13:1f:fa:26:db:4c:
                    d4:c7:9a:6b:c0:78:72:44:5f:2a:8c:04:a8:87:a5:
                    6c:e7:9e:d4:dd:32:70:7a:6a:01:c0:d4:02:0a:9a:
                    b6:48:cc:cf:b2:82:6f:2a:da:f3:34:4d:51:f8:a8:
                    93:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                61:D0:AA:08:90:F1:01:59:EC:7C:E5:93:A0:FF:74:74:44:FC:59:A6
            X509v3 Authority Key Identifier: 
                keyid:61:D0:AA:08:90:F1:01:59:EC:7C:E5:93:A0:FF:74:74:44:FC:59:A6

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         2d:52:26:fa:ed:36:02:03:b2:28:6e:89:41:6a:5d:85:7f:37:
         c6:3a:c8:db:f9:82:62:8e:80:d9:8f:fb:06:1a:bc:03:cd:3d:
         3d:a1:79:5c:7d:9e:e7:4c:8e:c5:99:b5:32:bb:ed:3e:d8:a6:
         cc:b3:1c:c7:3e:00:87:32:9e:6f:62:ac:a0:27:76:97:ea:03:
         34:37:3c:2d:5c:7d:58:75:0e:fc:df:3e:3c:28:7e:53:b0:db:
         4a:f5:07:65:cf:43:90:8c:44:30:8e:f5:91:9a:71:1a:00:53:
         51:df:7c:8c:06:63:84:a3:db:26:53:63:19:ba:91:ee:ec:a6:
         4a:28:40:3d:24:63:23:c0:de:9d:09:bc:21:31:57:ec:7e:4c:
         a6:bc:13:1d:03:03:12:86:65:5c:72:e5:cc:e9:c6:49:8d:22:
         87:ee:31:81:b8:c5:61:23:33:fd:28:07:92:be:44:fa:d5:ee:
         80:95:b0:94:ef:67:d6:a0:f9:94:b0:53:db:b2:23:05:57:85:
         51:f1:fc:cb:d0:35:fd:fa:65:f5:be:49:d9:6d:22:73:63:c6:
         b0:f9:f2:ed:03:2f:5e:3b:83:15:38:8b:0d:72:ca:97:01:62:
         6d:f0:5f:aa:f6:db:93:b1:65:4a:7b:ec:ab:48:8f:ae:51:82:
         df:bf:85:48

 cacert.pem .crt

 

申请证书并颁发证书 1、为需要使用证书的主机生成生成私钥 
[root@localhost CA]# (umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..+++++
e is 65537 (0x010001
2、为需要使用证书的主机生成证书申请文件 
[root@localhost CA]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:jinan  
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu 
Common Name (eg, your name or your server's hostname) []:www.chuan.com 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3、在CA签署证书并将证书颁发给请求者
[root@localhost CA]# openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 36000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 23 09:25:31 2022 GMT
            Not After : Nov 15 09:25:31 2120 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = zhengfu
            organizationalUnitName    = guofangbu
            commonName                = www.chuan.com 
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                60:63:F8:E7:1B:4C:03:07:2C:6D:C6:FA:E2:DC:C1:C9:72:25:63:2E
            X509v3 Authority Key Identifier: 
                keyid:31:1F:D6:D9:B8:A2:82:30:0B:24:5C:C7:58:15:FD:2B:17:A8:85:02

Certificate is to be certified until Nov 15 09:25:31 2120 GMT (36000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 注意:默认要求 国家,省,公司名称三项必须和CA一致

vim  /etc/pki/tls/openssl.cnf
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

 

4、查看证书中的信息
[root@localhost CA]# tree 
.
├──  
├── cacert.pem
├── certs
│   └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@localhost CA]# cat serial
02
[root@localhost CA]# cat index.txt
V    21201115092531Z        01    unknown    /C=CN/ST=beijing/O=zhengfu/OU=guofangbu/CN=www.chuan.com

 

policy          = policy_anything
[root@localhost data]# (umask 066;openssl genrsa -out /data/test2.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................................................+++++
...............................+++++
e is 65537 (0x010001)

 

[root@localhost data]# openssl req -new -key /data/test2.key -out /data/test2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:newyork
Locality Name (eg, city) [Default City]:newyork
Organization Name (eg, company) [Default Company Ltd]:zhengfu
Organizational Unit Name (eg, section) []:guofangbu
Common Name (eg, your name or your server's hostname) []:www.chuan.com 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

[root@localhost CA]# openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 36000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (US)

vim  /etc/pki/tls/openssl.cnf 

policy          = policy_anything

[root@localhost CA]# openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 36000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Apr 23 09:50:51 2022 GMT
            Not After : Nov 15 09:50:51 2120 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = newyork
            localityName              = newyork
            organizationName          = zhengfu
            organizationalUnitName    = guofangbu
            commonName                = www.chuan.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1B:1A:15:BF:3C:E8:71:ED:18:D6:F5:53:AB:ED:81:F0:2B:A7:BD:34
            X509v3 Authority Key Identifier: 
                keyid:31:1F:D6:D9:B8:A2:82:30:0B:24:5C:C7:58:15:FD:2B:17:A8:85:02

Certificate is to be certified until Nov 15 09:50:51 2120 GMT (36000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

吊销证书
[root@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/02.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
[root@localhost CA]# cat index.txt
V    21201115092531Z        01    unknown    /C=CN/ST=beijing/O=zhengfu/OU=guofangbu/CN=www.chuan.com 
R    21201115095051Z    220423095539Z    02    unknown    /C=US/ST=newyork/L=newyork/O=zhengfu/OU=guofangbu/CN=www.chuan.com
指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表  
openssl ca -gencrl -out /etc/pki/CA/crl.pem
[root@localhost CA]# cat /etc/pki/CA/crl.pem 
-----BEGIN X509 CRL-----
MIIB3jCBxwIBATANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJDTjEQMA4GA1UE
CAwHYmVpamluZzEQMA4GA1UEBwwHYmVpamluZzEQMA4GA1UECgwHemhlbmdmdTES
MBAGA1UECwwJZ3VvZmFuZ2J1MRYwFAYDVQQDDA13d3cuYmFpZHUuY29tFw0yMjA0
MjMxMDA1MDJaFw0yMjA1MjMxMDA1MDJaMBQwEgIBAhcNMjIwNDIzMDk1NTM5WqAO
MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADggEBAJ1Jf8QebJd7mKsFjXpN
IbkJv7H7YysMcWzs3xycDXQqXkRxn9TMT1OTyDNSyBjFgQui/SXzLQA9jcmjIPGD
z8kuAIZDuDPHzGhZeFCj6uFogUeg8J+YHAPrj4EWqFjh8ZXeTuM+NznzxPc02sBU
zWN6zd/Zh3bRuhYsyrMZ3/i79j/PpEeipipYfF0iXli9QOExknawhiHZlEPsfW8P
7jeYVWXyOUH/9+jVKUIp++Nce/DxkeiZfoo/dq4LF5GYNyzid0xNVkIBIYX7g2LS
gSfLN46g6eL+Gh81wyedT/fBA3eYG0JdV41xac5di/MSbMFS3mJGPAtHShD4Qsrh
l2I=
-----END X509 CRL-----

查看文件

[root@localhost CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text

crl.pem.crl

 

 

这篇关于openssl实现私有CA证书生成和吊销的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!