|
|
像 Web Mail,POP3S, IMAPS 以及 SMTPS 这些应用都基于 SSL 加密连接机制,那么在服务器端就一定需要提供证书,如果没有证书,那么 SSL 机制就无法工作。因此,在企业网络中,证书的需求量是很大的,如果每为一个服务申请一个证书,那么就要付出一份相应的费用,如此下来一年中的成本一定将会十分惊人。
在开源软件领域,OpenSSL 组织开发了一个名为 OpenSSL 的软件,只要通过该软件,就可以在企业中轻松搭建自己的证书中心(CA)。下面介绍在 Linux 平台如何去做这件事情。
1. 切换到相应的工具目录[root@beyes misc]# cd /etc/pki/tls/misc
2. 使用 -newca 选项建立自己的 CA[root@beyes misc]# ./CA -newca
CA certificate filename (or enter to create) # 要求输入CA 证书文件名,可以直接按回车使用默认的名字 cakey.pem
Making CA certificate ...
Generating a 2048 bit RSA private key
.........................+++
.....+++
writing new private key to '/etc/pki/CA/private/./cakey.pem' #将 CA 的私钥写入到文件 cakey.pem
Enter PEM pass phrase: #输入保护 CA 私钥的密码
Verifying - Enter PEM pass phrase: #确认输入
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- # 填入 CA 的相关信息
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hainan
Locality Name (eg, city) [Default City]:Wenchang
Organization Name (eg, company) [Default Company Ltd]:Groad
Organizational Unit Name (eg, section) []:EDU
Common Name (eg, your name or your server's hostname) []:ca.groad.net
Email Address []:groad_net@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # 可选扩展属性项,可以直接回车跳过
An optional company name []: # 可选扩展属性项,可以直接回车跳过
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: #请输保护 CA 私钥的密码,和上面输入的保护密码一样
Check that the request matches the signature
Signature ok
Certificate Details: # CA 已经正式建立完成,下面信息即为 CA 证书
Serial Number:
c9:82:87:ff:0c:22:2a:11
Validity
Not Before: Sep 2 12:49:35 2012 GMT
Not After : Sep 2 12:49:35 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = Hainan
organizationName = Groad
organizationalUnitName = EDU
commonName = ca.groad.net
emailAddress = groad_net@163.com
X509v3 extensions:
X509v3 Subject Key Identifier:
D1:06:2E:1C:E6:CB:C0:6D:1E:C8:DA:A6:25:9B:41:AC:6A:2E:B6:56
X509v3 Authority Key Identifier:
keyid:D1:06:2E:1C:E6:CB:C0:6D:1E:C8:DA:A6:25:9B:41:AC:6A:2E:B6:56
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 2 12:49:35 2015 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
1. 证书的保存路径和文件名
2. 私钥的保存路径及其文件名/etc/pki/CA/private/cakey.pem
经过上面的步骤,我们已经建立起自己的企业 CA 证书,也就是说,我们可以给自己的企业内部的服务器上的基于 SSL 机制的服务颁发证书了。
当使用者提交证书申请单后(在 《生成证书申请单》中有介绍),我们必须将证书申请单放在 /etc/pki/tls/misc 这个路径下,且文件名必须为 newreq.pem ,这两个条件必须同时成立,否则无法完成证书的签发工作。当条件满足后,可以进行下面的证书签发流程了。
1. 切换到如下目录
[root@beyes misc]# cd /etc/pki/tls/misc
2. 执行下面命令对证书进行审核签发[root@beyes misc]# ./CA -sign # -sign 选项执行证书签发作业
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: # 输入 CA 私钥的密码
Check that the request matches the signature
Signature ok
Certificate Details: #显示出使用者的证书申请单内容,以便管理者进行核对
Serial Number:
c9:82:87:ff:0c:22:2a:12
Validity
Not Before: Sep 3 15:42:28 2012 GMT
Not After : Sep 3 15:42:28 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = Hainan
localityName = Wenchang
organizationName = TEC
organizationalUnitName = HACK
commonName = tec.groad.net
emailAddress = l4nneret@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:F2:92:32:09:FB:C5:8F:DA:3C:CF:FC:3D:59:08:F1:3D:6E:99:CE
X509v3 Authority Key Identifier:
keyid:D1:06:2E:1C:E6:CB:C0:6D:1E:C8:DA:A6:25:9B:41:AC:6A:2E:B6:56
Certificate is to be certified until Sep 3 15:42:28 2013 GMT (365 days)
Sign the certificate? [y/n]:y # 是否执行执行凭证签发作业
1 out of 1 certificate requests certified, commit? [y/n]y # 再次确认执行凭证签发作业
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c9:82:87:ff:0c:22:2a:12
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Hainan, O=Groad, OU=EDU, CN=ca.groad.net/emailAddress=groad_net@163.com
Validity
Not Before: Sep 3 15:42:28 2012 GMT
Not After : Sep 3 15:42:28 2013 GMT
Subject: C=CN, ST=Hainan, L=Wenchang, O=TEC, OU=HACK, CN=tec.groad.net/emailAddress=l4nneret@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:a2:63:58:3d:2e:66:62:a2:a2:78:a5:06:f4:
32:83:f4:ed:44:b2:19:f6:e7:d9:f4:24:72:fd:02:
3b:28:93:e5:71:fa:00:c8:e0:51:85:fa:f5:0b:c8:
83:a4:11:94:a6:f3:c0:06:16:63:e9:e3:d0:f4:3c:
a8:33:ff:9f:e5:9b:29:51:2e:3c:2e:d2:9e:87:5c:
a7:7e:71:e3:5d:88:53:92:f2:1e:ac:9b:a0:06:b0:
fb:3b:7d:59:95:8b:5d:d3:f2:b3:e5:da:98:99:25:
a8:8b:a2:f2:a1:36:3d:47:5f:5f:86:05:6b:d3:5a:
33:b4:ae:65:35:7a:cf:f2:d8:f0:4e:43:c9:42:af:
61:a3:ae:1b:fa:57:9e:9d:b9:ef:a0:11:75:6c:8a:
a5:22:90:f1:fe:63:db:71:6a:30:30:21:0d:90:e9:
77:56:71:30:8a:bc:68:4c:45:b8:30:a8:7a:56:f4:
9b:7a:13:21:35:64:9e:2e:ec:8f:db:95:ba:11:ec:
46:12:cb:e0:b3:d1:e7:a4:a8:06:f5:10:b9:d9:b9:
c1:47:6f:01:f2:38:92:34:39:7d:9f:96:37:a5:bd:
80:8a:54:ff:a2:21:f0:99:5a:48:d7:70:9a:fa:3a:
79:dc:88:da:bf:03:a6:3a:93:ff:90:87:6c:53:57:
b5:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9B:F2:92:32:09:FB:C5:8F:DA:3C:CF:FC:3D:59:08:F1:3D:6E:99:CE
X509v3 Authority Key Identifier:
keyid:D1:06:2E:1C:E6:CB:C0:6D:1E:C8:DA:A6:25:9B:41:AC:6A:2E:B6:56
Signature Algorithm: sha1WithRSAEncryption
7f:e9:c4:c8:6e:82:09:23:04:df:f3:21:94:6a:65:b8:81:ad:
e2:db:93:6a:9a:f6:ea:7f:f8:4d:9d:45:d3:f2:67:33:8f:27:
4b:87:1c:93:39:7a:a8:22:10:2e:2e:c4:9e:c6:e0:72:b8:a7:
75:90:16:2f:98:2d:ee:d6:8b:18:2f:27:b1:f8:68:ee:7d:e1:
7d:89:b7:bb:0a:49:bf:a9:42:6a:6c:1c:8c:bd:0f:1d:38:d6:
dd:16:89:e7:ea:31:c5:db:d3:b9:6d:1b:88:b3:57:ca:9e:a9:
73:56:e1:12:6a:c5:9c:97:d8:1f:36:20:0e:ec:c6:b1:46:db:
7a:e5:92:29:0b:27:77:99:8b:23:1a:46:00:39:57:e7:4d:d2:
6c:04:d0:ad:12:59:83:7a:ac:11:f1:a9:9b:b1:57:14:6e:63:
4a:e3:da:79:5e:56:71:00:1b:14:e9:db:e9:58:44:c9:4a:a6:
79:c1:a2:06:ff:f4:4f:b2:e2:88:d0:0b:ab:69:dc:37:b3:41:
b6:df:d7:59:92:e7:e7:96:53:f2:1a:6a:d5:d7:d3:02:55:9d:
36:45:96:3d:c7:77:23:4c:09:44:30:a5:72:93:66:a7:7e:36:
a2:82:63:3d:f7:72:b6:92:fa:11:c4:e0:f1:d7:2a:94:9f:f1:
a7:38:c3:d9
-----BEGIN CERTIFICATE-----
MIID+zCCAuOgAwIBAgIJAMmCh/8MIioSMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
BAYTAkNOMQ8wDQYDVQQIDAZIYWluYW4xDjAMBgNVBAoMBUdyb2FkMQwwCgYDVQQL
DANFRFUxFTATBgNVBAMMDGNhLmdyb2FkLm5ldDEgMB4GCSqGSIb3DQEJARYRZ3Jv
YWRfbmV0QDE2My5jb20wHhcNMTIwOTAzMTU0MjI4WhcNMTMwOTAzMTU0MjI4WjCB
hzELMAkGA1UEBhMCQ04xDzANBgNVBAgMBkhhaW5hbjERMA8GA1UEBwwIV2VuY2hh
bmcxDDAKBgNVBAoMA1RFQzENMAsGA1UECwwESEFDSzEWMBQGA1UEAwwNdGVjLmdy
b2FkLm5ldDEfMB0GCSqGSIb3DQEJARYQbDRubmVyZXRAMTYzLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANiiY1g9LmZioqJ4pQb0MoP07USyGfbn
2fQkcv0COyiT5XH6AMjgUYX69QvIg6QRlKbzwAYWY+nj0PQ8qDP/n+WbKVEuPC7S
nodcp35x412IU5LyHqyboAaw+zt9WZWLXdPys+XamJklqIui8qE2PUdfX4YFa9Na
M7SuZTV6z/LY8E5DyUKvYaOuG/pXnp2576ARdWyKpSKQ8f5j23FqMDAhDZDpd1Zx
MIq8aExFuDCoelb0m3oTITVkni7sj9uVuhHsRhLL4LPR56SoBvUQudm5wUdvAfI4
kjQ5fZ+WN6W9gIpU/6Ih8JlaSNdwmvo6edyI2r8DpjqT/5CHbFNXtcECAwEAAaN7
MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFJvykjIJ+8WP2jzP/D1ZCPE9bpnOMB8GA1Ud
IwQYMBaAFNEGLhzmy8BtHsjapiWbQaxqLrZWMA0GCSqGSIb3DQEBBQUAA4IBAQB/
6cTIboIJIwTf8yGUamW4ga3i25Nqmvbqf/hNnUXT8mczjydLhxyTOXqoIhAuLsSe
xuByuKd1kBYvmC3u1osYLyex+GjufeF9ibe7Ckm/qUJqbByMvQ8dONbdFonn6jHF
29O5bRuIs1fKnqlzVuESasWcl9gfNiAO7MaxRtt65ZIpCyd3mYsjGkYAOVfnTdJs
BNCtElmDeqwR8ambsVcUbmNK49p5XlZxABsU6dvpWETJSqZ5waIG//RPsuKI0Aur
adw3s0G239dZkufnllPyGmrV19MCVZ02RZY9x3cjTAlEMKVyk2anfjaigmM993K2
kvoRxODx1yqUn/GnOMPZ
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
(图-1)
首先,CA 会将自己的信息加入到证书申请单之中,以表明证书申请单是由哪家 CA 处理的,接着加入有效的使用期限,最后 CA 对处理后的证书申请单进行签名操作。签名是这样的一种过程:将 (图-1) 中的上面 4 部分信息进行哈希计算,然后把计算后得到的指纹使用 CA 的私钥进行加密,这样就行程了证书。也就是说,签名完成后的证书申请单就是证书。形象点说,你的学位证书只有经过盖章确认后才能成为真正可用的证书。
关于证书的更多内容可参考《数字证书,根证书等概念图文解说》,在这篇文章里,提到过吊销证书列表的概念。下面介绍我们以 CA 的身份,如何去吊销一个证书。
证书的目的在于证明证书内公钥拥有者的身份。公钥是公布于众的,当你要将机密数据发送到网站时,你就要用公钥对你的数据进行加密后再发送,当数据到达网站后,网站会用相应的私钥进行解密。如果网站方不小心丢失了私钥或者说被盗窃,那么得到私钥的人就可以用私钥来解开所有的机密数据。此时可以采取的弥补办法是,迅速吊销掉你的证书。那么在 Linux 里如何吊销证书呢?
要吊销证书,首先要生成一个证书吊销清单,清单上将列出所有被吊销的证书列表,而所有的客户端会定时到 CA 获取证书注销列表,这样客户端才能知道哪些证书是已经注销了的(关于这些内容的详细介绍可参考《数字证书,根证书等概念图文解说》)。
先生成空白的证书吊销列表:[root@beyes crl]# echo "01" > /etc/pki/CA/crlnumber #生成证书吊销编号,该编号从 01 开始,没吊销一个证书,则该值加 1
[root@beyes crl]# cd /etc/pki/CA/crl
[root@beyes crl]# openssl ca -gencrl -out crl.pem #生成吊销证书列表
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: #输入私钥加密密码
吊销证书:
在吊销某个证书之前,必须取得该证书,否则无法进行证书吊销操作。但此时不需要证书拥有着提供证书,因为我们在 CA 上签发证书的同时,系统会自动在 /etc/pki/CA/newcerts 目录保留一份签发出去的证书,如:[root@beyes crl]# ls ../newcerts/
C98287FF0C222A11.pem C98287FF0C222A12.pem [root@beyes crl]# openssl ca -revoke ../newcerts/C98287FF0C222A12.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate C98287FF0C222A12.
Data Base Updated
[root@beyes crl]# cat crl.pem #查看一下吊销列表
-----BEGIN X509 CRL-----
MIIBzjCBtwIBATANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDTjEPMA0GA1UE
CAwGSGFpbmFuMQ4wDAYDVQQKDAVHcm9hZDEMMAoGA1UECwwDRURVMRUwEwYDVQQD
DAxjYS5ncm9hZC5uZXQxIDAeBgkqhkiG9w0BCQEWEWdyb2FkX25ldEAxNjMuY29t
Fw0xMjA5MDMxNjI1MTdaFw0xMjEwMDMxNjI1MTdaoA4wDDAKBgNVHRQEAwIBATAN
BgkqhkiG9w0BAQUFAAOCAQEAN1/zZCfwDpG1OGTMqHaOCJuYtMpwPQgajKQ6OYhT
jVKOkOWvCqyfLCB0w4UFSLsq4Rud2BG535zmuKgCmM3Axc7NxY93u8qY615MVQ9s
NWg5znm5if1jXCG+Y1av7gzzlhkls04SyPdeXaRteuBJGy0ph9WhxLPj1Epn/K+t
59X++CKVLumH5fgznRh9dFvtF7AOwi6SRIRJWVcBfnET2ZT6snOzaAnN1gI7HkIq
4pci/bRi4OxbXGkSb3wVXldqJdt+N9vYnl/C0rfRIPZSMGWCOGyjic2eninnsPru
lZDHBkw5DM3zJMzNoOsR67iFxngydyDFb90fZOfDY3uFnw==
-----END X509 CRL-----
[root@beyes crl]# openssl ca -gencrl -out crl.pem #重新生成一份最新的证书吊销清单
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@beyes crl]# cat crl.pem #再查看一下,以和之前的比对
-----BEGIN X509 CRL-----
MIIB7DCB1QIBATANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJDTjEPMA0GA1UE
CAwGSGFpbmFuMQ4wDAYDVQQKDAVHcm9hZDEMMAoGA1UECwwDRURVMRUwEwYDVQQD
DAxjYS5ncm9hZC5uZXQxIDAeBgkqhkiG9w0BCQEWEWdyb2FkX25ldEAxNjMuY29t
Fw0xMjA5MDMxNjM3NDNaFw0xMjEwMDMxNjM3NDNaMBwwGgIJAMmCh/8MIioSFw0x
MjA5MDMxNjM2NDhaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQUFAAOCAQEA
er33Yi2e/stXsOu+VPIBvLPClk0uhkAD/CxLRB6VWXFjezm/D1/LWjgqQz9nM6mK
0BA3srFMsQVNh1y015yDXolQHUh2go/Po7iTywt2EZ/niQYWta55PpQGm6XQ+Iwf
YM7Ix1zIaaPPRQetgP6Y7ACz0rlnjIZQrHZdmGMpcMdrcsM5WLpcMJzF4Jvs3BIL
Lx/ddXc/RTI+Oa2N5hd2ie9t/81V7Zi/4HYauJQPcGvdw1xKaJRcUH7cSOQALhf0
A+LriQW8EkCPh0PCqP8+EV8X+VG5/IMpfmoSpS5On95TwF/fK9txKmq9qOfSy4A+
+O9+t8kJydK98mvTnMa30w==
-----END X509 CRL-----
上面所述一共有 3 个部分:建立自己的 CA ,签发证书,吊销证书并生成吊销证书列表。 |
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有帐号?立即注册
x
|
窥视卡
雷达卡
发表于 2012-9-4 00:50:00
收藏
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡