Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇

飞翔梧桐 發表於 2019-12-21 05:37:00

Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇

Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　作者：尹正杰
版权声明：原创作品，谢绝转载！否则将追究法律责任。
 
 
 
一.试验架构说明
<div class="cnblogs_code">
<pre>node101.yinzhengjie.org.cn：
　　　CA服务器 
node108.yinzhengjie.org.cn: 　　　CA客户端</pre>
</div>
<div class="cnblogs_code"><img src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_c2f7b00e-ee2a-4b01-8ce5-b7813fa01f60" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_c2f7b00e-ee2a-4b01-8ce5-b7813fa01f60" class="cnblogs_code_hide">
<pre># uname -r
3.10.0-957.el7.x86_64
#
# uname -m
x86_64
#
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
#
# free -h
 total used free sharedbuff/cache available
Mem: 7.6G 132M 7.2G 8.6M 299M 7.3G
Swap: 7.9G 0B 7.9G
#
#
# hostname -i
172.30.1.101
#
# cat /etc/hostname
node101.yinzhengjie.org.cn
#
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn
#
# </pre>
</div>
# cat /etc/hosts</div>
<div class="cnblogs_code"><img id="code_img_closed_1e7f5052-7d3d-4136-b1db-ed1cc5a9a8ae" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_1e7f5052-7d3d-4136-b1db-ed1cc5a9a8ae" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_1e7f5052-7d3d-4136-b1db-ed1cc5a9a8ae" class="cnblogs_code_hide">
<pre># uname -r
3.10.0-957.el7.x86_64
#
# uname -m
x86_64
#
# free -h
 total used free sharedbuff/cache available
Mem: 3.7G 98M 3.5G 8.5M 148M 3.4G
Swap: 3.9G 0B 3.9G
#
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
#
# hostname -i
172.30.1.108
#
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.30.1.101 node101.yinzhengjie.org.cn
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn

#
#</pre>
</div>
# cat /etc/hosts</div>
 
二.生成自签名证书
1>.查看opennssl的配置文件
<div class="cnblogs_code">
<pre>openssl的配置文件： 　　/etc/pki/tls/openssl.cnf
　　三种策略：match匹配、optional可选、supplied提供
　　　　match： 　　　　　　要求申请填写的信息跟CA设置信息必须一致
　　　　optional： 　　　　　　可有可无，跟CA设置信息可不一致
　　　　supplied： 　　　　　　必须填写这项申请信息，</pre>
</div>
<div class="cnblogs_code"><img id="code_img_closed_378b65e6-0428-4c34-8fad-9792051233a3" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_378b65e6-0428-4c34-8fad-9792051233a3" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_378b65e6-0428-4c34-8fad-9792051233a3" class="cnblogs_code_hide">
<pre># egrep -v "^ *#|^$" /etc/pki/tls/openssl.cnf
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca = CA_default # 默认的CA标题名称，该名称会定有很多CA服务器相关参数
[ CA_default ] # 上一行指定的CA标题名称就是这里定义的
dir = /etc/pki/CA # 存放CA的目录
certs = $dir/certs # 存放证书的目录
crl_dir = $dir/crl # 存放证书吊销列表信息
database = $dir/index.txt # 一个文本文件用来保存已颁发证书的信息，该文件默认不存在，需要手动创建
new_certs_dir = $dir/newcerts # 默认存放新颁发的证书
certificate = $dir/cacert.pem # 指定CA的证书，即CA自签名证书
serial = $dir/serial # 指定下一个颁发证书的编号，该文件默认不存在，需要手动创建
crlnumber = $dir/crlnumber # 指定下一个吊销证书的编号
crl = $dir/crl.pem # 指定CRL证书文件文件名称
private_key = $dir/private/cakey.pem # 指定CA的私钥文件名称
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # 指定证书的默认有效期
default_crl_days= 30 # 指定多久发布一次CRL信息(证书吊销信息)
default_md = sha256 # 使用默认的加密算法
preserve = no # keep passed DN ordering
policy = policy_match #匹配策略名称，见下一行有定义该名称
[ policy_match ] #用于CA的策略证书
countryName = match #match要求申请填写的信息跟CA设置信息必须一致。国家信息要一样
stateOrProvinceName = match #同上，省份也要一样
organizationName = match #同上，一般情况下，自建的CA服务器国家，省份和组织单位都是一样的。
organizationalUnitName = optional #optional表示可选项，即可有可无，跟CA设置信息可不一致
commonName = supplied #supplied表示必须填写这项申请信息，即填写用户申请的域名
emailAddress = optional #optional表示可选项，即邮箱可以写也可以不写
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
 # (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
 # (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
 # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits= 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
 # (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
 # (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
 # (optional, default: no)
# </pre>
</div>
# egrep -v "^ *#|^$" /etc/pki/tls/openssl.cnf</div>
2>.生成私钥
<div class="cnblogs_code"><img id="code_img_closed_cd37663a-0a30-45ac-9d80-049388f9de3c" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_cd37663a-0a30-45ac-9d80-049388f9de3c" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_cd37663a-0a30-45ac-9d80-049388f9de3c" class="cnblogs_code_hide">
<pre># yum -y install tree
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: mirror.bit.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.tuna.tsinghua.edu.cn
base | 3.6 kB00:00:00
extras | 2.9 kB00:00:00
updates | 2.9 kB00:00:00
(1/4): base/7/x86_64/group_gz | 165 kB00:00:00
(2/4): extras/7/x86_64/primary_db | 153 kB00:00:00
(3/4): base/7/x86_64/primary_db | 6.0 MB00:00:01
(4/4): updates/7/x86_64/primary_db | 5.8 MB00:00:01
Resolving Dependencies
--> Running transaction check
---> Package tree.x86_64 0:1.6.0-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================
Installing:
tree x86_64 1.6.0-10.el7 base 46 k

Transaction Summary
============================================================================================================================================================================
Install1 Package

Total download size: 46 k
Installed size: 87 k
Downloading packages:
tree-1.6.0-10.el7.x86_64.rpm |46 kB00:00:05
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : tree-1.6.0-10.el7.x86_64 1/1
Verifying: tree-1.6.0-10.el7.x86_64 1/1

Installed:
tree.x86_64 0:1.6.0-10.el7

Complete!
# </pre>
</div>
# yum -y install tree</div>
<div class="cnblogs_code"><img id="code_img_closed_1d55d193-1977-456e-b00c-5d93106a9ce5" class="code_img_closed lazyload" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_1d55d193-1977-456e-b00c-5d93106a9ce5" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_1d55d193-1977-456e-b00c-5d93106a9ce5" class="cnblogs_code_hide">
<pre># cd /etc/pki/CA/
#
# tree
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
#
# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
........+++
e is 65537 (0x10001)
#
# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem

4 directories, 1 file
#
# ll private/
total 4
-rw------- 1 root root 1675 Dec 21 13:02 cakey.pem
#
# </pre>
</div>
# (umask 077;openssl genrsa -out private/cakey.pem 2048)</div>
3>.生成自签名证书
<div class="cnblogs_code">
<pre># tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem

4 directories, 1 file
#
# ll private/
total 4
-rw------- 1 root root 1675 Dec 21 13:02 cakey.pem
#
#
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) :ankang
Organization Name (eg, company) :yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.yinzhengjie.org.cn
Email Address []:
#
# tree
.
├── cacert.pem　　　　　　　　　　#新生成的证书文件，可以下载到windows系统查看，如下图所示(在windows系统需要修改文件后缀为crt才能打开哟).
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem

4 directories, 2 files
# </pre>
</div>
<img alt="" data-src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221131413371-1174178871.png">
 
三.CA客户端申请证书
1>.生成私钥
<div class="cnblogs_code">
<pre># mkdir /data/ssl -pv
mkdir: created directory ‘/data’
mkdir: created directory ‘/data/ssl’
#
# cd /data/ssl/
#
# (umask 066;openssl genrsa -out myapp.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
.....................................++++++
e is 65537 (0x10001)
#
# ll
total 4
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
#
# </pre>
</div>
2>.利用私钥生成证书请求并发送至CA服务器上
<div class="cnblogs_code">
<pre># ll
total 4
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
#
# openssl req -new -key myapp.key -out myapp.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) :ankang
Organization Name (eg, company) :yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:*.yinzhengjie.org.cn 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#
# ll
total 8
-rw-r--r-- 1 root root 668 Dec 21 13:53 myapp.csr
-rw------- 1 root root 887 Dec 21 13:20 myapp.key
# 
# scp myapp.csr node101.yinzhengjie.org.cn:/etc/pki/CA/
The authenticity of host 'node101.yinzhengjie.org.cn (172.30.1.101)' can't be established.
ECDSA key fingerprint is SHA256:KEchoZnVBkijeoWfG2nvx2ptthsXv7IjkxIJYule57g.
ECDSA key fingerprint is MD5:52:c8:f5:6e:5f:cf:44:ec:c4:11:60:d2:d0:31:3c:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn,172.30.1.101' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password: 
myapp.csr 100%668 900.0KB/s 00:00
#
# </pre>
</div>
 
四.颁发证书
1>.颁发证书过程及故障排除
<div class="cnblogs_code">
<pre># tree
.
├── cacert.pem
├── certs
├── crl
├── myapp.csr
├── newcerts
└── private
└── cakey.pem

4 directories, 3 files
#
# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139995437246352:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139995437246352:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
#
#
#
# touch index.txt　　　　　　　　#根据上面的报错提示，说明缺少index.txt文件，因此我们手动创建出来
#
# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139709222610832:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139709222610832:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
#
# echo 0F > serial　　　　　　#根据上面的提示，说明仍然是少了文件，因此我们继续手动创建出来
#
# cat serial
0F
#
# openssl ca -in myapp.csr -out certs/myapp.crt -days 1000　　　　#执行颁发证书的指令
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 15 (0xf)
 Validity
 Not Before: Dec 21 06:27:58 2019 GMT
 Not After : Sep 16 06:27:58 2022 GMT
 Subject:
 countryName = CN
 stateOrProvinceName = shanxi
 organizationName = yinzhengjie
 organizationalUnitName = devops
 commonName = *.yinzhengjie.org.cn
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
 X509v3 Authority Key Identifier:
 keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13

Certificate is to be certified until Sep 16 06:27:58 2022 GMT (1000 days)
Sign the certificate? :y

1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
#
# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
#
#
# ll certs/myapp.crt newcerts/0F.pem 　　　　　　　#我们发现这两个新生成的文件大小是一样的
-rw-r--r-- 1 root root 3771 Dec 21 14:30 certs/myapp.crt
-rw-r--r-- 1 root root 3771 Dec 21 14:30 newcerts/0F.pem
#
# diff certs/myapp.crt newcerts/0F.pem 　　　　　　#很显然，这两个文件内容是一样的
#
# </pre>
</div>
2>.查看证书信息
<div class="cnblogs_code"><img src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_126d96a6-fe4e-4544-971b-09f42f312430" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_126d96a6-fe4e-4544-971b-09f42f312430" class="cnblogs_code_hide">
<pre># cat newcerts/0F.pem 　　　　　　　　　　　　　　#查看证书信息
Certificate:
Data:
 Version: 3 (0x2)
 Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
 Issuer: C=CN, ST=shanxi, L=ankang, O=yinzhengjie, OU=devops, CN=ca.yinzhengjie.org.cn
 Validity
 Not Before: Dec 21 06:27:58 2019 GMT
 Not After : Sep 16 06:27:58 2022 GMT
 Subject: C=CN, ST=shanxi, O=yinzhengjie, OU=devops, CN=*.yinzhengjie.org.cn
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (1024 bit)
 Modulus:
 00:b7:a1:2e:0c:f3:a4:e8:bc:41:0b:9b:40:3b:26:
 80:ed:8d:03:5a:e2:15:4d:05:98:cc:f5:1d:ef:bb:
 26:32:d3:3e:a6:47:f8:6d:24:23:35:23:fd:09:cc:
 5b:6d:25:23:96:34:90:92:ab:5f:ea:ae:21:07:67:
 2c:51:10:e4:34:5f:08:ff:eb:0a:ea:2a:fa:6f:47:
 71:88:fb:d1:b4:7e:65:a9:52:ba:87:2e:1c:0f:f6:
 55:56:42:e6:c5:ca:35:64:8c:96:76:c7:5d:e0:b6:
 d7:99:e5:17:b8:95:ff:fb:22:ca:99:cc:d3:7c:6c:
 70:c4:b0:f7:f3:87:32:a2:45
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
 X509v3 Authority Key Identifier:
 keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13

Signature Algorithm: sha256WithRSAEncryption
 29:48:7f:38:fe:e5:c2:ad:fd:dc:c2:bc:0b:38:88:fb:99:a8:
 2e:dc:69:8c:f6:a9:24:2d:2a:c1:27:bb:50:5c:16:70:25:1f:
 4a:a8:c3:a5:21:1a:79:30:ac:0e:88:82:04:dd:f8:14:22:56:
 bd:fc:cf:86:8a:cf:7e:88:7a:34:be:a7:3f:58:05:cc:33:95:
 71:6f:53:39:5c:c7:0b:fa:c5:66:d2:2f:dc:d3:f4:86:01:53:
 f2:63:1b:0c:fc:3c:c1:92:c2:c8:24:ed:2a:76:3b:37:20:93:
 e1:47:71:26:5d:3f:bf:d5:03:62:c2:49:d8:84:dd:fe:1c:83:
 60:43:88:77:b7:c8:f2:3e:95:63:d1:57:6c:f6:05:3d:b7:fc:
 d9:80:be:ad:39:a2:f1:7f:b8:46:59:b2:2e:21:a7:86:53:e1:
 7a:43:95:9b:1c:33:7d:84:03:5d:98:ce:c8:6f:eb:01:7e:d5:
 82:91:c9:ea:a0:b1:67:39:3b:21:f7:c2:50:8f:8d:b2:a0:92:
 c6:dd:f3:76:85:de:3a:77:03:26:3e:c2:b0:27:ca:b1:44:2f:
 fd:e2:75:96:9c:dc:f3:e5:d6:24:62:65:44:3a:42:2c:08:4c:
 18:87:41:b7:09:4e:68:bf:9c:1c:0c:f0:ce:50:af:be:33:a7:
 ea:98:bf:af
-----BEGIN CERTIFICATE-----
MIIDTDCCAjSgAwIBAgIBDzANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJDTjEP
MA0GA1UECAwGc2hhbnhpMQ8wDQYDVQQHDAZhbmthbmcxFDASBgNVBAoMC3lpbnpo
ZW5namllMQ8wDQYDVQQLDAZkZXZvcHMxHjAcBgNVBAMMFWNhLnlpbnpoZW5namll
Lm9yZy5jbjAeFw0xOTEyMjEwNjI3NThaFw0yMjA5MTYwNjI3NThaMGQxCzAJBgNV
BAYTAkNOMQ8wDQYDVQQIDAZzaGFueGkxFDASBgNVBAoMC3lpbnpoZW5namllMQ8w
DQYDVQQLDAZkZXZvcHMxHTAbBgNVBAMMFCoueWluemhlbmdqaWUub3JnLmNuMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3oS4M86TovEELm0A7JoDtjQNa4hVN
BZjM9R3vuyYy0z6mR/htJCM1I/0JzFttJSOWNJCSq1/qriEHZyxREOQ0Xwj/6wrq
KvpvR3GI+9G0fmWpUrqHLhwP9lVWQubFyjVkjJZ2x13gtteZ5Re4lf/7IsqZzNN8
bHDEsPfzhzKiRQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU0PJNDjLl/w2s
UbKzfCMS8qsxwXQwHwYDVR0jBBgwFoAUYT5G8Oq+f9qLpHr2iTXwmmW8BRMwDQYJ
KoZIhvcNAQELBQADggEBAClIfzj+5cKt/dzCvAs4iPuZqC7caYz2qSQtKsEnu1Bc
FnAlH0qow6UhGnkwrA6IggTd+BQiVr38z4aKz36IejS+pz9YBcwzlXFvUzlcxwv6
xWbSL9zT9IYBU/JjGwz8PMGSwsgk7Sp2Ozcgk+FHcSZdP7/VA2LCSdiE3f4cg2BD
iHe3yPI+lWPRV2z2BT23/NmAvq05ovF/uEZZsi4hp4ZT4XpDlZscM32EA12Yzshv
6wF+1YKRyeqgsWc5OyH3wlCPjbKgksbd83aF3jp3AyY+wrAnyrFEL/3idZac3PPl
1iRiZUQ6QiwITBiHQbcJTmi/nBwM8M5Qr74zp+qYv68=
-----END CERTIFICATE-----
#
# </pre>
</div>
# cat newcerts/0F.pem 　　　　　　　　　　　　　　#查看证书信息，也可以直接查看myapp.crt证书文件，因为它们是一样的</div>
3>.将证书下载到windows操作系统查看
<div class="cnblogs_code">
<pre># sz certs/myapp.crt　　　　　　　　　#如下图所示，下载文件到本地，下载时选择crt结尾的，其实下载0F.pem也可以（因为文件内容相同），但windows识别crt格式的文件可以直接查看。

# </pre>
</div>
<img alt="" data-src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221144109394-726770748.png">
 4>.颁发证书后查看文件内容变更
<div class="cnblogs_code">
<pre># tree
.
├── cacert.pem
├── certs
│ └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
#
# cat index.txt　　　　　　#该文件记录了证书文件相关信息，首字母"V"表示证书有效，若证书被吊销的话，可能首字母是"R"
V 220916062758Z 0F unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
#
# cat serial
10
# 
# cat index.txt.old 　　　　#存放之前版本的信息
#
# cat serial.old 　　　　　　#存放之前的版本信息
0F
#
# cat index.txt.attr 　　　　#如果看到"unique_subject=yes"想必大家也猜到啥意思了，没错它规定了证书必须是唯一性的，也就是说我们不能对同一个证书请求多次颁发证书文件。
unique_subject = yes
# </pre>
</div>
 
五.windows导入咱们自己生成自签名证书
1>.如下图所示，咱们的操作系统"无法找到该证书的颁发者。",因此我们可以考虑将"*.yinzhengjie.org.cn"证书的颁发者证书也下载到本地导入并安装
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221144352245-1641286702.png"> 
2>.下载CA服务器证书到本地并更名为"*.crt"或者"*.cer"文件后缀,如下图所示（紧接着安装证书）
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145013877-1999325802.png">
3>.如下图所示，点击"安装证书"会弹出右侧的对话框，继续点击"下一步"
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145121080-1832723295.png">
4>.如下图所示，将我们的证书选择为"受信任的根证书颁发机构"
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145254465-124525331.png">
5>.配置完成后，点击"下一步"
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145358695-1133526555.png">
6>.继续点击"完成"
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145418809-791088508.png">
7>.接下来会弹出如下图所示的对话框以确认安装证书提示，点击"是"
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145549509-1291414763.png">
8>.点击"确定"，证书导入成功
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145622775-1603997724.png">
9>.证书安装完成后，再次打开证书查看相应信息，如下图所示
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221145738151-588041505.png">
 
六.使用openssl命令在命令行查看证书信息
1>.将证书文件拷贝到客户端
<div class="cnblogs_code">
<pre># ll
total 24
-rw-r--r--1 root root 1363 Dec 21 13:07 cacert.pem
drwxr-xr-x. 2 root root 23 Dec 21 14:26 certs
drwxr-xr-x. 2 root root 6 Oct 312018 crl
-rw-r--r--1 root root 92 Dec 21 14:30 index.txt
-rw-r--r--1 root root 21 Dec 21 14:30 index.txt.attr
-rw-r--r--1 root root 0 Dec 21 14:26 index.txt.old
-rw-r--r--1 root root668 Dec 21 13:58 myapp.csr
drwxr-xr-x. 2 root root 20 Dec 21 14:30 newcerts
drwx------. 2 root root 23 Dec 21 13:02 private
-rw-r--r--1 root root 3 Dec 21 14:30 serial
-rw-r--r--1 root root 3 Dec 21 14:27 serial.old
#
# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
#
# scp certs/myapp.crt root@node108.yinzhengjie.org.cn:/data/ssl
myapp.crt 100% 3771 5.1MB/s 00:00
# </pre>
</div>
2>.客户端查看证书信息
<div class="cnblogs_code">
<pre># ll /data/ssl/
total 12
-rw-r--r-- 1 root root 3771 Dec 21 15:01 myapp.crt
-rw-r--r-- 1 root root668 Dec 21 13:53 myapp.csr
-rw------- 1 root root887 Dec 21 13:20 myapp.key
#
# openssl x509 -in /data/ssl/myapp.crt -noout -text　　　　　　　　　　#以文本方式在客户端查看证书信息
Certificate:
Data:
 Version: 3 (0x2)
 Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
 Issuer: C=CN, ST=shanxi, L=ankang, O=yinzhengjie, OU=devops, CN=ca.yinzhengjie.org.cn
 Validity
 Not Before: Dec 21 06:27:58 2019 GMT
 Not After : Sep 16 06:27:58 2022 GMT
 Subject: C=CN, ST=shanxi, O=yinzhengjie, OU=devops, CN=*.yinzhengjie.org.cn
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (1024 bit)
 Modulus:
 00:b7:a1:2e:0c:f3:a4:e8:bc:41:0b:9b:40:3b:26:
 80:ed:8d:03:5a:e2:15:4d:05:98:cc:f5:1d:ef:bb:
 26:32:d3:3e:a6:47:f8:6d:24:23:35:23:fd:09:cc:
 5b:6d:25:23:96:34:90:92:ab:5f:ea:ae:21:07:67:
 2c:51:10:e4:34:5f:08:ff:eb:0a:ea:2a:fa:6f:47:
 71:88:fb:d1:b4:7e:65:a9:52:ba:87:2e:1c:0f:f6:
 55:56:42:e6:c5:ca:35:64:8c:96:76:c7:5d:e0:b6:
 d7:99:e5:17:b8:95:ff:fb:22:ca:99:cc:d3:7c:6c:
 70:c4:b0:f7:f3:87:32:a2:45
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 D0:F2:4D:0E:32:E5:FF:0D:AC:51:B2:B3:7C:23:12:F2:AB:31:C1:74
 X509v3 Authority Key Identifier:
 keyid:61:3E:46:F0:EA:BE:7F:DA:8B:A4:7A:F6:89:35:F0:9A:65:BC:05:13

Signature Algorithm: sha256WithRSAEncryption
 29:48:7f:38:fe:e5:c2:ad:fd:dc:c2:bc:0b:38:88:fb:99:a8:
 2e:dc:69:8c:f6:a9:24:2d:2a:c1:27:bb:50:5c:16:70:25:1f:
 4a:a8:c3:a5:21:1a:79:30:ac:0e:88:82:04:dd:f8:14:22:56:
 bd:fc:cf:86:8a:cf:7e:88:7a:34:be:a7:3f:58:05:cc:33:95:
 71:6f:53:39:5c:c7:0b:fa:c5:66:d2:2f:dc:d3:f4:86:01:53:
 f2:63:1b:0c:fc:3c:c1:92:c2:c8:24:ed:2a:76:3b:37:20:93:
 e1:47:71:26:5d:3f:bf:d5:03:62:c2:49:d8:84:dd:fe:1c:83:
 60:43:88:77:b7:c8:f2:3e:95:63:d1:57:6c:f6:05:3d:b7:fc:
 d9:80:be:ad:39:a2:f1:7f:b8:46:59:b2:2e:21:a7:86:53:e1:
 7a:43:95:9b:1c:33:7d:84:03:5d:98:ce:c8:6f:eb:01:7e:d5:
 82:91:c9:ea:a0:b1:67:39:3b:21:f7:c2:50:8f:8d:b2:a0:92:
 c6:dd:f3:76:85:de:3a:77:03:26:3e:c2:b0:27:ca:b1:44:2f:
 fd:e2:75:96:9c:dc:f3:e5:d6:24:62:65:44:3a:42:2c:08:4c:
 18:87:41:b7:09:4e:68:bf:9c:1c:0c:f0:ce:50:af:be:33:a7:
 ea:98:bf:af
#
# </pre>
</div>
 
七.吊销证书
1>.吊销证书
<div class="cnblogs_code">
<pre># tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
#
# cat index.txt　　　　　　　　#注意第一个字母是"V",说明该证书是可以正常使用的
V 220916062758Z 0F unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
#
# openssl ca -revoke certs/myapp.crt 　　　　　　#我们将指定的证书吊销
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
#
# cat index.txt　　　　　　　　　　#注意观察第一个字母是"R"，说明该证书已经被吊销了
R 220916062758Z 191221071820Z 0F unknown /C=CN/ST=shanxi/O=yinzhengjie/OU=devops/CN=*.yinzhengjie.org.cn
# </pre>
</div>
2>.生成吊销证书列表CRL
<div class="cnblogs_code">
<pre># tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 11 files
#
# openssl ca -gencrl -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140432981714832:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
140432981714832:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
#
# echo FF > crlnumber　　　　　　　　　　　　　　　　#根据报错可知是缺少证书吊销列表的编号文件
#
# openssl ca -gencrl -out crl.pem　　　　　　　　#生成证书吊销列表
Using configuration from /etc/pki/tls/openssl.cnf
#
# cat crlnumber
0100
#
#
# tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
#
# </pre>
</div>
3>.查看已经被吊销的证书列表
<div class="cnblogs_code">
<pre># tree
.
├── cacert.pem
├── certs
│   └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
#
# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
 Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
 Issuer: /C=CN/ST=shanxi/L=ankang/O=yinzhengjie/OU=devops/CN=ca.yinzhengjie.org.cn
 Last Update: Dec 21 07:22:48 2019 GMT
 Next Update: Jan 20 07:22:48 2020 GMT
 CRL extensions:
 X509v3 CRL Number:
 255
Revoked Certificates:
Serial Number: 0F
 Revocation Date: Dec 21 07:18:20 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
 b5:05:5a:ee:3d:e2:7c:d8:11:12:36:a3:01:43:b8:a7:c4:65:
 da:a7:87:9f:ff:17:c0:46:45:5e:ca:6e:46:f6:30:ed:e0:58:
 db:74:36:92:c0:52:95:a7:17:c8:f6:f5:ea:73:ec:35:1b:18:
 38:3e:b6:24:69:f5:12:8c:05:06:af:61:aa:76:2e:6c:ac:6c:
 8b:72:12:9d:1a:c1:8e:65:b0:cb:07:97:2f:00:15:99:61:76:
 cd:80:ba:1b:12:db:e5:c1:8f:ea:cd:ce:53:24:e7:ad:4c:2b:
 81:43:89:ab:fa:7e:e9:1e:f1:49:b4:87:20:31:a9:c6:24:ef:
 91:31:c5:05:1b:05:70:28:ce:5e:4d:ef:83:62:ff:ea:f6:2e:
 30:ee:cd:4f:ed:0a:a5:06:c4:83:47:75:61:d7:41:8f:b0:11:
 40:5b:0d:8c:20:c4:1f:22:1d:5e:a9:c2:a2:ba:84:6d:e8:5e:
 19:77:79:0a:fe:70:f2:8f:29:94:fa:f6:36:d0:b4:a2:d8:69:
 6f:ab:25:ae:28:43:5c:ef:ec:8d:28:51:b1:f7:d5:42:01:4e:
 02:c8:55:65:3c:c4:2c:a9:65:1e:65:86:94:5a:22:b9:2a:b1:
 f7:26:3f:4b:1f:3b:06:5c:48:96:ba:8c:5c:8f:80:86:f6:5e:
 c7:1d:61:e4
# </pre>
</div>
4>.将已经吊销的证书文件拷贝到windows操作系统
<div class="cnblogs_code">
<pre># sz crl.pem 　　　　　　　　　　#下载到windows操作系统后，由于操作系统不识别因此我们得修改文件后缀，如下图所示。

# </pre>
</div>
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221153243615-520952212.png">
<div class="cnblogs_code">
<pre>　　如下图所示，我们可以查看已经被吊销的证书列表。</pre>
</div>
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221153320952-1604153221.png">
 
八.验证证书的合法性
1>.验证CA自签名的证书合法性
<div class="cnblogs_code">
<pre># tree
.
├── cacert.pem
├── certs
│?? └── myapp.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── myapp.csr
├── newcerts
│?? └── 0F.pem
├── private
│?? └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
#
# openssl verify -CAfile cacert.pem certs/myapp.crt 　　　　　　#很显然，咱们服务器自签名的证书是合法的，输出是"OK"
certs/myapp.crt: OK
#
# </pre>
</div>
2>.验证"*cnblogs.com"证书的合法性
<div class="cnblogs_code">
<pre># ll cnblog.crt.cer
-rw-r--r-- 1 root root 1424 Dec 21 15:40 cnblog.crt.cer
#
# openssl verify -CAfile cacert.pem cnblog.crt.cer
unable to load certificate
140288852195216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE
#
# </pre>
</div>
<img src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191221153918340-932453380.png">
 

</div>
<div id="MySignature" role="contentinfo">
本文来自博客园，作者：尹正杰，转载请注明原文链接：https://www.cnblogs.com/yinzhengjie/p/12075752.html，个人微信: "JasonYin2020"（添加时请备注来源及意图备注，有偿付费） 

当你的才华还撑不起你的野心的时候，你就应该静下心来学习。当你的能力还驾驭不了你的目标的时候，你就应该沉下心来历练。问问自己，想要怎样的人生。 
来源：https://www.cnblogs.com/yinzhengjie/p/12075752.html

頁: [1]

琼殿技术论坛's Archiver

Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇