CA认证和证书

一些概念:

PKI:Public Key Infrastructure

  • 签证机构:CA(Certificate Authority)
  • 注册机构:RA(Register Authority)
  • 证书吊销列表:CRL(Certificate Revoke Lists)
  • 证书存取库

X.509:定义了证书的结构和认证协议的标准。包括版本号、序列号、签名算法、颁发者、有效期限、主体名称、主体公钥、CRL分发点、扩展信息、发行者签名等

获取证书的两种方法:

  • 使用证书授权机构
    • 生成签名请求(csr)
    • 将csr发送给CA
    • 从CA处接收签名
  • 自签名的证书
    • 自已签发自己的公钥

重点介绍一下自建CA颁发机构和自签名。

自建CA颁发机构和自签名

实验用两台服务器,一台做ca颁发证书,一台去请求签名证书。

证书申请及签署步骤:

  1. 生成申请请求
  2. CA核验
  3. CA签署
  4. 获取证书

我们先看一下openssl的配置文件:/etc/pki/tls/openssl.cnf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
[ ca ]
default_ca = CA_default # The default ca section(默认的CA配置,是CA_default,下面第一个小节就是)
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (dir变量)
certs = $dir/certs # Where the issued certs are kept(认证证书目录)
crl_dir = $dir/crl # Where the issued crl are kept(注销证书目录)
database = $dir/index.txt # database index file.(数据库索引文件)
new_certs_dir = $dir/newcerts # default place for new certs.(新证书的默认位置)
certificate = $dir/cacert.pem # The CA certificate(CA机构证书)
serial = $dir/serial # The current serial number(当前序号,默认为空,可以指定从01开始)
crlnumber = $dir/crlnumber # the current crl number(下一个吊销证书序号)
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL(下一个吊销证书)
private_key = $dir/private/cakey.pem# The private key(CA机构的私钥)
RANDFILE = $dir/private/.rand # private random number file(随机数文件)
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options(被颁发者,订阅者选项)
cert_opt = ca_default # Certificate field options(认证字段参数)
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for (默认的有效期天数是365)
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match # 是否匹配规则
# For the CA policy
[ policy_match ]
countryName = match # 国家名是否匹配,match为匹配
stateOrProvinceName = match # 州或省名是否需要匹配
organizationName = match # 组织名是否需要匹配
organizationalUnitName = optional # 组织的部门名字是否需要匹配
commonName = supplied # 注释
emailAddress = optional # 邮箱地址
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

重点关注下面的几个参数:

1
2
3
4
5
6
7
8
9
10
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key

1、创建所需要的文件

touch /etc/pki/CA/index.txt 生成证书索引数据库文件

echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号,16进制数,比如可以从1a开始,一般从01开始。

2、CA自签证书

在作为CA的服务器上操作:

  • 生成私钥
1
(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

  • 生成自签名证书
1
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

参数解析:

  • -new: 生成新证书签署请求
  • -x509: 专用于CA生成自签证书
  • -key: 生成请求时用到的私钥文件
  • -days n:证书的有效期限
  • -out /PATH/TO/SOMECERTFILE: 证书的保存路径

3、颁发证书

  • 在需要使用证书的主机生成证书请求。

比如给一台作为博客web服务的服务器生成私钥:

1
(umask 066; openssl genrsa -out /etc/pki/tls/private/blog.key 4096)

生成证书申请文件

1
openssl req -new -key /etc/pki/tls/private/blog.key -days 3560 -out /etc/pki/tls/blog.csr

和CA生成证书的区别是没有-x509参数,加了-x509就是CA自签名证书

  • 将证书请求文件传输给CA
1
scp /etc/pki/tls/blog.csr [email protected]:/tmp/

  • CA签署证书,并将证书颁发给请求者
1
openssl ca -in /tmp/blog.csr –out /etc/pki/CA/certs/blog.crt -days 365

注意:默认国家,省,公司名称三项必须和CA一致

  • blog.crt证书回传给申请者,申请者可以使用此证书。

证书可以放在网站里,比如tomacat服务有专门存放证书的地方,还有可能需要转化格式,此处使用方法暂略

4、吊销证书

  • 在客户端获取要吊销的证书的serial
1
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
  • 在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书:
1
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
  • 指定第一个吊销证书的编号

注意:这里只有在第一次更新证书吊销列表前,才需要执行指定编号。

1
echo 01 > /etc/pki/CA/crlnumber
  • 更新证书吊销列表
1
openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
  • 查看crl文件:
1
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text