1 Introduction to the CA

  A CA (certificate authority) is the body that issues certificates, and it is the core of a PKI. The CA is responsible for issuing certificates, authenticating certificates, and managing the certificates it has already issued. It must define policies and concrete procedures for verifying and identifying a user's identity and for signing the user's certificate, so that the identity of the certificate holder and their ownership of the public key are guaranteed. For example, when Alice and Bob communicate, an attacker C who can intercept the channel could impersonate Alice to Bob and Bob to Alice, and the information would leak; the CA is what lets each side verify that the other party's identity is genuine. A certificate contains:
  1) information about the certificate holder;
  2) information about the CA;
  3) how the certificate may be used;
  4) the public key.
  PKI (Public Key Infrastructure): its core is the CA.

2 Steps to set up a CA

1) Use openssl to set up a private CA: generate the key and a self-signed certificate.

2) On the node: generate a key pair; generate a certificate signing request; send the request to the CA.

3) On the CA: verify the requester's information; sign the certificate; send the signed certificate back to the requester.

3 Lab steps

1. Set up the CA server and generate the key. The key file must have mode 400 or 600.

[root@localhost private]# (umask 077; openssl genrsa -out /etc/pki/CA/private/ccc.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
.........+++
e is 65537 (0x10001)
[root@localhost private]# ls
cakey.pem  ccc.pem

This has to be done in the /etc/pki/CA/private directory. A cakey.pem had already been generated there earlier; this time the file ccc.pem is used.


2. req: generate a certificate signing request

   -x509   produce a self-signed certificate instead of a request

   -days X valid for X days

   -new    new request

   -key /path/to/keyfile   specify the private key file

   -out /path/to/somefile  specify the file the output is written to

Self-signed certificate:

[root@localhost private]# openssl req -new -x509 -key /etc/pki/CA/private/ccc.pem -out /etc/pki/CA/cace.pem -days 30
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:ZZC
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:localhost.localdomain
Email Address []:cc.ccc.com
[root@localhost private]# ls
cakey.pem  ccc.pem
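As an added example (not the post's own commands): the -new and -x509 options above applied to keys of the same kind, together with the checks a CA operator wants before signing a request (the CSR's own signature verifies, and the public key inside it matches the private key the node holds) and one check on the self-signed result (issuer equals subject). It assumes only the openssl command-line tool; the temporary directory, the small req.cnf it writes, and the subjects and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the post's own commands): what the req options produce
# from one key, plus checks on the results. Assumes only the openssl CLI;
# every path and subject below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config: req insists on a distinguished_name section even with -subj,
# and v3_ca marks the -x509 output as a CA certificate.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF

# genrsa under umask 077 so the key lands with mode 0600, as the post requires.
gen_key() { (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null); }

# -new without -x509: a certificate signing request that a CA still has to sign.
make_csr() {  # $1 = key, $2 = out, $3 = subject
  openssl req -new -config "$WORK/req.cnf" -key "$1" -out "$2" -subj "$3"
}

# -new -x509: the key signs its own certificate, valid for $4 days; no CA involved.
make_self_signed() {  # $1 = key, $2 = out, $3 = subject, $4 = days
  openssl req -new -x509 -config "$WORK/req.cnf" -key "$1" -out "$2" \
    -subj "$3" -days "$4"
}

# What a CA should check before signing: the CSR's self-signature is valid and
# the public key inside it belongs to the private key offered with it.
csr_matches_key() {  # $1 = csr, $2 = key
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# A self-signed certificate names itself as issuer: subject and issuer are equal.
is_self_signed() {  # $1 = cert
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

gen_key "$WORK/ca.key"
make_self_signed "$WORK/ca.key" "$WORK/ca.pem" "/C=CN/ST=HA/O=ZZC/CN=demo-ca" 30
gen_key "$WORK/node.key"
make_csr "$WORK/node.key" "$WORK/node.csr" "/C=CN/ST=HA/O=ZZC/CN=www.example.test"
gen_key "$WORK/other.key"   # an unrelated key, to show the match check failing

openssl x509 -in "$WORK/ca.pem" -noout -subject -issuer -dates
openssl req -in "$WORK/node.csr" -noout -subject
is_self_signed "$WORK/ca.pem" && echo "ca.pem: self-signed"
csr_matches_key "$WORK/node.csr" "$WORK/node.key" && echo "node.csr: matches node.key"
csr_matches_key "$WORK/node.csr" "$WORK/other.key" || echo "node.csr: does not match other.key"
```

The public-key comparison is the cheap way to catch a request that was generated against a different key than the one the node will later serve with; the verify step catches a request that was altered after it was generated.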

3. Initialize the environment

[root@localhost private]# touch /etc/pki/CA/{index1.txt,serial1}
[root@localhost private]# echo 01 > /etc/pki/CA/serial1

4. The node applies for a certificate

1) Generate the key pair

[root@stu31 ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/htt.key 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
.............+++
e is 65537 (0x10001)

This key pair is generated on a different host.

2) Generate the certificate signing request

[root@stu31 ssl]# openssl  req -new -key /etc/httpd/ssl/htt.key  -out /etc/httpd/ssl/htt.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:ZZX
Organizational Unit Name (eg, section) []:localhost.localdomain
Common Name (eg, your name or your server's hostname) []:cc.ccc.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


3) Send the signing request to the CA server

[root@stu31 ssl]# scp htt.csr 172.16.249.55:/etc/pki/CA/csr/
root@172.16.249.55's password: 
htt.csr                                                          100% 1009     1.0KB/s   00:00


5. The CA signs the certificate

[root@localhost CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (Henan) and the request (HA)

If the two do not match, the CA will not sign, so the request has to be generated again with: openssl req -new -key /etc/httpd/ssl/htt.key -out /etc/httpd/ssl/htt.csr


[root@localhost CA]# openssl ca -in csr/htt.csr -out csr/htt.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Aug  1 05:37:57 2014 GMT
            Not After : Aug 31 05:37:57 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = localhost.localdomain
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                90:AB:55:BA:57:63:2E:06:93:FD:EA:50:4B:9E:5B:40:C1:56:43:6E
            X509v3 Authority Key Identifier: 
                keyid:59:50:01:C7:01:0A:49:70:21:71:AE:A4:26:94:25:78:1A:EA:35:14

Certificate is to be certified until Aug 31 05:37:57 2014 GMT (30 days)
Sign the certificate? [y/n]:


6. Send the certificate to the requester

[root@localhost CA]# scp csr/htt.crt 172.16.31.1:/root
root@172.16.31.1's password: 
htt.crt                                                          100% 4556     4.5KB/s   00:00  

[root@stu31 ~]# mv htt.crt  /etc/httpd/ssl

The requesting host puts the certificate into the /etc/httpd/ssl directory.
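The whole cycle from section 2 (CA key and self-signed certificate, node key and request, CA signs, node verifies and installs) as one added end-to-end example; these are not the post's commands. It assumes only the openssl command-line tool; the temporary directory, the openssl.cnf it writes, and the subjects and file names are all constructed here. It carries its own config because the post's `openssl ca` command reads /etc/pki/tls/openssl.cnf, whose [CA_default] section points at private/cakey.pem, cacert.pem, index.txt and serial; files with other names such as ccc.pem, cace.pem, index1.txt and serial1 are not what that command uses unless the config is edited or -keyfile and -cert are passed. The example also reproduces the refusal seen in step 5 by submitting a request whose stateOrProvinceName differs from the CA certificate's, then signs a matching request and checks that the result chains to the CA and carries CA:FALSE.

```shell
#!/bin/sh
# Added example (not the post's own commands): one complete CA cycle in a
# throwaway directory with an explicit openssl.cnf. Assumes only the openssl
# command-line tool; every path, subject and file name here is constructed.
set -eu

CA_DIR="$(mktemp -d)"
trap 'rm -rf "$CA_DIR"' EXIT

# CA side: layout, empty database, first serial, config, key, self-signed root.
setup_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/csr"
  touch "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $CA_DIR
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 30
policy          = policy_match
x509_extensions = usr_cert
# Same rule the post hit in step 5: C, ST and O must equal the CA cert's.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
EOF
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 365 -config "$CA_DIR/openssl.cnf" \
    -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
    -subj "/C=CN/ST=Henan/O=MageEdu/CN=demo-ca"
}

# Node side: 0600 key pair plus a signing request with the given subject.
make_request() {  # $1 = name, $2 = subject
  (umask 077; openssl genrsa -out "$CA_DIR/csr/$1.key" 2048 2>/dev/null)
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/csr/$1.key" \
    -out "$CA_DIR/csr/$1.csr" -subj "$2"
}

# CA side: sign one request. Exit status is non-zero when ca refuses it.
sign_request() {  # $1 = name
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 30 \
    -in "$CA_DIR/csr/$1.csr" -out "$CA_DIR/csr/$1.crt"
}

# Node side, before installing: chains to our root and is not itself a CA.
verify_issued() {  # $1 = name
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/csr/$1.crt" &&
    openssl x509 -in "$CA_DIR/csr/$1.crt" -noout -text | grep -q 'CA:FALSE'
}

setup_ca
make_request bad  "/C=CN/ST=HA/O=MageEdu/CN=www.example.test"     # ST differs
make_request good "/C=CN/ST=Henan/O=MageEdu/CN=www.example.test"
if sign_request bad; then echo "unexpected: mismatched request was signed"; exit 1; fi
sign_request good
verify_issued good
echo "serial counter now: $(cat "$CA_DIR/serial")"   # 02 after one issue
```

Running it prints the policy refusal for the first request and the Certificate Details for the second; the serial file ends at 02 because ca only advances it after a successful issue, and the matching entry lands in index.txt, which is the CA's record of what it has signed.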



That completes one CA signing cycle. Good luck!