一、私有 CA 搭建

1. 安裝openssl

# 安裝依賴
sudo yum install -y build-essential zlib1g-dev libssl-dev

# 下載，解壓，編譯，安裝
wget https://www.openssl.org/source/old/3.1/openssl-3.1.1.tar.gz

tar -xf openssl-3.1.1.tar.gz 

cd openssl-3.1.1

./config --prefix=/usr/local/ssl -Wl,-rpath=/usr/local/ssl/lib

make

sudo make install

# 驗(yàn)證
ls /usr/local/ssl/bin/

# 配置環(huán)境變量
sudo vi /etc/profile

export PATH=/usr/local/ssl/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH

# 激活環(huán)境
source /etc/profile

# 驗(yàn)證安裝
openssl version -a

2. 配置 openssl

# 修改 openssl.cnf  ，完整的 openssl.cnf 文件內(nèi)容附加在最后
sudo vim /usr/lib/ssl/openssl.cnf

修改內(nèi)容如下：

[ CA_default ]
dir = /etc/pki/CA                       # 存放和CA相關(guān)的文件的目錄（CentOS7這個(gè)文件默認(rèn)存在）

# 創(chuàng)建目錄
sudo mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}

# 證書的數(shù)據(jù)庫文件：存放證書的頒發(fā)等信息，不需要人工維護(hù)里面的內(nèi)容，只需要?jiǎng)?chuàng)建對應(yīng)的文件就行了，會自動(dòng)往里面寫入數(shù)據(jù)的
sudo touch /etc/pki/CA/index.txt

# 頒發(fā)證書的序號（十六進(jìn)制）：第一個(gè)證書頒發(fā)的時(shí)候使用的就是這個(gè)編號，后續(xù)會自動(dòng)遞增
sudo su && sudo echo 01 > /etc/pki/CA/serial

# 吊銷證書的序號（十六進(jìn)制）：第一個(gè)證書吊銷的時(shí)候使用的就是這個(gè)編號，后續(xù)會自動(dòng)遞增
sudo su && sudo echo 01 > /etc/pki/CA/crlnumber

3. 生成 CA 自己的私鑰

# 生成 CA 自己的私鑰
sudo openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048

4. 生成 CA 自己的自簽證書

# 生成 CA 自己的自簽證書
sudo openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

選項(xiàng):
-new：創(chuàng)建一個(gè)新的證書，生成新證書簽署請求
-x509：表示證書的格式，專用于CA生成自簽證書
-key：生成請求時(shí)用到的私鑰文件
-days n：證書的有效期限
-out /PATH/TO/SOMECERTFILE: 證書的保存路徑

5. 驗(yàn)證自簽證書

# 查看證書信息
sudo openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

二、向私有CA申請證書流程

1. 生成應(yīng)用私鑰文件

# 生成應(yīng)用的私鑰文件
sudo mkdir -p /data/app1 && sudo openssl genrsa -out /data/app1/app1.key 2048

2. 根據(jù)應(yīng)用私鑰生成證書申請文件

# 根據(jù)應(yīng)用私鑰生成證書申請文件
sudo openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr

	* 采用 match 策略, 默認(rèn)有三項(xiàng)內(nèi)容必須和CA一致：國家，省份，組織，如果不同，會出現(xiàn)提示
	* 采用的是 option 策略的話就不用保持一致都可以，具體使用哪種模式在 openssl.cnf 配置

3. 向CA請求頒發(fā)證書

# 根據(jù)應(yīng)用的證書申請文件通過 ca 簽名頒發(fā)證書，利用證書申請文件中的用戶私鑰來實(shí)現(xiàn)數(shù)字簽名
sudo openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000

4. 驗(yàn)證應(yīng)用證書

# 查看證書信息
sudo openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text

# 查看證書的有效性
sudo openssl ca -status 01  # 01 是證書的標(biāo)號（Serial Number）

證書文件后綴后綴規(guī)定：
.crt # certificate的縮寫，即證書。證書文件的標(biāo)識
.csr # Certificate Signing Request，證書簽名請求證書申請文件的標(biāo)識 證書申請完成后，這個(gè)證書申請文件就沒啥用了
.key # 私鑰的標(biāo)識 .pem也是私鑰的標(biāo)識，但是windows不是別pem結(jié)尾的文件
.pem # Privacy Enhanced Mail,打開看文本格式,以"-----BEGIN…"開頭, "-----END…"結(jié)尾,內(nèi)容是BASE64編碼

一個(gè)證書申請文件只能申請一次證書。如果需要實(shí)現(xiàn)一個(gè)申請文件申請多個(gè)證書的方法，需修改 “index.txt.attr” 文件，設(shè)置 unique_subject = yes

5. 吊銷證書

# 吊銷證書
sudo openssl ca -revoke /PATH/FILE

三、遇到的問題及解決方案

1. 報(bào)錯(cuò)：Can’t load /root/.rnd into RNG 139881994547648:error:2406F079:random number generator:RAND_load_file:Cannot open file:…/crypto/rand/randfile.c:88:Filename=/root/.rnd

• 1.1 解決方案

cd /root
sudo openssl rand -writerand .rnd

2. 報(bào)錯(cuò)：Can’t open ./demoCA/private/cakey.pem for reading, No such file or directory 140117822038464:error:02001002:system library:fopen:No such file or directory:

…/crypto/bio/bss_file.c:72:fopen(‘./demoCA/private/cakey.pem’,‘r’)文章來源地址http://www.zghlxwxcb.cn/news/detail-646691.html

• 2.1 解決方案
  修改 /usr/lib/ssl/openssl.cnf 文件 的 dir 屬性為自己的 ca 相關(guān)文件存放路徑

四、附件

1. openssl.cnf 文件內(nèi)容

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1       # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir             = /etc/pki/CA           # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256                 # Signing digest to use. (Optional)
default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
ess_cert_id_alg         = sha1  # algorithm to compute certificate
                                # identifier (optional, default: sha1)

到了這里，關(guān)于利用OpenSSL實(shí)現(xiàn)私有 CA 搭建和證書頒發(fā)的文章就介紹完了。如果您還想了解更多內(nèi)容，請?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！