1. 创建环境
环境:Centos7
OpenSSL的配置文件:/etc/pki/tls/openssl.cnf
# Excerpt of the OpenSSL configuration that drives `openssl ca`.
# NOTE(review): the excerpt does not show the `policy = ...` line that selects
# policy_match or policy_anything, nor the default digest or validity settings;
# confirm those in the full file before issuing certificates.
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where all CA-related files are kept
certs = $dir/certs # Where the issued certificates are kept
crl_dir = $dir/crl # Where certificate revocation lists are kept
database = $dir/index.txt # Index database file of issued certificates
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate (carries the CA public key)
serial = $dir/serial # The current serial number (serial of the next certificate to issue)
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key (the CA's signing key; keep it owner-readable only)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# The three policy values used above are match, supplied and optional:
#   match    - the field in the request must equal the same field of the CA certificate
#   supplied - the field must be present in the request
#   optional - the field may be present or omitted
2. 部署CA中心的相关信息
1)创建索引数据库文件index.txt
与序列文件serial
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# ls
certs crl newcerts private
[root@localhost CA]# touch index.txt # 生成证书索引数据库文件
[root@localhost CA]# echo 01 > serial # 指定第一个证书的序列号,01为十六进制
[root@localhost CA]# ls
certs crl index.txt newcerts private serial
[root@localhost CA]# cat serial
01
2)创建CA中心的私钥
此处的 umask 用于设置新建文件的默认权限;把命令放在括号(子shell)里执行,umask 077 只对这一条命令生效,生成的私钥文件只有属主可读写。
A umask of 077 is good for a completely private system. No other user can read or write your data if umask is set to 077.
[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................................................................................................................................++
.........................++
e is 65537 (0x10001)
[root@localhost CA]# ls
certs crl index.txt newcerts private serial
[root@localhost CA]# cd private
[root@localhost private]# ls
cakey.pem
[root@localhost private]# ll
总用量 4
-rw------- 1 root root 3243 4月 11 19:49 cakey.pem # 可以看到 只有owner有rw两个权限
3)生成CA的自签证书
请注意证书信息的正确填写
[root@localhost private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 # 通过CA私钥为CA生成x509标准的自签证书,有效期为3650天
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:Your Unit Name
Common Name (eg, your name or your server's hostname) []:Your hostname
Email Address []:camaster@admin.com
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
4)查看CA中心的自签名证书
我们会看到如下格式的自签名证书:
[root@localhost CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c8:f6:2b:4f:e8:5f:bd:7c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=Your Company Name, OU=Your Unit Name, CN=Your Hostname/emailAddress=camaster@admin.com
Validity
Not Before: Apr 12 03:08:14 2019 GMT
Not After : Apr 9 03:08:14 2029 GMT
Subject: C=CN, ST=Beijing, L=Beijing, O=Your Company Name, OU=Your Unit Name, CN=Your Hostname/emailAddress=camaster@admin.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:9d:4b:5c:34:a6:e2:7f:c9:dc:c3:7e:6a:bb:c7:
e0:fc:d5:e0:fa:fe:7d:85:50:d0:2c:c4:a2:6c:f9:
6a:66:d0:0a:9b:46:39:47:3a:93:b1:c2:5e:51:3f:
17:36:5d:16:7d:a8:19:d9:f6:69:e5:75:84:03:ac:
aa:d3:e4:b7:b5:bf:6f:b2:1c:29:c5:94:01:97:40:
c9:52:fa:5a:5f:11:77:f9:db:aa:dd:15:32:8a:37:
77:8a:40:10:87:f4:72:31:67:1b:87:86:47:22:99:
76:a1:0c:06:be:a8:9f:49:e1:54:4b:84:98:a5:63:
85:6a:a2:dd:82:23:4e:56:5e:2f:06:b5:b2:03:42:
85:91:b0:d0:93:d9:5e:30:05:84:f5:11:8e:e5:97:
21:08:bf:4c:47:db:83:07:6f:b9:89:c5:93:05:1f:
87:eb:33:84:68:23:6e:11:66:b0:a1:03:56:f4:11:
80:5b:4e:ff:d9:bb:56:1b:88:ca:bc:d3:d1:47:9e:
ab:6d:36:45:5c:ac:04:6f:25:2f:e2:c1:08:40:09:
33:fe:08:10:ce:c3:1e:04:8e:3e:6d:49:28:00:92:
00:f0:59:71:11:9f:8c:3b:4c:9b:2d:5a:d2:00:7c:
4d:9a:54:89:c0:9d:24:e6:60:6e:ae:78:02:03:f1:
0d:33:e4:93:ae:8c:dc:3a:bb:5d:18:b7:56:7b:12:
25:f5:d0:bb:0b:36:4f:08:19:59:bf:04:bc:a7:8b:
a5:81:68:54:a9:9e:27:04:a0:de:38:60:7e:16:8b:
86:94:30:f9:6a:b3:11:21:9e:a7:95:3d:2a:40:d7:
d4:d0:a7:19:db:03:6f:db:76:a6:5b:51:72:a1:24:
d5:cc:e3:c3:ca:ff:e2:d8:29:67:21:68:da:ee:af:
f8:3b:98:e0:05:10:ed:87:f4:72:f4:d9:ab:81:cc:
46:20:f8:19:bc:ac:6b:c6:de:36:a1:19:a1:fe:c3:
eb:18:36:5d:29:c0:f8:06:32:13:60:55:9c:04:ce:
2a:ce:84:aa:a9:d2:9f:8e:fd:a9:00:23:2f:3d:1a:
2e:7d:a5:79:5b:d6:bc:84:94:c6:f2:74:cc:58:c8:
8b:ef:a0:d1:90:74:98:6a:6f:5a:46:3a:62:19:05:
3d:62:68:f8:67:e0:64:b8:67:89:28:b7:aa:59:15:
bb:b5:19:b2:15:3d:d8:fb:10:dd:e3:14:23:b5:0d:
5b:8a:84:de:d7:c3:0d:9d:37:67:f3:e1:72:16:63:
ec:87:10:36:8f:5c:7b:3e:2c:41:0c:3f:46:40:67:
5f:30:f8:d4:1b:01:be:9e:f7:e9:8a:a7:52:83:fc:
9c:96:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
99:F0:2F:E6:4E:6B:03:11:40:C7:83:2E:7E:48:AD:FB:2C:4F:85:AC
X509v3 Authority Key Identifier:
keyid:99:F0:2F:E6:4E:6B:03:11:40:C7:83:2E:7E:48:AD:FB:2C:4F:85:AC
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
3e:9f:e1:19:c7:f2:63:eb:bd:7f:77:4c:4c:61:50:60:91:5d:
6d:25:5c:39:7e:53:83:b2:5e:7a:56:1b:45:f3:34:6c:2c:2f:
c8:ec:58:22:23:cd:71:0e:dc:7a:17:10:0c:2c:c2:3f:e0:f1:
dd:67:02:72:36:96:c5:3c:d0:ad:84:d0:59:9b:6b:25:d3:a4:
ee:df:f9:68:b2:54:98:4e:03:2b:c3:5b:23:48:39:d3:8e:41:
4f:ca:8a:d0:ae:12:1f:56:54:d0:fe:88:57:bb:c1:db:d9:54:
e6:86:d5:62:7c:bf:4a:21:b9:4c:b3:06:8e:e8:b7:63:bb:9c:
f6:87:f2:d7:84:4e:aa:33:2a:87:d1:3e:fb:5a:b8:08:41:1d:
3a:55:6e:e7:5d:d7:d8:58:09:e5:89:30:04:b6:45:5b:33:74:
d5:8a:40:f7:07:6b:7e:64:40:2e:dc:63:65:83:fb:52:0f:51:
a8:d0:f6:6f:cd:fc:1b:6a:06:2e:3f:57:6c:2f:6f:6c:c1:ba:
d7:03:7e:95:c2:30:f1:62:bb:52:a0:cc:17:8d:e0:f6:b7:45:
5e:1b:dd:26:ef:50:cc:a7:23:2f:8b:73:ed:12:27:58:14:b3:
23:85:b9:b1:18:68:26:1a:ec:ac:41:82:88:37:d9:23:a4:0d:
4f:78:38:6f:0f:38:3c:7d:28:a4:ed:c7:a4:73:c0:b3:a6:62:
69:a1:54:31:20:f2:e0:6f:ab:23:92:d3:29:fb:c4:ac:b9:34:
d4:df:3a:d2:d0:a3:0c:ab:36:56:93:7e:37:3e:0d:f0:bb:9a:
79:7b:b8:79:ba:9a:4d:1d:4a:55:95:a2:33:1c:72:c3:c0:66:
e6:fa:19:67:60:77:56:b8:8d:ef:68:da:ae:0b:32:b8:1f:54:
87:17:20:93:c9:c4:25:63:c5:0c:65:7a:34:99:69:4a:40:46:
f8:68:e5:f6:3f:fa:5b:34:dd:44:c6:3e:9b:4d:c1:8a:6d:66:
4c:f0:c0:3f:b2:7e:31:84:56:1d:d5:d1:4e:c0:15:ed:61:f3:
e1:50:2b:51:46:b1:fd:32:a9:03:86:c2:b0:d6:aa:b5:e3:ac:
cd:10:c4:84:58:d5:88:33:cb:21:b7:5f:0a:4e:05:f7:0e:2b:
b6:77:63:d2:2f:f6:18:c3:bf:fa:3f:df:ed:52:2a:64:8f:dd:
93:70:7e:fe:6f:5b:f3:9f:c5:34:a6:1f:3e:57:53:0b:af:c4:
98:e7:8c:ed:2c:17:2b:85:2d:6f:22:23:56:d8:e6:cd:97:a6:
17:88:c1:b2:34:f6:5d:f8:77:7b:1a:ad:06:4a:83:d6:44:40:
80:0a:cf:98:d3:29:96:3c
3. 部署节点的信息(私钥、证书请求CSR)
3.1 Centos
假设现有一个服务器节点server
:
1)我们首先生成服务端的私钥server.key
[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/tls/private/server.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................+++
..........................................................+++
e is 65537 (0x10001)
[root@localhost private]# ll
总用量 4
-rw------- 1 root root 1679 4月 11 20:17 server.key
2)利用服务端的私钥生成证书的签署请求server.csr
注意请按照CA的配置文件标准,国家、省和公司名称必须与CA中心一致。命令中的 -days 365 对证书请求不起作用(未使用 -x509 时会被忽略),证书有效期由CA在签发时通过 openssl ca -days 决定。
[root@localhost private]# openssl req -new -key /etc/pki/tls/private/server.key -out /etc/pki/tls/private/server.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# 注意按照CA的配置文件标准,国家、省和公司名称必须与CA中心一致
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:Your Unit Name
Common Name (eg, your name or your server's hostname) []:Your hostname
Email Address []:server@website.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost private]# ls
server.csr server.key
3) 将证书请求传给CA
# 暂时使用scp传输证书请求
[root@localhost private]# scp /etc/pki/tls/private/server.csr [CA_IP]:/etc/pki/CA/csr/
root@[CA_IP]'s password:
server.csr 100% 1074 13.9KB/s 00:00
# 切换到CA,查看收到的server.csr文件
[root@localhost csr]# ll
总用量 4
-rw-r--r-- 1 root root 1074 4月 11 20:35 server.csr
3.2 Debian(作为SSL连接中的Client)
生成Client私钥
# Generate the client's 2048-bit RSA private key. The subshell keeps the
# restrictive umask (077: no access for group or others) local to this command.
(
  umask 077
  openssl genrsa -out /etc/ssl/private/client.key 2048
)
生成证书请求
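# Create the client's certificate signing request from its private key.
# No -days here: without -x509 the option has no effect on a CSR; the validity
# period is chosen by the CA when it signs (openssl ca ... -days N).
openssl req -new -key /etc/ssl/private/client.key -out /etc/ssl/private/client.csr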
4. CA签发证书
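-in 指定证书请求文件;-out 按先前CA配置的设定放在 $dir/certs 文件夹下;-days 指定证书有效期为365天。证书请求是通过scp传到CA的,在回答 Sign the certificate? 之前,应核对输出的 Certificate Details 中的主体信息确实与申请方一致。另外注意下面输出的 X509v3 extensions 中没有 subjectAltName;现代浏览器和TLS库按 subjectAltName 校验主机名,仅靠 commonName 的证书在这些客户端上会校验失败。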
[root@localhost CA]# openssl ca -in /etc/pki/CA/csr/server.csr -out /etc/pki/CA/certs/server.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 12 03:40:43 2019 GMT
Not After : Apr 11 03:40:43 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Your Company Name
organizationalUnitName = Your Unit Name
commonName = Your hostname
emailAddress = server@website.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
15:F3:96:B0:41:AC:16:81:F2:B7:DE:B1:82:6A:74:2E:90:F5:63:8D
X509v3 Authority Key Identifier:
keyid:99:F0:2F:E6:4E:6B:03:11:40:C7:83:2E:7E:48:AD:FB:2C:4F:85:AC
Certificate is to be certified until Apr 11 03:40:43 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# tree
.
├── cacert.pem
├── certs
│ └── server.crt
├── crl
├── csr
│ └── server.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 10 files
[root@localhost CA]# cat index.txt # 可以看到第一签署的证书编号为01,与我们在serial中设定的一致
V 200411034043Z 01 unknown /C=CN/ST=Beijing/O=Your Company Name/OU=Your Unit Name/CN=Your hostname/emailAddress=server@website.com
上面结果通过
tree
命令我们可以看到:1、 serial文件发生了更新(从01到02)
2、
newcerts
文件夹内为CA刚刚签发的server
服务器的证书01.pem
将签署好的证书发还给请求者
[root@localhost CA]# scp /etc/pki/CA/certs/server.crt root@[server_ip]:/etc/pki/tls/certs
root@[server_ip]'s password:
server.crt 100% 5922 75.9KB/s 00:00
此时就可以在服务端查看到证书:
[root@localhost certs]# ll /etc/pki/tls/certs/
总用量 20
...
-rw-r--r-- 1 root root 5922 4月 11 20:48 server.crt
# 查看证书的序列号和主题
[root@localhost certs]# openssl x509 -in server.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=Your Company Name/OU=Your Unit Name/CN=Your hostname/emailAddress=server@website.com
5. 吊销证书
为什么SSL要设置证书有效期,知乎上的这个回答很精辟。
首先是为了安全考虑,CA机构不能保证一个网站永远是合法的,因此它需要定期检查网站。
其次,以往CA证书都非常贵,签发证书的机构通过设置期限来收费,是一种商业途径。
最后,还有最重要的原因就是吊销。
当网站的私钥丢失时,网站应该向证书颁发机构(CA)申请将他们的证书加入到证书吊销列表(CRL)里。当用户访问https站点时,浏览器会自动向CA请求吊销列表,如果用户访问的站点提供的证书在CRL里,浏览器就不信任这个证书,因为攻击者可能拥有同样的证书。所以如果证书永久有效,随着越来越多的私钥丢失,吊销列表也越来越大,因为只有加进去的,没有剔出去的,这既给CA增加流量压力,也会增加浏览器的流量。而一旦有效期只有几年,那么CA就可以将那些已经过期了的证书从CRL里剔除,因为反正浏览器也不信任过期证书。
目前最流行的Let’s encrypt签发的免费SSL证书,有效期也设置为90天。
作者:Rani
链接:https://www.zhihu.com/question/20803288/answer/229784484
来源:知乎
好了,接下来我们来使用openssl
吊销证书(假设server端私钥泄露,它向CA中心申请吊销证书)
先查看相关证书的serial
# Print the serial number and subject of server.crt without dumping the
# encoded certificate; the serial identifies the certificate to revoke.
openssl x509 -noout -serial -subject -in server.crt
然后执行 openssl ca 的 revoke 操作。newcerts 文件夹下保存着CA中心对已签发证书的备份,把下面命令中的 serial 替换成你要吊销的证书序列号:
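# Revoke the certificate via the CA's stored copy in newcerts; replace
# "serial" in the file name with the certificate's serial number (e.g. 01.pem).
openssl ca -revoke /etc/pki/CA/newcerts/serial.pem
# -crldays / -crlhours set the CRL's "Next Update" field, which is written when
# the CRL is generated, so they belong on the later -gencrl step rather than on
# -revoke. The hour count must be computed by the shell: a bare `365 * 24`
# would be glob-expanded into file names. Relying parties may keep using a CRL
# until its Next Update, so a long window delays how quickly a new revocation
# is noticed. Once crlnumber exists, use one of:
#   openssl ca -gencrl -crldays 365 -out /etc/pki/CA/crl/CA.crl
#   openssl ca -gencrl -crlhours "$((365 * 24))" -out /etc/pki/CA/crl/CA.crl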
(如果是第一次执行吊销证书),还需要生成吊销证书编号:
# Seed the CRL number file; only needed before the first CRL is generated.
printf '%s\n' 01 > /etc/pki/CA/crlnumber
最后更新吊销证书列表(CRL list)
# Rebuild the CRL from the CA database (index.txt) and sign it with the CA key.
openssl ca -gencrl \
  -out /etc/pki/CA/crl/CA.crl
接下来我们查看CRL列表:
[root@localhost CA]# openssl crl -noout -text -in crl/CA.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: (this is your subject)
Last Update: May 21 09:24:45 2019 GMT
Next Update: Jun 20 09:24:45 2019 GMT
CRL extensions:
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: 01
Revocation Date: May 21 03:32:16 2019 GMT
Serial Number: 02
Revocation Date: May 21 03:47:37 2019 GMT
Serial Number: 03
Revocation Date: May 21 09:23:28 2019 GMT
Signature Algorithm: sha256WithRSAEncryption
4b:30:69:f2:50:13:14:e6:df:b6:3a:71:d8:8f:ed:06:06:06:
6c:c6:6a:01:07:c2:a5:e6:c8:1f:23:7e:65:0b:37:ed:f1:06:
e1:aa:86:40:a6:96:65:2f:ae:b6:2b:e8:83:4d:32:4f:09:39:
7c:9a:60:9a:bd:7c:f9:1a:9f:43:fb:04:45:51:28:5f:5b:8a:
48:b6:f7:b4:16:38:2e:70:0a:50:52:af:ac:fa:e7:3a:48:bb:
f1:bc:82:64:5e:ea:88:1c:af:34:89:65:f3:2f:47:43:68:7b:
76:39:e4:72:dc:66:5e:0e:3b:e7:a3:56:db:90:28:5d:05:54:
f1:71:bd:1c:34:e7:21:87:4d:2e:ff:01:b8:09:2c:80:d2:d2:
b5:44:3b:8d:42:ac:90:31:30:79:4f:13:78:2a:e6:3c:83:12:
31:9b:1e:55:d1:25:21:05:01:9a:5b:d6:22:9a:80:87:32:b8:
58:a1:c3:b8:d7:98:06:b1:d0:06:92:ec:8b:1a:e8:84:77:d2:
0c:13:ef:37:09:4f:93:13:50:42:1b:07:2d:d2:7f:82:02:1c:
00:5f:15:a4:06:e1:c0:fa:03:fd:9e:60:a8:66:03:07:a4:73:
2c:53:dd:77:dd:e1:28:1f:e0:1a:e7:bd:5b:fa:b1:36:26:27:
39:5f:0c:d7:39:fa:42:81:be:64:18:70:24:eb:69:bf:d8:5c:
b4:77:2c:e2:94:1d:f6:89:07:fa:90:cc:3e:5f:d5:88:7d:19:
9e:82:2b:aa:fa:24:3b:df:b3:23:8e:2d:88:f1:fc:30:be:f3:
3a:30:27:a7:a4:c9:1e:e4:63:48:1a:45:98:c1:0f:fa:fc:cb:
89:fb:84:09:94:5c:c2:f1:04:06:17:7c:fc:25:4e:ae:56:fe:
59:66:45:73:54:ab:41:47:3d:30:e3:38:6a:35:9d:4c:bc:77:
28:b5:56:eb:e3:ca:52:b5:e2:c5:5d:0e:f0:42:cc:e6:98:e8:
34:7e:81:2b:ee:5e:08:43:26:7a:ef:3c:19:ca:a7:58:57:7f:
fc:e7:ca:0b:02:90:4d:5a:99:3c:98:81:0c:95:56:11:6c:6e:
c0:04:84:e1:dd:db:26:f4:9d:4a:68:bf:d6:50:75:af:d4:69:
14:82:c1:ea:b4:ba:82:70:fa:a9:17:49:41:c0:3b:43:a5:9f:
37:85:d2:7c:77:be:01:26:de:b3:84:26:83:0b:16:81:bd:cd:
b9:85:a3:46:3f:9c:86:aa:b8:ba:e8:ce:5c:ca:1f:ba:94:bc:
75:d3:49:81:eb:d0:e8:37:58:d0:d9:36:e2:28:2e:35:36:6c:
2e:5f:ad:f8:3a:01:89:af
5.1 疑问:CRL表越来越大怎么办?
这里给了很好的解答:链接
The OpenSSL
ca
command generates its CRL by looking at the index.txt file. Each line that starts with an ‘ R ‘ is added to the CRL, after which the CRL is cryptographically signed using the CA private key.
也就是说,openssl ca -gencrl
是通过读取数据库文件index.txt生成CRL表的。标记为'R'
的证书即为被revoke的,标记'V'
即为valid。
我们可以查看index.txt
如下:
所以,在经过很长时间(CRL表已经有很多revoke数据)后,可以在index.txt中删除已经过期的标记为'R'的证书,重新生成CRL表就好了,毕竟SSL通信的时候,过期的证书是肯定不能被信任的。删除前请先备份index.txt,并且只删除确已过期的条目:仍在有效期内的已吊销证书一旦从index.txt中删掉,就不会再出现在新生成的CRL里,客户端将无法得知它已被吊销。
5.2 对吊销证书后SSL连通性的测试
我们用python来实现SSL连接,并测试吊销证书后的结果(校验方需要加载CA的CRL并开启吊销检查;Python 的 ssl 模块默认不检查CRL,需设置 verify_flags,例如 ssl.VERIFY_CRL_CHECK_LEAF):
我们现在吊销了server端的证书,结果如下:
可以看到报出的错误为 sslv3 alert certificate revoked,表示证书已经被吊销,无法通过认证,并且错误出现在 do_handshake() 方法中。