本文参考自 OpenLDAP Setup with CA Signed Certificate on CentOS 一文,但并非中文翻译版本,故需要了解更多细节或是额外信息请通过参考部分自行阅读参考文章。

创建CA并签署证书

在我们开始安装LDAP目录服务之前,我们将关注PKI基础结构的设置,或者至少在其中的一些核心元素上。PKI由少数需要很好理解的组件组成。此外,文件通常没有明确的命名约定,而且涉及的格式可能非常混乱。

PKI组成的组件是(*):

  • 证书颁发机构(CA)
  • 登记机关
  • 中央目录
  • 证书管理系统
  • 证书政策

根据X.509的通用命名约定是(*):

  • .pem - (隐私增强型电子邮件)Base64编码的DER证书,包含在“--BEGIN CERTIFICATE--”和“--END CERTIFICATE--”之间
  • .cer, .crt, .der - 通常采用二进制DER形式,但Base64编码的证书也很常见(参见上面的.pem)
  • .p7b, .p7c - PKCS#7 SignedData结构没有数据,只有证书或CRL(s)
  • .p12 - PKCS#12,可能包含证书(公共)和私钥(密码保护)
  • .pfx - PFX,PKCS#12的前身(通常包含PKCS#12格式的数据,例如,在IIS中生成的PFX文件)

创建 CA

首先我们创建 CA(Certificate authority),即证书颁发机构。在 Cent OS 中存在一个目录 /etc/pki/,我们可以看到在我机器上存在以下文件夹:
Cent OS PKI 目录

接下来,我们编辑 /etc/pki/tls/openssl.cnf 文件:

$ cp /etc/pki/tls/openssl.cnf.bak
$ vi /etc/pki/tls/openssl.cnf

openssl.cnf 文件内容要包含如下内容:

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
....
[ ca ]
default_ca  = CA_default        # The default ca section

[ CA_default ]
dir     = /etc/pki/CA           # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl          # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
#unique_subject    = no         # Set to 'no' to allow creation of
                                # several ctificates with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.

certificate = $certs/ca.crt     # CA 的证书
serial      = $dir/serial.txt   # 目前的序号
crlnumber   = $dir/crlnumber    # 目前 CRL 的序号
                                # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem          # The current CRL
private_key = $dir/private/ca.key   # CA 的私钥
RANDFILE    = $dir/private/.rand    # private random number file

x509_extensions = usr_cert      # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext

default_days    = 365           # 默认证书有效期 
default_crl_days= 30            # 默认 CRL 更新周期
default_md  = default       # use public key default MD
preserve    = no            # keep passed DN ordering

# 接下来的部分是 CA 的策略
# For the CA policy
[ policy_match ]            # 策略匹配
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

[ signing_policy ]          # 签名策略
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ signing_req ]            # 签名请求
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

根据配置,我们的 CA 会被创建在默认的路径 /etc/pki/CA 下,这是根据 openssl.cnf 文件中的 [CA_default] 部分指定的。同时如果不出意外,CA 的证书在 /etc/pki/CA/certs 下,私钥在 /etc/pki/CA/private,CA 用来存放信息和已签发证书的数据库文件 index.txt 将被放在 /etc/pki/CA 下。除此之外,我们还需要创建序号文件:

$ touch index.txt
$ echo '01' > serial.txt

接下来我们开始创建这个 CA,我们使用 -x509 创建 SSL 请求(req)来完成此操作。如果省略 -x509 将会为我们创建一个正常的 PKI 请求,我们在这里让它创建一个有效期为 10 年的 CA。 如果您不想使用密码来保护私钥,可以添加 -nodes 参数。但请注意:没有密码来保护的私钥安全性较低,但在测试环境中,每次签署证书时都不会提供密码。

$ cd /etc/pki/CA
$ openssl req -config /etc/pki/tls/openssl.cnf -new -x509 -extensions v3_ca -keyout private/ca.key -out certs/ca.crt -days 3650

运行指令后会有基本的配置选项:
请输入图片描述

如果需要对私钥进行必要的保护,这里可以更改私钥文件的权限:

$ chmod 0400 private/ca.key

查看 CA 证书信息

查看 CA 证书信息:

openssl x509 -in /etc/pki/tls/certs/ca.crt -text -noout

以下为我个人的 CA 证书信息:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:94:7d:3f:52:76:91:24
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=UCAS, OU=3331, CN=hejunlin/emailAddress=hejunlin18@mails.ucas.edu.cn
        Validity
            Not Before: Nov 14 11:31:42 2018 GMT
            Not After : Nov 14 11:31:42 2019 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=UCAS, OU=3331, CN=hejunlin/emailAddress=hejunlin18@mails.ucas.edu.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e0:e1:01:9d:d4:5d:6a:6b:f7:3f:17:d1:be:83:
                    11:f8:20:be:04:6d:56:b3:07:c8:ad:80:29:d9:75:
                    db:89:93:a9:11:81:6e:a6:bb:78:bd:01:fa:a0:9a:
                    2d:3a:d3:f2:f5:89:db:14:a2:61:ed:71:97:1f:45:
                    10:b5:d0:ac:5b:c6:0b:6e:ce:f0:93:45:29:a5:21:
                    2f:af:4b:82:c3:17:73:4e:33:82:34:c4:a5:81:37:
                    08:3a:5e:20:bf:ae:30:ac:05:ec:19:7d:98:20:b7:
                    79:17:3b:d7:65:77:14:29:08:d7:19:29:11:89:c1:
                    57:24:81:83:c7:dc:39:9c:32:a1:af:d5:da:ae:be:
                    e9:bf:de:ba:d0:d5:6b:17:e4:11:52:54:ea:a8:39:
                    c0:83:e7:51:15:c8:74:50:92:30:6f:e8:e0:54:a6:
                    a0:03:2e:6d:94:0a:d3:25:9f:92:a8:6d:79:b2:46:
                    53:c9:9c:ca:dc:5b:3e:67:d3:06:47:70:e8:00:ce:
                    c8:2d:a5:49:fb:c1:30:dc:f8:70:4f:23:27:8f:77:
                    28:2f:93:6f:44:2e:21:e0:59:60:98:de:30:5e:7e:
                    b5:26:f4:15:19:64:ac:46:21:f1:44:6f:b2:c9:58:
                    52:22:5c:56:35:f1:82:e8:bf:6f:bd:82:ca:f1:41:
                    b2:c1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                01:E7:0E:6D:6B:83:AC:4A:D4:F6:28:20:C3:B6:DE:34:1A:92:80:54
            X509v3 Authority Key Identifier: 
                keyid:01:E7:0E:6D:6B:83:AC:4A:D4:F6:28:20:C3:B6:DE:34:1A:92:80:54

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         c6:c8:88:04:ab:f2:a2:1c:fd:ef:11:d8:5f:bf:8d:12:cc:10:
         fb:86:ea:25:23:98:88:a9:f1:09:2b:80:f9:82:2c:0c:49:4e:
         42:53:24:45:e2:93:75:64:7e:e2:34:6e:f1:5d:20:33:73:75:
         e8:fb:48:70:60:69:72:38:8f:7d:2f:61:cb:6f:d5:03:b2:0b:
         11:7b:64:a2:28:d6:0d:00:23:4a:38:7c:d0:60:14:e7:3f:57:
         e1:d5:64:3f:e5:83:dd:64:cd:4b:e7:6e:fc:8b:e1:e1:e7:f8:
         41:7d:61:b0:78:3a:71:6d:c9:14:3d:9d:5f:72:b5:05:63:92:
         d7:4e:12:93:07:97:b5:cc:53:c7:d8:2a:55:cb:57:ca:66:e4:
         b8:07:32:99:ac:e0:ea:ba:0e:85:d1:bc:04:24:b9:10:2d:23:
         00:f9:ba:f5:c1:1e:3d:dd:0b:d3:6e:12:e4:db:32:20:4c:7b:
         8f:15:c1:98:8b:07:c4:12:01:5a:22:d3:ce:fb:97:5d:c8:c2:
         03:f9:26:35:b0:c9:ef:20:d6:47:65:3a:90:eb:f4:72:0a:e4:
         39:59:cf:75:8f:7f:83:34:a0:08:3d:99:ca:5e:14:50:f7:69:
         69:e1:ce:6a:0f:3e:84:2a:53:3d:1f:6a:f0:b7:dc:65:80:72:
         8b:fc:d4:36

证书签发

我在这里请求为我的网站创建一个证书:

$ openssl req -config /etc/pki/tls/openssl.cnf -newkey rsa:2048 -sha256 -nodes -out website_cert.csr -outform PEM -keyout website_key.pem

这里我们还需要填入国家、城市、组织等信息,需要注意与 CA 签名策略保持一致,否则不能通过。
请输入图片描述
同时作为 CA,我批准这个申请:

$ openssl ca -config /etc/pki/tls/openssl.cnf -policy signing_policy -extensions signing_req -out website_cert.pem -infiles website_cert.csr

请输入图片描述

查看已签发的证书

$ openssl x509 -in website_cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=UCAS, OU=3331, CN=hejunlin/emailAddress=hejunlin18@mails.ucas.edu.cn
        Validity
            Not Before: Nov 14 12:19:16 2018 GMT
            Not After : Nov 14 12:19:16 2019 GMT
        Subject: C=CN, ST=BeiJing, O=UCAS, OU=331, CN=Wuchuan/emailAddress=ss
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:39:9a:c5:ae:ba:07:39:03:d7:f9:2a:38:26:
                    c2:6e:59:ad:fc:3c:32:52:96:b6:60:fe:73:04:98:
                    a1:e9:5d:e2:d7:5f:6a:5d:6a:29:85:70:66:69:0a:
                    ec:85:b1:92:4b:00:9d:94:1c:f8:8a:39:8c:07:d6:
                    ea:c5:72:dc:8b:d7:9c:87:c3:9f:16:18:b9:a5:8c:
                    86:cb:14:54:92:b5:fa:6c:c6:09:d6:06:ca:be:06:
                    6c:d7:7e:fe:2c:16:61:09:7a:0a:d5:90:e0:6e:57:
                    3d:7d:97:60:75:08:e1:4b:9e:43:83:47:7d:f4:92:
                    d6:7d:ae:92:53:d4:44:e3:9b:96:5a:8a:03:f6:09:
                    22:2d:0b:d1:be:f1:2a:9c:60:46:e7:28:1a:2b:0c:
                    e8:e4:b3:8b:23:7a:af:47:2f:b8:b1:59:d0:cf:8f:
                    d6:04:57:b1:d6:6d:29:a4:1c:3e:89:17:d5:89:e0:
                    70:9d:4f:60:8b:02:5d:09:c6:20:78:9d:67:45:0f:
                    fd:89:d5:0e:cb:cc:71:6f:b4:16:6f:20:62:e2:ed:
                    b5:b4:9e:70:15:e0:0a:6c:98:f2:c2:2c:f7:3e:05:
                    dc:09:7f:ef:a0:91:f9:d7:13:16:62:85:67:15:46:
                    cb:0b:a1:5f:5c:ce:dd:b5:a3:14:40:d5:71:63:b5:
                    a7:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                55:1F:0E:A9:8D:43:DE:48:93:4E:1B:7F:C1:F7:A0:DB:DE:0D:2D:38
            X509v3 Authority Key Identifier: 
                keyid:01:E7:0E:6D:6B:83:AC:4A:D4:F6:28:20:C3:B6:DE:34:1A:92:80:54

    Signature Algorithm: sha256WithRSAEncryption
         d4:00:5e:ad:7c:00:74:4d:aa:5e:34:d3:ac:c0:45:17:4c:26:
         d0:b5:9f:da:7f:ca:8c:c2:7c:d3:92:29:11:fc:33:a3:61:f4:
         16:52:0a:61:6d:08:cd:93:0a:85:51:a5:7b:f9:0f:f4:50:22:
         0c:4a:74:60:48:3b:dc:52:b0:ee:71:40:c6:75:28:52:e0:29:
         15:df:a2:b0:b4:b2:ed:c6:b2:6f:1b:90:2f:f7:8c:a4:b3:fe:
         df:66:fd:7f:a5:39:a3:9f:9c:2d:fc:34:f9:79:bf:6d:d1:41:
         4c:33:40:96:3c:8f:ab:bf:de:e7:52:d2:32:5f:d3:74:8c:7e:
         56:a5:cd:2b:1b:cd:f6:47:79:df:5c:c6:f0:f0:d6:d9:73:91:
         0f:10:e6:51:07:2d:a1:43:46:01:2a:5d:b1:7b:90:e5:0e:2f:
         c1:b9:c7:6f:19:62:aa:c3:5a:55:77:e8:b6:47:6f:04:f1:cc:
         44:c5:29:04:6e:d4:76:d7:7a:8d:c8:32:eb:97:00:23:69:cb:
         c5:0b:ec:37:de:31:22:77:41:bf:f5:4b:86:f7:12:71:0a:3e:
         e8:bb:bf:04:e0:c3:e8:bd:31:5f:39:5e:99:93:24:26:f2:1b:
         8d:46:1e:d8:e5:6e:ac:f2:79:49:bf:ed:e0:1a:c3:f2:b6:44:
         f9:6c:8f:72

撤销证书

$ openssl ca -config /etc/pki/tls/openssl.cnf -revoke website_cert.pem

更新证书撤销列表

openssl ca -config /etc/pki/tls/openssl.cnf -gencrl -out crl/test.crl

查看证书撤销列表

openssl ca -config /etc/pki/tls/openssl.cnf -gencrl -out crl/test.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=BeiJing/L=BeiJing/O=UCAS/OU=3331/CN=hejunlin/emailAddress=hejunlin18@mails.ucas.edu.cn
        Last Update: Nov 14 12:32:47 2018 GMT
        Next Update: Dec 14 12:32:47 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                2
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Nov 14 12:27:08 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
         04:87:a1:e7:ca:71:d9:b0:6b:28:9d:85:09:ca:11:d1:0f:40:
         0f:9f:77:6b:4a:68:b2:58:02:68:cc:63:80:9b:39:9e:1c:93:
         dd:b7:c8:ff:4c:c4:f4:a8:ef:b7:f9:00:cd:51:3b:c3:a9:35:
         00:90:7d:85:06:7f:0e:21:c6:47:d8:cb:ff:8f:cb:bb:02:59:
         bb:5d:7f:93:66:b7:65:0a:6d:db:45:7f:db:63:bc:2a:c6:3a:
         96:d7:5f:cd:18:59:76:26:e5:84:09:0e:ce:ae:bf:0f:7b:43:
         32:8d:57:08:70:c9:d8:7e:25:e9:f8:3a:35:03:34:cf:45:86:
         cf:7d:18:09:81:10:0d:18:24:73:76:e2:9b:69:d6:18:26:08:
         bf:e3:93:1a:d6:92:24:99:21:74:f3:34:b7:68:34:7d:b1:00:
         fb:e4:05:cd:af:55:23:11:f7:35:53:b1:95:c7:32:60:b4:25:
         32:19:2b:1a:f8:43:9e:8d:66:51:7d:b2:8a:d9:15:c8:e4:84:
         e2:69:26:71:a5:6f:93:d8:5c:a4:ef:c1:60:fd:0d:bd:31:f3:
         3e:07:36:b2:08:e5:70:5f:ef:cb:29:f0:9a:42:ec:c2:91:44:
         13:58:de:4d:9d:ef:4a:14:36:66:80:59:2d:d1:ce:bf:c5:66:
         d4:d2:ed:88

将签发证书 .pem 转换为 .crt

使用以下命令:

openssl x509 -outform der -in /etc/pki/CA/website_cert.pem -out /etc/pki/CA/website_cert.crt

参考:

  1. OpenLDAP Setup with CA Signed Certificate on CentOS
  2. How do you sign a Certificate Signing Request with your Certification Authority?
  3. 使用openssl来生成CA证书、证书申请、颁发证书以及撤销证书的过程
Last modification:November 18th, 2018 at 01:00 pm
If you think my article is useful to you, please feel free to appreciate