CA和证书

安全机制

墨菲定律

如果有两种选择，其中一种将导致灾难，则必定有人会作出这种选择。即：做事不要有侥幸心理。

常用安全技术

认证、授权、审计、安全通信

加密算法和协议

对称加密算法

加密和解密使用同一个秘钥。

特性

加密、解密使用同一个秘钥，效率高
将原始数据分割为固定大小的块，逐个加密

缺陷

秘钥过多
秘钥分发
数据来源无法确认

常见算法

DES、3DES、AES、IDEA、Blowfish、RC6

非对称加密算法

秘钥是成对出现

公钥：public key，公开给所有人，主要给别人加密使用
私钥：secret key，private key，自己留存，必须保证其私密性，用于自己加密签名
特点：用公钥加密数据，只能使用与之配对的私钥解密；反之亦然

功能：

数据加密：适合加密较小数据；如：加密对称秘钥
数字签名：主要在于让接收方确认发送方身份

缺点

密钥长，算法复杂
加密解密，效率低下

常见算法

RSA、DSA、ECC

场景

非对称加密实现加密

接收者：生成公钥/秘钥对，公开公钥，保密秘钥

发送者：使用接收者的公钥来加密消息，将加密后的消息发送给接收者

接收者：使用秘钥来解密消息

非对称加密实现数字签名

发送者：生成公钥/秘钥对，公开公钥，保密秘钥，使用秘钥加密消息，将加密后的消息发送给接收者

接收者：使用发送者的公钥来解密

CA和证书

中间人攻击（MTM）

攻击者与通讯的两端分别创建独立的联系，并交换其所收到的数据，使通讯的两端认为他们正在通过一个私密的连接与对方直接对话，但事实上整个会话都被攻击者完全控制。在中间人攻击中，攻击者可以拦截通讯双方的通话并插入新的内容。

SSL/TLS

SSL：Secure Socket Layer TLS：Transport Layer Security

功能

身份验证：SSL身份验证，指在客户端与服务器之间建立SSL连接时，通过SSL证书对服务器进行身份验证的过程。SSL证书是由可信的第三方机构（称为CA机构）颁发的，用于证明服务器身份的数字证书。
数据加密：SSL数据加密，指在客户端与服务器之间建立SSL连接后，通过使用加密算法对传输的数据进行加密处理，以保证数据在传输过程中不被窃听、篡改或伪造。
数据完整性：SSL数据完整性，是指通过数字签名等技术，在客户端与服务器之间建立的SSL连接中，保证传输的数据在传输过程中不被篡改或损坏。

HTTPS

http协议 + ssl/tls协议。

工作流程

1. 客户端发起HTTPS请求

用户在浏览器里输入一个https网址，然后连接到服务器的443端口

2. 服务端的配置

采用HTTPS协议的服务器必须要有一套数字证书，可以自己制作，也可以向组织申请。区别就是自己颁发的证书需要客户端验证通过，才可以继续访问，而使用受信任的公司申请的证书则不会弹出提示页面。这套证书其实就是一对公钥和私钥

3. 传送服务器的证书给客户端

证书里其实就是公钥，并且还包含了很多信息，如证书的颁发机构，过期时间等等

4. 客户端解析验证服务器证书

这部分工作是由客户端的TLS来完成的，首先会验证公钥是否有效，比如：颁发机构，过期时间等
等，如果发现异常，则会弹出一个警告框，提示证书存在问题。如果证书没有问题，那么就生成一
个随机值。然后用证书中公钥对该随机值进行非对称加密

5. 客户端将加密信息传送服务器

这部分传送的是用证书加密后的随机值，目的就是让服务端得到这个随机值，以后客户端和服务端
的通信就可以通过这个随机值来进行加密解密了

6. 服务端解密信息

服务端将客户端发送过来的加密信息用服务器私钥解密后，得到了客户端传过来的随机值

7. 服务器加密信息并发送信息

服务器将数据利用随机值进行对称加密,再发送给客户端

8. 客户端接收并解密信息

客户端用之前生成的随机值解密服务段传过来的数据，于是获取了解密后的内容

术语

PKI：公共秘钥加密体系

CA：签证机构

RA：注册机构

CRL：证书吊销列表

证书存取库：

X.509：定义了证书的结构以及认证协议标准

版本号
序列号
签名算法
颁发者
有效期限
主体名称

证书类型

证书授权机构的证书
服务器证书
用户证书

获取证书两种方法

自签名证书：自己签发自己的公钥
使用证书授权机构：
- 生成证书请求CSR
- 将证书请求CSR发送给CA
- CA签名颁发证书

OpenSSL

OpenSSL是一个开放源代码的软件库包，应用程序可以使用这个包来进行安全通信，避免窃听，同时确认另一端连线者的身份。

组件

ibcrypto：用于实现加密和解密的库
libssl：用于实现ssl通信协议的安全库
openssl：多用途命令行工具

命令

两种运行模式

交互模式
批处理模式

三种子命令

标准命令
消息摘要命令
加密命令

单向哈希加密

工具：openssl dgst

算法：md5sum, sha1sum, sha224sum,sha256sum

生成用户密码

openssl passwd [options] [password]
常用选项：
-1：表示使用MD5加密算法
-5：表示使用SHA256加密算法
-6：表示使用SHA512加密算法，/etc/shadow使用该算法
-in：表示从文件中读取密码
-stdin：表示从标准输入读取密码
-salt：指定salt值，不使用随机产生的salt。在使用加密算法进行加密时，即使密码一样，salt不一样，所计算出来的hash值也不一样。除非密码一样，salt值也一样，计算出来的hash值才一样。

[root@centos8 ~]#echo wenzi | openssl passwd -6 -salt Y16DiwuVQtL6XCQK -stdin
$6$Y16DiwuVQtL6XCQK$MQEkn8e5iJ7haOIpJcO9cGkPS5c7gBG..7DxCVnr/9ozge2K5oAVpvoNDOWI0pBG7czyCMU4TaGmDo5W1H4c91创建新用户同时指定密码，在CentOS8和Ubuntu都通用
[root@centos8 ~]#useradd -p `echo admin | openssl passwd -6 -salt abcdefghijk -stdin` liubei
查看
[root@centos8 ~]#getent shadow liubei
liubei:$6$abcdefghijk$heeR9m6lKuX0TKg/89kyy.po/71nRAlKWIocZj5Jg7AylICvzBMi8ZSYZJoOJ1V4lxMu4bxxWWGmyG2DQUHJr.:19721:0:99999:7:::

生成随机数

openssl rand -base64

生成随机10位长度密码
[root@centos8 ~]#openssl rand -base64 9 | head -c 10
l0t440TrGA[root@centos8 ~]#tr -dc '[[:alnum:]]' < /dev/urandom | head -c 10
a1YZyCEtkB

实现PKI

文档：man genrsa

生成私钥

(umask 077;openssl genrsa -out 私钥存储路径 2048)

[root@centos8 ~]#(umask 077;openssl genrsa -out /data/test1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
.+++++
e is 65537 (0x010001)
[root@centos8 ~]#cat /data/test1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqdmKz6zw6NNUnOxd00e5qa3kTzzhvjylQvixBMd4IethRptV
HddgmYcveFR6FbDwjEhoxyRNnAYWXX2J3pUyq0qTN2r/Mk5k3PI9ucznbfH+gLz5
SJJs19eRuTUniDYLObaRqA6KhhCOauiQinQ+w+WlUpS97e9Rqy7EO/3m0IC4WhK8
X0wpIlHnIAeGHDf9VOgWLP/PuzNeVkxk+7nScQVfNCQ5eh5qfuCDhjkotAtK89IM
3cSsKHuYbnR55RqGm5Z4fVk4AziiW8UgWBVmjyMHL4SZfRDFBDo1qi0NrJMNVB1Q
SUdcfdljYewdRhCEUeL5dXhA2Jsn4CxxLVl61wIDAQABAoIBAQCTFFV21sxa4T2h
EbGB1td4jqNo1lCpOrzlDJPFjrGBteErkjEXwTzeVckOiyCZDfqPj9hjshUeqcrO
NHqh61LQL6jh0V6hgm8nQQGglkZF18tKUdoQNPPZyMtgtR3BfwMje+wPul/MDiQ1
gaRAsL71RjRuGW2Kz7VJ5hp51Lj+DT+oSFPzq85I479fXl/QGBl4G9ZoXjMRu/ef
YPE9DzXnTVa54aPr1E0lRcDfEPgcunvFRVZDOZZf0X2WBWv14tq1P5hyoBQj2aW5
k9yQkJEJWPDhmndpjvsPYw6NhnOI6tcNSjJt/PHF0/jJ0ruIPSWTz4Tu4Rsu4N7D
fDyjspoJAoGBANkNWe556n56XkQnoGcnU04kTVoJFpmsmHemAiEQaDaXYd6xSaHx
9HPQpIt0G2n4MPcoPDu86jnUBC/IDIJP6ag7wnlKOcfVu43k3+/tkiB1jJv5hxP+
aJECBIr2JMybmUZrBKGb9ZitRUj0CVpXvOhJRoWRLuIwIf1zlNIpnY79AoGBAMhT
3y2AMX6bsNsFzSqcWmPdh5oKjDrVnSC/Txf/Cd8fuC4TzVN+8UwfxmCae4EGjRyG
Hcmenmq6KVqyBZDRW8rBfQuk9Va1k01+wns6XMwf68hdHdjEN+e6Iicct6uqwsC1
GQbEBW+8isfnEv2hwmviVd8ME86AlA+/2uayuJtjAoGAN3bk8z6uQHGuowXpRFLV
Q9Oc/JPz9YMYVwLR6ncR2llmxgxRv5NfnzTCx2v9EWA9yvq6IZ3N0Mcv5rHdGHOp
Rrc2o93m0/z293R0ERCJVcgUDUt/TAmn2N5GIOhzUOG2EjuIrG95G/GzEchil3Zy
LH2FCt6lt2ELXoPplKbTv1UCgYEAh6aTp6H44fzXQ1ioV0RMyPcHjb26u1RO9A/X
pS4kJxy5gSoTjYiWKLATivLQ0sv23evLW+225BpvSmTl8+xwtdlTrYDkSPTnbEB7
vSoGEItFBAZZ4aDtIlMeMVH25Z3aBtgavEQcUk9fwoGskGbq2lcHQuRQvTLAD/Ig
brty2nUCgYB00pNNZUBr3LFJV5tQcv5dCJC6ydlVwNaljsULYq8QfHxGuFeJ//6P
ktMngrII33qb/EffNBXF/0nDhqxKfTzi77izzywN35kUYIgMkdRf9yYl8p21ijv9
CHnO9jVnYPwqR3Xtq/0f9LAbCVJekBjIK8+da6EYjj2YFNYucKDq5Q==
-----END RSA PRIVATE KEY-----

解密加密的私钥

openssl rsa -in 原私钥路径 -out 新私钥路径

生成加密的私钥
[root@centos8 data]#openssl genrsa -out /data/test1.key -des3 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........................................+++++
.........+++++
e is 65537 (0x010001)
Enter pass phrase for /data/test1.key:
Verifying - Enter pass phrase for /data/test1.key:
[root@centos8 data]#cat /data/test1.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7FB3B71681AD9D1CM/hy2ShToDhzdE4fLHNHonBZBSL3y+RVMmxwMCcsN8ZZ8fynzH9mhQI5VlF8yi8f
PLUr+G+3clQCYozZVNGsoGS/FObN2NpU+LU6hTUpQqgRnBqyB9UXcSfOK/0fUqgG
iQ0IJ7em4OsTiGwHl+wE23/xbsST6eTEnjXcYe6TszSh0YwsFcCfu7WlWtOLTvfb
P/GDnQqtaMhGcUVUqdkRok6188AmX1f9YI693I5DkJxbAhSyuhgqFjzRnt7zcyDM
kv8VT+HGmkuJZCLaQIdTbNpDkrx41rrExdYO+LdnvQQr71eEYr34egAXGf6pU7MW
fm69skDcrQJqBjt2+hyI0mp0RwQ9rYYGEdRaa7oHlwSXPnMWJu1fOg9o1wZmOgPu
pm4pu/ugu46/f0XMaIyvwMKn/5dVBuKpOpg/hj+1+3wGfYeRbFSwIsVJIZPCbfYZ
fLqAcmNaFWmD+XkuUoLppfnY2wuMf7Kf3+zGdZqx30LaDg1+U21NZN9hreyMqxIl
tvc66Vf1BiaTNiyLZibS9TzCO/DiXtERMJmPETcSx4zwdOTHJaP0rck1M/lgHSZU
4+2/ODk9le8EcKSOGO6BfksTysL1MXUxwRXCl+4UB6bV9xu33GelPM2PR8wf+c8p
SI5J85/YditCXdpO85geNPvljAizn/+0YYbJasHwPZNGUm6QGPLCECBQWWAyM3A0
2tOH7lMa3g4ZFV383GZ6CTS1U7kMZeKTysIqTnLfPirTnhcTBTJG0+C8FiThJWmt
hmfa7dSTSa5+NoToIeo+SGB12IE05ZyCvUDhwQojbivOEb8OUS9dYw==
-----END RSA PRIVATE KEY-----解密加密的私钥
[root@centos8 data]#openssl rsa -in /data/test1.key -out /data/test2.key
Enter pass phrase for /data/test1.key:
writing RSA key
[root@centos8 data]#ll /data/
total 8
-rw------- 1 root root 963 Dec 31 03:50 test1.key
-rw------- 1 root root 887 Dec 31 03:51 test2.key
[root@centos8 data]#cat test2.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD3Xxxc1vhCK10Arz3ENbaMX/2QYl8MdULe6lrPhM4wsp9uzkOv
K+YD2ORT+AC70GAdE3kbGmq24z09/232iUB0AJxBvQp++MusDgTr3OpEB/1YLL9a
ZusvjEfgUIkLNL0lTVsEAu7cY2p4yPuWBDwpyEZoxzVYn/2k4xSRFPgtIQIDAQAB
AoGAITNmvx8rGtZvGRRsGdWLtrN7eNF7KFTksL6LiaatdePDej+83dnqeUG3A34Z
uxtwivZ+HqEhCYLeSV/rBlfNioCtGGL/yAbMm/Oke4ztraBmObFLYKCRj6l6pzHQ
NbPN/qOxuERFwEloHCf5jO6TaCRjnn/5c3lTQKpGylJOVzECQQD9VQ+cQdc/Sx3M
qZWZlr3vtXdAiSGG/ZGT49jPpfE55Yz+w9jUg35URRyZ83F5iblGCJpiZmvI99I7
jbP+X0wLAkEA+fn7D27PWPlusvd5nNCY5NQ3UVi98L6xyf1UjsINo6etNntYpGg1
OLHyIDJ98i513q7hCEIxj7JLVXgPspN7AwJBAIJUJHfLF6WkS2xjQmeFual8viEh
a3I7OY3QBlatlHCou+TFdOO/0logRBqft51DUWHKQ0KkVodJl4qz2AnhlQkCQQDK
lYSZpTv053CHKXgtVgASssmB62FDUcfT4rI8X5eeIa2Gkb/svWckY1HONh1Lv8tW
hHNqtfpkciILShmup0bxAkAkxNRZLVpZsTs+D07FfmuIL5DhXHCRlZ7PF5N6RouM
fpStaqpbqU+c17ffm2HdnfA8NaH5dwbzrfWxCYKDY8WG
-----END RSA PRIVATE KEY-----

从私钥中提取公钥

openssl rsa -in 私钥路径 -pubout -out 公钥存储路径

[root@centos8 ~]#openssl rsa -in /data/test1.key -pubout -out /data/test1.key.pub
writing RSA key
[root@centos8 ~]#ll /data/
total 8
-rw------- 1 root root 1679 Dec 31 03:38 test1.key
-rw-r--r-- 1 root root  451 Dec 31 03:42 test1.key.pub
[root@centos8 ~]#cat /data/test1.key.pub
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqdmKz6zw6NNUnOxd00e5
qa3kTzzhvjylQvixBMd4IethRptVHddgmYcveFR6FbDwjEhoxyRNnAYWXX2J3pUy
q0qTN2r/Mk5k3PI9ucznbfH+gLz5SJJs19eRuTUniDYLObaRqA6KhhCOauiQinQ+
w+WlUpS97e9Rqy7EO/3m0IC4WhK8X0wpIlHnIAeGHDf9VOgWLP/PuzNeVkxk+7nS
cQVfNCQ5eh5qfuCDhjkotAtK89IM3cSsKHuYbnR55RqGm5Z4fVk4AziiW8UgWBVm
jyMHL4SZfRDFBDo1qi0NrJMNVB1QSUdcfdljYewdRhCEUeL5dXhA2Jsn4CxxLVl6
1wIDAQAB
-----END PUBLIC KEY-----

建立私有CA实现证书申请颁发

openssl配置文件：/etc/pki/tls/openssl.cnf

其中重要项：

[ CA_default ]dir     = /etc/pki/CA        CA的主要目录，用于存储证书、私钥、CRL等文件。
certs       = $dir/certs         存储已颁发的证书
crl_dir     = $dir/crl       存储已签名的证书撤销列表（CRL）
database    = $dir/index.txt     数据库索引文件，存储证书对应哪个网站
#unique_subject = no            # Set to 'no' to allow creation of# several certs with same subject.
new_certs_dir   = $dir/newcerts      新证书的默认存储位置certificate = $dir/cacert.pem    CA的证书文件
serial      = $dir/serial        当前的序列号，用于标识新证书
#crlnumber   = $dir/crlnumber    # the current crl number# must be commented out to leave a V1 CRL
crl     = $dir/crl.pem       当前的CRL文件
private_key = $dir/private/cakey.pem     CA的私钥文件x509_extensions = usr_cert       要添加到证书的扩展[ policy_match ]    匹配策略，用于定义证书主题字段的匹配规则
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

三种策略：

match：要求申请填写的信息根CA设置的信息必须一致
optional：可有可无，跟CA设置信息可不一致
supplied：必须填写这项信息

建立私有CA

OpenCA：OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
openssl：相关包 openssl和openssl-libs

1、创建CA所需要文件

生成证书索引数据库文件
touch /etc/pki/CA/index.txt

指定第一个颁发证书的序列号
echo 01 > /etc/pki/CA/serial

2、生成CA私钥

cd /etc/pki/CA;(umask 066; openssl genrsa -out private/cakey.pem 2048)

3、生成CA自签名证书

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

选项说明：
-new：生成新证书签署请求
-x509：专用于CA生成自签证书
-key：生成请求时用到的私钥文件
-days n：证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

CentOS7
从CentOS7将/etc/pki/CA目录内容复制到CentOS8，免去建立目录的步骤
[root@wenzi ~]#tree -d /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
[root@wenzi ~]#scp -r  /etc/pki/CA root@192.168.28.10:/etc/pki/CentOS8
生成CA私钥
[root@centos8 ~]#cd /etc/pki/CA;(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................................+++++
........................................................................................................................................................................................+++++
e is 65537 (0x010001)
[root@centos8 CA]#ll private/cakey.pem
-rw------- 1 root root 1675 Dec 31 04:42 private/cakey.pem生成CA自签名证书
[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    国家
State or Province Name (full name) []:henan    省份
Locality Name (eg, city) [Default City]:zhengzhou    市名
Organization Name (eg, company) [Default Company Ltd]:wenzi    公司
Organizational Unit Name (eg, section) []:yunwei    部门
Common Name (eg, your name or your server's hostname) []:www.wenzi.com    使用证书的网站域名
Email Address []:999@qq.com    邮箱查看生成的CA自签证书,建议将此文件传输到windows系统，后缀改为.crt
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:Data:Version: 3 (0x2)Serial Number:52:27:46:0b:52:67:5f:60:c8:bf:38:25:b9:c7:0e:66:d4:52:95:6aSignature Algorithm: sha256WithRSAEncryptionIssuer: C = CN, ST = henan, L = zhengzhou, O = wenzi, OU = yunwei, CN = www.wenzi.com, emailAddress = 999@qq.comValidityNot Before: Dec 30 20:50:35 2023 GMTNot After : Dec 27 20:50:35 2033 GMTSubject: C = CN, ST = henan, L = zhengzhou, O = wenzi, OU = yunwei, CN = www.wenzi.com, emailAddress = 999@qq.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (2048 bit)Modulus:00:bc:ac:9d:47:2c:4c:83:a6:2c:12:52:ba:f7:93:6b:33:a6:e1:f0:9b:e7:4c:51:59:b0:95:db:b2:68:ec:4a:2c:36:57:73:72:11:3c:21:6e:d3:fb:5a:0f:a4:ca:05:21:fd:d5:a6:d7:4d:1f:72:91:15:3e:60:da:cf:3a:e3:b2:c6:7b:c3:0e:4e:39:14:2c:94:f1:ae:47:30:64:27:95:76:84:12:2e:a2:e0:60:2f:7c:c9:83:3b:c9:d9:6a:4d:1f:78:a6:41:ea:ac:12:85:d3:9a:43:f9:24:c7:66:f0:09:c7:01:91:ee:6a:ec:1d:a4:7f:72:19:43:ca:91:78:ac:23:9e:6b:43:84:5e:40:09:61:5e:b6:32:f2:19:9d:c6:b7:00:f8:d0:00:fd:66:f3:f7:a2:a3:5a:81:71:1a:b0:2a:c2:e7:42:f8:a9:b7:54:f6:1e:da:47:87:4a:6a:29:26:7f:16:20:b9:e9:76:a7:92:b2:19:3a:4e:de:b0:ab:63:12:6e:7a:f3:64:e5:91:93:1f:35:09:0b:b6:79:dd:a3:27:8d:7a:2d:9a:3b:7f:a1:b1:d3:df:a2:0a:81:60:0e:ec:69:9b:1a:a7:32:19:71:fa:9a:f1:93:91:e7:48:8f:be:2a:85:a4:6d:f7:90:92:92:d7:08:06:94:65Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Subject Key Identifier:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05X509v3 Authority Key Identifier:keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05X509v3 Basic Constraints: criticalCA:TRUESignature Algorithm: sha256WithRSAEncryption5d:65:b2:c9:2d:8c:89:79:85:46:12:0a:17:12:87:21:3f:e1:f3:bb:f5:c4:82:24:b9:43:74:c2:d6:52:5c:80:65:75:9d:3c:45:fa:c4:88:5f:43:6d:1d:0e:3d:84:a0:e7:ab:60:35:f6:88:c0:ac:8e:c7:ca:70:f7:71:09:ea:03:6f:3a:c7:2f:4e:bd:3b:35:4c:ca:4e:ce:17:90:67:5a:8f:4b:8a:ef:3d:ce:3a:bc:9c:ee:2a:cf:7d:3a:f0:36:9b:f7:19:71:73:f5:e7:4d:30:50:8c:12:f8:f1:92:02:91:f7:3b:30:ce:07:4e:09:b9:f6:0f:72:92:4d:76:c4:11:6c:a9:e3:56:ca:2f:fc:9e:05:b5:dd:e4:86:45:6a:dd:c4:77:70:3e:bc:4a:5f:55:6e:eb:74:7d:46:4f:00:c4:db:23:bc:d3:71:74:ef:e0:e4:06:27:8a:29:b6:e0:62:b3:04:7e:fe:51:71:91:04:52:f4:61:12:55:37:48:8e:63:6a:50:05:a3:e2:15:8f:cf:e5:d1:5b:d1:9c:bc:33:b1:88:6e:1b:21:89:5b:3c:3f:34:0a:a3:b2:95:29:cf:8b:b6:fa:b9:47:28:17:56:ff:95:28:20:68:fe:94:c6:49:79:f7:8e:16:03:46:f0:68:bd:cd:a6:73:3c

申请证书并颁发证书

1、为需要使用证书的主机生成生成私钥

(umask 066; openssl genrsa -out /data/test.key 2048)

2、为需要使用证书的主机生成证书申请文件

openssl req -new -key /data/test.key -out /data/test.csr

3、在CA签署证书并将证书颁发给请求者

可以将客户端生成的申请文件发送至CA，生成证书后再把证书传送至客户端

openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100

注意：默认要求国家，省，公司名称三项必须和CA一致

4、查看证书中的信息

openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates

查看指定编号的证书状态

openssl ca -status SERIAL

用户生成自己的私钥，私钥应该存放至各应用相应目录下
[root@wenzi ~]#(umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
.....+++++
e is 65537 (0x010001)生成证书申请文件，其中国家代码、省名、公司名必须和CA中一致
[root@wenzi ~]#openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:wenzi
Organizational Unit Name (eg, section) []:kaifa
Common Name (eg, your name or your server's hostname) []:www.wenzi.org
Email Address []:666@163.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:将客户端证书申请文件上传至CA
[root@wenzi ~]#rsync -av /data/test.csr root@192.168.28.10:/data/
root@192.168.28.10's password:
sending incremental file list
test.csrsent 1,135 bytes  received 35 bytes  780.00 bytes/sec
total size is 1,041  speedup is 0.89在CA上颁发证书
提前创建这两个必须存在的文件，不然会报错，提示找不到文件
[root@centos8 CA]#touch /etc/pki/CA/index.txt；touch /etc/pki/CA/serial指定证书颁发起始序号
[root@centos8 CA]#echo 01 > /etc/pki/CA/serial颁发证书
[root@centos8 CA]#openssl ca -in /data/test.csr  -out   /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Dec 31 02:41:47 2023 GMTNot After : Apr  9 02:41:47 2024 GMTSubject:countryName               = CNstateOrProvinceName       = henanorganizationName          = wenziorganizationalUnitName    = kaifacommonName                = www.wenzi.orgemailAddress              = 999@163.comX509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:35:72:9F:AE:C3:0D:1C:CE:43:34:84:F1:83:88:59:0E:DE:5E:B5:7CX509v3 Authority Key Identifier:keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05Certificate is to be certified until Apr  9 02:41:47 2024 GMT (100 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated查看当前CA目录下文件
[root@centos8 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem    
├── certs
│   └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old查看下一个颁发证书的序号
[root@centos8 CA]#cat /etc/pki/CA/serial
02查看颁发记录。 有效期 序号 信息
[root@centos8 CA]#cat /etc/pki/CA/index.txt
V       240409024147Z           01      unknown /C=CN/ST=henan/O=wenzi/OU=kaifa/CN=www.wenzi.org/emailAddress=999@163.com查看证书信息
[root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: sha256WithRSAEncryptionIssuer: C = CN, ST = henan, L = zhengzhou, O = wenzi, OU = yunwei, CN = www.wenzi.com, emailAddress = 999@qq.comValidityNot Before: Dec 31 02:41:47 2023 GMTNot After : Apr  9 02:41:47 2024 GMTSubject: C = CN, ST = henan, O = wenzi, OU = kaifa, CN = www.wenzi.org, emailAddress = 999@163.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (2048 bit)Modulus:00:f2:cf:6e:74:80:8f:e2:19:09:19:20:8f:3d:5b:d6:3c:96:99:30:d7:07:9e:a0:5a:7c:79:a2:9a:d6:63:cb:a9:77:f1:10:d5:5f:69:55:53:90:8a:13:66:f9:77:7b:69:2c:0d:fe:fe:56:78:fa:fe:2e:43:c7:f9:88:b9:a2:42:d2:47:4b:73:e0:5d:da:c7:66:ce:fe:3f:e8:9f:fe:93:39:46:a4:7a:05:95:74:ef:fb:91:7d:8f:63:d8:ed:d4:6a:71:77:8d:b0:f8:37:38:a2:94:cf:69:f7:02:73:8e:ba:b7:c8:7f:c6:5f:4f:71:2d:d3:b1:9f:92:03:66:79:26:cb:1e:44:67:11:29:35:17:bb:a9:c7:98:0f:8c:b9:2b:89:13:9f:32:27:69:e7:15:3e:5c:05:6c:dc:0d:e9:81:24:ad:83:2c:71:da:f4:42:04:6b:68:13:2b:ce:19:aa:a8:63:c7:3a:ac:4f:6e:4e:4b:12:69:a9:2c:96:c9:d8:df:eb:7a:17:82:3f:d4:82:5b:0c:7a:7b:01:89:3b:ac:6c:51:f7:f7:c0:3e:46:49:b2:a7:0d:65:df:ac:d9:ec:e6:21:77:8b:56:00:f7:35:b7:01:b3:76:07:63:bc:1e:28:84:a6:99:7e:91:21:17:b2:cd:cc:ab:40:1c:9dExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:35:72:9F:AE:C3:0D:1C:CE:43:34:84:F1:83:88:59:0E:DE:5E:B5:7CX509v3 Authority Key Identifier:keyid:5D:EE:41:48:03:D1:0D:A6:85:DA:BC:05:29:AF:81:BF:82:67:11:05Signature Algorithm: sha256WithRSAEncryption91:8a:ba:32:4a:c4:36:0e:83:bd:e2:95:48:52:02:ce:d6:78:5a:6b:73:ea:73:59:c7:68:f8:3e:fe:f7:52:2f:0a:3a:7b:8d:4c:ac:bf:d8:d4:46:73:c3:34:25:3e:51:cd:b2:85:a5:a1:1b:03:86:92:58:dd:f9:07:d6:72:ba:23:18:79:32:42:71:7d:c2:ce:f9:0f:00:99:36:00:45:f5:c6:e3:4f:93:aa:e4:5c:aa:ad:94:89:73:ca:09:e0:9d:64:41:7a:d6:60:da:35:c8:07:d8:f7:7b:6c:46:41:3c:4c:ee:af:9a:82:b0:1e:25:e8:09:7f:88:e8:55:7e:de:4e:23:3d:9c:21:ad:1b:e7:f9:7b:df:16:13:64:bc:5f:fb:95:4f:79:15:cd:01:7b:e9:30:fa:4d:7d:0d:97:fe:9e:06:40:c6:d0:e7:1f:ec:8a:4a:fd:ee:be:b3:50:8a:7a:9c:4d:86:b6:33:81:75:af:3e:88:a2:d4:9b:6c:12:73:8a:1e:c5:46:d7:7e:41:dc:ee:c1:15:29:74:f4:59:63:09:e9:9b:f3:53:4f:b5:e9:2d:a7:cc:cd:82:17:a0:1e:54:a1:36:a7:f6:a4:3e:eb:f0:14:de:be:41:e0:cc:78:36:d5:7a:ba:bb:04:8b:84:fb:3b:40:53:81:dd将证书发送至客户端，完成
[root@centos8 CA]#rsync -a certs/test.crt root@192.168.28.20:/data/

将客户端收到的证书传递至windows系统查看