构建私有CA:
   在确定配置为CA的服务上生成一个自签证书,并为CA提供所需要的目录及文件即可;

 步骤:
  (1) 生成私钥;

[root@centos7 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

Generating RSA private key, 4096 bit long modulus

........++

..........................++

e is 65537 (0x10001)

(2) 生成自签证书;

                -new:生成新证书签署请求;
                -x509:生成自签格式证书,专用于创建私有CA时;
                -key:生成请求时用到的私有文件路径;
                -out:生成的请求文件路径;如果自签操作将直接生成签署过的书;
                -days:证书的有效时长,单位是day;
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Shenzhen

Locality Name (eg, city) [Default City]:Shenzhen 

Organization Name (eg, company) [Default Company Ltd]:ctc

Organizational Unit Name (eg, section) []:It

Common Name (eg, your name or your server's hostname) []:ca.ctc.com

Email Address []:ca@ctc.com

 

检查生成文件

[root@centos7 ~]# ls /etc/pki/CA

cacert.pem  certs  crl  newcerts  private

 

(3) 为CA提供所需的目录及文件;

 [root@centos7 ~]# mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}

[root@centos7 ~]# touch  /etc/pki/CA/{serial,index.txt}

[root@centos7 ~]# echo  01 > /etc/pki/CA/serial

 

 

CA Client

步骤:(以httpd为例)CA Client端
          (1) 用到证书的主机生成私钥;

 

[root@Centos6 ~]# mkdir  /etc/httpd/ssl

[root@Centos6 ~]# cd  /etc/httpd/ssl

[root@Centos6 ssl]# (umask  077; openssl  genrsa -out  /etc/httpd/ssl/httpd.key  2048)

Generating RSA private key, 2048 bit long modulus

..........................+++

................+++

e is 65537 (0x10001)

 

(2) 生成证书签署请求

 

[root@Centos6 ssl]# openssl  req  -new  -key  /etc/httpd/ssl/httpd.key  -out /etc/httpd/ssl/httpd.csr  -days  365

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Shenzhen

Locality Name (eg, city) [Default City]:Shenzhen

Organization Name (eg, company) [Default Company Ltd]:ctc

Organizational Unit Name (eg, section) []:It

Common Name (eg, your name or your server's hostname) []:Centos6

Email Address []:centos6@ctc.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

(3) 将请求通过可靠方式发送给CA主机;

 

[root@Centos6 ssl]# scp httpd.csr root@172.16.100.67:/tmp

The authenticity of host '172.16.100.67 (172.16.100.67)' can't be established.

RSA key fingerprint is 00:cb:11:7a:1f:0f:8f:74:38:3e:70:b6:bd:76:74:cf.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.100.67' (RSA) to the list of known hosts.

root@172.16.100.67's password:

httpd.csr                                  100% 1037     1.0KB/s   00:00
               

 

 (4) 在CA主机上签署证书;

[root@centos7 ~] openssl ca  -in  /tmp/httpd.csr  -out  /etc/pki/CA/certs/httpd.crt  -days  365

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Oct 31 15:16:22 2018 GMT

            Not After : Oct 31 15:16:22 2019 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Shenzhen

            organizationName          = ctc

            organizationalUnitName    = It

            commonName                = Centos6

            emailAddress              = centos6@ctc.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                08:EB:D4:55:82:32:4E:B1:A1:88:72:2C:2E:46:36:62:59:BB:34:EB

            X509v3 Authority Key Identifier:

                keyid:C7:20:00:DA:3D:8D:A0:E1:65:6F:1C:CA:35:EA:62:2F:30:A9:9F:F9

 

Certificate is to be certified until Oct 31 15:16:22 2019 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

(5) 发送密钥给CA clinet端

 

[root@centos7 ~]# cd /etc/pki/CA

[root@centos7 CA]# scp certs/httpd.crt root@172.16.100.65:/etc/httpd/ssl/

The authenticity of host '172.16.100.65 (172.16.100.65)' can't be established.

RSA key fingerprint is 8b:8c:c9:e6:1f:74:36:3e:a5:0a:ba:14:9d:d5:ab:04.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.100.65' (RSA) to the list of known hosts.

root@172.16.100.65's password:

httpd.crt                                  100% 5811     5.7KB/s   00:00   

 

查看证书中的信息:

 

[root@centos7 CA]# openssl  x509  -in /etc/pki/CA/certs/httpd.crt  -noout  -serial  -subject

serial=01

subject= /C=CN/ST=Shenzhen/O=ctc/OU=It/CN=Centos6/emailAddress=centos6@ctc.com

 

 

吊销证书::步骤:
  (1) 客户端获取要吊销的证书的serial(在使用证书的主机执行):

[root@Centos6 ~]# openssl  x509  -in /etc/httpd/ssl/httpd.crt  -noout  -serial  -subject

serial=01

subject= /C=CN/ST=Shenzhen/O=ctc/OU=It/CN=Centos6/emailAddress=centos6@ctc.com

(2) CA主机吊销证书
  先根据客户提交的serial和subject信息,对比其与本机数据库index.txt中存储的是否一致;
                                                
  吊销:

查看serial对应的.pem文件

[root@centos7 ~]# ls /etc/pki/CA/newcerts/

01.   pem

 

吊销

[root@centos7 ~]# openssl  ca  -revoke  /etc/pki/CA/newcerts/01.pem

Using configuration from /etc/pki/tls/openssl.cnf

Revoking Certificate 01.

Data Base Updated

(3) 生成吊销证书的吊销编号(第一次吊销证书时执行)

[root@centos7 ~]# echo  01  > /etc/pki/CA/crlnumber

 

  (4) 更新证书吊销列表
   openssl  ca  -gencrl  -out  thisca.crl 
                                                
   查看crl文件:
   openssl  crl  -in  thisca.crl   -noout  -text