使用OpenSSL自建CA及颁发证书、吊销证书

最新推荐文章于 2025-06-01 13:53:21 发布

miouqi

最新推荐文章于 2025-06-01 13:53:21 发布

阅读量5.6k

点赞数 1

CC 4.0 BY-SA版权

分类专栏：网络安全文章标签： openssl ca

本文链接：https://blog.youkuaiyun.com/miouqi/article/details/75268402

本文详细介绍了如何使用OpenSSL自建CA，包括创建私有CA服务器、颁发证书以及吊销证书的步骤。从生成私钥、自签名证书，到在需要证书的主机上生成私钥和证书请求，再到CA签署并颁发证书，最后讨论了吊销证书的过程，涉及到证书的serial和subject信息的验证。此外，还解析了CA生成自签名证书的命令和CA的配置文件详情。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

一、实验说明

OpenSSL 是一个安全套接字层密码库，囊括主要的密码算法、常用的密钥和证书封装管理功能及SSL协议，并提供丰富的应用程序供测试或其它目的使用。
OpenSSL是一个开源程序的套件、这个套件有三个部分组成：一是libcryto，这是一个具有通用功能的加密库，里面实现了众多的加密库；二是libssl，这个是实现ssl机制的，它是用于实现TLS/SSL的功能；三是openssl，是个多功能命令行工具，它可以实现加密解密，甚至还可以当CA来用，可以让你创建证书、吊销证书。

二、实验环境

Centos 6.9 x86_64位(申请签名机器）、Centos 7.3 x86_64位（自建CA的机器）、VMware workstaton 12.

三、实验正文

1、查看自建CA的主机是否安装OpenSSL

[root@centos7 ~]# rpm -qa openssl  # 查看openssl是否安装
openssl-1.0.1e-60.el7.x86_64
[root@centos7 ~]# rpm -ql openssl  # 列出openssl安装包下有哪些文件，等下会用到下面的一些目录
/etc/pki/CA
/etc/pki/CA/certs 
/etc/pki/CA/crl    # 吊销的证书存放目录
/etc/pki/CA/newcerts # 存放CA签署（颁发）过的数字证书（证书备份目录）
/etc/pki/CA/private  # 用于存放CA的私钥
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/usr/bin/openssl
...(以下省略)...
[root@centos7 ~]# yum install openssl -y  # 若没有安装使用此条命令安装

2、创建私有CA服务器

a、创建所需要的文件，只有第一次使用CA时才需要

[root@centos7 ~]# touch /etc/pki/CA/index.txt   # 生成证书索引数据库
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial  # 指定第一个颁发证书的序列号

b、CA生成私钥

[root@centos7 ~]# cd /etc/pki/CA/  # 切换至此目录
[root@centos7 CA]# (umask 006; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)  # 生成私钥
Generating RSA private key, 2048 bit long modulus  
.........+++
......................................+++
e is 65537 (0x10001)
[root@centos7 CA]# ls -l private/cakey.pem 
-rw-rw----. 1 root root 1675 Jul 17 17:22 cakey.pem

c、CA生成自签名证书

[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days \3650 -out /etc/pki/CA/cacert.pem   # CA生成自签名
...(中间省略)...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Hxt
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.hengxia.top
Email Address []:miouqi@qq.com
[root@centos7 CA]# ls -l
total 12
-rw-r--r--. 1 root root 1403 Jul 17 17:59 cacert.pem
drwxr-xr-x. 2 root root    6 Nov  6  2016 certs
drwxr-xr-x. 2 root root    6 Nov  6  2016 crl
-rw-r--r--. 1 root root    0 Jul 17 16:47 index.txt
drwxr-xr-x. 2 root root    6 Nov  6  2016 newcerts
drwx------. 2 root root   23 Jul 17 17:22 private
-rw-rw----. 1 root root 1675 Jul 17 17:18 privatecakey.pem
-rw-r--r--. 1 root root    3 Jul 17 16:48 serial

3、颁发证书

a、在需要使用证书的主机上给web服务器生成私钥

[root@centos6 ~]# (umask 066; openssl genrsa -out /etc/pki/tls/ private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
.........+++
................................................+++
e is 65537 (0x10001)

b、在需要使用证书的主机上给web服务器生成证书请求

[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key   -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # 默认国家要与CA一致
State or Province Name (full name) []:Beijing  # 默认省要与CA一致
Locality Name (eg, city) [Default City]:Beijing 
Organization Name (eg, company) [Default Company Ltd]:Hxt # 公司名称默认要与CA一致
Organizational Unit Name (eg, section) []:Ops 
Common Name (eg, your name or your server's hostname) []:*.testweb.com
Email Address []:test@qq.com              

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

c、将证书文件传输给CA

[root@centos6 ~]# scp /etc/pki/tls/test.csr 172.16.251.124:/tmp
The authenticity of host '172.16.251.124 (172.16.251.124)' can't be established.
RSA key fingerprint is 8e:d7:ac:fd:71:70:22:e7:ff:98:ed:61:96:85:5f:b7.
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '172.16.251.124' (RSA) to the list of known hosts.
root@172.16.251.124's password: 
test.csr                                          100% 1050     1.0KB/s   00:00

d、CA签署证书，并将证书颁发给请求者

[root@centos7 ~]# openssl ca -in  /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity