Week 8 Study Assignment

This article covers the material for the week 8 study assignment; hopefully it is useful to you.
1. Create a private CA and request a certificate from it.
OpenCA: a complete, free PKI suite from the OpenCA open-source project, built in Perl on top of OpenSSL.
openssl: the relevant packages are openssl and openssl-libs.
Steps for requesting and signing a certificate:
1. Generate the certificate signing request (CSR)
2. The RA verifies the request
3. The CA signs it
4. Retrieve the certificate

## Prepare the CA directory structure (the brace expansion creates all four subdirectories in one go)
[root@centos84 ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@centos84 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@centos84 ~]# cd /etc/pki/CA/
[root@centos84 CA]# ls
certs  crl  newcerts  private
## Generate the CA private key
[root@centos84 CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
........+++++
e is 65537 (0x010001)
[root@centos84 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem

4 directories, 1 file
[root@centos84 CA]# ll private/cakey.pem
-rw-------. 1 root root 1679 Jan 11 04:29 private/cakey.pem

## On CentOS 7 (OpenSSL 1.0.2) genrsa writes the key file 0644, so run it under a restrictive umask; on CentOS 8 the 0600 shown above is already the default, and the form below is harmless there too
(umask 066; openssl genrsa -out private/cakey.pem 2048)

## Generate the CA's self-signed certificate, valid for 10 years (openssl req -x509 defaults to only 30 days when -days is omitted; the 365-day default belongs to openssl ca)
# Options:
# -new: generate a new certificate signing request
# -x509: output a self-signed certificate instead of a CSR (this is how the CA certificate itself is made)
# -key: the private key used to sign the request/certificate
# -days n: validity period of the certificate in days
# -out /PATH/TO/SOMECERTFILE: where to save the certificate

[root@centos84 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:TIANJIN
Locality Name (eg, city) [Default City]:BINHAI
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your servers hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
[root@centos84 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem

4 directories, 2 files
[root@centos84 CA]#
# View the certificate
[root@centos84 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4f:93:ae:3f:c8:34:e7:69:27:d3:ff:95:9d:ae:15:29:a1:e8:8d:91
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = TIANJIN, L = BINHAI, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
Validity
Not Before: Jan 10 20:52:27 2022 GMT
Not After : Jan  8 20:52:27 2032 GMT
Subject: C = CN, ST = TIANJIN, L = BINHAI, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:af:25:91:c0:5c:30:9c:62:d3:4d:65:2b:d9:bb:
ca:3f:ce:11:d1:a5:f0:ce:90:d5:4d:fa:34:8d:c9:
ee:aa:22:4a:ac:14:29:d6:d5:0d:25:39:a9:59:4a:
41:70:3a:8b:51:bb:a7:74:3b:49:e1:e6:17:25:f5:
bc:77:d0:0e:c2:d6:a9:6e:6b:c2:09:84:d7:aa:58:
1c:6c:ea:58:90:9f:91:f9:71:5f:57:be:83:da:53:
c4:35:84:a9:da:34:e5:d7:e7:89:f5:58:bf:ba:88:
d4:57:98:65:4d:6a:98:61:36:4f:2c:35:84:0a:5e:
77:e6:01:66:9d:0a:6e:98:f8:87:0c:22:30:8d:9e:
ad:33:92:62:a5:2e:76:83:92:12:40:9f:d3:ba:0c:
b1:32:be:2b:40:0b:38:8e:41:13:d6:ba:db:7b:cd:
64:b6:00:5a:20:26:d6:06:f0:e7:c4:d7:4d:33:5a:
65:10:c3:64:ff:71:1a:68:75:55:22:e5:ae:cd:6c:
dc:88:e0:ec:d6:f9:6b:0b:71:7a:55:53:67:df:19:
a7:2a:7e:b9:e9:60:c0:68:e2:ef:11:d8:3b:e6:7f:
a9:4e:9f:13:28:c3:1e:cb:d0:70:49:d3:23:45:b7:
e1:9a:5d:ff:a8:28:66:67:4a:ba:2b:ec:93:06:e6:
0d:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
EA:83:5B:45:90:54:33:FB:D3:4E:59:2F:00:67:E6:35:71:14:0B:BC
X509v3 Authority Key Identifier:
keyid:EA:83:5B:45:90:54:33:FB:D3:4E:59:2F:00:67:E6:35:71:14:0B:BC

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
47:1d:24:58:d2:06:78:74:23:a2:bf:5c:95:41:1b:0e:f0:f9:
0d:d2:ab:d4:5b:54:6f:04:73:8e:30:d2:bd:75:a8:a4:61:31:
44:72:5e:3f:8a:d6:fa:e2:a0:1b:79:67:d6:a1:0e:d7:12:9d:
3c:f8:d9:9c:5c:73:25:32:24:78:36:a3:7c:cd:7d:42:3e:fc:
71:1d:bc:8f:cc:f4:68:5c:6c:05:81:47:db:46:75:eb:9f:5b:
a1:90:c3:cb:0e:26:55:7b:f5:0e:d5:a6:4d:99:b8:76:ab:35:
12:f9:96:e3:81:fd:8a:1b:96:d4:b1:8c:4f:6c:c6:26:3a:8e:
76:8d:49:e4:ac:b6:02:b0:e3:65:7c:e1:a8:4e:7e:ed:7f:b9:
da:38:5b:fe:68:f7:54:b3:30:ed:d7:36:b0:e0:3a:c3:0f:79:
9b:e0:9a:fb:fb:85:c5:9f:62:ac:d9:cb:8c:9a:f5:82:d2:6a:
9c:47:83:7b:17:33:97:46:55:0e:76:af:fc:bc:14:d8:96:fb:
df:59:45:d9:b8:c2:40:f0:33:a7:07:db:5a:fb:2c:94:af:08:
0c:ef:97:6a:1b:99:3b:ff:70:81:a7:fc:75:a9:50:9e:75:16:
cd:14:da:8a:23:fe:bd:5d:76:61:71:92:6e:85:40:09:81:08:
06:fb:a8:d9
[root@centos84 CA]#
[root@centos84 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Jan 10 20:52:27 2022 GMT
notAfter=Jan  8 20:52:27 2032 GMT
[root@centos84 CA]# openssl x509 -in cacert.pem -noout -subject
subject=C = CN, ST = TIANJIN, L = BINHAI, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
[root@centos84 CA]#

# Manually generate a self-signed certificate and private key for a single service (no -days, so it is valid for only 30 days, and the subject carries only a CN, no subjectAltName)
[root@centos84 data]# openssl req -utf8 -newkey rsa:2048 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
...................................+++++
......................................................+++++
writing new private key to app.key
-----
[root@centos84 data]# ll
total 32
-rw-r--r--. 1 root root 1127 Jan 11 05:04 app.crt    ## self-signed certificate
-rw-------. 1 root root 1704 Jan 11 05:04 app.key    ## private key

# CentOS 7: generate a self-signed certificate via the Makefile shipped in /etc/pki/tls/certs (the key is encrypted with AES-128, so a pass phrase is required)

[root@centos79 certs]# pwd
/etc/pki/tls/certs
[root@centos79 certs]# make /data/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /data/httpd.key
Generating RSA private key, 2048 bit long modulus
....................................................................+++
................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /data/httpd.key -x509 -days 365 -out /data/httpd.crt
Enter pass phrase for /data/httpd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your servers hostname) []:www.magedu.org
Email Address []:admin@magedu.org
[root@centos79 certs]# ls -l /data/
total 16
-rw-------. 1 root root 1415 Jan 11 05:16 httpd.crt
-rw-------. 1 root root 1766 Jan 11 05:13 httpd.key
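Both self-signed forms above produce a certificate whose only name is the CN. Chrome (since version 58) and Go (since 1.15) ignore the CN entirely and match the host name against subjectAltName only, so such a certificate is rejected for www.magedu.org even by a client that trusts it. The following is an added example, not code from the original post: it generates the page's CN-only form next to a SAN-bearing one and reads the names back out. The working directory, file names and the 365-day lifetime are assumptions made for this example; it needs OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example: single-service self-signed certificates with and without
# subjectAltName. Paths and names are constructed for this example.
set -eu

# selfsigned DIR NAME SUBJ [SAN]: key + certificate in one openssl req -x509
# call, like the app.key/app.crt command above. -days is explicit because
# openssl req -x509 otherwise issues for only 30 days; the umask keeps the
# key 0600 on every OpenSSL version, not just 1.1.1+.
selfsigned() {
    dir=$1; name=$2; subj=$3; san=${4:-}
    set -- -x509 -newkey rsa:2048 -nodes -days 365 -subj "$subj" \
           -keyout "$dir/$name.key" -out "$dir/$name.crt"
    if [ -n "$san" ]; then
        # SAN is what clients match the host name against; serverAuth marks
        # the certificate as a TLS server certificate
        set -- "$@" -addext "subjectAltName=$san" -addext "extendedKeyUsage=serverAuth"
    fi
    (umask 077; openssl req "$@" 2>/dev/null)
}

# san_dns CERT: DNS names from the certificate's SAN, one per line; prints
# nothing for a CN-only certificate such as the page's app.crt.
san_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# self_trusted CERT: a self-signed certificate only verifies when it is itself
# the trust anchor, which is exactly what every client of the service must be
# configured with (there is no CA to distribute instead).
self_trusted() {
    openssl verify -CAfile "$1" "$1" > /dev/null 2>&1
}

WORK=$(mktemp -d)
selfsigned "$WORK" app  "/CN=www.magedu.org"                                  # page's CN-only form
selfsigned "$WORK" app2 "/CN=www.magedu.org" "DNS:www.magedu.org,DNS:magedu.org"
echo "CN-only certificate, SAN entries: $(san_dns "$WORK/app.crt" | wc -l)"
echo "SAN certificate, names:"
san_dns "$WORK/app2.crt"
self_trusted "$WORK/app2.crt" && echo "app2.crt verifies against itself"
```

Note that OpenSSL's own `openssl verify -verify_hostname` still falls back to the CN when no SAN is present, so it cannot be used to demonstrate the browser behaviour; checking for the SAN directly, as san_dns does, is the reliable test.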

## Server (end-entity) private key and certificate signing request

[root@centos84 data]# (umask 066; openssl genrsa -out /data/web/web.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................+++++
...........................+++++
e is 65537 (0x010001)
[root@centos84 data]#
[root@centos84 data]#
[root@centos84 data]# ls -l web/
total 4
-rw-------. 1 root root 1679 Jan 11 05:26 web.key
[root@centos84 data]# openssl req -new -key /data/web/web.key -out /data/web/web.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:tianjin
Locality Name (eg, city) [Default City]:dongli
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your servers hostname) []:www.magedu.org
Email Address []:

Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos84 data]# ls -l web/
total 8
-rw-r--r--. 1 root root 1033 Jan 11 05:28 web.csr
-rw-------. 1 root root 1679 Jan 11 05:26 web.key

## Submit the CSR to the CA and issue the certificate (openssl ca takes its paths from /etc/pki/tls/openssl.cnf, whose [ CA_default ] section sets dir = /etc/pki/CA, which is why the files below are looked for there)

[root@centos84 data]# openssl ca -in /data/web/web.csr -out /etc/pki/CA/certs/web.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
140016113215296:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen(/etc/pki/CA/index.txt,r)
140016113215296:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
## The certificate database (index.txt) is missing; create it as an empty file
[root@centos84 data]# touch /etc/pki/CA/index.txt
[root@centos84 data]# openssl ca -in /data/web/web.csr -out /etc/pki/CA/certs/web.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140590487828288:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen(/etc/pki/CA/serial,r)
140590487828288:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
## The serial-number file is missing; create it and initialise it to 00 (the first certificate then gets serial 0, which RFC 5280 does not allow: a CA should start at a positive value such as 01, or better use an unpredictable random serial)
[root@centos84 data]# echo 00 > /etc/pki/CA/serial
[root@centos84 data]#
[root@centos84 data]# openssl ca -in /data/web/web.csr -out /etc/pki/CA/certs/web.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jan 10 21:57:01 2022 GMT
Not After : Jan 10 21:57:01 2023 GMT
Subject:
countryName= CN
stateOrProvinceName= TIANJIN
organizationName= magedu
organizationalUnitName= sales
commonName= www.magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
81:9D:09:26:51:5A:66:27:10:E3:7B:2E:1C:61:AE:FB:49:88:A4:71
X509v3 Authority Key Identifier:
keyid:EA:83:5B:45:90:54:33:FB:D3:4E:59:2F:00:67:E6:35:71:14:0B:BC

Certificate is to be certified until Jan 10 21:57:01 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
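The whole procedure above (steps 1 to 4 together with the three openssl ca attempts), as an added example that is not part of the original post: a POSIX shell script that builds a throw-away CA with its own openssl.cnf, so it does not depend on /etc/pki/CA or on the stock config, pre-creates index.txt and serial (with a random positive serial rather than 00), signs a CSR that carries a subjectAltName without any prompts, and then performs the checks a practitioner wants before handing the certificate out: that it chains to the CA, that its public key belongs to the requester's private key, and that the CA refused a request whose ST differs from the CA's only in case. That last point is a caveat for the transcript above: the policy_match section compares the DN strings byte for byte, so a request typed as `tianjin` cannot be signed by a CA whose certificate says `TIANJIN`. All directory names, subjects, SAN values and the config sections are assumptions for this example; it needs OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example: the private-CA workflow run non-interactively in a temporary
# directory with its own config. Everything here (layout, subjects, policy,
# extension sections) is constructed for the example.
set -eu

# Hypothetical CA subject; C, ST and O must match requests exactly under the
# policy_match section written below.
CA_SUBJ="/C=CN/ST=TIANJIN/O=magedu/CN=ca.magedu.org"

# write_ca_config DIR: minimal openssl.cnf used by both 'openssl req' and
# 'openssl ca', pointing every path at DIR instead of /etc/pki/CA.
write_ca_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
string_mask        = utf8only
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ ca ]
default_ca = private_ca

[ private_ca ]
dir              = $dir
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
policy           = policy_match
# copy the request's subjectAltName; extensions configured in server_cert are
# added first and take precedence, so a request cannot smuggle in CA:TRUE
copy_extensions  = copy
x509_extensions  = server_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# build_ca DIR: directory layout, empty database, random serial, 0600 key and
# a 10-year self-signed CA certificate (the files openssl ca complained about
# above are created up front).
build_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    openssl rand -hex 16 > "$dir/serial"      # positive, unpredictable serial instead of 00
    write_ca_config "$dir"
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 \
        -key "$dir/private/cakey.pem" -subj "$CA_SUBJ" -out "$dir/cacert.pem"
}

# make_csr DIR NAME SUBJ SAN: server key plus a CSR carrying subjectAltName.
make_csr() {
    dir=$1; name=$2; subj=$3; san=$4
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -config "$dir/openssl.cnf" -new -key "$dir/$name.key" \
        -subj "$subj" -addext "subjectAltName=$san" -out "$dir/$name.csr"
}

# sign_csr DIR NAME: sign with -batch (no y/n prompts). Succeeds only if a
# certificate was written and chains to the CA; on a policy violation
# openssl ca writes no usable certificate and this returns 1.
sign_csr() {
    dir=$1; name=$2; out="$dir/certs/$name.crt"
    rm -f "$out"
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/$name.csr" -out "$out" 2> "$dir/$name.ca.log" || true
    [ -s "$out" ] || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$out" > /dev/null
}

# key_matches_cert KEY CERT: the public key inside the certificate must be the
# one derived from the private key it will be deployed with.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_has_dns CERT NAME: does the issued certificate list NAME in its SAN?
cert_has_dns() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# run_demo DIR: build the CA, issue one conforming certificate, then show the
# policy refusing a request whose ST differs from the CA's only in case.
run_demo() {
    dir=$1
    build_ca "$dir"
    make_csr "$dir" web "/C=CN/ST=TIANJIN/O=magedu/OU=it/CN=www.magedu.org" \
        "DNS:www.magedu.org,DNS:magedu.org"
    sign_csr "$dir" web
    key_matches_cert "$dir/web.key" "$dir/certs/web.crt"
    make_csr "$dir" badst "/C=CN/ST=tianjin/O=magedu/OU=it/CN=bad.magedu.org" "DNS:bad.magedu.org"
    if sign_csr "$dir" badst; then
        echo "unexpected: request violating the policy was signed" >&2
        return 1
    fi
    echo "issued: $(openssl x509 -in "$dir/certs/web.crt" -noout -subject -serial)"
    echo "refused: $(grep -o 'field is different.*' "$dir/badst.ca.log" || echo 'see badst.ca.log')"
    echo "database entries: $(grep -c '^V' "$dir/index.txt")"
}

WORK=$(mktemp -d)
run_demo "$WORK"
```

copy_extensions = copy is what lets the request's subjectAltName survive signing; the stock config leaves it at none, which is why the certificate issued in the transcript above has no SAN. Keeping basicConstraints = CA:FALSE in the signing section is what makes copy safe: a request that includes its own basicConstraints is ignored because configured extensions are added before the copied ones.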
