
ca

Posted: 2024-06-02 15:55:06
Tags: CN, certificate, ca, key, CA, dir

Creating and managing a CA and the certificate lifecycle

Task details

1 Create a root CA, including generating its private key and root certificate. Analyze the certificate's compliance with the 0015 and 0034 standards.
2 Generate a private key and a certificate signing request (CSR) for a server.
3 Sign the server's CSR with the root CA to produce the server certificate.
4 Revoke the server's certificate.

1 Create a root CA, including generating its private key and root certificate. Analyze the certificate's compliance with the 0015 and 0034 standards.

  • Root CA private key:
openssl genpkey -algorithm RSA -out rootCA.key -aes256


  • Root CA self-signed certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem -subj "/C=CN/ST=Beijing/L=Beijing/O=MyOrganization/OU=IT Department/CN=My Root CA/emailAddress=ca@example.com"


  • Compliance with the standards
    • Standard 0015:
      • RSA key of at least 2048 bits
      • SHA-256 or a stronger hash algorithm
    • Standard 0034:
      • Specific fields and extensions

Certificate contents:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            75:3b:9a:34:3a:b5:e3:4d:7a:04:7d:fb:5b:a8:ea:8f:0e:bb:a9:df
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Beijing, L = Beijing, O = MyOrganization, OU = IT Department, CN = My Root CA, emailAddress = ca@example.com
        Validity
            Not Before: May 29 15:15:50 2024 GMT
            Not After : May 27 15:15:50 2034 GMT
        Subject: C = CN, ST = Beijing, L = Beijing, O = MyOrganization, OU = IT Department, CN = My Root CA, emailAddress = ca@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:92:21:aa:85:8a:22:93:a6:40:c2:ba:b9:82:1b:
                    19:49:11:8d:f2:e2:90:29:22:62:5f:87:ab:ea:a2:
                    60:b6:38:a0:4a:86:5c:d4:ca:51:ae:d1:a7:54:f7:
                    1d:38:ba:10:db:02:5f:7b:77:d8:f3:3d:cb:d7:6a:
                    fe:a5:ae:7c:64:9e:e6:3c:1c:f1:55:3c:f8:63:42:
                    77:b0:ef:b1:25:35:0b:ee:a9:10:67:b6:d1:75:35:
                    e4:03:25:54:b7:c8:53:57:91:d2:8e:d2:31:41:a7:
                    7f:82:25:fe:78:f1:2b:11:e7:c2:3b:d7:fa:da:fd:
                    e9:68:64:37:1c:67:05:7c:e7:54:17:62:2d:94:5f:
                    7a:e7:cf:51:71:af:82:ae:25:1c:2d:81:cf:78:13:
                    ff:7e:72:96:20:20:95:10:d3:e4:81:5b:69:eb:23:
                    d6:69:d3:25:19:35:95:c0:a3:f7:d8:e8:d0:02:41:
                    2c:99:fa:f5:47:96:9d:75:55:fe:38:2c:b7:58:1a:
                    76:15:fa:e4:e7:4f:65:e4:39:43:26:e6:51:a4:25:
                    7a:70:2c:d9:af:5a:de:63:f6:ff:50:27:1b:2e:45:
                    22:35:61:ae:84:94:7d:bc:3b:20:a9:a0:b9:f5:1a:
                    48:54:0a:21:4a:d2:51:73:e5:8e:5e:df:4c:9a:a2:
                    ed:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                43:54:A0:A9:94:C4:12:E7:9E:CA:16:AA:4F:40:64:53:54:6D:D2:32
            X509v3 Authority Key Identifier: 
                keyid:43:54:A0:A9:94:C4:12:E7:9E:CA:16:AA:4F:40:64:53:54:6D:D2:32

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         29:64:b7:3e:c8:3a:c9:56:4c:d4:6e:90:d9:f0:19:7d:59:f2:
         50:d6:b1:0e:36:cb:b4:be:02:3d:4a:c9:6c:17:30:21:87:dc:
         b0:71:fa:1a:b0:d4:7f:ef:fa:3f:1e:a0:01:5c:4f:e3:b9:8a:
         3c:4d:90:1a:e6:96:ab:ec:6d:e1:28:bc:6a:d6:a7:fc:b7:e1:
         95:26:e1:b7:1d:9f:f2:4a:a7:a0:fa:d2:ae:03:d2:8e:7a:89:
         86:fa:f2:66:b3:98:89:5e:b0:a1:bf:d6:7b:3c:75:53:26:8e:
         a0:87:4f:a1:b2:bd:f6:19:26:6a:1f:ab:43:c8:bb:a3:fe:77:
         6f:ff:50:35:2e:a9:20:30:2e:59:d8:76:55:7a:f8:1e:6c:75:
         f7:47:97:ea:3f:58:bf:93:41:bb:e0:a0:0b:93:ed:3d:d2:bc:
         bb:03:e2:cd:61:a5:68:92:4b:f6:4b:db:8b:cc:43:23:41:32:
         c9:50:b0:dd:00:69:7d:ef:49:6f:d8:43:45:de:f8:a8:59:7c:
         d5:93:20:52:45:a5:38:85:81:bf:40:e6:08:d6:15:5c:66:0a:
         41:86:b4:71:73:ee:89:49:07:40:b5:18:9e:79:22:c6:87:24:
         a9:cd:eb:c3:7d:a6:82:b3:22:97:f1:2f:db:e5:2c:bc:8b:7b:
         db:a1:c3:f2

2 Generate a private key and a certificate signing request (CSR) for a server.

  • Generate the server private key
openssl genpkey -algorithm RSA -out server.key -aes256


  • Generate the certificate signing request (CSR)
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=MyOrganization/OU=Web Services/CN=www.example.com/emailAddress=admin@example.com"


3 Sign the server's CSR with the root CA to produce the server certificate.

  • Sign the server certificate
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256


4 Revoke the server's certificate.

  • Create the certificate revocation list (set up the CA directory layout and database files)
mkdir -p demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo 1000 > demoCA/serial
echo 1000 > demoCA/crlnumber   # the config below sets crlnumber = $dir/crlnumber; openssl ca -gencrl fails if the file does not exist


[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
private_key = $dir/private/cakey.pem
certificate = $dir/cacert.pem
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
default_crl_days = 30

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client,email
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
authorityKeyIdentifier = keyid,issuer
subjectKeyIdentifier = hash

  • Copy the root key and certificate into the CA directory layout
cp rootCA.key demoCA/private/cakey.pem
cp rootCA.pem demoCA/cacert.pem
  • Revoke the certificate and generate the CRL
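The script below is an added example, not part of the original post or of OpenSSL's own documentation. It runs the whole lifecycle from steps 1 to 4 non-interactively and then answers the compliance questions from step 1 (RSA key of at least 2048 bits, SHA-256 signature, CA and EKU extensions) by inspecting the resulting certificates. All paths, DN values, the 4096-bit root key size, the function names and the config file are assumptions made for the demo; keys are written unencrypted so that no passphrase prompt appears, whereas the post protects them with -aes256. Two departures from the post's commands are deliberate: the server certificate is signed with openssl ca instead of openssl x509 -req, because only certificates recorded in index.txt can later be revoked with openssl ca -revoke; and the leaf extensions come from a server_cert section with extendedKeyUsage = serverAuth and a subjectAltName, since the usr_cert section above (nsCertType client,email; clientAuth) describes a client certificate, not one for www.example.com.

```shell
# Added example (not from the original post); all names, paths, DN values and
# config contents below are constructed. Non-interactive CA lifecycle: root CA,
# server certificate, revocation, CRL, verification against the CRL, plus the
# key-size / hash / extension checks behind the 0015 and 0034 analysis.
# Keys are left unencrypted so nothing prompts (the post uses -aes256).
set -eu

# Minimal `openssl ca` config for CA directory $1: v3_ca for the self-signed
# root, server_cert for leaf certificates (serverAuth + SAN, unlike usr_cert).
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
certificate      = \$dir/cacert.pem
default_md       = sha256
default_crl_days = 30
policy           = policy_anything
x509_extensions  = server_cert
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
emailAddress     = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Directory layout, database files and the self-signed root certificate.
setup_ca() {
    cadir=$1
    mkdir -p "$cadir/newcerts" "$cadir/private" && chmod 700 "$cadir/private"
    : > "$cadir/index.txt"; echo 1000 > "$cadir/serial"
    echo 1000 > "$cadir/crlnumber"      # required by `openssl ca -gencrl`
    write_ca_config "$cadir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$cadir/private/cakey.pem" 2>/dev/null
    openssl req -x509 -new -key "$cadir/private/cakey.pem" -sha256 -days 3650 \
        -config "$cadir/ca.cnf" -extensions v3_ca \
        -subj "/C=CN/O=MyOrganization/CN=My Root CA" -out "$cadir/cacert.pem"
}

# Server key + CSR, signed with `openssl ca` so the certificate is recorded in
# index.txt; only recorded certificates can be revoked (`openssl x509 -req`,
# as used in the post, leaves no record).
issue_server_cert() {
    cadir=$1; out=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$out.key" 2>/dev/null
    openssl req -new -key "$out.key" -config "$cadir/ca.cnf" \
        -subj "/C=CN/O=MyOrganization/CN=www.example.com" -out "$out.csr"
    openssl ca -batch -config "$cadir/ca.cnf" -days 365 -notext -in "$out.csr" -out "$out.crt"
}

revoke_cert() { openssl ca -batch -config "$1/ca.cnf" -revoke "$2" -crl_reason superseded; }
gen_crl()     { openssl ca -batch -config "$1/ca.cnf" -gencrl -out "$1/crl.pem"; }
# Exit 0 only if $2 chains to the CA in $1 and is not listed on its CRL.
check_with_crl() { openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1; }

# Compliance helpers: RSA modulus length in bits, signature algorithm name,
# and a substring test on the text dump (used for extension checks).
cert_key_bits() { m=$(openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//'); echo $(( ${#m} * 4 )); }
cert_sig_alg()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
cert_text_has() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }

# Demo run in a temporary directory.
WORK=$(mktemp -d); CADIR=$WORK/demoCA; SRV=$WORK/server
setup_ca "$CADIR"
issue_server_cert "$CADIR" "$SRV"
echo "root: $(cert_key_bits "$CADIR/cacert.pem")-bit RSA, $(cert_sig_alg "$CADIR/cacert.pem")"
echo "server: $(cert_key_bits "$SRV.crt")-bit RSA, $(cert_sig_alg "$SRV.crt")"
gen_crl "$CADIR"
check_with_crl "$CADIR" "$SRV.crt" && echo "before revocation: accepted"
revoke_cert "$CADIR" "$SRV.crt"
gen_crl "$CADIR"                      # a fresh CRL is needed after every revocation
check_with_crl "$CADIR" "$SRV.crt" || echo "after revocation: rejected (serial on CRL)"
```

Run it with sh. It prints the key sizes and signature algorithms for the root and server certificates, then shows the same server certificate being accepted before revocation and rejected once the regenerated CRL lists its serial. The CRL must be regenerated and republished after each revocation; relying parties that keep using the old CRL will continue to accept the revoked certificate until its nextUpdate time, which is why default_crl_days should be kept short.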

From: https://www.cnblogs.com/wjmbk123/p/18227213
