一、CA和证书

CA（Certificate Authority）证书颁发机构主要负责证书的颁发、管理以及归档和吊销。

证书主要有三大功能：加密、签名、身份验证。
X.509：定义了证书的结构以及认证协议标准

• 版本号
• 序列号
• 签名算法
• 颁发者
• 有效期限
• 主体名称

证书类型：

• 专业的证书授权机构的证书
• 服务器证书
• 用户证书

证书的获取有两种方法：

• 自签名的证书
• 授权机构颁发的专业证书
  ①生成证书请求（csr）
  ②将证书请求csr发送给CA机构
  ③CA签名颁发证书

二、建立私有CA实现证书申请和颁发

建立私有CA两种方法：

• OpenCA：OpenCA开源组织使用Perl对OpenSSL进行二次开发而成的一套完善的PKI免费软件
• openssl

证书申请及签署步骤：
①.生成申请请求
②.RA核验
③.CA签署
④.获取证书

openssl的配置文件的详解：
配置文件存放路径：

/etc/pki/tls/openssl.cnf 

该文件主要设置了证书请求、签名、crl相关的配置。主要相关的伪命令为ca和req。对于x509不用该配置文件。
该文件从功能结构上分为4个段落：默认段、ca相关的段、req相关的段、tsa相关的段。每个段中都以name=value的格式定义。
配置文件内容（以下是CA相关段的部分内容和注释内容）：

[root@localhost ~]# cat /etc/pki/tls/openssl.cnf 
#
......
####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /etc/pki/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept（已颁发的证书路径，即CA或自签的） 
crl_dir		= $dir/crl		# Where the issued crl are kept（已颁发的crl存放目录）
database	= $dir/index.txt	# database index file.
#设置为yes则database文件中的subject列不能出现重复值
#即不能为subject相同的证书或证书请求签名
#建议设置为no，但为了保持老版本的兼容性默认是yes
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certs with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.（将来颁发的证书存放路径）

certificate	= $dir/cacert.pem 	# The CA certificate（CA自己的证书文件）
serial		= $dir/serial 		# The current serial number（提供序列号的文件）
crlnumber	= $dir/crlnumber	# the current crl number（当前crl序列号）
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL（当前CRL）
private_key	= $dir/private/cakey.pem# The private key（签名时需要的私钥，即CA自己的私钥）
RANDFILE	= $dir/private/.rand	# private random number file（提供随机数种子的文件）

x509_extensions	= usr_cert		# The extensions to add to the cert（添加到证书中的扩展项）

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
#以下两行是关于证书展示格式的，虽非必须项，但推荐设置。一般就如下格式不用修改
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
#以下是copy_extensions扩展项，需谨慎使用
# Extension copying option: use with caution.
# copy_extensions = copy 
                        /* 生成证书时扩展项的copy行为，可设置为none/copy/copyall */
						/* 不设置该name时默认为none */
						/* 建议简单使用时设置为none或不设置，且强烈建议不要设置为copyall */

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for(默认证书的有效期)
default_crl_days= 30			# how long before next CRL（CRL的有效期）
default_md	= sha256		# use SHA-256 by default（默认摘要算法）
preserve	= no			# keep passed DN ordering（Distinguished Name顺序，一般设置为no）
/*设置为yes仅为了和老版本的IE兼容)*/

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match
#证书匹配策略,此处表示引用[ policy_match ]的策略
#match表示请求中填写的该字段信息要和CA证书中的匹配
#optional表示该字段信息可提供可不提供
#supplied表示该字段信息必须提供
# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
#以下是没被引用的策略扩展，只要是没被引用的都是被忽略的
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
......

[root@localhost ~]# 

创建私有CA（以下内容是在Centos8以上的版本进行的操作）
Centos8以上的版本没有相关的CA目录，需要手动去创建如下

[root@localhost ~]# for dir in certs  crl  newcerts  private ;do mkdir -pv /etc/pki/CA/$dir;done
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@localhost ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@localhost ~]# 

1、创建自签名证书步骤

1.1、创建CA所需要的文件

#生成证书索引数据库文件
touch /etc/pki/CA/index.txt
#指定第一个颁发证书的序列号
echo 01 > /etc/pki/CA/serial

1.2、生成CA私钥

[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
.........................................+++++
e is 65537 (0x010001)
[root@localhost CA]# 

1.3、生成CA自签名证书

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#国家代码
Country Name (2 letter code) [XX]:CN 
#省市
State or Province Name (full name) []:beijing
#城市
Locality Name (eg, city) [Default City]:beijing
#公司机构名称
Organization Name (eg, company) [Default Company Ltd]:alibaba
#所属部门
Organizational Unit Name (eg, section) []:devops
#给谁使用就写谁的名称，可以使用通配符，例如*.swyer.com.cn
Common Name (eg, your name or your server's hostname) []:ca.alibaba.com
#电子邮件
Email Address []:[email protected]
[root@localhost CA]# 
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# 

选项说明：

-new：生成新证书签署请求
-x509：专用于CA生成自签证书
-key：生成请求时用到的私钥文件
-days n：证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

国家代码查询

2、申请证书并颁发证书

2.1、为需要使用证书的主机生成生成私钥

[root@localhost CA]# (umask 066;openssl genrsa -out /data/app.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................+++++
.........................................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# 

2.2、为需要使用证书的主机生成证书申请文件

[root@localhost CA]# (umask 066;openssl genrsa -out /data/app.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................+++++
.........................................................................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl req -new -key /data/app.key -out /data/app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:hr
Common Name (eg, your name or your server's hostname) []:*.alibaba.com
Email Address []:[email protected]

注意：因为是私有CA证书，默认要求国家，省，公司名称三项必须和CA一致

2.3、在CA签署证书并将证书颁发给请求者

[root@localhost CA]# openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  4 14:13:38 2020 GMT
            Not After : May 14 14:13:38 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = alibaba
            organizationalUnitName    = hr
            commonName                = *.alibaba.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F6:29:09:21:68:8F:13:AA:3C:68:30:1F:B9:B7:EC:BC:01:09:24:F1
            X509v3 Authority Key Identifier: 
                keyid:CD:83:3E:13:6E:75:E0:F7:21:53:AD:6C:6C:C1:39:71:8C:8E:F5:88

Certificate is to be certified until May 14 14:13:38 2020 GMT (100 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# 

2.4、查看证书中的信息

[root@localhost CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@localhost CA]# cd certs/
[root@localhost certs]# ls
app.crt
[root@localhost certs]# openssl x509 -in app.crt -noout -text

#查看指定编号的证书状态
[root@localhost CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@localhost CA]# cat serial.old 
01
[root@localhost CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[root@localhost CA]# 

3、吊销证书

3.1、在客户端获取要吊销的证书的serial

[root@localhost CA]# openssl x509 -in certs/app.crt -noout -serial
serial=01
[root@localhost CA]# openssl x509 -in certs/app.crt -noout -serial -subject
serial=01
subject=C = CN, ST = beijing, O = alibaba, OU = hr, CN = *.alibaba.com, emailAddress = [email protected]
[root@localhost CA]# 

3.2、在CA上，根据客户提交的serial与subject信息，对比检验是否与

index.txt文件中的信息一致，吊销证书
[root@localhost CA]# cd newcerts/
[root@localhost newcerts]# ls
01.pem
[root@localhost newcerts]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@localhost newcerts]# 

指定第一个吊销证书的编号,注意：第一次更新证书吊销列表前，才需要执行

[root@localhost CA]# echo 01 > /etc/pki/CA/crlnumber

更新证书吊销列表

[root@localhost CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

查看crl文件

[root@localhost CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = alibaba, OU = devops, CN = ca.alibaba.com, emailAddress = [email protected]
        Last Update: Feb  4 14:28:20 2020 GMT
        Next Update: Mar  5 14:28:20 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Feb  4 14:24:30 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         8a:25:37:ff:b3:05:3e:df:ac:79:1c:ad:23:7e:81:81:00:60:
         f7:77:f2:fd:7a:86:70:90:d1:5f:fb:1e:69:d1:5a:bc:15:08:
         7b:11:9f:8e:80:e0:14:af:d2:b7:a0:e3:21:a2:31:13:ad:51:
         ce:9b:2e:74:1d:ae:21:cf:04:a5:19:bd:f3:cc:5f:60:42:f3:
         4c:db:27:ea:04:cd:5d:f2:62:0e:39:85:f9:51:e8:0c:8c:bf:
         88:8c:62:3f:b7:11:3d:68:05:ef:23:95:87:c4:c8:df:8d:ca:
         e7:e9:c8:76:34:06:0a:c9:a4:9b:93:7b:b1:9e:56:39:30:4b:
         62:01:35:40:d3:02:07:63:c9:6d:c8:c1:c5:f7:11:33:8c:d9:
         f9:54:8b:0e:70:97:0c:e4:cd:73:36:bd:ab:d1:b1:5f:8a:b2:
         2a:c9:0b:1b:28:a4:85:80:b7:4e:51:4e:a4:4a:a9:e0:3a:0f:
         aa:3e:6e:49:6a:9a:4c:71:7f:06:57:5e:bc:a7:0f:0a:18:90:
         f9:58:4a:78:eb:54:ec:18:79:69:d9:27:49:74:92:ce:aa:d4:
         59:58:79:62:f4:57:5a:cc:5d:d1:f5:90:fd:e6:e3:1f:9c:20:
         73:90:2a:71:62:61:91:b3:be:a9:48:50:20:c5:3f:d7:8b:5b:
         45:12:3e:f2
[root@localhost CA]#