|
|
一个自己写的CA证书创建的脚本,写之前以为这是一个简单的脚本,当开始写后才发现这是个坑
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
| #!/bin/bash
#########################################################################
# File Name: MakeCA.sh
# Author: LookBack
# Email: taoxiaoyuzy@vip.qq.com
# Created Time: 2014年08月02日 星期六 21时55分51秒
#########################################################################
CADir="/etc/pki/CA/"
privateDir="${CADir}private/"
[ -n `which openssl` ] || yum -y install opensll
[ ! -d "$privateDir" ] && mkdir -p $privateDir
InfoInput() {
read -p "请输入CA自签证书的$1: " $1
#until [ -n "$(eval echo \$$1 | grep -E "$2")" ]; do
until [ -n "$(echo "${!1}" | grep -E "$2")" ]; do
clear
echo "CA自签证书的$1输入错误"
read -p "请重新输入CA自签证书的$1: " $1
done
#eval echo \$$1
echo ${!1}
}
makeCA() {
(umask 077; openssl genrsa -out ${privateDir}cakey.pem 2048)
openssl req -new -x509 -key ${privateDir}cakey.pem -out ${CADir}cacert.pem -days 365 &> /dev/null << EOF
$1
$2
$3
$4
$5
$6
$7
EOF
}
InfoInput CountryName "^[[:upper:]]{2}$"
InfoInput ProvinceName "^[[:alpha:]]{3,}$"
InfoInput LocalityName "^[[:alpha:]]{3,}$"
InfoInput OrganizationName ".{3,}"
InfoInput OrganizationalUnitName ".{3,}"
InfoInput CommonName "^([a-Z0-9_\-\.\+\-]\.){0,}[a-Z0-9_\-\.\+\-]{1,63}\.[a-Z]{2,5}$"
InfoInput Email "^[a-Z0-9_\-\.\+\-]+@([a-Z0-9_\-\.\+\-]\.){0,}[a-Z0-9_\-\.\+\-]{1,63}\.[a-Z]{2,5}$"
cat << EOF
CountryName: $CountryName
ProvinceName: $ProvinceName
LocalityName: $LocalityName
OrganizationName: $OrganizationName
OrganizationalUnitName: $OrganizationalUnitName
CommonName: $CommonName
Email: $Email
EOF
makeCA $CountryName $ProvinceName $LocalityName $OrganizationName $OrganizationalUnitName $CommonName $Email
|
OpenSSL是套开放源代码的软件库包,实现了SSL与TLS协议。其主要库是以C语言所写成,实现了基本的加密功能。
OpenSSL可以运行在绝大多数类Unix操作系统上(包括Solaris,Linux,Mac OS X与各种版本的开放源代码BSD操作系统),OpenVMS与 Microsoft Windows。它也提供了一个移植版本,可以在IBM i(OS/400)上运作。
此软件是以Eric Young以及Tim Hudson两人所写的SSLeay为基础所发展的,SSLeay随着两人前往RSA公司任职而停止开发。
虽然此软件是开放源代码的,但其授权书条款与GPL有冲突之处,故GPL软件使用OpenSSL时(如Wget)必须对OpenSSL给予例外。
在Linux环境下,我们能够利用它来搭建一个CA来实现证书的发放,可以用于企业内部使用的加密工具
1安装openssl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
| [iyunv@localhost ~]# yum install openssl
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00
extras | 3.3 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 157 kB 00:00:05
(2/4): extras/7/x86_64/primary_db | 15 kB 00:00:07
(3/4): base/7/x86_64/primary_db | 4.9 MB 00:00:23
(4/4): updates/7/x86_64/primary_db | 2.1 MB 00:00:42
Determining fastest mirrors
* base: mirror.bit.edu.cn
* extras: mirror.bit.edu.cn
* updates: mirror.bit.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-34.el7 will be updated
---> Package openssl.x86_64 1:1.0.1e-34.el7_0.3 will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-34.el7_0.3 for package: 1:openssl-1.0.1e-34.el7_0.3.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-34.el7 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-34.el7_0.3 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================================
Package Arch Version Repository Size
==========================================================================================================================================================
Updating:
openssl x86_64 1:1.0.1e-34.el7_0.3 updates 705 k
Updating for dependencies:
openssl-libs x86_64 1:1.0.1e-34.el7_0.3 updates 939 k
Transaction Summary
==========================================================================================================================================================
Upgrade 1 Package (+1 Dependent package)
Total download size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/updates/packages/openssl-1.0.1e-34.el7_0.3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY0:00:00 ETA
Public key for openssl-1.0.1e-34.el7_0.3.x86_64.rpm is not installed
(1/2): openssl-1.0.1e-34.el7_0.3.x86_64.rpm | 705 kB 00:00:09
(2/2): openssl-libs-1.0.1e-34.el7_0.3.x86_64.rpm | 939 kB 00:00:09
----------------------------------------------------------------------------------------------------------------------------------------------------------
Total 163 kB/s | 1.6 MB 00:00:10
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-0.1406.el7.centos.2.3.x86_64 (@anaconda)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64 1/4
Updating : 1:openssl-1.0.1e-34.el7_0.3.x86_64 2/4
Cleanup : 1:openssl-1.0.1e-34.el7.x86_64 3/4
Cleanup : 1:openssl-libs-1.0.1e-34.el7.x86_64 4/4
Verifying : 1:openssl-libs-1.0.1e-34.el7_0.3.x86_64 1/4
Verifying : 1:openssl-1.0.1e-34.el7_0.3.x86_64 2/4
Verifying : 1:openssl-libs-1.0.1e-34.el7.x86_64 3/4
Verifying : 1:openssl-1.0.1e-34.el7.x86_64 4/4
Updated:
openssl.x86_64 1:1.0.1e-34.el7_0.3
Dependency Updated:
openssl-libs.x86_64 1:1.0.1e-34.el7_0.3
Complete!
|
2创建CA自签证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| [iyunv@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
.+++
e is 65537 (0x10001)
#命令解释:
在Linux 中使用()可以让()创建一个子shell让()内命令执行完毕会关闭这个子shell,
由于我们需要对生成CAKEY.pem文件做权限设置,这时候我们直接用umask改变默认权限就Ok了,再在()内执行就可以达到新建文件默认的权限设置不影响当前系统环境配置。
使用 openssl创建一个2048位证书
genrsa :生成私钥
存放路径为 :/etc/pki/CA/private/
文件名为 :cakey.pem
#注意:这地方的路径和文件名不能随便修改哦
|
2生成自签证书
1
2
3
4
5
6
7
8
9
10
11
| [iyunv@localhost ~]# openssl req -new -x509 -days 1000 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem &> /dev/null << EOF
CN
BeiJing
BeiJing
51CTOblog
FangKe
mondeolove.blog.
taoxiaoyuzy@vip.qq.com
EOF
|
命令解释
3、创建3个必要的文件
1
2
3
4
5
6
7
8
| touch /etc/pki/CA/{serial,index.txt,crlnumber}
echo 01 | tee /etc/pki/CA/{serial,crlnumber}
#echo 01 >> /etc/pki/CA/{serial,crlnumber} 这样做是不行的,所以借助tee命令做多文件的重定向
#命令解释:
在/etc/pki/CA/目录下创建 serial index.txt crlnumber这3个文件
然后在serial crlnumber 追加01内容进去
/etc/pki/CA/serial #生成证书的序列号
/etc/pki/CA/crlnumber #生成吊销证书的开始序列号
|
4、证书生成签署请求(这个是在客户端生成)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| [iyunv@localhost ~]# mkdir -p /etc/ssl/CA/
[iyunv@localhost ~]# (umask 077; openssl genrsa -out /etc/ssl/CA/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................+++
...+++
e is 65537 (0x10001)
[iyunv@localhost ~]# openssl req -new -key /etc/ssl/CA/httpd.key -out /etc/ssl/CA/httpd.csr &> /dev/null << EOF
CN
BeiJing
BeiJing
51CTOblog
FangKe
mondeolove.blog.
admin@mondeolove.blog.
EOF
|
5、给客户端颁发证书(由于是测试环境所以这里CA和客户端都是一台电脑)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
| [iyunv@localhost ~]# openssl ca -in /etc/ssl/CA/httpd.csr -out /etc/ssl/CA/httpd.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 2 13:27:17 2014 GMT
Not After : Apr 28 13:27:17 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = 51CTOblog
organizationalUnitName = FangKe
commonName = mondeolove.blog.
emailAddress = admin@mondeolove.blog.
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EB:A6:79:60:DF:56:E8:B7:56:81:BD:D6:D9:A1:9D:BD:8E:F2:13:0E
X509v3 Authority Key Identifier:
keyid:B6:6B:52:5F:D5:B2:6B:87:9D:F0:E3:A0:67:9D:7D:B0:D8:77:70:80
Certificate is to be certified until Apr 28 13:27:17 2017 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@localhost ~]# ls /etc/ssl/CA/
httpd.crt httpd.csr httpd.key
|
到了这里就实现了自建CA 并且能给客户颁发证书了,客户的证书就是
这个文件,由于这里是测试环境,在实际环境中,我们还需要把这个证书返还给客户端的
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2014-8-4 09:25:24
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡