Concrete lab steps for issuing certificates with a private CA


The CA configuration file is /etc/pki/tls/openssl.cnf
Server side
1. Enter /etc/pki/CA and create index.txt, serial and crlnumber
 
[root@centos6 ~]# cd /etc/pki/CA
[root@centos6 CA]# touch index.txt
[root@centos6 CA]# touch serial
[root@centos6 CA]# touch crlnumber
[root@centos6 CA]# echo 01 > serial 
[root@centos6 CA]# echo 01 > crlnumber

2. Create the CA private key
[root@centos6 CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096 )
Generating RSA private key, 4096 bit long modulus
..................................................++
.....................................................................................................................................................................................++
e is 65537 (0x10001)
# ( ) runs the command in a subshell, so umask 077 applies only there and the key file is created mode 0600
# openssl genrsa -out <file> 4096 generates a 4096-bit RSA private key
[root@centos6 CA]# tree                               # CA directory layout
.
├── cacert.pem
├── certs
├── crl
├── crlnumber
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
4 directories, 5 files

3. Self-sign the CA certificate
[root@centos6 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -out /etc/pki/CA/cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                          # country
State or Province Name (full name) []:beijing                                 # state / province
Locality Name (eg, city) [Default City]:beijing                               # city
Organization Name (eg, company) [Default Company Ltd]:bta                     # organization
Organizational Unit Name (eg, section) []:yunwei                              # department / unit
Common Name (eg, your name or your server's hostname) []:bta.com              # common name
Email Address []:[email protected]                                            # email

Client side
The client works under /etc/pki/tls/
1. Enter /etc/pki/tls and create the client private key
[root@go ~]$cd /etc/pki/tls/
[root@go tls]$(umask 077; openssl genrsa -out /etc/pki/tls/private/TianRandai.key 2048)
Generating RSA private key, 2048 bit long modulus
....+++
..+++
e is 65537 (0x10001)
[root@go tls]$tree private/    # TianRandai.key was created
private/
└── TianRandai.key
0 directories, 1 file

2. Generate the certificate signing request (CSR)
[root@go tls]$openssl req -new -key private/TianRandai.key -out TianRandai.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:bta
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:www.bta.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Note: Country, State/Province and Organization must match the CA certificate's values; the default policy_match in openssl.cnf rejects the request otherwise

3. Copy the request to the CA server
[root@go tls]$scp TianRandai.csr 172.18.17.21:/etc/pki/CA
root@172.18.17.21's password: 
TianRandai.csr                                                                                                                                            100% 1041     1.0KB/s   00:00

Server side
1. Check the file received from the client
[root@centos6 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── crlnumber
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
├── serial
└── TianRandai.csr
4 directories, 6 files
# The client's request file has been copied over.

2. Sign the client's request with the CA to issue the certificate
[root@centos6 CA]# openssl ca -in TianRandai.csr -out TianRandai.crt -days 365    
# -days sets how many days the issued certificate is valid
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 21 01:57:04 2017 GMT
            Not After : Feb 21 01:57:04 2018 GMT
        Subject:
            countryName       = CN
            stateOrProvinceName   = beijing
            organizationName     = bta
            organizationalUnitName  = yunwei
            commonName        = www.bta.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2C:2E:03:82:0A:2C:95:11:7E:0F:71:DC:41:B8:B6:F8:F3:32:3B:1F
            X509v3 Authority Key Identifier: 
                keyid:98:9B:95:79:0B:0A:25:93:17:06:D1:02:92:1A:EF:A0:6F:6B:95:D8
Certificate is to be certified until Feb 21 01:57:04 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
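As an added example (not the post's own commands), the whole procedure above, the CA directory setup with index.txt/serial/crlnumber, the CA key and self-signed certificate, the client key and CSR, and the `openssl ca` signing step, as a POSIX shell script that runs in a temporary directory with a minimal config of its own instead of /etc/pki/tls/openssl.cnf. The DNs, file names and the second `othercorp` request are constructed for the demo; that second request shows what the default `policy_match` does when the Organization differs from the CA's, and the script also checks that the issued certificate chains to cacert.pem and carries CA:FALSE.

```shell
# Added example, not the post's own commands: the same OpenSSL steps (genrsa in a
# subshell under umask 077, req -x509 for the CA, req -new for the CSR, ca for
# signing) in a temporary directory with a minimal config of its own.
# All DNs, file names and directories are constructed for the demo.
set -u

# make_ca DIR: CA layout, bookkeeping files, CA key and self-signed CA certificate
make_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    : > "$ca_dir/index.txt"          # the files the post creates with touch/echo
    echo 01 > "$ca_dir/serial"
    echo 01 > "$ca_dir/crlnumber"
    # policy_match below mirrors the stock openssl.cnf: C, ST and O must equal
    # the CA's values, CN must be supplied, other fields are optional or dropped.
    cat > "$ca_dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
countryName = Country Name (2 letter code)
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
EOF
    # subshell so umask 077 affects only the key file (created mode 0600)
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    # -subj replaces the interactive DN prompts shown in the post
    openssl req -new -x509 -config "$ca_dir/ca.cnf" -key "$ca_dir/private/cakey.pem" \
        -out "$ca_dir/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=beijing/L=beijing/O=bta/OU=yunwei/CN=bta.com" 2>/dev/null
}

# make_csr DIR NAME SUBJECT: client private key plus certificate signing request
make_csr() {
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# sign_csr DIR NAME: prints "signed", or "rejected" when the CA policy refuses the CSR
sign_csr() {
    if openssl ca -batch -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" \
            -days 365 -notext >/dev/null 2>&1; then
        echo signed
    else
        echo rejected
    fi
}

# verify_cert DIR NAME: "OK" if the issued certificate chains to cacert.pem
verify_cert() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# is_ca_false DIR NAME: "yes" if the issued certificate carries CA:FALSE
is_ca_false() {
    if openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q 'CA:FALSE'; then
        echo yes
    else
        echo no
    fi
}

# run_demo: build the CA, issue one matching request, see a mismatching one rejected
run_demo() {
    work=$(mktemp -d)
    make_ca "$work"
    make_csr "$work" www   "/C=CN/ST=beijing/L=beijing/O=bta/OU=yunwei/CN=www.bta.com"
    make_csr "$work" other "/C=CN/ST=beijing/L=beijing/O=othercorp/OU=yunwei/CN=www.other.com"
    echo "www.bta.com: $(sign_csr "$work" www), verify=$(verify_cert "$work" www), CA:FALSE=$(is_ca_false "$work" www)"
    echo "www.other.com (O=othercorp): $(sign_csr "$work" other)"
}
```

Run `run_demo` after sourcing the file. The issued subject lacks the L= field because localityName is not listed in policy_match, which is also why the post's "Certificate Details" output shows no locality even though one was typed at the prompt; the `othercorp` request is refused before anything is written to index.txt.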

3. Copied it to Windows and opened it; there was a problem
