b. Generate the certificate signing request
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:CH
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
c. Send the request to the CA server over a trusted channel
[root@localhost ssl]# scp httpd.csr root@172.18.20.4:/tmp/
The steps above are performed on the HTTP server.
--------------------------------------------------------------------------------
4. Sign the certificate on the CA host
[root@ch tmp]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 26 04:17:02 2016 GMT
Not After : Mar 26 04:17:02 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = CH
organizationalUnitName = Ops
commonName =
Certificate is to be certified until Mar 26 04:17:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
5. Inspect the information in the certificate
[root@ch tmp]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=CH/OU=Ops/CN=www.test.com
--------------------------------------------------------------------------------
If the HTTP server's private key is lost, the certificate must be revoked.
(1) The client obtains the serial of the certificate to be revoked
[root@localhost ssl]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=Beijing/O=CH/OU=Ops/CN=CH
(2) The CA server compares the serial and subject submitted by the client against the entries stored in its local database index.txt
[root@ch tmp]# cd /etc/pki/CA/
[root@ch CA]# cat index.txt
V 170326041702Z 01 unknown /C=CN/ST=Beijing/O=CH/OU=Ops/CN=www.test.com
(3) The CA server revokes the certificate
[root@ch CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
(4) Create the CRL number file (only done the first time a certificate is revoked)
[root@ch CA]# echo 01 > /etc/pki/CA/crlnumber
(5) Update the certificate revocation list
[root@ch CA]# openssl ca -gencrl -out /etc/pki/CA/httpd.crl
View the CRL file
[root@ch CA]# openssl crl -in httpd.crl -noout -text
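The complete flow of this page, both the issuing half (steps b, 4 and 5) and the revocation half (steps (1) to (5)), as an added example that is not part of the original tutorial. It runs a throwaway CA in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/CA, replaces the interactive prompts with -subj and -batch, and finishes with the check the tutorial does not show: a relying party validating the server certificate against the CA and its CRL before and after revocation. It assumes a stock openssl binary on PATH; every path, hostname, subject and config section name is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the tutorial's CSR/sign/revoke/CRL flow as a throwaway CA in a
# temporary directory, driven by a minimal openssl.cnf instead of /etc/pki/CA.
# Hostnames, subjects and paths are constructed for the demonstration.
set -eu

setup_ca() {
  WORK=$(mktemp -d)
  CNF="$WORK/ca.cnf"
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"          # the CA database the tutorial inspects
  echo 01 > "$WORK/ca/serial"       # next certificate serial
  echo 01 > "$WORK/ca/crlnumber"    # tutorial step (4), done once up front
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = v3_server
[ policy_any ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl genrsa -out "$WORK/ca/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca/ca.key" -config "$CNF" -extensions v3_ca \
    -subj "/C=CN/ST=Beijing/O=CH/CN=Example Test CA" -days 365 -out "$WORK/ca/cacert.pem"
}

# Steps b, 4 and 5: CSR on the server side, signature on the CA side, inspection.
issue_server_cert() {
  openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null
  # -subj replaces the interactive prompts; CN must be the server's hostname
  openssl req -new -key "$WORK/httpd.key" -config "$CNF" \
    -subj "/C=CN/ST=Beijing/O=CH/OU=Ops/CN=www.test.com" -out "$WORK/httpd.csr"
  # -batch answers the two y/n questions the tutorial answers by hand
  openssl ca -config "$CNF" -batch -days 365 \
    -in "$WORK/httpd.csr" -out "$WORK/httpd.crt" >/dev/null 2>&1
  openssl x509 -in "$WORK/httpd.crt" -noout -serial -subject
}

serial_of_server_cert() {
  openssl x509 -in "$WORK/httpd.crt" -noout -serial | cut -d= -f2
}

# Steps (1)-(2): status column of the index.txt row for that serial (V or R).
index_status() {
  awk -F '\t' -v s="$(serial_of_server_cert)" '$4 == s { print $1 }' "$WORK/ca/index.txt"
}

# Steps (3) and (5): revoke via the CA's own copy in newcerts/, then rebuild the
# CRL. Prints the number of revoked serials listed in the new CRL.
revoke_cert() {
  openssl ca -config "$CNF" -revoke "$WORK/ca/newcerts/$(serial_of_server_cert).pem" >/dev/null 2>&1
  openssl ca -config "$CNF" -gencrl -out "$WORK/ca/crl.pem" >/dev/null 2>&1
  openssl crl -in "$WORK/ca/crl.pem" -noout -text | grep -c 'Serial Number:'
}

# The check a relying party performs: chain validation, plus CRL lookup once a
# CRL exists. Prints valid, revoked or invalid.
check_status() {
  if [ -f "$WORK/ca/crl.pem" ]; then
    out=$(openssl verify -crl_check -CAfile "$WORK/ca/cacert.pem" \
          -CRLfile "$WORK/ca/crl.pem" "$WORK/httpd.crt" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$WORK/ca/cacert.pem" "$WORK/httpd.crt" 2>&1) || true
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo invalid ;;
  esac
}

demo() {
  setup_ca
  issue_server_cert
  echo "index: $(index_status), verify: $(check_status)"
  revoke_cert >/dev/null
  echo "index: $(index_status), verify: $(check_status)"
  rm -rf "$WORK"
}
demo
```

Two points worth keeping in mind when following the tutorial's own commands: the -days option on openssl req -new has no effect on a plain CSR (it only applies together with -x509), so the validity period is the one the CA sets at signing time; and revoking the certificate only changes the CA's index.txt until a fresh CRL is generated and actually consulted by the relying party, which is why the example ends with openssl verify -crl_check rather than with the cat of index.txt.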