来源:蜘蛛抓取(WebSpider)
时间:2015-07-11 05:40
标签:
高校代理服务器
基于根CA的数字证书验证服务的设计与实现(专业)计算机系统结构。声明:知识水坝..
扫扫二维码,随身浏览文档
手机或平板扫扫即可继续访问
基于根CA的数字证书验证服务的设计与实现
举报该文档为侵权文档。
举报该文档含有违规或不良信息。
反馈该文档无法正常浏览。
举报该文档为重复文档。
推荐理由:
将文档分享至:
分享完整地址
文档地址:
粘贴到BBS或博客
flash地址:
支持嵌入FLASH地址的网站使用
html代码:
&embed src='/DocinViewer-4.swf' width='100%' height='600' type=application/x-shockwave-flash ALLOWFULLSCREEN='true' ALLOWSCRIPTACCESS='always'&&/embed&
450px*300px480px*400px650px*490px
支持嵌入HTML代码的网站使用
您的内容已经提交成功
您所提交的内容需要审核后才能发布,请您等待!
3秒自动关闭窗口汇聚2000万达人的兴趣社区下载即送20张免费照片冲印
扫码下载App
温馨提示!由于新浪微博认证机制调整,您的新浪微博帐号绑定已过期,请重新绑定!&&|&&
LOFTER精选
网易考拉推荐
用微信&&“扫一扫”
将文章分享到朋友圈。
用易信&&“扫一扫”
将文章分享到朋友圈。
阅读(3050)|
用微信&&“扫一扫”
将文章分享到朋友圈。
用易信&&“扫一扫”
将文章分享到朋友圈。
历史上的今天
loftPermalink:'',
id:'fks_',
blogTitle:'独立根CA服务器的建立及web证书的申请',
blogAbstract:'
1.安装CA服务,添加或删除程序---WINDOWS组件向导
选择证书服务
出现该提示请认真查看,如果CA所在的网络为域模式,请慎重考虑此计算机是否需要改名字,或是更改域成员身份,确认后再安装证书服务。
选择独立根CA,只有域模式时才可以选择企业CA,下一步
blogTag:'证书',
blogUrl:'blog/static/',
isPublished:1,
istop:false,
modifyTime:3,
publishTime:0,
permalink:'blog/static/',
commentCount:0,
mainCommentCount:0,
recommendCount:0,
bsrk:-100,
publisherId:0,
recomBlogHome:false,
currentRecomBlog:false,
attachmentsFileIds:[],
groupInfo:{},
friendstatus:'none',
followstatus:'unFollow',
pubSucc:'',
visitorProvince:'',
visitorCity:'',
visitorNewUser:false,
postAddInfo:{},
mset:'000',
remindgoodnightblog:false,
isBlackVisitor:false,
isShowYodaoAd:true,
hostIntro:'',
hmcon:'0',
selfRecomBlogCount:'0',
lofter_single:''
{list a as x}
{if x.moveFrom=='wap'}
{elseif x.moveFrom=='iphone'}
{elseif x.moveFrom=='android'}
{elseif x.moveFrom=='mobile'}
${a.selfIntro|escape}{if great260}${suplement}{/if}
{list a as x}
推荐过这篇日志的人:
{list a as x}
{if !!b&&b.length>0}
他们还推荐了:
{list b as y}
转载记录:
{list d as x}
{list a as x}
{list a as x}
{list a as x}
{list a as x}
{if x_index>4}{break}{/if}
${fn2(x.publishTime,'yyyy-MM-dd HH:mm:ss')}
{list a as x}
{if !!(blogDetail.preBlogPermalink)}
{if !!(blogDetail.nextBlogPermalink)}
{list a as x}
{if defined('newslist')&&newslist.length>0}
{list newslist as x}
{if x_index>7}{break}{/if}
{list a as x}
{var first_option =}
{list x.voteDetailList as voteToOption}
{if voteToOption==1}
{if first_option==false},{/if}&&“${b[voteToOption_index]}”&&
{if (x.role!="-1") },“我是${c[x.role]}”&&{/if}
&&&&&&&&${fn1(x.voteTime)}
{if x.userName==''}{/if}
网易公司版权所有&&
{list x.l as y}
{if defined('wl')}
{list wl as x}{/list}建立你自己的 CA 服务:OpenSSL 命令行 CA 操作快速指南
查看: 1820|
这些是关于使用 OpenSSL 生成证书授权(CA)、中间证书授权和末端证书的速记随笔,内容包括 OCSP、CRL 和 CA 颁发者信息,以及指定颁发和有效期限等。
我们将建立我们自己的根 CA,我们将使用根 CA 来生成一个中间 CA 的例子,我们将使用中间 CA 来签署末端用户证书。
创建根 CA 授权目录并切换到该目录:
mkdir ~/SSLCA/root/
cd ~/SSLCA/root/
为我们的根 CA 生成一个8192位长的 SHA-256 RSA 密钥:
openssl genrsa -aes256 -out rootca.key 8192
样例输出:
Generating RSA private key, 8192 bit long modulus
.........++
....................................................................................................................++
如果你想要用密码保护该密钥,请添加 -aes256 选项。
创建自签名根 CA 证书 ca.crt;你需要为你的根 CA 提供一个身份:
openssl req -sha256 -new -x509 -days 1826 -key rootca.key -out rootca.crt
样例输出:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Root CA
Email Address []:
创建一个存储 CA 序列的文件:
touch certindex
echo 1000 & certserial
echo 1000 & crlnumber
放置 CA 配置文件,该文件持有 CRL 和 OCSP 末端的存根。
# vim ca.conf
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
new_certs_dir = $dir
unique_subject = no
certificate = $dir/rootca.crt
database = $dir/certindex
private_key = $dir/rootca.key
serial = $dir/certserial
default_days = 730
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 730
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName
= @alt_names
authorityInfoAccess = @ocsp_section
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName
= @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.0 = Sparkling Intermidiate CA 1
DNS.1 = Sparkling CA Intermidiate 1
[crl_section]
URI.0 = /SparklingRoot.crl
URI.1 = /SparklingRoot.crl
[ocsp_section]
caIURI.0 = /SparklingRoot.crt
caIURI.1 = /SparklingRoot.crt
OCSP;URI.0 = /ocsp/
OCSP;URI.1 = /ocsp/
如果你需要设置某个特定的证书生效/过期日期,请添加以下内容到[myca]:
# format: YYYYMMDDHHMMSS
default_enddate = 11
default_startdate = 11
创建中间 CA
生成中间 CA (名为 intermediate1)的私钥:
openssl genrsa -out intermediate1.key 4096
生成中间 CA 的 CSR:
openssl req -new -sha256 -key intermediate1.key -out intermediate1.csr
样例输出:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Zuid Holland
Locality Name (eg, city) []:Rotterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sparkling Network
Organizational Unit Name (eg, section) []:Sparkling CA
Common Name (e.g. server FQDN or YOUR name) []:Sparkling Intermediate CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
确保中间 CA 的主体(CN)和根 CA 不同。
用根 CA 签署中间 CA 的 CSR:
openssl ca -batch -config ca.conf -notext -in intermediate1.csr -out intermediate1.crt
样例输出:
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName
:PRINTABLE:'NL'
stateOrProvinceName
:ASN.1 12:'Zuid Holland'
localityName
:ASN.1 12:'Rotterdam'
organizationName
:ASN.1 12:'Sparkling Network'
organizationalUnitName:ASN.1 12:'Sparkling CA'
commonName
:ASN.1 12:'Sparkling Intermediate CA'
Certificate is to be certified until Mar 30 15:07:43 2017 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
生成 CRL(同时采用 PEM 和 DER 格式):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
每次使用该 CA 签署证书后,请生成 CRL。
如果你需要撤销该中间证书:
openssl ca -config ca.conf -revoke intermediate1.crt -keyfile rootca.key -cert rootca.crt
配置中间 CA
为该中间 CA 创建一个新文件夹,然后进入该文件夹:
mkdir ~/SSLCA/intermediate1/
cd ~/SSLCA/intermediate1/
从根 CA 拷贝中间证书和密钥:
cp ~/SSLCA/root/intermediate1.key ./
cp ~/SSLCA/root/intermediate1.crt ./
创建索引文件:
touch certindex
echo 1000 & certserial
echo 1000 & crlnumber
创建一个新的 ca.conf 文件:
# vim ca.conf
default_ca = myca
[ crl_ext ]
issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
new_certs_dir = $dir
unique_subject = no
certificate = $dir/intermediate1.crt
database = $dir/certindex
private_key = $dir/intermediate1.key
serial = $dir/certserial
default_days = 365
default_md = sha1
policy = myca_policy
x509_extensions = myca_extensions
crlnumber = $dir/crlnumber
default_crl_days = 365
[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = optional
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
[ myca_extensions ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,any
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = @crl_section
subjectAltName
= @alt_names
authorityInfoAccess = @ocsp_section
[alt_names]
DNS.1 = example.org
[crl_section]
URI.0 = /SparklingIntermidiate1.crl
URI.1 = /SparklingIntermidiate1.crl
[ocsp_section]
caIURI.0 = /SparklingIntermediate1.crt
caIURI.1 = /SparklingIntermediate1.crt
OCSP;URI.0 = /ocsp/
OCSP;URI.1 = /ocsp/
修改 [alt_names] 部分,添加你需要的主体备选名。如果你不需要主体备选名,请移除该部分包括subjectAltName = @alt_names的行。
如果你需要设置一个指定的生效/到期日期,请添加以下内容到 [myca]:
# format: YYYYMMDDHHMMSS
default_enddate = 11
default_startdate = 11
生成一个空白 CRL(同时以 PEM 和 DER 格式):
openssl ca -config ca.conf -gencrl -keyfile rootca.key -cert rootca.crt -out rootca.crl.pem
openssl crl -inform PEM -in rootca.crl.pem -outform DER -out rootca.crl
生成末端用户证书
我们使用这个新的中间 CA 来生成一个末端用户证书,请重复以下操作来使用该 CA 为每个用户签署。
mkdir enduser-certs
生成末端用户的私钥:
openssl genrsa -out enduser-certs/.key 4096
生成末端用户的 CSR:
openssl req -new -sha256 -key enduser-certs/.key -out enduser-certs/.csr
样例输出:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:Noord Holland
Locality Name (eg, city) []:Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Inc
Organizational Unit Name (eg, section) []:IT Dept
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
使用中间 CA 签署末端用户的 CSR:
openssl ca -batch -config ca.conf -notext -in enduser-certs/.csr -out enduser-certs/.crt
样例输出:
Using configuration from ca.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName
:PRINTABLE:'NL'
stateOrProvinceName
:ASN.1 12:'Noord Holland'
localityName
:ASN.1 12:'Amsterdam'
organizationName
:ASN.1 12:'Example Inc'
organizationalUnitName:ASN.1 12:'IT Dept'
commonName
:ASN.1 12:''
Certificate is to be certified until Mar 30 15:18:26 2016 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
生成 CRL(同时以 PEM 和 DER 格式):
openssl ca -config ca.conf -gencrl -keyfile intermediate1.key -cert intermediate1.crt -out intermediate1.crl.pem
openssl crl -inform PEM -in intermediate1.crl.pem -outform DER -out intermediate1.crl
每次你使用该 CA 签署证书后,都需要生成 CRL。
如果你需要撤销该末端用户证书:
openssl ca -config ca.conf -revoke enduser-certs/.crt -keyfile intermediate1.key -cert intermediate1.crt
样例输出:
Using configuration from ca.conf
Revoking Certificate 1000.
Data Base Updated
通过连接根证书和中间证书来创建证书链文件。
cat ../root/rootca.crt intermediate1.crt & enduser-certs/.chain
发送以下文件给末端用户:
你也可以让末端用户提供他们自己的 CSR,而只发送给他们这个 .crt 文件。不要把它从服务器删除,否则你就不能撤销了。
你可以对证书链使用以下命令来验证末端用户证书:
openssl verify -CAfile enduser-certs/.chain enduser-certs/.crt
enduser-certs/.crt: OK
你也可以针对 CRL 来验证。首先,将 PEM 格式的 CRL 和证书链相连接:
cat ../root/rootca.crt intermediate1.crt intermediate1.crl.pem & enduser-certs/.crl.chain
验证证书:
openssl verify -crl_check -CAfile enduser-certs/.crl.chain enduser-certs/.crt
没有撤销时的输出:
enduser-certs/.crt: OK
撤销后的输出如下:
enduser-certs/.crt: CN = , ST = Noord Holland, C = NL, O = Example Inc, OU = IT Dept
error 23 at 0 depth lookup:certificate revoked
作者:Remy van Elst 译者: 校对:
原创翻译, 荣誉推出
上一篇:下一篇:
分享到微信朋友圈
打开微信,点击底部的“发现”,
使用“扫一扫”即可将网页分享至朋友圈。使用企业根ca在web服务器上设置ssl_百度文库
两大类热门资源免费畅读
续费一年阅读会员,立省24元!
评价文档:
使用企业根ca在web服务器上设置ssl
计​算​机
阅读已结束,如果下载本文需要使用
想免费下载本文?
把文档贴到Blog、BBS或个人站等:
普通尺寸(450*500pix)
较大尺寸(630*500pix)
你可能喜欢
