HTTPS Certificate Revocation

Environment

This note was written long after the previous one and that environment no longer exists, so a fresh environment is used here. The way the CA was created and certificates were generated back then was also not very rigorous, so this article tries to do the same steps properly.

1. Scripts

Previously everything was done by typing commands by hand, which meant a lot of repetition and no room for automation, so here the whole workflow is driven by scripts.

Adjusting the default CA configuration

After the openssl package is installed, the system ships an openssl configuration file that includes CA-related settings. Those settings determine how the CA is created, so they have to be adjusted in advance.

Running openssl ca shows which configuration file is in use:

# openssl ca 
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
139873004865184:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('./demoCA/private/cakey.pem','r')
139873004865184:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

The relevant CA default block looks like this:

[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key 
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

Change the CA home directory:

dir             = /root/CA

CA creation script (create_ca_cert.sh)

#!/bin/bash -e

# Create the CA root certificate.
# Everything is created non-interactively from the values below:
# Country name (2-letter code)
C=CN
# Province
ST=Beijing
# City
L=Beijing
# Company name
O=test
# Organization or department name
OU=技术部
# Server FQDN or issuer name
CN=test
# E-mail address
emailAddress=test@example.com
# CA home directory (must match "dir" in openssl.cnf)
CA_PATH="/root/CA"

# Create the private key and new-certificate directories;
# the CA key lives in private/, so keep that directory owner-only
mkdir -p ${CA_PATH}/{private,newcerts}
chmod 700 ${CA_PATH}/private
# CA database index: one line per certificate with its status,
# expiry time, revocation time, serial number and so on
touch ${CA_PATH}/index.txt
# Text file holding the serial number for the next certificate
[ -f ${CA_PATH}/serial ] || echo 01 > ${CA_PATH}/serial
# Also a serial number, but used only for CRLs
[ -f ${CA_PATH}/crlnumber ] || echo 01 > ${CA_PATH}/crlnumber
# Create the CA private key and certificate with the subject above
if [ ! -f ${CA_PATH}/cacert.pem ]; then
    openssl req -utf8 -new -x509 -days 36500 -newkey rsa:2048 -nodes \
        -keyout ${CA_PATH}/private/cakey.pem -out ${CA_PATH}/cacert.pem \
        -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
fi
# Generate ca.crl, the CRL (certificate revocation list); it starts out empty
if [ ! -f ${CA_PATH}/private/ca.crl ]; then
    openssl ca -crldays 36500 -gencrl -out "${CA_PATH}/private/ca.crl"
fi

Client certificate creation script (create_client_crt.sh)

#!/bin/bash -e

show_help() {
    echo "$0 [-h|-?|--help] [--ou ou] [--cn cn] [--email email] [client_name]"
    echo "-h|-?|--help    show this help"
    echo "--ou            organization or department name, e.g. 技术部"
    echo "--cn            FQDN or owner name, e.g. Da"
    echo "--email         owner e-mail address, e.g. da@example.com"
}

# Create a client certificate.
# Everything is created non-interactively from the values below:
# Country name (2-letter code)
C=CN
# Province
ST=Beijing
# City
L=Beijing
# Company name
O=test
# Organization or department name (environment variable OU overrides it)
OU="${OU:-IT}"
# Server FQDN or owner name; overridden by --cn or the first positional argument
CN="bai.xiao"
# E-mail address; defaults to <CN>@example.com unless --email is given
emailAddress=""

# Parse the options listed in show_help
while [ $# -gt 0 ]; do
    case "$1" in
        -h|-\?|--help) show_help; exit 0 ;;
        --ou)    OU="$2"; shift 2 ;;
        --cn)    CN="$2"; shift 2 ;;
        --email) emailAddress="$2"; shift 2 ;;
        *)       CN="$1"; shift ;;
    esac
done
[ -n "${emailAddress}" ] || emailAddress="${CN}@example.com"

CA_PATH="/root/CA"
CLIENT_DIR="${CA_PATH}/client_crts/${CN}"
# Create the client certificate directory
mkdir -p "${CLIENT_DIR}"
# Generate the client private key and certificate signing request
if [ ! -f "${CLIENT_DIR}/${CN}.key" ]; then
    openssl req -utf8 -nodes -newkey rsa:2048 -keyout "${CLIENT_DIR}/${CN}.key" \
        -new -out "${CLIENT_DIR}/${CN}.csr" \
        -subj "/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}/emailAddress=${emailAddress}"
fi
# Sign the client certificate with the CA
if [ ! -f "${CLIENT_DIR}/${CN}.crt" ]; then
    openssl ca -utf8 -batch -days 36500 -in "${CLIENT_DIR}/${CN}.csr" -out "${CLIENT_DIR}/${CN}.crt"
fi
# Bundle key, certificate and CA certificate as PKCS#12 for browser import
# (-passout pass: gives the bundle an empty export password)
if [ ! -f "${CLIENT_DIR}/${CN}.p12" ]; then
    openssl pkcs12 -export -clcerts -inkey "${CLIENT_DIR}/${CN}.key" -in "${CLIENT_DIR}/${CN}.crt" \
        -certfile "${CA_PATH}/cacert.pem" -passout pass: -out "${CLIENT_DIR}/${CN}.p12"
fi

Client certificate revocation script (revoke_client_crt.sh)

#!/bin/bash -e

# Revoke a certificate issued by this CA
CA_PATH="/root/CA"
# The client name (the CN used when the certificate was created) is required
if [ -z "$1" ]; then
    echo "usage: $0 <client name>" >&2
    exit 1
fi
# Revoke the client certificate (its line in index.txt changes from V to R)
openssl ca -revoke "${CA_PATH}/client_crts/${1}/${1}.crt"
# Regenerate the CRL with the same validity as in create_ca_cert.sh: without -crldays
# the CRL expires after default_crl_days (30 days in the stock openssl.cnf), and once
# its nextUpdate has passed client certificate verification fails with "CRL has expired"
openssl ca -crldays 36500 -gencrl -out "${CA_PATH}/private/ca.crl"

2. Nginx configuration

ssl_certificate /opt/tengine/conf/ssl/orange.crt;
ssl_certificate_key /opt/tengine/conf/ssl/orange.key;
ssl_client_certificate /root/CA/cacert.pem;
# Enable client certificate verification
ssl_verify_client on;
# Enable server-side OCSP stapling (OCSP: Online Certificate Status Protocol)
ssl_stapling on;
# This status check applies to the server certificate, not the client certificate
ssl_stapling_verify on;
# Path to the certificate revocation list file
ssl_crl /root/CA/private/ca.crl;

3. Create the CA certificate

# bash create_ca_cert.sh

4. Create a client certificate

# bash create_client_crt.sh <client name>

5. Test the client certificate

  • Import the p12 bundle into a browser
  • Load the crt certificate from code

6. Revoke the client certificate

# bash revoke_client_crt.sh <client name>

7. Reload Nginx so the updated revocation list takes effect

# /opt/tengine/sbin/nginx -t
# /opt/tengine/sbin/nginx -s reload
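The whole workflow above, from creating the CA to revoking a client certificate, can be checked end to end without touching the system openssl.cnf or the nginx server. The following script is an added example written for this page, not one of the notes' own scripts. It assumes openssl is installed, builds a throwaway CA in a temporary directory with its own minimal configuration (the names demo-ca and alice and all paths under the temporary directory are constructed for the demo), and uses openssl verify -crl_check to run the same CA-plus-CRL check that nginx applies with ssl_client_certificate and ssl_crl, first on a valid certificate and then on the same certificate after revocation.

```shell
#!/bin/sh
# Added example (not from the original notes): exercise issue -> verify -> revoke
# -> regenerate CRL -> verify again against a throwaway CA in a temp directory.

# Write a minimal openssl.cnf rooted at $1: the same [ CA_default ] keys the notes
# rely on, plus the req/policy sections openssl needs to run non-interactively.
write_ca_config() {
    local dir="$1"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert

[ policy_any ]
commonName       = supplied

[ usr_cert ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Create the CA: directory layout, database files, self-signed root and an empty CRL
setup_ca() {
    local dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts" "$dir/clients"
    chmod 700 "$dir/private"
    write_ca_config "$dir"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/O=demo/CN=demo-ca" -extensions v3_ca 2>/dev/null
    # An initial (empty) CRL must exist before a -crl_check verification can succeed
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

# Issue a client certificate: private key + CSR, then sign with the CA
issue_client() {
    local dir="$1" name="$2"
    mkdir -p "$dir/clients/$name"
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/clients/$name/$name.key" -out "$dir/clients/$name/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/clients/$name/$name.csr" -out "$dir/clients/$name/$name.crt" 2>/dev/null
}

# Verify a client certificate against CA certificate + CRL, the kind of check nginx
# performs; exit status 0 means accepted, non-zero means rejected (e.g. "certificate revoked")
verify_client() {
    local dir="$1" name="$2"
    openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/ca.crl" \
        "$dir/clients/$name/$name.crt" 2>&1
}

# Revoke the certificate and regenerate the CRL (the two steps of revoke_client_crt.sh)
revoke_client() {
    local dir="$1" name="$2"
    openssl ca -config "$dir/openssl.cnf" -revoke "$dir/clients/$name/$name.crt" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
}

# Status letter recorded for the client in index.txt: V (valid) or R (revoked)
cert_status() {
    local dir="$1" name="$2"
    awk -F'\t' -v cn="/CN=$name" '$6 == cn { print $1 }' "$dir/index.txt"
}

# Serial numbers listed as revoked in the current CRL
crl_revoked_serials() {
    local dir="$1"
    openssl crl -in "$dir/ca.crl" -noout -text | awk '/Serial Number:/ { print $3 }'
}

main() {
    local dir
    dir=$(mktemp -d)
    setup_ca "$dir"
    issue_client "$dir" alice
    echo "before revocation: index status=$(cert_status "$dir" alice)"
    verify_client "$dir" alice || true
    revoke_client "$dir" alice
    echo "after revocation:  index status=$(cert_status "$dir" alice), CRL lists serial(s): $(crl_revoked_serials "$dir")"
    verify_client "$dir" alice || true
    # nextUpdate is the CRL expiry; once it has passed, every client certificate is rejected
    openssl crl -in "$dir/ca.crl" -noout -nextupdate
    rm -rf "$dir"
}

main
```

The nextUpdate line printed at the end is the value to watch in the real setup: nginx reads ssl_crl only at start or reload (step 7), and verification fails for everyone once that date has passed, which is why the revoke script has to regenerate the CRL with the same validity as the creation script. To exercise the real server after step 7, the client files can be presented with openssl s_client -connect host:443 -cert alice.crt -key alice.key; after revocation and reload nginx answers the request with its 400 "SSL certificate error" page instead of the normal content.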

Supplementary documents
