2025-03-29 Update, from SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
Issuing the private second-level (sub) CA

The sub-CA directory starts as a copy of the root-CA directory, with the root's configuration, private key and certificate removed and a new sub-ca.cnf written in their place:

[root@www openssl]# cp -rf root-CA/* sub-CA/
[root@www openssl]# cd sub-CA/
[root@www sub-CA]# rm -rf root-ca.cnf private/* root_cacert.crt
[root@www sub-CA]# vim sub-ca.cnf
[default]
name = sub-ca
domain_suffix = a-company.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "sub-CA"

[ca_default]
home = /usr/local/openssl/sub-CA
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/second_cacert.crt
private_key = $home/private/second_cakey_ecdsa.pem
RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_subCA_match

[policy_subCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash

[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

Generate the sub-CA key, request its certificate and have the root CA sign it:

[root@www sub-CA]# cd test
# generate the sub-CA private key
[root@www test]# openssl ecparam -genkey -name prime256v1 -out second_cakey_ecdsa.pem
# encrypt it with AES-256 (pass phrase used here: redhat)
[root@www test]# openssl ec -aes256 -in second_cakey_ecdsa.pem -out second_cakey_ecdsa.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# generate the certificate request for the sub-CA
[root@www test]# openssl req -new -config /usr/local/openssl/sub-CA/sub-ca.cnf -key second_cakey_ecdsa.pem -out second_cacert.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=subca/CN=sub01_CA/emailAddress=sub01adm@test.com
Enter pass phrase for second_cakey_ecdsa.pem:
# sign the sub-CA certificate with the root certificate
[root@www test]# openssl ca -config /usr/local/openssl/root-CA/root-ca.cnf -extensions subca_ext -days 730 -in second_cacert.csr -out second_cacert.crt -batch -notext
Using configuration from /usr/local/openssl/root-CA/root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = rootca
            commonName                = rootCA
            emailAddress              = adm@test.com
        Validity
            Not Before: Nov 28 13:18:46 2018 GMT
            Not After : Nov 27 13:18:46 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = sub01adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d7:e4:9d:be:12:50:5b:c4:05:c3:d5:e7:b9:7c:
                    18:c1:9b:31:a8:c2:8e:08:a7:4b:9c:62:02:25:f9:
                    df:dc:c1:74:64:0e:70:5d:74:22:2e:22:83:06:c0:
                    7a:70:5e:4b:d5:87:c7:c9:8a:3b:bb:bd:77:91:76:
                    97:56:c3:2c:e4
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://root-ca.a-company.com/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.a-company.com:9080
            X509v3 Authority Key Identifier:
                keyid:76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://root-ca.a-company.com/root-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints:
                Permitted:
                  DNS:test05.com
                  DNS:test.org
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
            X509v3 Subject Key Identifier:
                9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
Certificate is to be certified until Nov 27 13:18:46 2020 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
[root@www test]# mv second_cakey_ecdsa.pem ../private/
[root@www test]# mv second_cacert.crt ../
Issuing a server certificate with the sub-CA

# generate the private key and the request (note: this private key is not encrypted)
[root@www test]# openssl ecparam -genkey -name prime256v1 -out server_ecdsa.key
[root@www test]# openssl req -new -key server_ecdsa.key -config ../sub-ca.cnf -out server.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server/CN=www.test05.com/emailAddress=test05adm@test.com
# sign the request with the sub-CA
[root@www test]# openssl ca -config ../sub-ca.cnf -in server.csr -out server.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = sub01adm@test.com
        Validity
            Not Before: Nov 28 13:40:52 2018 GMT
            Not After : Nov 28 13:40:52 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = server
            commonName                = www.test05.com
            emailAddress              = test05adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cb:0a:18:1e:3f:9f:09:a6:85:1c:a9:26:7b:ee:
                    41:37:68:5b:e5:89:84:12:93:14:6b:d0:bd:5e:d8:
                    ff:27:e6:dd:f3:43:57:70:0e:ac:43:69:d1:29:9a:
                    3a:2e:e2:b3:b4:2c:ff:7f:c1:60:c0:6b:de:2a:bd:
                    72:08:f5:7c:00
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                86:F3:C8:69:7C:0A:00:7E:FF:F6:0C:61:05:6B:83:45:9D:86:40:4B
Certificate is to be certified until Nov 28 13:40:52 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
Assembling a certificate chain from server.crt and second_cacert.crt

# Mind the order: the server certificate comes first, followed by the sub-CA certificate.
# If there is a further third-level CA, append the third-level CA certificate first and the
# second-level CA certificate after it.
[root@www test]# cat server.crt ../second_cacert.crt > chain.crt
[root@www test]# ll chain.crt
-rw-r--r--. 1 root root 2534 Nov 28 21:50 chain.crt
[root@www test]# cp chain.crt server_ecdsa.key /project/nginx1.15.0/conf/certs/
[root@www test]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
...
    server_name www.linuxplus.com www.test05.com;
    ssl_certificate certs/chain.crt;
    ssl_certificate_key certs/server_ecdsa.key;
...
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
# download the root certificate so it can be installed on the client
[root@www ~]# cd /usr/local/openssl/root-CA
[root@www root-CA]# sz -y root_cacert.crt
Issuing a client certificate with the sub-CA

[root@www ~]# cd /usr/local/openssl/sub-CA/test/
[root@www test]# openssl ecparam -genkey -name prime256v1 -out client01_ecdsa.key
# generate the request
[root@www test]# openssl req -new -key client01_ecdsa.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=client01/CN=www.test05.com/emailAddress=clientadm@test.com
# issue the client certificate
[root@www test]# openssl ca -config ../sub-ca.cnf -days 60 -in client01.csr -out client01.crt -extensions client_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ae
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = sub01adm@test.com
        Validity
            Not Before: Nov 30 15:17:31 2018 GMT
            Not After : Jan 29 15:17:31 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = client01
            commonName                = www.test05.com
            emailAddress              = clientadm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e5:30:48:de:2b:2d:fc:6b:89:d1:9a:fd:f8:62:
                    72:72:26:e6:ca:82:2b:fd:c0:c5:c2:ce:8d:dc:ba:
                    d0:e0:52:84:75:6b:6a:78:64:c3:09:9b:c8:9d:fe:
                    e1:af:5c:85:b1:c3:a5:6c:6d:fe:b0:57:5a:37:d5:
                    ec:d4:b6:56:2a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Key Identifier:
                29:44:F5:60:40:8C:DD:ED:D2:D0:0E:E8:E7:D5:5C:67:6D:CF:12:9E
Certificate is to be certified until Jan 29 15:17:31 2019 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
# convert certificate and key to PKCS#12 for the client
[root@www test]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01.crt -inkey client01_ecdsa.key -out client01.p12
# generate the sub-CA's certificate revocation list
[root@www test]# cd ..
[root@www sub-CA]# openssl ca -config sub-ca.cnf -gencrl -out crl.pem
Using configuration from sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
[root@www sub-CA]# cd
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
    # enable client certificate verification
    ssl_verify_client on;
    # verification depth from the client certificate up to the root certificate
    ssl_verify_depth 2;
    # other CA certificates needed to complete the chain of the issuing CA certificate
    ssl_trusted_certificate /usr/local/openssl/root-CA/root_cacert.crt;
    # the CA certificate under which the client certificates were issued
    ssl_client_certificate /usr/local/openssl/root-CA/root_cacert.crt;
    # certificate revocation list; nginx must be reloaded whenever it is updated
    ssl_crl /usr/local/openssl/sub-CA/crl.pem;
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
Note: with client certificate verification enabled in the nginx configuration, the site can be accessed normally once the certificate is installed on the client. If the CRL and the client certificate that nginx checks are signed by the sub-CA, ssl_crl must also contain the CRL signed by the root certificate. Like a certificate chain, the ssl_client_certificate setting can hold either a certificate chain or only the sub-CA certificate (if only the sub-CA is configured, ssl_trusted_certificate must be set to the root certificate):

cat ..xx/sub-ca/crl.pem ..xx/root-CA/crl.pem > crl_chain.pem
ssl_crl ....xx/xx/crl_chain.pem

[root@www sub-CA]# cd ..
[root@www openssl]# cd root-CA/
[root@www root-CA]# openssl ca -config root-ca.cnf -gencrl -out crl.pem
Using configuration from root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
[root@www root-CA]# cd ..
[root@www openssl]# cd sub-CA/
[root@www sub-CA]# cat crl.pem ../root-CA/crl.pem > crl_chain.pem
# modify the nginx configuration accordingly
    # certificate revocation list; nginx must be reloaded whenever it is updated
    ssl_crl /usr/local/openssl/sub-CA/crl_chain.pem;

Multi-domain and wildcard (pan-domain) certificates

Add a subjectAltName request extension to sub-ca.cnf (copy_extensions = copy in [ca_default] is what carries it from the request into the issued certificate):

[root@www ~]# cd /usr/local/openssl/sub-CA/
[root@www sub-CA]# vim sub-ca.cnf
...
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext
req_extensions = dns_ext        # modified line

# added sections
[dns_ext]
subjectAltName = @alt_names

[alt_names]
DNS.0 = list.test05.com
DNS.1 = login.test05.com
DNS.2 = admin.test05.com
...
[root@www sub-CA]# cd test
# generate the private key
[root@www test]# openssl ecparam -name prime256v1 -genkey -out server01_ecdsa.key
[root@www test]# openssl req -new -config ../sub-ca.cnf -key server01_ecdsa.key -out server01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server01/CN=server01_multi/emailAddress=server01adm@test.com
# sign the multi-domain certificate with the sub-CA
[root@www test]# openssl ca -config ../sub-ca.cnf -in server01.csr -out server01.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:af
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = sub01adm@test.com
        Validity
            Not Before: Dec  1 06:38:21 2018 GMT
            Not After : Dec  1 06:38:21 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = server01
            commonName                = server01_multi
            emailAddress              = server01adm@test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7f:67:e9:70:07:08:0f:0d:0b:a9:46:03:db:35:
                    16:72:fa:e3:18:2e:40:ee:f4:1a:78:2e:31:30:ce:
                    55:d4:e5:7c:10:73:67:57:17:01:e2:8b:5c:64:24:
                    07:da:7b:46:64:25:21:03:a3:d3:3f:7d:30:24:da:
                    d5:e2:76:40:5e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                86:75:3A:EA:E0:E4:5E:6D:80:AC:5B:FD:56:7C:E0:49:A1:96:05:A6
            X509v3 Subject Alternative Name:
                DNS:list.test05.com, DNS:login.test05.com, DNS:admin.test05.com
Certificate is to be certified until Dec  1 06:38:21 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@www test]# cat server01.crt ../second_cacert.crt > chain2.crt
[root@www test]# cp chain2.crt server01_ecdsa.key /project/nginx1.15.0/conf/certs/
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
...
    server_name *.test05.com;
    ssl_certificate certs/chain2.crt;
    ssl_certificate_key certs/server01_ecdsa.key;
...
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
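The sections above build the sub-CA, sign server and client certificates, assemble the certificate chain and the CRL chain, and add SANs, but never show the checks a TLS client performs on the result. The script below is an added example (not part of the original post) that reproduces the same structure end to end with throwaway keys in a temporary directory and verifies each claim with openssl verify: a leaf inside the sub-CA's permitted DNS subtree passes, a leaf outside it is rejected even though the sub-CA signed it (the nameConstraints printed in the sub-CA certificate above), pathlen:0 stops a CA one level deeper, and a revocation only becomes visible once the sub-CA CRL is regenerated and concatenated with the root CRL. All names (rootCA, sub-CA, www.test05.com, www.other.com), file names and the minimal configuration files are constructed for the demo; they are not the post's sub-ca.cnf.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway root CA -> name-constrained sub-CA
# -> leaf certificates built with the openssl CLI, then checked the way a TLS client would.
# All names (rootCA, sub-CA, www.test05.com, www.other.com) and files are constructed here.
set -eu
DIR=$(mktemp -d); cd "$DIR"
export LEAF_DNS=unused   # ext.cnf below reads this; issue_leaf sets it per certificate

# One config file: a minimal [req] block (openssl req needs distinguished_name when -config
# is given) plus the extension sections. nameConstraints sits on the sub-CA, as in the
# sub-CA certificate the post prints, so it limits every leaf the sub-CA signs.
cat > ext.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = overridden-by-subj
[root]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[subca]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
nameConstraints = @nc
[nc]
permitted;DNS.0 = test05.com
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[leaf]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::LEAF_DNS}
EOF

key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }   # same curve as the post
key root.key; key sub.key; key sub2.key; key good.key; key bad.key; key deep.key

# self-signed root, then helpers to request and sign everything below it
openssl req -x509 -new -key root.key -subj /CN=rootCA -days 3650 \
    -config ext.cnf -extensions root -out root.crt
csr() { openssl req -new -key "$1" -subj "/CN=$2" -config ext.cnf -out "$3"; }   # csr KEY CN OUT
sign() {   # sign CSR SECTION OUT ISSUER: issue OUT from CSR with the ISSUER CA's key
    openssl x509 -req -in "$1" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial -days 365 \
        -extfile ext.cnf -extensions "$2" -out "$3" 2>/dev/null
}
issue_leaf() {   # issue_leaf KEY DNS OUT ISSUER
    csr "$1" "$2" "${3%.crt}.csr"
    export LEAF_DNS=$2; sign "${3%.crt}.csr" leaf "$3" "$4"
}
csr sub.key sub-CA sub.csr;        sign sub.csr subca sub.crt root
csr sub2.key sub-sub-CA sub2.csr;  sign sub2.csr subca sub2.crt sub   # pathlen:0 forbids this
issue_leaf good.key www.test05.com good.crt sub    # inside the permitted DNS subtree
issue_leaf bad.key  www.other.com  bad.crt  sub    # outside it: signing works, verification must fail
issue_leaf deep.key www.test05.com deep.crt sub2   # issued one CA too deep

# Chain check: root is the trust anchor, intermediates are passed as untrusted. nginx's
# chain.crt needs the same order: leaf first, then the sub-CA, then anything above it.
verify_chain() {   # verify_chain CERT INTERMEDIATE...
    c=$1; shift; cat "$@" > inter.pem
    openssl verify -CAfile root.crt -untrusted inter.pem "$c" >/dev/null 2>&1
}
verify_chain good.crt sub.crt          && echo "good.crt: chain OK"
verify_chain bad.crt  sub.crt          || echo "bad.crt: rejected (permitted subtree violation)"
verify_chain deep.crt sub.crt sub2.crt || echo "deep.crt: rejected (path length constraint exceeded)"

# Minimal `openssl ca` setup per CA: an index.txt database plus what CRL signing needs.
ca_cfg() {   # ca_cfg NAME
    : > "$1.index"; echo 01 > "$1.crlnumber"
    cat > "$1-ca.cnf" <<EOF
[ca]
default_ca = $1
[$1]
database = $DIR/$1.index
crlnumber = $DIR/$1.crlnumber
certificate = $DIR/$1.crt
private_key = $DIR/$1.key
new_certs_dir = $DIR
default_md = sha256
default_crl_days = 30
EOF
}
ca_cfg root; ca_cfg sub
# CRL chain exactly as the post builds it (sub-CA CRL, then root CRL). -crl_check_all
# demands a CRL for every CA in the chain, which is why the root CRL has to be in there.
build_crl_chain() {
    for ca in root sub; do openssl ca -config "$ca-ca.cnf" -gencrl -out "$ca.crl" 2>/dev/null; done
    cat sub.crl root.crl > crl_chain.pem
}
verify_with_crl() {   # verify_with_crl CERT (issued by the sub-CA)
    openssl verify -crl_check_all -CAfile root.crt -CRLfile crl_chain.pem \
        -untrusted sub.crt "$1" >/dev/null 2>&1
}
build_crl_chain
verify_with_crl good.crt && echo "good.crt: not revoked"
openssl ca -config sub-ca.cnf -revoke good.crt 2>/dev/null
build_crl_chain   # the revocation shows up only after the CRL is regenerated (and nginx reloaded)
verify_with_crl good.crt || echo "good.crt: revoked"
```

The `-crl_check_all` flag in verify_with_crl corresponds to what nginx does once ssl_crl is set: the whole chain is checked against CRLs, so the root CRL has to be in the file even if the root has never revoked anything, and a client certificate will not validate without it.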
The database file index.txt

[root@www CA]# cat index.txt
V  190901132740Z                92F43BDFF9AC3B5CAA3189D661C69AFA  unknown  /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
V  191110141723Z                92F43BDFF9AC3B5CAA3189D661C69AFB  unknown  /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=DevOps01/CN=www.linuxplus01.com/emailAddress=admin@linuxplus.com
V  191110143215Z                92F43BDFF9AC3B5CAA3189D661C69AFC  unknown  /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
R  191111060653Z  181111142637Z  92F43BDFF9AC3B5CAA3189D661C69AFD  unknown  /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
V  191111140018Z                92F43BDFF9AC3B5CAA3189D661C69AFE  unknown  /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com

Each line holds six values separated by tabs:
(1) status flag: V for valid, R for revoked, E for expired
(2) expiration time (YYMMDDHHMMSSZ format)
(3) revocation date, empty if the certificate has not been revoked
(4) serial number (hexadecimal)
(5) file path ("unknown" when not recorded)
(6) subject (owner) name

Name constraints

The root certificate's configuration file carries a name constraint, nameConstraints = @name_constraints. It means the CN of any certificate issued by the sub-CA must comply with the constraint's rules: permitted DNS.0=test05.com means the CN of a signed certificate must match xxxx.test05.com, such as www.test05.com or abc.test05.com, and not test05.com.xxx. Wildcards cannot be used either; if the name constraint is .test05.com, then www.test05.com does not pass either, whereas www.*.test05.com does, that is, the CN must end in the string given by the name constraint. When issuing a client certificate, the name constraint does not require a domain name; a custom string such as cli-admin.a.company will do.
When issuing a certificate to a server, make sure the name is issued within the name constraint and in the form of a domain name.

[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
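The index.txt description above gives the field layout but no way to act on it. The script below is an added example, not part of the original post: it reads an index.txt and reports every entry as valid, revoked or expired relative to a reference time, which is what an operator wants before generating a CRL or deciding what to revoke. The three-line database it parses is constructed for the demo (shortened subjects, serials in the same style as the post's listing); nothing in it comes from a real CA.

```shell
#!/bin/sh
# Added example, not from the original post: read an `openssl ca` index.txt and classify
# every entry. The three-line database below is constructed for this demo and follows the
# format described above: six tab-separated fields
# (status, expiry, revocation date, serial, file, subject).
set -eu
DB=$(mktemp)
printf 'V\t190901132740Z\t\t92F43BDFF9AC3B5CAA3189D661C69AFA\tunknown\t/C=CN/O=Devops/CN=www.linuxplus.com\n' >> "$DB"
printf 'R\t191111060653Z\t181111142637Z\t92F43BDFF9AC3B5CAA3189D661C69AFD\tunknown\t/C=CN/O=Devops01/CN=www.linuxplus.com\n' >> "$DB"
printf 'V\t191111140018Z\t\t92F43BDFF9AC3B5CAA3189D661C69AFE\tunknown\t/C=CN/O=Devops02/CN=www.linuxplus.com\n' >> "$DB"

# index_status DB NOW -> one line per entry: "<serial> <valid|revoked|expired> <subject>".
# NOW uses the same YYMMDDHHMMSSZ form as field 2, so a plain string comparison orders the
# timestamps. A "V" entry whose expiry lies before NOW is reported as expired even though
# the file still says V: `openssl ca` only rewrites that flag to E when run with -updatedb.
index_status() {
    awk -F'\t' -v now="$2" '
        $1 == "R"                 { print $4, "revoked", $6; next }
        ($1 == "E" || $2 < now)   { print $4, "expired", $6; next }
                                  { print $4, "valid",   $6 }' "$1"
}

# count_status DB NOW STATUS -> how many entries carry that status
count_status() {
    index_status "$1" "$2" | awk -v want="$3" '$2 == want { n++ } END { print n + 0 }'
}

# Reference time 2019-11-01: the first entry has expired, the second is revoked, the third is valid.
index_status "$DB" 191101000000Z
echo "valid: $(count_status "$DB" 191101000000Z valid), revoked: $(count_status "$DB" 191101000000Z revoked), expired: $(count_status "$DB" 191101000000Z expired)"
```

Point index_status at a real CA database (for example /usr/local/openssl/sub-CA/index.txt from the post) and a timestamp produced with date -u +%y%m%d%H%M%SZ to get the same report for live data; the revoked entries are the ones that should appear in the next CRL generated with openssl ca -gencrl.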
© 2024 shulou.com SLNews company. All rights reserved.