====== How to revoke certificates with OpenSSL ======

===== - Edit the openssl.cnf configuration file =====

  * openssl.cnf configuration file: /etc/pki/tls/openssl.cnf
  * Create your own CA section, e.g. CA_trysoft

++++ Show the modified openssl.cnf contents |
<code>
:
[ca]
default_ca = CA_default          # The default ca section
trysoft_ca = CA_trysoft          # Trysoft Corp. ca section
:
[ CA_trysoft ]
dir             = /home/jonathan/ca/trysoft
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/RootCA.crt       # The CA certificate
serial          = $dir/RootCA.srl       # The current serial number
crlnumber       = $dir/CRL.srl          # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl/trysoft.crl  # The current CRL
private_key     = $dir/private/RootCA.key # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
:
:
[ req ]
default_bits = 2048
:
[ req_distinguished_name ]
:
countryName_default = TW
:
stateOrProvinceName_default = Taiwan
:
localityName_default = Taipei
:
</code>
++++

  * Place the certificate files generated in **[[tech:openssl_caserver]]** into the corresponding directories.
<code>
/home/jonathan/ca/trysoft/
|-- RootCA.crt
|-- RootCA.srl
|-- certs
|   |-- ClientCA.crt
|-- crl
|-- jonathan
|   |-- ClientCA.crt
|   |-- ClientCA.key
|   |-- ClientCA.pem
|   `-- ClientCA.pfx
|-- mail.ichiayi.com
|   |-- ServerCA.crt
|   `-- ServerCA.key
|-- newcerts
`-- private
    `-- RootCA.key
</code>

===== - Create the files referenced by the configuration =====
<code>
cd /home/jonathan/ca/trysoft/
touch index.txt
cp RootCA.srl CRL.srl
</code>

===== - Test revoking ClientCA =====

  * Revoke the following certificate
<code>
/home/jonathan/ca/trysoft/
|-- certs
    |-- ClientCA.crt
</code>
<code>
cd /home/jonathan/ca/trysoft/certs
openssl ca -name CA_trysoft -revoke ClientCA.crt
</code>
++++ Show the output |
<code>
[jonathan@pd920 certs]$ openssl ca -name CA_trysoft -revoke ClientCA.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/jonathan/ca/trysoft/private/RootCA.key:   <-- enter the RootCA pass phrase
Adding Entry with serial number E0B893FC9733381E to DB for /C=TW/ST=Taiwan/L=Taipei/O=Test Corp./CN=Test Corp./emailAddress=test@ichiayi.com
Revoking Certificate E0B893FC9733381E.
Data Base Updated
</code>
++++

===== - Generate the CRL file trysoft.crl =====
<code>
cd /home/jonathan/ca/trysoft/crl
openssl ca -name CA_trysoft -gencrl -out trysoft.crl
</code>
++++ Show the output |
<code>
[jonathan@pd920 certs]$ cd /home/jonathan/ca/trysoft/crl
[jonathan@pd920 crl]$ openssl ca -name CA_trysoft -gencrl -out trysoft.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /home/jonathan/ca/trysoft/private/RootCA.key:   <-- enter the RootCA pass phrase
</code>
++++

  * To convert it to DER format, run the following command
<code>
openssl crl -in trysoft.crl -outform DER -out trysoft.crl
</code>

===== - Resulting directory layout =====
<code>
/home/jonathan/ca/trysoft/
|-- CRL.srl
|-- CRL.srl.old
|-- RootCA.crt
|-- RootCA.srl
|-- certs
|   |-- ClientCA.crt
|-- crl
|   `-- trysoft.crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- jonathan
|   |-- ClientCA.crt
|   |-- ClientCA.key
|   |-- ClientCA.pem
|   `-- ClientCA.pfx
|-- mail.ichiayi.com
|   |-- ServerCA.crt
|   `-- ServerCA.key
|-- newcerts
`-- private
    `-- RootCA.key
</code>

| {{:tech:ca_ssl_01.png?300}} | {{:tech:ca_ssl_02.png?300}} |

===== References =====

  * http://www.javaworld.com.tw/roller/snpshu/entry/2006_11_2_dis_cert_by_openssl

{{tag>ca openssl crl pki}}
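The steps above end once trysoft.crl exists; they never show whether the CRL actually lists the revoked certificate or what a relying party sees. The script below is an added example, not part of the original page: it runs the whole procedure (prepare the directory tree and index.txt, revoke, generate the CRL, convert to DER) against a throwaway CA in a temporary directory and then checks the result with `openssl verify -crl_check`, with `openssl crl -text`, and by reading index.txt. Everything in it is an assumption made for the demo: the section is called CA_demo instead of CA_trysoft, the root key is unencrypted so there is no pass phrase prompt, default_md is sha256, the root is valid for 10 years, and the paths live under `mktemp -d` rather than /home/jonathan/ca/trysoft.

```shell
#!/bin/sh
# Added example (not the page's own setup): end-to-end revocation against a
# throwaway CA, followed by the checks a relying party would run.
set -eu

WORK=$(mktemp -d)
CA="$WORK/demo_ca"                 # assumed stand-in for /home/jonathan/ca/trysoft
CNF="$CA/openssl.cnf"              # assumed stand-in for /etc/pki/tls/openssl.cnf
trap 'rm -rf "$WORK"' EXIT

# Steps 1-2 of the page: directory tree, empty index.txt, serial and CRL number
# files, and a minimal openssl.cnf with a [ CA_demo ] section (all constructed).
setup_ca() {
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    touch "$CA/index.txt"
    echo 1000 > "$CA/RootCA.srl"    # first issued serial will be 0x1000
    echo 01   > "$CA/CRL.srl"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_demo
[ CA_demo ]
dir              = $CA
certs            = \$dir/certs
crl_dir          = \$dir/crl
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/RootCA.crt
serial           = \$dir/RootCA.srl
crlnumber        = \$dir/CRL.srl
private_key      = \$dir/private/RootCA.key
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
EOF
    # Self-signed root for the demo; unencrypted key, so no pass phrase prompt.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$CNF" \
        -subj "/CN=Demo Root CA" -keyout "$CA/private/RootCA.key" -out "$CA/RootCA.crt" 2>/dev/null
}

# Issue one client certificate so there is something to revoke (serial 1000).
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CNF" -subj "/CN=demo-client" \
        -keyout "$CA/certs/client.key" -out "$CA/certs/client.csr" 2>/dev/null
    openssl ca -config "$CNF" -name CA_demo -batch -notext \
        -in "$CA/certs/client.csr" -out "$CA/certs/client.crt" >/dev/null 2>&1
}

# Step 3: mark the certificate revoked. This only rewrites index.txt.
revoke_client() {
    openssl ca -config "$CNF" -name CA_demo -revoke "$CA/certs/client.crt" >/dev/null 2>&1
}

# Step 4: publish a fresh CRL (PEM) and a DER copy under a separate file name.
gencrl() {
    openssl ca -config "$CNF" -name CA_demo -gencrl -out "$CA/crl/demo.crl" >/dev/null 2>&1
    openssl crl -in "$CA/crl/demo.crl" -outform DER -out "$CA/crl/demo.der"
}

# What a relying party sees: verify the client cert against root + CRL.
# Prints "valid", "revoked", or the raw verify output for any other failure.
check_with_crl() {
    cat "$CA/RootCA.crt" "$CA/crl/demo.crl" > "$WORK/root_and_crl.pem"
    out=$(openssl verify -crl_check -CAfile "$WORK/root_and_crl.pem" "$CA/certs/client.crt" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo "error: $out" ;;
    esac
}

# Serials the CRL itself lists, read back with openssl crl -text.
crl_serials() {
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print $3 }'
}

# Serials index.txt marks as revoked (status column "R"; tab-separated columns:
# status, expiry, revocation date, serial, file name, subject).
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

setup_ca
issue_client_cert
gencrl
STATUS_BEFORE=$(check_with_crl)   # valid: the CRL is empty
revoke_client
STATUS_STALE=$(check_with_crl)    # still valid: index.txt changed, the published CRL did not
gencrl
STATUS_AFTER=$(check_with_crl)    # revoked
CRL_LISTED=$(crl_serials "$CA/crl/demo.crl")
INDEX_REVOKED=$(revoked_serials "$CA/index.txt")
echo "before=$STATUS_BEFORE stale=$STATUS_STALE after=$STATUS_AFTER crl=$CRL_LISTED index=$INDEX_REVOKED"
```

Two things the run makes visible that the page's output does not. First, `openssl ca -revoke` only changes index.txt; until `-gencrl` is run again and the new CRL reaches clients, they keep accepting the certificate (the "stale" check above still reports valid), so revocation is not complete until the CRL is regenerated and distributed. Second, the page's DER conversion uses the same file name for `-in` and `-out`, which replaces the PEM copy; the example writes demo.der next to demo.crl so both formats remain. The example also uses sha256 rather than the page's `default_md = sha1`, since current OpenSSL builds and most clients reject SHA-1 signatures on certificates and CRLs.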