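Red Hat Data Security (Part 4)

Creating Digital Certificates with a CA

The need for third-party certification gave rise to organizations whose business is certifying others. The public keys of the larger certificate authorities are built into browsers, for example VeriSign, VISA, IPS, Entrust, America Online and DST.

The process for obtaining a certificate from a CA:

=========================================

I. Generate the CertReq (certificate request)

The web server generates a Cert Req (certificate request) that contains the web server's UserInfo and the web server's public key.

# cd /etc/pki/tls/misc      (change into this directory)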

# ls -al
drwxr-xr-x 2 root root 4096  3月 19 22:06 .
drwxr-xr-x 5 root root 4096  1月 12 07:34 ..
-rwxr-xr-x 1 root root 3758 12月  1  2006 CA      (the executable that generates the Cert Req)
-rwxr-xr-x 1 root root  119 12月  1  2006 c_hash
-rwxr-xr-x 1 root root  152 12月  1  2006 c_info
-rwxr-xr-x 1 root root  112 12月  1  2006 c_issuer
-rwxr-xr-x 1 root root  110 12月  1  2006 c_name


# ./CA -newreq      (generate the certificate request)
Generating a 1024 bit RSA private key
...............++++++
.................++++++
writing new private key to 'newkey.pem'      (the private key is created)
Enter PEM pass phrase:      (set a pass phrase to protect your own private key)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW      (country)
State or Province Name (full name) [Berkshire]:Taiwan      (region)
Locality Name (eg, city) [Newbury]:Taipei      (city)
Organization Name (eg, company) [My Company Ltd]:ISHM Studio      (company name)
Organizational Unit Name (eg, section) []:ISHM      (department)
Common Name (eg, your name or your server's hostname) []:ishm.idv.tw      (important: must be identical to the address that follows https://)
Email Address []:admin@ishm.idv.tw      (e-mail address)
(the following are optional and may be left blank)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

# ls -al
總計 72
drwxr-xr-x 2 root root 4096  3月 19 22:06 .
drwxr-xr-x 5 root root 4096  1月 12 07:34 ..
-rwxr-xr-x 1 root root 3758 12月  1  2006 CA
-rwxr-xr-x 1 root root  119 12月  1  2006 c_hash
-rwxr-xr-x 1 root root  152 12月  1  2006 c_info
-rwxr-xr-x 1 root root  112 12月  1  2006 c_issuer
-rwxr-xr-x 1 root root  110 12月  1  2006 c_name
-rw-r--r-- 1 root root  963  3月 19 22:06 newkey.pem
-rw-r--r-- 1 root root  700  3月 19 22:06 newreq.pem

Take a look at what the key looks like:

# cat newkey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED      (indicates the key was encrypted with the pass phrase entered)
DEK-Info: DES-EDE3-CBC,E1144CBD1E3F1734

-----END RSA PRIVATE KEY-----

=========================================

II. Submit the certificate request to the CA

# cat newreq.pem      (view the contents of newreq.pem)
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Check that the newreq.pem just generated is correct:

# openssl req -noout -text -in newreq.pem
Certificate Request:
Data:      (the information entered appears here)
Version: 0 (0x0)
Subject: C=TW, ST=Taiwan, L=Taipei, O=ISHM Studio, OU=ISHM, CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)      (a key is handed to the other party along with the request)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
===========================================
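
Checks worth running on newreq.pem before it is sent for signing, as an added example that is not part of the original article: the request's self-signature verifies, its public key belongs to newkey.pem, and the CN equals the host name used after https://. The host name, the 2048-bit/SHA-256 parameters, the unencrypted key and the function names are assumptions of the example.

```shell
#!/bin/bash
# Added example. File names follow the page; the host name is constructed.

# Create a key and a CSR for CN=$2 in directory $1. Assumptions so that this
# runs unattended: RSA 2048 with SHA-256 (the page's run shows 1024-bit RSA
# and SHA-1) and no pass phrase (-nodes).
make_req() {
    ( umask 077   # key file is 0600; the page's listing shows newkey.pem as -rw-r--r--
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/C=TW/ST=Taiwan/L=Taipei/O=Example Studio/CN=$2" \
          -keyout "$1/newkey.pem" -out "$1/newreq.pem" 2>/dev/null )
}

# A CSR is signed with the requester's own key; verify that self-signature.
req_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True when the public key inside CSR $2 is the public half of private key $1.
req_matches_key() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Print the Common Name of CSR $1 (simple parse; assumes no commas in values).
req_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# All three checks for key $1, CSR $2 and the host name $3 used after https://.
check_req() {
    req_sig_ok "$2"           || { echo "self-signature does not verify"; return 1; }
    req_matches_key "$1" "$2" || { echo "CSR was not made from $1"; return 1; }
    [ "$(req_cn "$2")" = "$3" ] || { echo "CN is not $3"; return 1; }
}

d=$(mktemp -d)
make_req "$d" www.example.test
check_req "$d/newkey.pem" "$d/newreq.pem" www.example.test && echo "newreq.pem OK"
rm -rf "$d"
```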

Send newreq.pem to a CA for certification; that probably costs a few tens of thousands of NT dollars a year...!

If that seems too expensive, you can act as your own CA:

1. Create the Root CA

# ./CA -newca

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.....................++++++
....++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:      (enter the pass phrase for the CA's private key; it is also needed when signing for others)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ISHM CA Inc.
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:admin@ca.example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:      (enter the pass phrase for the CA's private key again)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 19 14:53:12 2009 GMT
Not After : Mar 18 14:53:12 2012 GMT
Subject:
countryName               = TW
stateOrProvinceName       = Taiwan
organizationName          = ISHM CA Inc.
organizationalUnitName    = Certificate Authority
commonName                = ca.example.com
emailAddress              = admin@ca.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F5:A6:3D:0D:95:28:5A:05:BF:9A:10:1D:B4:98:78:E1
X509v3 Authority Key Identifier:
keyid:F5:A6:3D:0D:95:28:5A:05:BF:9A:10:1D:49:D4:78:E1

Certificate is to be certified until Mar 18 14:53:12 2012 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
=========================================

Location of the CA certificate

# pwd
/etc/pki/CA
# ls -al
-rw-r--r-- 1 root root 3327  3月 19 22:53 cacert.pem

Location of the private key
# pwd
/etc/pki/CA/private
# ls -al
-rw-r--r-- 1 root root  963  3月 19 22:52 cakey.pem
=========================================

2. Sign the request

Go to /etc/pki/tls/misc and sign newreq.pem:

# cd /etc/pki/tls/misc
# ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:      (enter the pass phrase for the CA's private key)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 19 15:02:19 2009 GMT
Not After : Mar 19 15:02:19 2010 GMT
Subject:      (the following is the information you entered when creating newreq.pem)
countryName               = TW
stateOrProvinceName       = Taiwan
localityName              = Taipei
organizationName          = ISHM Studio
organizationalUnitName    = ISHM
commonName                = ishm.idv.tw
emailAddress              = admin@ishm.idv.tw
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:1D:86:54:B6:C2:0F:46:AB:91:63:2D:3D:65:96:CC
X509v3 Authority Key Identifier:
keyid:F5:A6:3D:0D:95:28:5A:05:BF:9A:10:B4:ED:D4:78:E1

Certificate is to be certified until Mar 19 15:02:19 2010 GMT (365 days)
Sign the certificate? [y/n]:y      (whether to sign this certificate)

1 out of 1 certificate requests certified, commit? [y/n]y      (confirm)
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, ST=Taiwan, O=ISHM CA Inc., OU=Certificate Authority, CN=ca.example.com/emailAddress=admin@ca.example.com
Validity
Not Before: Mar 19 15:02:19 2009 GMT
Not After : Mar 19 15:02:19 2010 GMT
Subject: C=TW, ST=Taiwan, L=Taipei, O=ISHM Studio, OU=ISHM, CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:1D:86:54:B6:C2:0F:46:AB:91:63:2D:2E:3D65:96:CC
X509v3 Authority Key Identifier:
keyid:F5:A6:3D:0D:95:28:5A:05:BF:9A:10:1D:B4:ED:D4:78:E1

Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Signed certificate is in newcert.pem      (file name of the generated certificate)
===========================================

Take a look at the contents of the certificate signed by the CA:

# cat newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, ST=Taiwan, O=ISHM CA Inc., OU=Certificate Authority, CN=ca.example.com/emailAddress=admin@ca.example.com
Validity
Not Before: Mar 19 15:02:19 2009 GMT
Not After : Mar 19 15:02:19 2010 GMT
Subject: C=TW, ST=Taiwan, L=Taipei, O=ISHM Studio, OU=ISHM, CN=ishm.idv.tw/emailAddress=admin@ishm.idv.tw

Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:1D:86:54:B6:C2:0F:46:AB:91:63:2D:2E:3D:7D:65:96:CC
X509v3 Authority Key Identifier:
keyid:F5:A6:3D:0D:95:28:5A:05:BF:9A:10:1D:B4:49:ED:D4:78:E1

Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

=========================================

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

This section is the encrypted form of the data above it: data encrypted with the CA's private key.
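
Signing and then checking the result, as an added example that is not part of the original article: a throwaway CA signs a request, the signature is verified with the CA certificate, and the BEGIN/END CERTIFICATE block is decoded to show that it is the Base64 (DER) form of the whole certificate, readable without any key. `openssl x509 -req` is used here in place of `./CA -sign`; all names, key sizes and validity periods are constructed.

```shell
#!/bin/bash
# Added example; every name is constructed. `openssl x509 -req` stands in for
# the page's ./CA -sign wrapper so that no /etc/pki/CA database is needed.

# Build a throwaway root CA and one server certificate in directory $1.
make_chain() {
    ( cd "$1" && umask 077 &&   # keys 0600; the page's listing shows cakey.pem as -rw-r--r--
      openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
          -subj "/O=Example CA Inc./CN=ca.example.test" \
          -keyout cakey.pem -out cacert.pem 2>/dev/null &&
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/O=Example Studio/CN=www.example.test" \
          -keyout newkey.pem -out newreq.pem 2>/dev/null &&
      openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
          -set_serial 1 -days 365 -sha256 -out newcert.pem 2>/dev/null )
}

# The CA's private key produces only the signature on the certificate;
# anyone holding cacert.pem (the CA's public key) can check it.
chain_ok() {   # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The text between BEGIN/END CERTIFICATE is Base64 of the DER certificate.
# Strip the armour, decode it (no key is involved) and parse the bytes.
pem_body_subject() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" |
        grep -v '^-----' | openssl base64 -d |
        openssl x509 -inform DER -noout -subject -nameopt RFC2253
}

d=$(mktemp -d)
make_chain "$d" && chain_ok "$d/cacert.pem" "$d/newcert.pem" && echo "chain OK"
pem_body_subject "$d/newcert.pem"
rm -rf "$d"
```

A certificate checked against a different CA's cacert.pem fails `chain_ok` even when the issuer name is the same, because the signature no longer verifies.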

=========================================