建立自己的OCSP伺服器主要是利用OpenSSL來製作並設定OCSP。以下是如何產生憑證,從所創建的OCSP伺服器獲得憑證的OCSP回應。
許多伺服器和客戶端現在都支援較新的SSL/TLS功能,為了使用這些功能,這裡我們建立自己的OCSP伺服器來提供憑證的狀態(撤銷或有效)。
安裝OpenSSL
若您的系統尚未安裝OpenSSL,請先進行安裝。
移動到/etc/pki/tls資料夾下
建立所需的資料夾和檔案
1
2
3
4
|
mkdir -p demoCA/newcerts
cd demoCA
touch index.txt
echo '01' > serial
|
創建並修改配置文件
複製/etc/pki/tls/openssl.cnf的内容到新的文件,例如/etc/pki/tls/validation.cnf。並在[ usr_cert ]下增加一行。
validation.cnf的範例在此
生成根CA的私鑰
1
|
openssl genrsa -out rootCA.key 1024
|
根據私鑰生成根CA的憑證
1
|
openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt -config validation.cnf
|
生成用戶的私鑰和憑證
1
2
|
openssl genrsa -out certKey.key 1024
openssl req -new -x509 -days 3650 -key certKey.key -out certificate.crt -config validation.cnf
|
生成用戶的憑證簽名請求(CSR)
1
|
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey certKey.key
|
使用根CA簽名客户端憑證
1
|
openssl ca -batch -startdate 150813080000Z -enddate 250813090000Z -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -config validation.cnf -notext -out certificate.crt -infiles CSR.csr
|
啟動OCSP伺服器
1
|
openssl ocsp -index demoCA/index.txt -port 8080 -rsigner rootCA.crt -rkey rootCA.key -CA rootCA.crt -text -out log.txt &
|
驗證憑證撤銷
1
|
openssl ocsp -CAfile rootCA.crt -issuer rootCA.crt -cert certificate.crt -url http://xxx.xxx.xxx.xxx:8080 -resp_text -noverify
|
參考
validation.cnf
[ CA_default ]部分主要是將demoCA有關的項目做出調整[ usr_cert ]部分主要是設定authorityInfoAccess和basicConstraints[ v3_req ]和[ v3_OCSP ]部分全部都要替換成一模一樣的狀態
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
[ CA_default ]
dir = /etc/pki/tls # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/demoCA/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/demoCA/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/demoCA/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
authorityInfoAccess = OCSP;URI:http://xxx.xxx.xxx.xxx:8080
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment,
extendedKeyUsage = OCSPSigning
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
|
維持openssl常駐開啟
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
#!/bin/bash
while true
do
# 檢查openssl ocsp程式是否正常進行
if ! pgrep -x "openssl" > /dev/null
then
# 如果沒有正常執行,則啟動
nohup openssl ocsp -index demoCA/index.txt -port 8080 -rsigner rootCA.crt -rkey rootCA.key -CA rootCA.crt -text -out log.txt &
fi
# 等待60秒後再次檢查
sleep 60
done
|
將以上程式碼存檔,並取名成monitor_ocsp.sh,並執行以下命令給予程式可被執行的權限
1
|
chmod +x monitor_ocsp.sh
|
最後使用nohup和&在後台執行該程式碼,而不因終端中斷而停止
1
|
nohup ./monitor_ocsp.sh &
|
