Debian 10 Setup and Configuration: How to Set Up and Configure a Certificate Authority (CA) on Debian 10

Introduction
A Certificate Authority (CA) is an entity responsible for issuing digital certificates to verify identities on the internet. Although public CAs are a popular choice for verifying the identity of websites and other services that are provided to the general public, private CAs are typically used for closed groups and private services.
Building a private Certificate Authority will enable you to configure, test, and run programs that require encrypted connections between a client and a server. With a private CA, you can issue certificates for users, servers, or individual programs and services within your infrastructure.
Some examples of programs on Linux that use their own private CA are and . You can also configure your web server to use certificates issued by a private CA in order to make development and staging environments match production servers that use TLS to encrypt connections.
In this guide, we’ll learn how to set up a private Certificate Authority on a Debian 10 server, and how to generate and sign a testing certificate using your new CA. You will also learn how to import the CA server’s public certificate into your operating system’s certificate store so that you can verify the chain of trust between the CA and remote servers or users. Finally you will learn how to revoke certificates and distribute a Certificate Revocation List to make sure only authorized users and systems can use services that rely on your CA.
Prerequisites
To complete this tutorial, you will need access to a Debian 10 server to host your CA server. You will need to configure a non-root user with sudo privileges before you start this guide. You can follow our to set up a user with appropriate permissions. The linked tutorial will also set up a firewall, which is assumed to be in place throughout this guide.
This server will be referred to as the CA Server in this tutorial.
Ensure that the CA Server is a standalone system. It will only be used to import, sign, and revoke certificate requests. It should not run any other services, and ideally it will be offline or completely shut down when you are not actively working with your CA.
Note: The last section of this tutorial is optional if you would like to learn about signing and revoking certificates. If you choose to complete those practice steps, you will need a second Debian 10 server or you can also use your own local Linux computer running Debian or Ubuntu, or distributions derived from either of those.
Step 1 — Installing Easy-RSA
The first task in this tutorial is to install the easy-rsa set of scripts on your CA Server. easy-rsa is a Certificate Authority management tool that you will use to generate a private key, and public root certificate, which you will then use to sign requests from clients and servers that will rely on your CA.
Log in to your CA Server as the non-root sudo user that you created during the initial setup steps and run the following:
sudo apt update
sudo apt install easy-rsa
You will be prompted to download the package and install it. Press y to confirm you want to install the package.
At this point you have everything you need set up and ready to use Easy-RSA. In the next step you will create a Public Key Infrastructure, and then start building your Certificate Authority.
Step 2 — Preparing a Public Key Infrastructure Directory
Now that you have installed easy-rsa, it is time to create a skeleton Public Key Infrastructure (PKI) on the CA Server. Ensure that you are still logged in as your non-root user and create an easy-rsa directory. Make sure that you do not use sudo to run any of the following commands, since your normal user should manage and interact with the CA without elevated privileges.
mkdir ~/easy-rsa
This will create a new directory called easy-rsa in your home folder. We’ll use this directory to create symbolic links pointing to the easy-rsa package files that we’ve installed in the previous step. These files are located in the /usr/share/easy-rsa folder on the CA Server.
Create the symlinks with the ln command:
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
Note: While other guides might instruct you to copy the easy-rsa package files into your PKI directory, this tutorial adopts a symlink approach. As a result, any updates to the easy-rsa package will be automatically reflected in your PKI’s scripts.
To restrict access to your new PKI directory, ensure that only the owner can access it using the chmod command:
chmod 700 /home/sammy/easy-rsa
Finally, initialize the PKI inside the easy-rsa directory:
cd ~/easy-rsa
./easyrsa init-pki
Output
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/sammy/easy-rsa/pki
After completing this section you have a directory that contains all the files that are needed to create a Certificate Authority. In the next section you will create the private key and public certificate for your CA.
Step 3 — Creating a Certificate Authority
Before you can create your CA’s private key and certificate, you need to create and populate a file called vars with some default values. First you will cd into the easy-rsa directory, then you will create and edit the vars file with nano or your preferred text editor:
cd ~/easy-rsa
nano vars
Once the file is opened, paste in the following lines and edit each highlighted value to reflect your own organization info. The important part here is to ensure that you do not leave any of the values blank:
~/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE  "NewYork"
set_var EASYRSA_REQ_CITY      "New York City"
set_var EASYRSA_REQ_ORG        "DigitalOcean"
set_var EASYRSA_REQ_EMAIL      "admin@example"
set_var EASYRSA_REQ_OU        "Community"
set_var EASYRSA_ALGO          "ec"
set_var EASYRSA_DIGEST        "sha512"
When you are finished, save and close the file. If you are using nano, you can do so by pressing CTRL+X, then Y and ENTER to confirm. You are now ready to build your CA.
To create the root public and private key pair for your Certificate Authority, run the ./easyrsa command again, this time with the build-ca option:
./easyrsa build-ca
In the output, you’ll see some lines about the OpenSSL version and you will be prompted to enter a passphrase for your key pair. Be sure to choose a strong passphrase, and note it down somewhere safe. You will need to input the passphrase any time that you need to interact with your CA, for example to sign or revoke a certificate.
You will also be asked to confirm the Common Name (CN) for your CA. The CN is the name used to refer to this machine in the context of the Certificate Authority. You can enter any string of characters for the CA’s Common Name but for simplicity’s sake, press ENTER to accept the default name.
Output
. . .
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
. . .
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/sammy/easy-rsa/pki/ca.crt
Note: If you don’t want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option, like this:
./easyrsa build-ca nopass
You now have two important files — ~/easy-rsa/pki/ca.crt and ~/easy-rsa/pki/ca.key — which make up the public and private components of a Certificate Authority.
ca.crt is the CA’s public certificate file. Users, servers, and clients will use this certificate to verify that they are part of the same web of trust. Every user and server that uses your CA will need to have a copy of this file. All parties will rely on the public certificate to ensure that someone is not impersonating a system and performing a .
ca.key is the private key that the CA uses to sign certificates for servers and clients. If an attacker gains access to your CA and, in turn, your ca.key file, you will need to destroy your CA. This is why your ca.key file should only be on your CA machine and that, ideally, your CA machine should be kept offline when not signing certificate requests as an extra security measure.
With that, your CA is in place and it is ready to be used to sign certificate requests, and to revoke certificates.
Step 4 — Distributing your Certificate Authority’s Public Certificate
Now your CA is configured and ready to act as a root of trust for any systems that you want to configure to use it. You can add the CA’s certificate to your OpenVPN servers, web servers, mail servers, and so on. Any user or server that needs to verify the identity of another user or server in your network should have a copy of the ca.crt file imported into their operating system’s certificate store.
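To make concrete what the two files from Step 3 are for and what the check described above actually does, here is an added Go example (not part of the original tutorial or of easy-rsa) that builds a CA the way build-ca does with the vars above (EC key, SHA-512 digest), signs a server certificate with the CA key, and performs the verification a client holding ca.crt makes; the host name vpn.example.internal is a constructed placeholder.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes an EC key (EASYRSA_ALGO "ec") for tmpl and has parentKey sign it; with no parent it self-signs, as build-ca does.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so callers get a usable *Certificate
	return cert, key, err
}
// buildCA models "./easyrsa build-ca": a self-signed CA:TRUE certificate, i.e. the ca.crt/ca.key pair.
func buildCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Easy-RSA CA", Organization: []string{"DigitalOcean"}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SignatureAlgorithm: x509.ECDSAWithSHA512, // EASYRSA_DIGEST "sha512"
	}, nil, nil)
}
// signServerCert models the CA signing a server request: only the holder of ca.key can do this.
func signServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}
// trusted is the check a client with ca.crt in its store performs: chain the presented certificate to that CA and match the host name.
func trusted(ca, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

Calling buildCA a second time yields a CA with the same name but a different key; a server certificate it signs is rejected by trusted even though the host name matches, which is the impersonation case the text warns about.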
To import the CA’s public certificate into a second Linux system like another server or a local computer, first obtain a copy of the ca.crt file from your CA server. You can use the cat command to output it in a terminal, and then copy and paste it into a file on the second computer that is importing the certificate. You can also use tools like scp or rsync to transfer the file between systems. However, we’ll use copy and paste with nano in this step since it will work on all systems.
As your non-root user on the CA Server, run the following command:
cat ~/easy-rsa/pki/ca.crt
There will be output in your terminal that is similar to the following:

This article was published on 2024-09-21 16:32:59.

Article link: https://www.17tex.com/xueshu/342628.html
