OpenCA介绍.ppt

1、OpenCA的介绍,OpenCA的体系结构 OpenCA软件系统的预编译 OpenCA安装与配置 OpenCA简明操作步骤,OpenCA的体系结构,OpenCA是树状层次结构 Node CA（Certificate Authority） RA（Registration Authority） LDAP Public,Node,发布/撤销证书,注册信息/提出申请,OpenCA的体系结构,Node: 这个接口管理本地节点的数据库，以及处理数据交换（与上级或下级节点交换数据）功能。 CA: 创建证书和CRLs RA：编辑请求、批准请求，删除错误请求等。 LDAP：管理LDAP数据库，查看有效或无效的证

2、书。 Public：面向用户，为不同的浏览器生成证书请求，生成证书撤销请求，查询证书等。,OpenCA中各种系统对象的生命周期,OpenCA的介绍,OpenCA的体系结构 OpenCA软件系统的预编译 OpenCA安装与配置 OpenCA简明操作步骤,OpenCA软件系统的预编译,OpenSSL ( 0.9.7+ ) 提供加密算法。用于https加密解密，CA签名。 Apache Web Server & mod_ssl 提供https的Web服务 BerkeleyDatabase(or MySQL or DB2) 后台数据库 Perl (5.8+ with DBM or DBI suppor

3、t) CGI的脚本语言 OpenLDAP 存储证书,OpenCA软件系统的预编译,OpenSSL ( 0.9.7+ ) tar zxvf openssl-0.9.7.tar.gz cd openssl-0.9.7b ./config -prefix=/usr/local/openssl make make test make install,OpenCA软件系统的预编译,Apache Web Server & mod_ssl (for Apache) cd mod_ssl-2.8.55-1.3.28 ./configure -with-apache=./apache_1.3.28 cd ./a

4、pache_1.3.28 SSL_BASE=/usr/local/openssl ./configure -prefix=/usr/local/apache -enable-module=ssl -enable-shared=ssl -enable-module=so make make install,OpenCA软件系统的预编译,BerkeleyDatabase cd Bdb cd build_unix ./dist/configure -prefix=/usr/local/openca/bdb -enable-dynamic make make install,OpenCA软件系统的预编

5、译,Perl (5.8+ with DBM or DBI support) tar zxvf ActivePerl-06-i686-linux.tar.gz cd ActivePerl-06 ./install.sh （提示输入:/usr/local/perl） 安装DBI1.38 tar DBI1.38.tar.gz cd DBI1.38 /usr/local/perl/bin/perl Makefile.PL make make test make install,OpenCA软件系统的预编译,OpenLDAP 1. tar xzvf openldap-2.1.

6、23.tgz 2. cd openldap-2.1.23 3. CPPFLAGS=-I/usr/local/Bdb/include LDFLAGS=-L/usr/local/Bdb/lib ./configure -prefix=OPENLDAP (BerkeleyDB为安装bdb的目录,OPENLDAP为ldap安装目录) 4. make 5. make depend 6. make test 7. make install,OpenCA的介绍,OpenCA的体系结构 OpenCA软件系统的预编译 OpenCA安装与配置 OpenCA简明操作步骤,OpenCA安装与配置,OpenCA安装，O

7、penCA有两部分：CA和RA。 CA节点不连接任何网络，主要负责签发证书，撤销证书，与RA数据交换，以及CA自身节点的管理。 RA节点连接网络，分三部分。 PUB接口主要面向用户，用户可通过次web接口提交证书申请，证书撤销申请，下载签发后的证书以及CA的证书。 RA接口主要面向RA管理员，RA管理员审核用户的证书请求，审核通过后签发申请，然后把数据传给CA，以及RA节点自身的管理。 LDAP接口也是面向RA管理员，负责把证书从ldap数据库中导入/导出。,OpenCA安装与配置,OpenCA安装与配置,CA的安装 1./configure -prefix=/usr/local/openca

8、 -exec-prefix=/usr/local/openca -with-openssl-prefix=/usr/local/openssl -with-web-host=56 -with-httpd-host= -with-httpd-user=nobody -with-httpd-group=nobody -with-httpd-fs-prefix=/var/www/openca -with-htdocs-fs-prefix=/var/www/openca -with-ca-organization=SDG -with-ca-locality=Beijing -wi

9、th-ca-country=cn -with-hierarchy-level=ca -enable-sendmail -with-sendmail=/usr/lib/sendmail -with-service-mail-account= -with-module-prefix=/usr/local/perl 2make ca 3. make install-ca,OpenCA安装与配置,3安装后修改/usr/local/openca/OpenCA/etc/servers/ca.conf文件中的参数 # Dataexchange section # = # please see *_node.

10、conf for more details # dataexchange with a lower level of the hierarchy EXPORT_IMPORT_DOWN_DEVICE /tmp/ca/ca-down.tar # local dataexchange (backup, recovery and batchprocessors) EXPORT_IMPORT_LOCAL_DEVICE /tmp/ca/ca-local.tar EXPORT_IMPORT_MODULES LOG_ENROLL_DIR /usr/local/openca/OpenCA/var/log/enr

11、oll LOG_RECEIVE_DIR /usr/local/openca/OpenCA/var/log/receive ENROLL_CA_CERTIFICATE_STATES VALID DN_TYPE_BASIC_ELEMENT_3_SELECT Internet Partners Employees Trustcenter CNIC SET_CERTIFICATE_SERIAL_IN_DN N CERTIFICATE_SERIAL_NAME serialNumber,OpenCA安装与配置,4安装后修改/usr/local/openca/OpenCA/etc/servers/ca_no

12、de.conf文件中的参数 # Dataexchange section # = # dataexchange with a higher level of the hierarchy EXPORT_IMPORT_UP_DEVICE /tmp/ca/ca-up.tar 指定上传文件 # dataexchange with a lower level of the hierarchy EXPORT_IMPORT_DOWN_DEVICE /tmp/ca/ca-down.tar 指定下载文件 # local dataexchange (backup, recovery and batchproces

13、sors) EXPORT_IMPORT_LOCAL_DEVICE /tmp/ca/ca-local.tar 指定本地文件 #添加项如下 ENROLL_CERTIFICATE_STATES VALID ENROLL_CRL_STATES VALID ENROLL_CSR_STATES VALID ENROLL_CRR_STATES VALID ENROLL_MAIL_STATES VALID VALID_MAIL_DIR /usr/local/openca/OpenCA/var/mail/default 执行3，4步骤之后，在tmp目录下建立ca子目录，并把拥有者改为nobody。,OpenCA

14、安装与配置,RA的配置参数： 1./configure -prefix=/usr/local/openca-ra -exec-prefix=/usr/local/openca-ra -with-openssl-prefix=/usr/local/openssl -with-web-host=56 -with-httpd-user=nobody -with-httpd-group=nobody -with-node-htdocs-url-prefix= -with-ra-htdocs-url-prefix= -with-ldap-htdocs-url-prefix= -wi

15、th-pub-htdocs-url-prefix= -with-httpd-fs-prefix=/var/www/openca-ra -with-htdocs-fs-prefix=/var/www/openca-ra -with-ca-organization=SDG -with-ca-locality=Beijing -with-ca-country=cn -with-ldap-host=56 -with-ldap-root=cn=Manager,ou=CNIC,o=SDG,c=cn -with-ldap-root-pwd=secret -with-ldap-prefi

16、x=/usr/local/ldap -with-hierarchy-level=ra -enable-update-ldap-automatic -enable-send-mail-automatic -with-sendmail=/usr/lib/sendmail -with-service-mail-account= 2Make ext 3. make install-ext,OpenCA安装与配置,5修改ra.conf # create key # = RegistrationAuthority Trustcenter itself SDG RA 6修改ra_node.conf # Da

17、taexchange section # = # dataexchange with a higher level of the hierarchy EXPORT_IMPORT_UP_DEVICE /tmp/ra/ra-up.tar # dataexchange with a lower level of the hierarchy EXPORT_IMPORT_DOWN_DEVICE /tmp/ra/ra-down.tar # local dataexchange (backup, recovery and batchprocessors) EXPORT_IMPORT_LOCAL_DEVICE

18、 /tmp/ra/ra-local.tar 7. 安装 ra，ca 证书到相应管理员的浏览器内。 Windows环境下，copy capicom.dll到windows的system32目录下， 运行 regsvr32.exe CAPICOM.DLL,OpenCA安装与配置,vi /usr/local/openldap/etc/openldap/slapd.conf #添加root的suffix database bdb suffix ou=CNIC,o=SDG,c=CN rootdn cn=Manager,ou=CNIC,o=SDG, c=CN access to * by * write,

19、OpenCA安装与配置,以CA节点为例（RA节点目录结构类似） CA的目录结构/usr/local/OpenCA/目录下 etc：包含配置文件，子目录有database openssl rbac servers lib：函数库 var：包含动态数据，子目录有batch crypto db log mail scep tmp,OpenCA安装与配置,CA的web接口目录，/var/www/openca/ Ca/ ca操作的web页面所在目录 Ca_node/ ca节点管理的web页面所在目录 Cgi/ca/ ca操作的cgi脚本 Cgi/ca_node/ ca节点管理的cgi脚本,OpenCA的介绍,OpenCA的体系结构