用于私有网络中自建CA中心并进行证书的签发和认证
2019-06-28
v1.2
- 增加日志(默认项目根目录下的
ca_server.log)- 删除签发证书api下的
csr_name字段- 修改handler类下的请求处理函数为异步
- 杀臭虫
2019-06-25
v1.1
- 使用
aes-256-cfb代替fingerprint的验证方式- 杀死了部分臭虫
2019-06-04
v1.0
- 初始版本,完成各个接口
| Method | API URL | Remarks | Status |
|---|---|---|---|
| GET | /api/ca/cacert | 获取CA中心的根证书 | ✔️ |
| GET | /api/ca/crl | 获取CA中心的CRL | ✔️ |
| POST | /api/ca/sign | 签发证书 | ✔️ |
| DELETE | /api/ca/revoke | 吊销证书 | ✔️ |
GET /api/ca/cacert
HTTP/1.1 200 OK
Server: TornadoServer/6.0.2
Content-Type: application/x-pem-file
Date: Mon, 03 Jun 2019 07:11:40 GMT
Content-Disposition: attachment; filename=cacert.pem
Etag: "234847b704fa446e60c766c8e2a4d1225ed3e404"
Content-Length: 2114
Connection: close
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----未找到根证书
GET /api/ca/crl
HTTP/1.1 200 OK
Server: TornadoServer/6.0.2
Content-Type: application/x-pem-file
Date: Mon, 03 Jun 2019 07:57:27 GMT
Content-Disposition: attachment; filename=ca_crl.pem
Etag: "1a35bbbeff23273b9d435833d443267eca5229fd"
Content-Length: 1060
Connection: close
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----v1.1以后不会返回404,如果CRL找不到会自动生成
POST /api/ca/sign
- csr_body: 用
aes-256-cfb加密后的base64格式的X509Req
此处为了方便,不通过状态码区分返回结果,状态码一律返回200
签发失败将返回:
{
status: -1,
msg: "ERROR Message"
}message的具体信息如下表:
| status | message | Remarks |
|---|---|---|
| -1 | [Request error]: Missing parameters! | 必要参数缺失 |
| [Request error]: 'csr_body' field must be base64 type! | csr_body不是base64格式 | |
| [ERROR]: Something is error with signing processing! | 签发证书超时 | 签发失败 | |
| [ERROR]: Please do not repeat the application for certificate! | 重复签发 | |
| [ERROR]: Wrong certificate request (X509Req) format! | csr文件格式不正确,无法加载 |
签发成功将返回:
{
status: 0,
cert: "[Your Cert Data]"
}DELETE /api/ca/revoke
有两种模式:通过序列号(证书丢失)和证书来进行吊销操作
- serial: 需要吊销的证书序列号(与cert二选一),需为16进制格式
- cert: 需要吊销的证书(与serial二选一)
注意:serial和cert都必须为用
aes-256-cfb加密后的base64格式
状态码一律返回200
吊销失败将返回:
{
status: -1,
msg: '[ERROR Message]'
}其中error message具体信息如下表:
| status | message | Remarks |
|---|---|---|
| -1 | [Request error]: Missing parameters! | 必要参数缺失 |
| [ERROR]: Wrong certificate format! | 证书格式不正确 | |
| [ERROR]: This may be an invalid serial number! | 证书序列号无效 | |
| [ERROR]: This certificate is revoked! | 该证书已经被吊销 | |
| [ERROR]: Revoke failed, unknown error! | 吊销失败,未知错误 |
吊销成功则返回:
其中Serial Number为已吊销证书的序列号,以16进制表示
{
"status": 0,
"msg": "Revoke Certificate success!",
"Serial Number": "3166306230653066383662636431643b"
}