Building your own CA and issuing certificates with it
Views: 4311
Published: 2019-06-06

This article is about 4575 characters long; reading it takes roughly 15 minutes.

Creating the CA:

1. Install openssl

[root@localhost ~]# yum install -y openssl


2. Create the CA's files and directories

mkdir /opt/root_ca && \
  cd /opt/root_ca && \
  mkdir newcerts private crl && \
  touch index.txt && \
  touch serial && \
  echo 01 > serial

Notes:
  newcerts holds the certificates the CA has signed (issued); it is the certificate backup directory.
  private holds the CA's private key.
  serial holds the serial number of the next certificate; index.txt is the certificate database.
  serial is initialised with the first serial number (for example 10000001); each time a certificate is signed, the serial number is incremented by 1.


3. Edit the openssl configuration file

vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir = /opt/root_ca

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Notes: match means the field is strictly checked (here, the country name); optional means the field may be omitted. "Match" means that when a certificate is issued, the field in the request is compared with the corresponding field in the root certificate and must be equal. The settings listed above are the ones to change; adjust them to your own situation.


4. Generate the CA private key

[root@localhost root_ca]# openssl genrsa -out private/ca.key
Generating RSA private key, 2048 bit long modulus
..................+++
...............................+++
e is 65537 (0x10001)


5. Generate the CA certificate request with the private key

[root@localhost root_ca]# openssl req -new -key private/ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ESTREND
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.estrend.com
Email Address []:admin@estrend.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


6. Generate the CA root certificate from the CA private key and the request

[root@localhost root_ca]# openssl x509 -req -days 3650 -in ca.csr -signkey private/ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com
Getting Private key


Issuing a certificate:

1. Generate the private key

[root@localhost s1]# openssl genrsa -out server.key
Generating RSA private key, 2048 bit long modulus
..................+++
...............................+++
e is 65537 (0x10001)

2. Generate the request

[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ESTREND
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:admin@123.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Issue the certificate

[root@localhost server]# openssl ca -in server.csr -cert /opt/root_ca/ca.crt -keyfile /opt/root_ca/private/ca.key -out server.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  9 07:50:01 2019 GMT
            Not After : May  6 07:50:01 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = ESTREND
            organizationalUnitName    = IT
            commonName                = www.123.com
            emailAddress              = admin@123.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EA:DB:4B:E6:18:C6:23:15:33:86:EA:C2:7B:D5:60:85:FB:45:41:D4
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com
                serial:B8:7C:0A:A8:8D:2E:AF:23

Certificate is to be certified until May  6 07:50:01 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
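The two procedures above (building the CA, then issuing a certificate under it) as one added, non-interactive shell example; this is not code from the original post. It writes the [CA_default] and [policy_match] configuration into a temporary directory $CA_DIR (constructed here), creates the self-signed root in a single openssl req -x509 step with explicit CA extensions instead of the CSR plus openssl x509 -req pair, and then checks that the issued certificate chains to the root and is marked CA:FALSE, and that a request whose countryName differs from the CA's is rejected by the match policy. The subjects are the ones from the post; the localityName (L=) is silently dropped from the issued certificate because it is absent from policy_match, exactly as in the output above.

```shell
# Added example, not from the original post: the CA build and the certificate
# issuance above, run non-interactively in a constructed directory $CA_DIR.
set -eu
CA_DIR=$(mktemp -d); export CA_DIR; CNF="$CA_DIR/openssl.cnf"
setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"   # first serial number
    cat > "$CNF" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::CA_DIR
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl genrsa -out "$CA_DIR/private/ca.key" 2048 2>/dev/null
    # self-signed root: req -x509 replaces the post's CSR + x509 -req pair and adds the v3_ca extensions
    openssl req -x509 -new -config "$CNF" -key "$CA_DIR/private/ca.key" -days 3650 \
        -subj "/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com" -extensions v3_ca -out "$CA_DIR/ca.crt"
}
issue_cert() {   # issue_cert SUBJECT NAME: returns openssl ca's status (non-zero when policy_match rejects)
    openssl genrsa -out "$CA_DIR/$2.key" 2048 2>/dev/null
    openssl req -new -config "$CNF" -key "$CA_DIR/$2.key" -subj "$1" -out "$CA_DIR/$2.csr"
    openssl ca -batch -md sha256 -config "$CNF" -cert "$CA_DIR/ca.crt" -keyfile "$CA_DIR/private/ca.key" \
        -in "$CA_DIR/$2.csr" -out "$CA_DIR/$2.crt" -days 3650 >/dev/null 2>&1
}
verify_cert() {   # verify_cert NAME: 0 if the certificate chains to ca.crt and is itself not a CA
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$CA_DIR/$1.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Each issued certificate also lands in $CA_DIR/newcerts and as one line in index.txt, which is what the post's serial and index.txt files are for.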


Reposted from: https://www.cnblogs.com/yyxianren/p/10839139.html
