创建CA:
一、安装openssl
[root@localhost ~]# yum install -y openssl
二、创建CA的相关文件及目录
mkdir /opt/root_ca &&\
cd root_ca &&\
mkdir newcerts private crl &&\
touch index.txt &&\
touch serial &&\
echo >serial &&\
说明:
#newcerts目录用于存放CA签署(颁发)过的数字证书(证书备份目录)。
#private目录用于存放CA的私钥。
#文件serial和index.txt分别用于存放下一个证书的序列号和证书信息数据库。
#文件serial填写第一个证书序列号(如10000001),之后每前一张证书,序列号自动加1。
三、修改openssl配置文件
vim /etc/pki/tls/openssl.cnf [ CA_default ]
dir = /opt/root_ca [ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
说明:
match 表示严格校验国家名称
optional 表示可选
这个“匹配”指的是在颁发证书的时候,检查请求中的信息是否和根证书中所对应的信息匹配;
加粗的部分为需要修改的配置,具体配置根据实际情况修改
四、生成CA私钥
[root@localhost root_ca] openssl genrsa -out private/ca.key
Generating RSA private key, bit long modulus
..................+++
...............................+++
e is (0x10001)
五、使用私钥生成CA请求信息
[root@localhost root_ca]# openssl req -new -key private/ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ESTREND
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.estrend.com
Email Address []:admin@estrend.com Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
六、使用CA私钥和证书请求,生成CA根证书
[root@localhost root_ca]# openssl x509 -req -days -in ca.csr -signkey private/ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com
Getting Private key
颁发证书:
一、生成私钥
[root@localhost s1]# openssl genrsa -out server.key
Generating RSA private key, bit long modulus
..................+++
...............................+++
e is (0x10001)
二、生成请求
[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ESTREND
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:admin@.com Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
三、颁发证书
[root@localhost server]# openssl ca -in server.csr -cert /opt/root_ca/ca.crt -keyfile /opt/root_ca/private/ca.key -out server.crt -days
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x1)
Validity
Not Before: May :: GMT
Not After : May :: GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = ESTREND
organizationalUnitName = IT
commonName = www..com
emailAddress = admin@.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EA:DB:4B:E6::C6:::::EA:C2:7B:D5:::FB:::D4
X509v3 Authority Key Identifier:
DirName:/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com
serial:B8:7C:0A:A8:8D:2E:AF: Certificate is to be certified until May :: GMT ( days)
Sign the certificate? [y/n]:y
out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated