把centos7上的目录传到rockylinux上
# Recursively copies the CA directory skeleton to the Rocky Linux host; as the
# tree listing below shows, at this point it only holds the empty certs/, crl/,
# newcerts/ and private/ directories (no key material yet).
scp -r /etc/pki/CA 192.168.57.130:/etc/pki/
[root@zhao pki]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
实际上就是这几个目录,自己创建也可以。
生成证书索引数据库文件
# Empty certificate database: `openssl ca` appends one line per issued
# certificate (status, expiry, serial, subject — see the `cat index.txt`
# output further down).
touch /etc/pki/CA/index.txt
指定第一个颁发证书的序列号
# Serial number of the next certificate to be issued; `openssl ca` reads it and
# increments it on every signing (the two certs below come out as 01 and 02).
echo 01 > /etc/pki/CA/serial
生成CA私钥
cd /etc/pki/CA/
# No cipher option (e.g. -aes256) is passed, so cakey.pem is written
# unencrypted; its only protection is the filesystem permissions on private/
# and on the file itself, so keep both owner-only. No key size is given either,
# so the build's default size is used.
openssl genrsa -out private/cakey.pem
生成CA自签名证书
# Self-signed root certificate for the CA, valid for 36500 days (~100 years).
# -x509 turns the request directly into a certificate, so the CA needs no CSR;
# the subject is taken interactively from the prompts shown below because no
# -subj is given.
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36500 -out /etc/pki/CA/cacert.pem
Country Name (2 letter code) [XX]:CN 中国
State or Province Name (full name) []:beijing 省
Locality Name (eg, city) [Default City]:beijing 城市
Organization Name (eg, company) [Default Company Ltd]:magedu 公司
Organizational Unit Name (eg, section) []:M48 部门
Common Name (eg, your name or your server's hostname) []:ca.magedu.org 域名
Email Address []:admin@magedu.org 邮箱
假如有网站需要证书,重复下面的步骤
为需要使用证书的主机生成私钥
# Server private key for www, written unencrypted (no cipher option) to /data;
# it is one of the three files the web server ends up with (cacert.pem,
# www.crt, www.key).
openssl genrsa -out /data/www.key
为需要使用证书的主机生成证书申请文件
# CSR for www. Under the default openssl.cnf policy the C, ST and O entered at
# the prompts below must match the CA's subject (as noted further down),
# otherwise `openssl ca` rejects the request.
openssl req -new -key /data/www.key -out /data/www.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:M49
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
在CA签署证书并将证书颁发给请求者
# Signs the CSR with the CA configured in the default openssl.cnf; -days 100
# overrides the config's default validity. Besides writing www.crt, the CA
# keeps its own copy as newcerts/<serial>.pem and records the cert in
# index.txt — that copy is what -revoke is pointed at later.
openssl ca -in /data/www.csr -out /etc/pki/CA/certs/www.crt -days 100
总共 3 个文件:cacert.pem、www.crt、www.key
注意:默认要求 国家,省,公司名称三项必须和CA一致
再模拟一次k8s的证书
# Same flow for the k8s certificate: an unencrypted key, then an interactive
# CSR whose C/ST/O must again match the CA's.
openssl genrsa -out /data/k8s.key
openssl req -new -key /data/k8s.key -out /data/k8s.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:m50
Common Name (eg, your name or your server's hostname) []:k8s.magedu.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Issued as serial 02 (see the index.txt contents below), so the CA's own copy
# is newcerts/02.pem.
openssl ca -in /data/k8s.csr -out /etc/pki/CA/certs/k8s.crt -days 100
吊销证书
[root@zhao CA]# pwd
/etc/pki/CA
[root@zhao CA]# cat index.txt
V 230404145141Z 01 unknown /C=CN/ST=beijing/O=magedu/OU=M49/CN=www.magedu.org
V 230404150425Z 02 unknown /C=CN/ST=beijing/O=magedu/OU=m50/CN=k8s.magedu.org
# Revocation is done against the CA's copy in newcerts/, named by serial
# (02 = k8s.magedu.org per the index.txt output above). This only changes the
# entry's status in index.txt; relying parties learn nothing until a new CRL is
# generated and published (the steps that follow).
openssl ca -revoke /etc/pki/CA/newcerts/02.pem
指定第一个吊销证书的编号。注意:只需在第一次更新证书吊销列表之前执行一次
# Seeds the CRL sequence number (crlnumber). This is the CRL's own counter,
# incremented on every -gencrl, not the serial of a revoked certificate; run it
# once, before the first CRL is generated.
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
# Generates the CRL from the revoked entries in index.txt. Its validity period
# comes from default_crl_days in openssl.cnf unless -crldays is given, so it
# has to be regenerated (and redistributed to the clients) before it expires
# and after every revocation.
openssl ca -gencrl -out /etc/pki/CA/crl.pem