1 建立CA
[root@centos7localdomain ~]# cd /etc/pki/CA
[root@centos7localdomain CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096) #生成CA私钥文件(umask 077 使私钥文件仅对 root 可读写)
Generating RSA private key, 4096 bit long modulus
...........................................++
...................................++
e is 65537 (0x10001)
[root@centos7localdomain CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem 私钥
[root@centos7localdomain CA]# openssl req -new -x509 -key private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 <<EOF
> cn 国家 #必须一致(见下文 policy_match 策略); -x509 表示生成自签名证书, -days 3650 为证书有效天数, 默认一年; 注意此处的中文注释仅为说明, 实际输入时每行只保留字段值
> shanghai 省份 #必须一致
> shanghai 城市
> et 公司 #必须一致
> it 部门
> ca.et.com 网址
> admin@qq.com 邮箱
> EOF
[root@centos7localdomain CA]# openssl x509 -in cacert.pem -noout -text #查看证书内容
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
db:11:ab:ab:44:97:96:14
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, ST=shanghai, L=shanghai, O=et, OU=it, CN=ca.et.com/emailAddress=admin@qq.com
Validity
Not Before: Jun 22 01:25:48 2020 GMT
Not After : Jun 20 01:25:48 2030 GMT
Subject: C=cn, ST=shanghai, L=shanghai, O=et, OU=it, CN=ca.et.com/emailAddress=admin@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:db:83:1f:0f:bd:22:01:35:dc:9c:3a:0e:dd:c6:
c7:65:54:b8:7d:b9:df:b5:39:e8:89:07:ad:80:e6:
18:10:fd:db:3b:cc:1e:c9:9f:89:0f:ec:c3:f8:15:
44:1a:69:a8:79:62:5b:86:46:43:fe:6f:94:c9:f4:
0f:3e:9a:f8:2d:ec:a9:9e:05:d7:70:5c:a5:a0:3d:
4b:e5:b1:a7:8a:7f:ab:e5:5d:bc:92:dc:4f:a6:73:
a6:09:76:2f:6c:d0:d3:b0:2e:1b:19:c2:e1:04:69:
3f:2d:87:07:8a:de:4c:80:04:c6:d1:c4:2d:b2:e8:
74:c1:3e:ba:e6:46:7a:99:68:d0:0e:25:72:ee:30:
52:13:10:9c:02:76:d4:c3:fc:57:0e:ad:56:d5:25:
98:d7:7a:82:31:53:63:90:8c:45:8d:96:c4:17:d2:
4 directories, 1 file
[root@centos7localdomain CA]# tree
.
├── cacert.pem CA自签名证书(含公钥)
├── certs
├── crl
├── newcerts
└── private
└── cakey.pem 私钥
4 directories, 2 files
[root@centos7localdomain CA]#touch /etc/pki/CA/index.txt
[root@centos7localdomain CA]#echo 0F > /etc/pki/CA/serial
2 申请
[root@localhost app]# (umask066;openssl genrsa -out app.key 2048) 用户生成私钥(注意: 此处 umask066 缺少空格, 命令未生效, 私钥以默认权限生成, 见下方 ll 输出)
bash: umask066: command not found...
Generating RSA private key, 2048 bit long modulus
..........................................+++
...................................+++
e is 65537 (0x10001)
[root@localhost app]# ls
app.key
[root@localhost app]# openssl req -new -key app.key -out app.csr 利用私钥生成证书签名请求(CSR)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:et
Organizational Unit Name (eg, section) []:fn
Common Name (eg, your name or your server's hostname) []:app
Email Address []:app@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost app]# ll
total 8
-rw-r--r--. 1 root root 1025 Jun 22 09:50 app.csr
-rw-r--r--. 1 root root 1679 Jun 22 09:45 app.key
[root@localhost app]# scp /data/app/app.csr 192.168.8.10:/data/ 将证书签名请求(app.csr)发送给CA服务器
3 颁发证书
[root@centos7localdomain CA]# openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 31 (0x1f)
Validity
Not Before: Jun 22 02:27:32 2020 GMT
Not After : Sep 30 02:27:32 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = et
organizationalUnitName = fn
commonName = app
emailAddress = app@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BD:58:64:12:A1:5D:AA:01:69:A3:E6:BF:71:A4:14:C8:A5:A5:0C:7D
X509v3 Authority Key Identifier:
keyid:AC:3B:3E:0C:A3:30:A0:2A:68:EC:6B:13:47:F1:66:10:C3:B9:41:7F
Certificate is to be certified until Sep 30 02:27:32 2020 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@192 CA]# tree
.
├── cacert.pem
├── certs
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 1F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
将生成的 app.crt或1F.pem发送给客户端
用于更改签发策略中的默认选项(国家 省份 公司是否必须与CA证书一致)
vim /etc/pki/tls/openssl.cnf
# For the CA policy
[ policy_match ]
countryName = match 必须与CA证书相同; optional 可选; supplied 必须提供
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
控制同一主题(subject)可以签发一个还是多个证书文件
vim /etc/pki/CA/index.txt.attr
unique_subject = yes 同一主题只允许一个有效证书; no 允许多个
4 证书吊销
root@centos7localdomain app]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ ├── app2.crt
│ └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 00.pem
│ ├── 01.pem
│ └── 02.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
[root@centos7localdomain app]# openssl ca -revoke /etc/pki/CA/newcerts/02.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 02.
Data Base Updated
[root@centos7localdomain app]# cat /etc/pki/CA/index.txt
V 230319031112Z 00 unknown /C=CN/ST=shanghai/O=et/OU=fn/CN=app/emailAddress=app@qq.com
V 230320104706Z 01 unknown /C=CN/ST=shanghai/O=et/OU=it/CN=www.app2.com/emailAddress=app@qq.com
R 230320105431Z 200623105942Z 02 unknown /C=CN/ST=shanghai/O=it/OU=fn/CN=www.it.vn/emailAddress=it@qq.com
指定证书吊销列表(CRL)的起始编号;注意:仅在第一次生成证书吊销列表前执行一次
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看crl文件:
openssl crl -in /etc/pki/CA/crl.pem -noout -text