一、配置OPENSSL
[root@test1 /]# rpm -qa|grep openssl
openssl-1.0.0-20.el6_2.5.i686
[root@test1 /]# cd /etc/pki/tls
[root@test1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@test1 tls]# vim openssl.cnf
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept  (CA中心的目录)
certs           = $dir/certs            # Where the issued certs are kept (证书保存目录)
crl_dir         = $dir/crl              # Where the issued crl are kept  (被吊销证书的目录)
database        = $dir/index.txt        # database index file.  (证书索引文件)
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
                                        # (保持注释即默认为 yes:同一 Subject 已有未吊销的有效证书时再次签发会报 TXT_DB error number 2)
new_certs_dir   = $dir/newcerts         # default place for new certs.(经过CA中心签名的证书备份目录)

certificate     = $dir/my-ca.crt        # The CA certificate (CA的公钥文件名)
serial          = $dir/serial           # The current serial number (CA中心的颁发证书序列号)
crlnumber       = $dir/crlnumber        # the current crl number (已吊销证书序列号)
                                        # must be commented out to leave a V1 CRL
crl             = $dir/my-ca.crl        # The current CRL (证书吊销列表)
private_key     = $dir/private/my-ca.key # The private key (CA私钥文件)
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert (签发普通证书时附加的 X509v3 扩展,usr_cert 段含 CA:FALSE)

default_days    = 365                   # how long to certify for  (证书有效期)
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD (在 OpenSSL 1.0.x 下 RSA 密钥的默认摘要为 SHA-1,现代浏览器/客户端已不再接受 SHA-1 签名的证书,建议显式改为 sha256)
preserve        = no                    # keep passed DN ordering

[ policy_match ]       #此段为证书相关信息选项,其中match指定的项,要求被签名证书一定要与CA的对应项一致。
countryName  = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName  = supplied
emailAddress  = optional

#
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN    (国家代码需要自己修改)
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default    = Hebei   (州或省名需要自己修改)

localityName                    = Locality Name (eg, city)
localityName_default    = Beijing    (地点名称需要自己修改)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Tianli Company    (组织或公司名需要自己修改)

[root@test1 tls]# cd ../CA/
[root@test1 CA]# ls
certs  crl  newcerts  private
注:需要有这几个目录,如果没有可以自己新建(mkdir -p certs crl newcerts private)。private 目录用于存放 CA 私钥,应执行 chmod 700 private,确保只有 root 能访问。
[root@test1 CA]# touch index.txt
[root@test1 CA]# echo "00"> serial
[root@test1 CA]# ls
certs  crl  index.txt  newcerts  private  serial

二、创建密钥过程
创建私钥
[root@test1 CA]#(umask 077;openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
............................................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:
Verifying - Enter pass phrase for private/my-ca.key:

用 CA 私钥生成自签名的 CA 根证书(my-ca.crt 内含公钥和 CA 的自签名,并非单纯的“公钥文件”;它是客户端信任的根,需要分发给所有要信任此 CA 的机器)。注意 -days 365 意味着根证书一年后失效,届时所有客户端都要重新导入;实际部署中一般给 CA 证书比它所签发的证书更长的有效期,否则后签发的证书可能比 CA 证书还晚过期。
[root@test1 CA]#openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1
Email Address []:
[root@test1 CA]# ls
certs  crl  index.txt  my-ca.crt  newcerts  private  serial

三、客户端验证CA服务
主机端(192.168.1.130)上:
[root@test1 CA]#yum -y install httpd
[root@test1 CA]#service httpd start
[root@test1 CA]#mkdir -p /var/www/html/yum
[root@test1 CA]#cp my-ca.crt /var/www/html/yum   将my-ca.crt,即CA根证书(可公开部分)放到http服务器,供其他人下载
注:通过明文 HTTP 分发根证书时,客户端无法判断证书是否在传输途中被替换;一旦导入了攻击者的“根证书”,其签发的任何证书都会被信任。下载后应通过带外途径核对指纹(例如 openssl x509 -in my-ca.crt -noout -fingerprint -sha256)再导入。

另外客户端(192.168.1.117)上:
[root@test2 Desktop]#openssl genrsa 1024 > test2.key
注:1024 位 RSA 已被视为不安全,应至少使用 2048 位;并应像生成 CA 私钥时那样用 (umask 077; openssl genrsa -out test2.key 2048) 保护文件权限,否则在默认 umask 下 test2.key 会以 644 权限创建,对本机其他用户可读。
Generating RSA private key, 1024 bit long modulus
.....................++++++
.......++++++
e is 65537 (0x10001)

[root@test2 Desktop]#openssl req -new -key test2.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@test2 Desktop]# scp dovecot.csr root@192.168.1.130:/root/
注:只需把 CSR 发送给 CA。CSR 中仅包含公钥和 DN 信息,私钥 test2.key 应始终留在客户端,不要复制到 CA 服务器上。
root@192.168.1.130's password:
dovecot.csr                                   100%  668     0.7KB/s   00:00

四、CA 服务端为客户端签发证书(用 CA 私钥对客户端提交的 CSR 签名,产物是客户端证书,而不是新的 CA 证书)
在CA认证服务器上
[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 22 10:44:36 2013 GMT
            Not After : Jan 22 10:44:36 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hebei
            organizationName          = Tianli Company
            commonName                = test2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                56:69:58:12:67:C7:FC:9E:AC:70:1D:2A:2C:56:A4:E1:61:97:B2:23
            X509v3 Authority Key Identifier:
                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 22 10:44:36 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
最后签发成功。

补充:在签发证书的过程中容易出现的两个问题
[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
unable to load number from /etc/pki/CA/serial
error while loading serial number
3078239980:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
提示 error while loading serial number,一般是因为 serial 文件不存在或没有赋初值。注意 RFC 5280 要求证书序列号为正整数,因此更常见的做法是用 echo 01 > serial 初始化,避免签发序列号为 0 的证书。
解决办法
[root@test1 ~]#cd /etc/pki/CA
[root@test1 CA]# echo "00" >serial
[root@test1 CA]# cat serial
00

还有一个问题在CA签名时,最后出现failed to update database错误
[root@test1 ~]#openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 23 02:23:39 2013 GMT
            Not After : Jan 23 02:23:39 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hebei
            organizationName          = Tianli Company
            commonName                = test2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                96:86:28:B7:ED:2E:96:79:32:88:7E:C3:23:37:02:BC:43:1C:76:87
            X509v3 Authority Key Identifier:
                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 23 02:23:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Certificate is to be certified until Jan 23 02:17:38 2014 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
遇到这个错误,原因是 index.txt 中已经存在相同 Subject 且仍然有效(未吊销、未过期)的证书,而 openssl.cnf 默认 unique_subject = yes。不要直接清空 index.txt:它是 CA 的签发数据库,清空后先前签发的证书将无法再被吊销、也不会出现在 CRL 中。正确做法是先用 openssl ca -revoke 吊销旧证书再重新签发,或在 [CA_default] 中设置 unique_subject = no,允许同一 Subject 并存多张有效证书。

吊销证书(注意:下面的示例把 CA 自己的根证书 my-ca.crt 当作参数传入,吊销根证书没有意义——CRL 由这个 CA 自己签发,客户端不会据此停止信任根。实际应吊销由此 CA 签发的证书,例如 openssl ca -revoke dovecot.cst 或 openssl ca -revoke newcerts/01.pem):
[root@test1 ~]# openssl ca -revoke my-ca.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Adding Entry with serial number B443BCCFCD08C1CD to DB for /C=CN/ST=Hebei/L=Beijing/O=Default Company Ltd/CN=test1
Revoking Certificate B443BCCFCD08C1CD.
Data Base Updated

生成证书吊销列表(CRL)。注意:吊销只有在客户端实际获取并检查 CRL 时才生效,因此 CRL 需要发布到客户端可访问的位置,并要在 default_crl_days(此处为 30 天)到期前重新生成和发布。
[root@test1 ~]# openssl ca -gencrl -out my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
unable to load number from /etc/pki/CA/crlnumber
error while loading CRL number
3079087852:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
出现 error while loading CRL number,是因为 crlnumber 文件不存在或为空;解决办法是给 crlnumber 赋初值(与 serial 类似,建议使用 01)。
[root@test1 ~]# echo "00" >/etc/pki/CA/crlnumber
[root@test1 ~]# openssl ca -gencrl -out my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
[root@test1 ~]# ls
anaconda-ks.cfg  dovecot.csr  install.log         my-ca.crl  Public
dead.letter      dovecot.cst  install.log.syslog  my-ca.crt  Templates
Desktop          dovecot.pem  Music              test2.key
Documents        Downloads    Pictures   Videos
注意上面的目录列表中出现了 test2.key:客户端私钥不应被复制到 CA 服务器上,CA 只需要 CSR 就能签发证书。私钥一旦离开客户端,就应视为已泄露并重新生成。
[root@test1 ~]# cat my-ca.crl
-----BEGIN X509 CRL-----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-----END X509 CRL-----
