openssl ca (signing and building your own CA) - 创新互联
openssl ca (signing and building your own CA)
Summary of building your own CA:
# Create the database index file and the serial file
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
# Generate the private key
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
# Create the CA's certificate request
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
# Self-sign
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
# Put the self-signed certificate under /etc/pki/CA/
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
A certificate request, once signed with the CA's private key, is a certificate; sending that signed certificate to the applicant is what issuing a certificate means. When signing, to guarantee the certificate's integrity and consistency, a digital digest of the signed certificate should also be produced, that is, a one-way hash algorithm is applied.
The configuration file specifies the layout of the files that signing requires; the default openssl.cnf expects the following structure:
[ CA_default ]
dir = /etc/pki/CA # base path variable
certs = $dir/certs # directory for issued certificates
database = $dir/index.txt # database index file
new_certs_dir = $dir/newcerts # directory for newly signed certificates
certificate = $dir/cacert.pem # path of the CA certificate
serial = $dir/serial # current certificate serial number
private_key = $dir/private/cakey.pem # path of the CA private key
The directories /etc/pki/CA/{certs,newcerts,private} already exist after openssl is installed, so they need not be created separately, but the database file index.txt and the serial file serial must be created, and the serial file must be given an initial serial number such as "01".
Create the database index file and the serial file
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
Create the private key
In addition, signing a certificate request requires the CA's own private key file and the CA's own certificate. First create the CA's private key at the location given by private_key in the configuration file, by default /etc/pki/CA/private/cakey.pem.
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
Building your own CA with openssl ca
The CA's own certificate must be provided; in a test environment the CA can only self-sign. "openssl req -x509", "openssl x509" and "openssl ca" can all self-sign a certificate request; only the self-signing method of the openssl ca command itself is covered here.
First create the CA's certificate request. It is recommended to create the request to be self-signed with the CA's private key /etc/pki/CA/private/cakey.pem; this is not strictly required, but it keeps things easy to manage. When creating the request, Country Name, State or Province Name, Organization Name and Common Name must be provided by default.
Create the CA's certificate request
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:MG
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Then self-sign this certificate request with the openssl ca command.
If you are prompted twice interactively, the self-signing will succeed. If it fails, check whether the database file index.txt has been created, whether the serial file serial exists and contains a serial number, whether the path of the private key file cakey.pem is correct, and whether any required field was left out when creating the certificate request.
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 1 12:18:39 2019 GMT
Not After : Aug 31 12:18:39 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = MG
organizationalUnitName = IT
commonName = www.baidu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Certificate is to be certified until Aug 31 12:18:39 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
Validity
Not Before: Sep 1 12:18:39 2019 GMT
Not After : Aug 31 12:18:39 2020 GMT
Subject: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Signature Algorithm: sha256WithRSAEncryption
Data Base Updated
After self-signing succeeds, a series of files is generated under /etc/pki/CA.
[root@linux5 ~]# tree -C /etc/pki/CA
/etc/pki/CA
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
| `-- 01.pem
|-- private
| `-- cakey.pem
|-- serial
`-- serial.old
01.pem under newcerts is the certificate just self-signed. Because it is the CA's own certificate, the "certificate=$dir/cacert.pem" entry in the configuration file requires it to be placed in /etc/pki/CA and named cacert.pem; only then can other certificate requests be signed later.
Put the self-signed certificate under /etc/pki/CA/
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
At this point the CA is built. Let's look at the database index file and the serial file.
[root@linux5 ~]# cat /etc/pki/CA/index.txt
V 200831121839Z 01 unknown /C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com
So the next time a certificate request is signed, the serial number will be "02".
Summary of the self-signed CA commands
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
The process above follows the default configuration file completely. Many of the steps are in fact not that strict, since the openssl ca command itself accepts many options that override entries in the configuration file, but since a default configuration file and directory layout are provided, it is still recommended to use the configuration file's entries throughout, for ease of management.
Issuing Lao Wang a certificate
1. Lao Wang generates his own private key
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
2. Lao Wang generates a certificate request
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:MG
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.wangwangwang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Country Name, State or Province Name, Organization Name and Common Name must be provided, and the first three must be exactly the same as the corresponding entries in the CA's subject. This is determined by the matching policy in the configuration file.
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
3. Lao Wang sends the request file to the CA
[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/
4. The CA signs it
[root@linux5 ~]# openssl ca -in wangwangwang.csr
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Sep 1 12:52:13 2019 GMT
Not After : Aug 31 12:52:13 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = MG
commonName = www.wangwangwang.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:B0:F3:C6:8B:F0:96:40:73:5C:B6:A8:2F:E4:DF:8C:2E:5B:C5:C5
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Certificate is to be certified until Aug 31 12:52:13 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
Validity
Not Before: Sep 1 12:52:13 2019 GMT
Not After : Aug 31 12:52:13 2020 GMT
Subject: C=CN, ST=BJ, O=MG, CN=www.wangwangwang.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:B0:F3:C6:8B:F0:96:40:73:5C:B6:A8:2F:E4:DF:8C:2E:5B:C5:C5
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Signature Algorithm: sha256WithRSAEncryption
Data Base Updated
5. Signing is complete; look at the directory structure
[root@linux5 ~]# tree -C /etc/pki/CA
/etc/pki/CA
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- newcerts
| |-- 01.pem
| `-- 02.pem
|-- private
| `-- cakey.pem
|-- serial
`-- serial.old
6. "02.pem" is the certificate just signed; sending this certificate to the applicant completes the issuance.
7. Look at the database index file and the serial file again
[root@linux5 ~]# cat /etc/pki/CA/index.txt
V 200831121839Z 01 unknown /C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com
V 200831125213Z 02 unknown /C=CN/ST=BJ/O=MG/CN=www.wangwangwang.com
[root@linux5 ~]# cat /etc/pki/CA/serial
03
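The whole procedure above (build the CA, then sign Lao Wang's request under policy_match) as one non-interactive script. This is an added example, not the page's own commands: it runs in a temporary directory with its own openssl.cnf mirroring the page's CA_default and policy_match sections, uses constructed subject values (O=MG, CN=www.example.com), and unlike the page's default output, which shows CA:FALSE on the self-signed root, signs the root with a v3_ca section so that openssl verify accepts it as a CA.

```shell
# Added example (not from the page): throwaway CA driven by a config that
# mirrors the page's CA_default / policy_match sections, run without prompts.
set -eu

write_cnf() {  # $1 = CA directory; writes $1/openssl.cnf
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Build the CA, sign one leaf CSR under policy_match, verify the chain.
# Prints "verified" on success; set -e aborts on any failing step.
demo_ca() {
  d=$(mktemp -d); mkdir -p "$d/newcerts" "$d/private"
  touch "$d/index.txt"; echo 01 > "$d/serial"; write_cnf "$d"; c="$d/openssl.cnf"
  openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null
  # -selfsign signs with the key the CSR was made with, so use the CA key here.
  openssl req -new -config "$c" -key "$d/private/cakey.pem" -subj "/C=CN/ST=BJ/O=MG/CN=Test Root CA" -out "$d/ca.csr"
  openssl ca -config "$c" -selfsign -batch -notext -days 365 -extensions v3_ca -in "$d/ca.csr" -out "$d/cacert.pem" 2>/dev/null
  openssl genrsa -out "$d/wangkey.pem" 2048 2>/dev/null
  # C/ST/O must equal the CA's subject (policy "match"); CN must be supplied.
  openssl req -new -config "$c" -key "$d/wangkey.pem" -subj "/C=CN/ST=BJ/O=MG/CN=www.example.com" -out "$d/wang.csr"
  openssl ca -config "$c" -batch -notext -days 365 -extensions usr_cert -in "$d/wang.csr" -out "$d/wang.pem" 2>/dev/null
  openssl verify -CAfile "$d/cacert.pem" "$d/wang.pem" >/dev/null && echo verified; rm -rf "$d"
}
```

Changing the leaf's O= to anything other than MG makes the second openssl ca step fail with a policy error, which is the check the page's policy_match section enforces.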
Summary of issuing Lao Wang a certificate
# Lao Wang generates a private key
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
# Lao Wang generates the request file
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
# Lao Wang sends the certificate request to the CA (country, state/province and organization must match the CA's subject)
[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/
# The CA signs it
[root@linux5 ~]# openssl ca -in wangwangwang.csr
# The CA sends the certificate to Lao Wang
[root@linux5 ~]# scp /etc/pki/CA/newcerts/02.pem wang@192.168.38.146:~/
Page URL: http://scyanting.com/article/dhiide.html