Creating the CA:
1. Install openssl
[root@localhost ~]# yum install -y openssl
2. Create the CA's files and directories
mkdir /opt/root_ca && \
cd /opt/root_ca && \
mkdir newcerts private crl && \
touch index.txt && \
touch serial && \
echo 01 > serial
Notes:
# The newcerts directory stores the certificates the CA has signed (issued); it is the certificate backup directory.
# The private directory stores the CA's private key.
# The files serial and index.txt hold, respectively, the serial number of the next certificate and the certificate information database.
# Write the serial number of the first certificate (for example 10000001) into serial; after each certificate is issued, the serial number is incremented by 1 automatically.
3. Edit the openssl configuration file
vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir = /opt/root_ca

[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Notes:
match means the country name is checked strictly.
optional means the field is optional.
This "match" means that, when a certificate is issued, the information in the request is checked against the corresponding information in the root certificate.
The settings shown above are the ones that need changing; set the actual values according to your environment.
4. Generate the CA private key
[root@localhost root_ca]# openssl genrsa -out private/ca.key
Generating RSA private key, 2048 bit long modulus
..................+++
...............................+++
e is 65537 (0x10001)
5. Generate the CA certificate request from the private key
[root@localhost root_ca]# openssl req -new -key private/ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ESTREND
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.estrend.com
Email Address []:admin@estrend.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6. Generate the CA root certificate from the CA private key and the certificate request
[root@localhost root_ca]# openssl x509 -req -days 3650 -in ca.csr -signkey private/ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com
Getting Private key
Issuing a certificate:
1. Generate the private key
[root@localhost s1]# openssl genrsa -out server.key
Generating RSA private key, 2048 bit long modulus
..................+++
...............................+++
e is 65537 (0x10001)
2. Generate the request
[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ESTREND
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.123.com
Email Address []:admin@123.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Issue the certificate
[root@localhost server]# openssl ca -in server.csr -cert /opt/root_ca/ca.crt -keyfile /opt/root_ca/private/ca.key -out server.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  9 07:50:01 2019 GMT
            Not After : May  6 07:50:01 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = ESTREND
            organizationalUnitName    = IT
            commonName                = www.123.com
            emailAddress              = admin@123.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EA:DB:4B:E6:18:C6:23:15:33:86:EA:C2:7B:D5:60:85:FB:45:41:D4
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com
                serial:B8:7C:0A:A8:8D:2E:AF:23
Certificate is to be certified until May  6 07:50:01 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
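The whole procedure above (CA directory layout, policy_match configuration, root certificate, server request, issuance with openssl ca) as one non-interactive script. This is an added example, not the page's own commands: it writes its own small openssl.cnf under a temporary directory instead of editing /etc/pki/tls/openssl.cnf, uses openssl req -x509 instead of genrsa followed by x509 -req so that the root carries basicConstraints CA:TRUE, and adds a subjectAltName to the server certificate because current TLS clients ignore the commonName. The DN values, the CA name "ESTREND Demo Root CA" and the hostname www.123.com are constructed. The last function shows what the countryName = match policy does in practice: a request with C=US is refused by the CA and the serial file is left untouched. Note also that openssl ca keeps only the DN fields listed in the policy section, which is why the Subject printed above has no localityName even though the request supplied one.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a demo CA in $1,
# issues one server certificate, verifies it and checks the DN policy.

# Write a self-contained openssl.cnf into $1 with every CA path under $1.
write_ca_config() {
    cfgdir="$1"
    cat > "$cfgdir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $cfgdir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
unique_subject  = no

[ policy_match ]
countryName            = match
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:www.123.com
EOF
}

# Create the layout from the page, the root CA, and one issued server cert.
build_demo_pki() {
    pki="$1"
    mkdir -p "$pki/newcerts" "$pki/private" "$pki/crl" || return 1
    : > "$pki/index.txt"                      # empty certificate database
    echo 01 > "$pki/serial"                   # first serial number
    write_ca_config "$pki" || return 1
    openssl genrsa -out "$pki/private/ca.key" 2048 2>/dev/null || return 1
    chmod 600 "$pki/private/ca.key"           # the CA key must not be world-readable
    # Self-signed root with explicit CA extensions (replaces x509 -req -signkey).
    openssl req -new -x509 -days 3650 -sha256 -key "$pki/private/ca.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=ESTREND Demo Root CA" \
        -config "$pki/openssl.cnf" -extensions v3_ca -out "$pki/ca.crt" || return 1
    # Server key and request, then issuance through the CA database.
    openssl genrsa -out "$pki/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$pki/server.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.123.com" \
        -config "$pki/openssl.cnf" -out "$pki/server.csr" || return 1
    openssl ca -batch -notext -config "$pki/openssl.cnf" \
        -in "$pki/server.csr" -out "$pki/server.crt" >/dev/null 2>&1 || return 1
    # Chain check: the issued certificate must validate against the root.
    openssl verify -CAfile "$pki/ca.crt" "$pki/server.crt" || return 1
}

# Returns 0 when the CA correctly refuses a request whose C= differs from the
# CA certificate (countryName = match); returns 1 if it is signed anyway.
policy_rejects_foreign_country() {
    pki="$1"
    openssl genrsa -out "$pki/foreign.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$pki/foreign.key" -subj "/C=US/CN=www.123.com" \
        -config "$pki/openssl.cnf" -out "$pki/foreign.csr" || return 1
    if openssl ca -batch -notext -config "$pki/openssl.cnf" \
        -in "$pki/foreign.csr" -out "$pki/foreign.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone run: build everything in a fresh temporary directory.
work=$(mktemp -d)
build_demo_pki "$work" && policy_rejects_foreign_country "$work" \
    && echo "root CA, server certificate and policy check OK under $work"
```

After a run, cat "$work/serial" shows 02 and "$work/index.txt" holds one line beginning with V for the issued certificate; the rejected C=US request leaves both unchanged.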
