openssl 生成自簽CA和pkcs12證書


 

基礎環境

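# Working tree: ./Test holds the CA database under ./CA, which is the `dir`
# the local openssl.cnf copy (edited below) must point at.
mkdir -p Test
cd Test || exit 1
# private/ receives the CA key; newcerts/ gets a copy of each certificate `openssl ca` issues.
mkdir -p ./CA/{private,newcerts}
# Keep the key directory itself private; the umask used at genrsa time only covers the key file.
chmod 700 ./CA/private
# index.txt is the CA database (one line per issued certificate) and must exist, even if empty.
touch CA/index.txt
# serial / crlnumber seed the next certificate serial number and CRL number (hex);
# `echo` creates the files, so a separate `touch` is not needed.
echo 01 > CA/serial
echo 01 > CA/crlnumber
# Work on a private copy of the system config so the system CA settings stay untouched;
# every later `openssl ca` step must pass `-config openssl.cnf` to pick it up.
cp -- /etc/pki/tls/openssl.cnf ./ || exit 1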

# 將 [ CA_default ] 的 dir 改為當前目錄下的 ./CA
vim openssl.cnf
  [ CA_default ]
    dir = ./CA
# 擴展密鑰用途 (extendedKeyUsage): 客戶端身份認證
  [ v3_req ]
    keyUsage = nonRepudiation,digitalSignature
    extendedKeyUsage = clientAuth

 

生成CA證書

 
         
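# CA certificate validity and subject; both can be overridden from the environment,
# the defaults are the values used throughout this walkthrough.
ca_days=${CA_DAYS:-365}
ca_subj=${CA_SUBJ:-"/C=CN/ST=GD/L=SZ/O=organization/OU=dev/CN=organization.com/emailAddress=aa@organization.com"}

# CA private key: mode 0600 via the umask in a subshell (the caller's umask is untouched),
# encrypted under a passphrase that openssl prompts for. AES-256 replaces the legacy
# 3DES (-des3) key wrapping.
(umask 077; openssl genrsa -aes256 -out ./CA/private/cakey.pem 2048) || exit 1

# Self-signed CA certificate, explicit SHA-256 signature digest.
# The CA must outlive every certificate it signs: once the CA certificate expires,
# chain validation fails for all user certificates even if they are still within their
# own validity, so raise CA_DAYS for anything beyond a throwaway test.
openssl req -new -x509 -sha256 -days "$ca_days" \
  -key ./CA/private/cakey.pem \
  -out ./CA/cacert.pem \
  -subj "$ca_subj" || exit 1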
 

 

生成用戶證書

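# Subject of the user certificate; defaults to the walkthrough's value. Note that it is
# identical to the CA's subject — giving the leaf its own CN (e.g. the user's name) keeps
# the two distinguishable and avoids the duplicate-subject problem noted at the end.
user_subj=${USER_SUBJ:-"/C=CN/ST=GD/L=SZ/O=organization/OU=dev/CN=organization.com/emailAddress=aa@organization.com"}

# User private key (unencrypted; mode 0600 via the subshell umask).
(umask 077; openssl genrsa -out userkey.pem 2048) || exit 1

# Certificate signing request. `-days` on `openssl req` only applies together with -x509,
# so the validity is set at signing time below instead.
openssl req -new -key userkey.pem -out userreq.pem -subj "$user_subj" || exit 1

# Issue the user certificate with the local config (dir = ./CA) and the v3_req extensions
# (clientAuth EKU). The continuation backslashes are required: without them the options
# on the following lines would run as a separate command.
openssl ca -config openssl.cnf \
  -in userreq.pem \
  -out usercert.pem \
  -days 365 \
  -extensions v3_req || exit 1

# PKCS#12 bundle (key + certificate); the export password is prompted for interactively.
# Add `-certfile ./CA/cacert.pem` if the client also needs the CA certificate in the bundle.
openssl pkcs12 -export \
  -inkey userkey.pem \
  -in usercert.pem \
  -out user.pfx || exit 1

# To re-issue a certificate for the same subject, revoke the old one first (see below)
# rather than `rm ./CA/index.txt && touch ./CA/index.txt`: wiping index.txt discards the
# CA's record of every issued certificate, so none of them can be revoked or listed in a
# CRL afterwards. (By default openssl ca rejects a second valid certificate with an
# identical subject — presumably why the wipe was suggested; `unique_subject = no` in
# [ CA_default ] lifts that check if duplicates are really wanted.)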

 

吊銷用戶證書

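# Revoke the user certificate. `-config openssl.cnf` is required here as well: without it
# openssl reads the system config, whose CA_default dir is not ./CA, so the revocation
# would be recorded against the wrong database (or fail) and never show up in the CRL below.
openssl ca -config openssl.cnf -revoke usercert.pem \
  -cert ./CA/cacert.pem -keyfile ./CA/private/cakey.pem || exit 1

# Regenerate the CRL from the updated CA database. Its next-update time comes from
# default_crl_days in openssl.cnf; re-run this after every revocation and republish the file.
openssl ca -config openssl.cnf -gencrl -out rootca.crl \
  -cert ./CA/cacert.pem -keyfile ./CA/private/cakey.pem || exit 1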

 

 

 

 

