./demoCA                   - main CA directory
./demoCA/cacert.pem        - CA 证书,即自签名的公钥证书
./demoCA/private/cakey.pem - 自签名私钥
./demoCA/serial            - CA serial number file
./demoCA/serial.old        - CA serial number backup file
./demoCA/index.txt         - 数据库文件
./demoCA/index.txt.old     - CA text database backup file
./demoCA/certs             - 颁发的证书存放目录
./demoCA/.rnd              - CA random seed information
1. 创建私有 CA
私有 CA 的目录位置在 openssl.cnf 中可以更改,默认设置如下,我们就不改了。
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
[root@centos8 CA]$openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:henan Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:ljk Email Address []:ljk@qq.com [root@centos8 CA]$ [root@centos8 CA]$openssl x509 -noout -in cacert.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 26:c2:97:d3:b0:0e:f4:8d:d7:3e:1c:a1:e2:95:08:31:20:aa:f1:b7 Signature Algorithm: sha256WithRSAEncryption Issuer: C = CN, ST = henan, L = Default City, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com Validity Not Before: Sep 8 08:17:04 2020 GMT Not After : Sep 6 08:17:04 2030 GMT Subject: C = CN, ST = henan, L = Default City, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:bc:30:93:e4:81:8f:aa:ed:c7:27:c3:66:6b:17: 7d:f2:40:f2:1c:5e:12:86:89:5a:ca:e1:d2:6d:61: fa:3c:0e:36:d6:88:bc:c3:1c:e9:a3:a4:f7:28:14: 4b:7f:5a:48:e0:1f:3e:3a:dc:45:12:27:a9:ef:94: 51:95:1b:84:79:ae:6b:11:3d:77:92:a4:72:ee:4a: 47:c9:c6:13:84:03:f7:be:48:48:8d:ac:d4:b5:7b: fd:36:04:6a:90:22:6f:5d:06:cc:52:c6:21:a2:0f: 48:fb:d1:cb:5b:66:f7:05:e5:35:10:14:6a:07:bc: 35:66:fd:d9:c4:30:35:91:bb:ca:6c:bb:77:79:4d: e2:9e:03:71:72:e4:bd:7b:cf:2e:96:30:0e:7e:2d: 10:c4:5a:b3:66:03:7a:68:95:78:e1:31:28:86:35: 43:f6:be:7c:b8:d2:36:8f:ed:d0:0e:0a:98:49:59: 63:42:45:70:f2:a1:8d:30:b9:6b:6f:b2:49:c9:e2: 
ae:0c:08:b2:47:bf:48:c7:be:d6:e8:26:8c:21:07: e4:a9:16:e9:f1:c6:30:e0:41:de:3c:d8:81:fd:fe: 86:b2:6f:b1:04:35:73:ac:67:36:a8:39:ee:ff:15: 6b:4c:30:7e:6f:dd:9e:02:16:af:ae:46:e1:5c:e9: b1:e5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 62:CE:34:13:29:DA:F0:67:D8:CB:8D:6C:90:1A:3C:C8:E5:15:4D:D9 X509v3 Authority Key Identifier: keyid:62:CE:34:13:29:DA:F0:67:D8:CB:8D:6C:90:1A:3C:C8:E5:15:4D:D9 X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 4c:87:4d:25:3f:3d:5f:b9:9e:b1:35:2f:7e:be:26:da:6b:e0: 4a:77:56:79:80:9e:a7:8b:80:02:71:75:1c:12:28:e7:73:49: c8:b4:44:41:3f:1a:b4:b6:db:8e:33:8e:29:8f:01:2f:9e:dc: 34:1c:45:78:a2:8c:82:25:9e:da:5f:69:fb:3c:15:98:db:36: d7:a7:41:09:bc:b0:36:b7:ae:77:10:7a:7a:0e:00:ed:cd:22: 28:99:d3:a1:28:47:cd:6a:01:88:e5:d4:cc:42:be:d5:2a:16: 72:af:44:d8:b0:b9:83:99:e9:f3:08:c1:ea:f6:b1:11:ee:51: d7:83:b8:1e:7c:45:47:25:0d:bc:5e:9d:78:cc:c1:26:0c:33: 5b:78:e5:1a:5f:31:79:11:54:a7:42:3a:dc:ed:43:66:b5:6c: e1:f5:61:82:d5:92:19:f6:6c:e8:20:01:b4:0a:07:9f:5b:63: 1e:29:49:f0:58:4a:ed:ef:1a:67:a3:f1:ec:e3:e6:b3:50:3a: c4:5b:ef:23:55:13:69:0a:ac:42:77:22:4b:0b:34:c1:f4:e9: 80:89:ff:ff:43:af:84:4e:a7:ef:f0:28:7a:14:c0:ce:f9:4b: aa:db:29:4b:fb:5c:ac:bf:c9:5f:ce:cd:45:62:dc:6e:18:a0: cc:f5:07:e9 [root@centos8 CA]$ [root@centos8 CA]$tree . ├── cacert.pem ├── certs ├── crl ├── index.txt ├── newcerts ├── private │ └── cakey.pem └── serial 4 directories, 4 files
[root@centos8 data]$openssl req -new -key ./test.key -out ./test.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:henan Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:ljk Email Address []:ljk@qq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:ljk
三种策略(默认是 match):
match:要求申请填写的信息跟 CA 设置信息必须一致。
optional:可有可无,跟 CA 设置信息可不一致
supplied:必须填写这项申请信息
CA 签署证书
[root@centos8 data]$openssl ca -in ./test.csr -out /etc/pki/CA/certs/test.pem -days 100
# 查看 serial 与 subject 信息,对比检验是否与 index.txt 文件中的记录一致,一致则删除
[root@centos8 certs]$openssl x509 -in ./test.crt -noout -serial -subject
serial=01
subject=C = CN, ST = henan, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com
[root@centos8 certs]$
[root@centos8 certs]$cat ../index.txt
V 201217092506Z 01 unknown /C=CN/ST=henan/O=Default Company Ltd/CN=ljk/emailAddress=ljk@qq.com
# 吊销之前,查看一下状态
[root@centos8 certs]$openssl ca -status 1
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
# 吊销,注意目录
[root@centos8 certs]$openssl ca -revoke ../newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
# 吊销之后,再看一下状态
[root@centos8 certs]$openssl ca -status 1
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
# 初始化 CRL 编号文件 crlnumber(对应 CRL 中的 "X509v3 CRL Number"),注意:只需在第一次生成证书吊销列表前执行一次
[root@centos8 certs]$echo 01 > /etc/pki/CA/crlnumber
# 生成/更新证书吊销列表;每次吊销证书后都要重新生成,并且要在 CRL 的 Next Update 到期前再次更新,否则客户端会拿到过期的 CRL
[root@centos8 certs]$openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
# 查看crl文件 [root@centos8 certs]$openssl crl -in /etc/pki/CA/crl.pem -noout -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = CN, ST = henan, L = Default City, O = Default Company Ltd, CN = ljk, emailAddress = ljk@qq.com Last Update: Sep 8 09:39:42 2020 GMT Next Update: Oct 8 09:39:42 2020 GMT CRL extensions: X509v3 CRL Number: 1 Revoked Certificates: Serial Number: 01 Revocation Date: Sep 8 09:35:55 2020 GMT Signature Algorithm: sha256WithRSAEncryption 09:a1:00:89:ed:5a:4d:71:3d:39:f0:34:72:7a:df:49:91:a1: 82:86:4f:76:7f:f9:b9:54:13:b1:b5:05:18:aa:4b:88:28:33: 7a:cf:0e:e5:ff:e4:41:36:33:62:95:82:20:aa:de:1e:76:f5: 61:10:11:d7:1e:da:19:2e:cc:b5:3a:96:17:4d:98:b2:f3:23: 78:1a:af:20:7b:e9:f9:eb:3a:a7:b5:58:46:67:c1:60:8c:e6: 2f:79:3b:16:24:f6:09:fc:09:12:96:de:60:09:2e:78:60:e4: 18:1a:36:aa:b2:eb:a1:31:23:7c:33:9a:dc:59:7c:b0:dd:a6: fa:a6:72:23:9b:35:b7:4e:d3:98:44:49:44:66:9c:d4:82:56: 07:0d:23:da:1e:62:3e:6e:87:de:9e:6e:88:0f:0d:e7:50:3f: 67:9f:3f:86:89:c3:6a:bc:b8:bc:89:c4:8e:e8:d6:7b:12:81: 7f:85:07:3b:e0:34:d7:29:fd:67:fb:cb:7f:f3:51:f2:3f:a4: 68:ce:e2:f1:3c:c2:49:fd:72:e0:27:f5:e6:23:e8:ae:a6:8f: b4:ba:eb:bc:1b:c3:4b:dd:1b:9e:39:5e:a8:ed:87:1d:5b:9f: ef:42:02:68:2a:b4:c3:2d:31:24:3c:85:e7:d7:66:40:e2:07: 2e:61:77:0f