Building a private CA to handle certificate requests and issuance

2021-01-14 17:04:40  Reads: 157  Source: Internet

Tags: certificate private CA openssl echo certs key make


Building a private CA:

  • OpenCA: a complete, free PKI software suite from the OpenCA open-source project, built in Perl on top of OpenSSL
  • openssl: the relevant packages are openssl and openssl-libs

Certificate request and signing steps:

  • 1. Generate a certificate signing request (CSR)
  • 2. The RA verifies the request
  • 3. The CA signs it
  • 4. The requester obtains the certificate

Configuration file:

[root@centos8 ~]#cat /etc/pki/tls/openssl.cnf
#
......
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
 # several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
......

Creating the private CA

mkdir /etc/pki/CA/certs  /etc/pki/CA/crl  /etc/pki/CA/newcerts  /etc/pki/CA/private -pv

 tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

Generate the CA private key (run from /etc/pki/CA):

openssl genrsa -out private/cakey.pem

Generate the CA's self-signed certificate:

[root@CentOS8-8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:will
Organizational Unit Name (eg, section) []:linux43
Common Name (eg, your name or your server's hostname) []: *.will.org
Email Address []:admin@will.org
[root@CentOS8-8 CA]# ll
total 4
-rw-r--r-- 1 root root 1428 Jan 14 14:32 cacert.pem
drwxr-xr-x 2 root root    6 Jan 14 14:14 certs
drwxr-xr-x 2 root root    6 Jan 14 14:14 crl
drwxr-xr-x 2 root root    6 Jan 14 14:14 newcerts
drwxr-xr-x 2 root root   23 Jan 14 14:22 private

View the certificate

openssl x509 -in cacert.pem -noout -text

Generate a self-signed certificate (used when a single service needs a certificate and no CA is involved)

openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt

Requesting and issuing a certificate

[root@CentOS8-8 ~]# mkdir /data/app/certs -p
[root@CentOS8-8 ~]# cd /data/app/certs/

1. Generate a private key for the host that needs the certificate

#(umask 066; openssl genrsa -out /data/test.key 2048)   (example)

openssl genrsa -out app.key

2. Generate the certificate signing request for the host that needs the certificate

openssl req -new -key app.key -out app.csr

Create the files the CA needs (the index database and the starting serial number):

[root@CentOS8-8 certs]# touch /etc/pki/CA/index.txt
[root@CentOS8-8 certs]# echo 0F > /etc/pki/CA/serial

3. Sign the certificate on the CA and issue it to the requester

[root@CentOS8-8 certs]# openssl ca -in /data/app/certs/app.csr -out /etc/pki/CA/certs/app.crt -days 100

Note: by default (policy_match) the country, province and organization name in the request must match the CA certificate

Generating the key and the request with a single command

openssl req -newkey rsa:1024 -nodes -keyout app2.key -out app2.csr

Error when issuing to this requester:

[root@CentOS8-8 pki]# openssl ca -in /data/app/certs/app2.csr -out /etc/pki/CA/certs/app.crt -days 200
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (US)

Fix:

vim /etc/pki/tls/openssl.cnf
# edit line 99 of the config file
policy      = policy_match   # change to: policy      = policy_anything

Check whether a certificate (by serial number) is valid

openssl ca -status 0F

Revoking a certificate

Get the details of the certificate to be revoked

openssl x509 -in newcerts/10.pem -noout -text

On the CA, compare the serial and subject submitted by the client against the entries in index.txt; if they match, revoke the certificate:

openssl ca -revoke /etc/pki/CA/newcerts/10.pem # revoke the certificate

Set the number of the first CRL. Note: this is only needed once, before the certificate revocation list is generated for the first time

echo 01 > /etc/pki/CA/crlnumber

Update the certificate revocation list

openssl ca -gencrl -out /etc/pki/CA/crl.pem

View the CRL file:

openssl crl -in /etc/pki/CA/crl.pem -noout -text
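The whole flow above, from the [CA_default] configuration through signing, the policy_match rejection and revocation, as one added example that is not from the original post. It builds the CA in a throw-away directory with its own openssl.cnf, so /etc/pki/CA is never touched, and assumes only that the openssl command line tool is installed. The directory layout, the starting serial 0F and CRL number 01 follow the post; the will.org subjects, the "Will Private CA" name and all file names are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA driven by "openssl ca"
# in a scratch directory, so nothing under /etc/pki/CA is touched.  All subjects,
# file names and serial numbers are constructed for the demonstration.

# Minimal openssl.cnf with the [ca], [CA_default] and policy sections the post
# shows, rooted at $1.  policy_match is the default, exactly as on line 99.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
x509_extensions = usr_cert
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Layout, index.txt, first serial (0F) and CRL number (01) as in the post, then
# the CA key (umask 077), its self-signed certificate and an initial empty CRL.
setup_ca() {
    d=$1
    mkdir -p "$d/newcerts" "$d/private" && chmod 700 "$d/private"
    write_ca_config "$d"
    : > "$d/index.txt"; echo 0F > "$d/serial"; echo 01 > "$d/crlnumber"
    (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null) &&
    openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/private/cakey.pem" \
        -days 3650 -subj "/C=CN/ST=beijing/O=will/CN=Will Private CA" -out "$d/cacert.pem" &&
    openssl ca -config "$d/openssl.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# Key + CSR in one command (the post's app2 form), then "openssl ca" signs it.
# $1 CA dir, $2 name, $3 subject, $4 optional policy (overrides line 99 per request).
issue_cert() {
    d=$1; n=$2
    openssl req -newkey rsa:2048 -nodes -config "$d/openssl.cnf" -subj "$3" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    openssl ca -batch -notext -config "$d/openssl.cnf" -policy "${4:-policy_match}" \
        -in "$d/$n.csr" -out "$d/$n.crt" -days 100 2>/dev/null
}

# Chain check against the CA certificate, honouring the current CRL.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

# Mark the certificate revoked in index.txt and regenerate crl.pem.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null &&
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Number of revoked ("R") rows in the CA database.
revoked_count() { grep -c '^R' "$1/index.txt" || true; }

# Stand-alone walk-through.
W=$(mktemp -d)
setup_ca "$W"
issue_cert "$W" app "/C=CN/ST=beijing/O=will/CN=www.will.org" && echo "app.crt issued"
S2="/C=US/ST=beijing/O=will/CN=app2.will.org"
issue_cert "$W" app2 "$S2" || echo "app2 rejected: countryName US differs from the CA's CN under policy_match"
issue_cert "$W" app2 "$S2" policy_anything && echo "app2.crt issued with -policy policy_anything"
verify_cert "$W" app && echo "app.crt verifies"
revoke_cert "$W" app && echo "app.crt revoked, $(revoked_count "$W") R entry in index.txt"
verify_cert "$W" app || echo "app.crt now fails -crl_check"
rm -rf "$W"
```

Passing -policy policy_anything on the command line relaxes the check for that one request only, which is usually preferable to editing line 99 and relaxing it for every future signing. The verify step shows why the CRL matters: the revoked certificate still has a valid signature and validity period, so only a verifier that consults crl.pem (here via -crl_check) will reject it.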

Creating a self-signed certificate on CentOS 7

[root@centos7 ~]#cd /etc/pki/tls/certs
[root@centos7 certs]#make
This makefile allows you to create:
 o public/private key pairs
 o SSL certificate signing requests (CSRs)
 o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than random, add
SERIAL=num
You can also specify key length with KEYLEN=n and expiration in days with DAYS=n
Any additional options can be passed to openssl req via EXTRA_FLAGS
Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem EXTRA_FLAGS=-sha384
  make testcert DAYS=600
[root@centos7 certs]#ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@centos7 certs]#cat Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
 EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
 @echo "This makefile allows you to create:"
 @echo " o public/private key pairs"
 @echo " o SSL certificate signing requests (CSRs)"
 @echo " o self-signed SSL test certificates"
 @echo
 @echo "To create a key pair, run \"make SOMETHING.key\"."
 @echo "To create a CSR, run \"make SOMETHING.csr\"."
 @echo "To create a test certificate, run \"make SOMETHING.crt\"."
 @echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
 @echo
 @echo "To create a key for use with Apache, run \"make genkey\"."
 @echo "To create a CSR for use with Apache, run \"make certreq\"."
 @echo "To create a test certificate for use with Apache, run \"make testcert\"."
 @echo
 @echo "To create a test certificate with serial number other than random, add SERIAL=num"
 @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
 @echo "Any additional options can be passed to openssl req via EXTRA_FLAGS"
 @echo
 @echo Examples:
 @echo " make server.key"
 @echo " make server.csr"
 @echo " make server.crt"
 @echo " make stunnel.pem"
 @echo " make genkey"
 @echo " make certreq"
 @echo " make testcert"
 @echo " make server.crt SERIAL=1"
 @echo " make stunnel.pem EXTRA_FLAGS=-sha384"
 @echo " make testcert DAYS=600"
%.pem:
 umask 77 ; \
 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 $(EXTRA_FLAGS) ; \
 cat $$PEM1 >  $@ ; \
 echo ""   >> $@ ; \
 cat $$PEM2 >> $@ ; \
 $(RM) $$PEM1 $$PEM2
%.key:
 umask 77 ; \
 /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
 umask 77 ; \
 /usr/bin/openssl req $(UTF8) -new -key $^ -out $@
%.crt: %.key
 umask 77 ; \
 /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ $(EXTRA_FLAGS)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
 umask 77 ; \
 /usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
 umask 77 ; \
 /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) $(EXTRA_FLAGS)
[root@centos7 certs]#
[root@centos7 certs]#make app.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > app.key
Generating RSA private key, 2048 bit long modulus
...............+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key app.key -x509 -days 365 -out app.crt
Enter pass phrase for app.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:admin@magedu.org
[root@centos7 certs]#ls
app.crt app.key ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@centos7 certs]#openssl x509 -in app.crt -noout -text
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
            90:d7:97:6a:21:21:f8:5e
   Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it, CN=www.magedu.org/emailAddress=admin@magedu.org
       Validity
           Not Before: Feb  5 00:28:31 2020 GMT
           Not After : Feb  4 00:28:31 2021 GMT
        Subject: C=CN, ST=hubei, L=wuhan, O=magedu, OU=it, CN=www.magedu.org/emailAddress=admin@magedu.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (2048 bit)
               Modulus:
                    00:f8:dd:d3:ea:0b:f1:97:0f:27:de:44:a2:32:77:
                    fb:5c:73:74:17:7b:5f:a4:9c:a2:d4:3b:d4:49:4c:
                    da:e0:a2:6a:41:05:6e:10:1e:96:dc:95:34:ed:08:
                    05:18:ba:27:c5:e5:f0:7c:65:15:78:f8:9b:bf:ee:
                    41:ef:1c:6f:7f:35:29:fd:f5:cf:4a:f1:36:7e:0c:
                    37:96:b1:01:e5:aa:7f:6e:a0:56:b0:33:28:ed:db:
                    7a:56:34:67:83:be:bd:ad:3d:e7:80:d9:cf:6a:c7:
                    c9:7f:d1:83:73:33:7f:77:27:a5:2e:17:84:82:c7:
                    50:3d:20:d8:20:f1:5e:61:d2:69:07:8f:0e:cd:ea:
                    c2:51:bd:aa:a0:ce:61:18:6f:00:43:13:21:8d:6d:
                    3b:85:13:d8:93:ed:fc:65:28:ec:12:d1:67:40:d0:
                    98:54:9a:59:1e:10:4f:c5:8c:b5:b1:26:55:2f:e1:
                    53:1d:6b:71:88:64:e2:b1:21:28:8c:c7:04:3a:70:
                    87:c7:48:41:44:95:43:2f:e8:da:5f:f8:93:1a:9a:
                    de:e4:e3:82:57:60:6a:49:08:2e:5f:57:f7:62:b2:
                    bb:8a:1f:8b:2b:dc:40:dd:35:30:42:c1:f4:c6:1a:
                    0b:61:df:37:ed:bd:25:39:4c:5f:27:32:57:9e:d0:
                    11:9d
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Key Identifier:
                28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
            X509v3 Authority Key Identifier:
                keyid:28:48:D7:B5:02:7E:D7:4B:A1:74:A7:86:4B:3C:E5:FC:39:7B:F4:2E
           X509v3 Basic Constraints:
               CA:TRUE
   Signature Algorithm: sha256WithRSAEncryption
         a3:66:1b:85:dc:9e:1b:c7:c8:e4:29:3c:32:b2:fc:71:c9:79:
         9e:ad:db:78:bd:a4:42:1a:ef:d7:7f:4a:84:d9:46:e1:60:fa:
         9f:04:83:67:88:74:fd:99:d2:e3:7b:34:86:27:a1:d0:3c:be:
         5f:93:d0:17:e9:d1:f6:19:2b:d5:e7:48:1f:56:ac:65:22:ec:
         64:6f:a3:05:0c:83:2f:29:a8:ef:cc:25:51:d0:16:21:93:9e:
         85:fc:82:d4:8c:ba:14:47:6e:fd:33:44:71:a7:c4:7f:92:2a:
         01:40:f9:69:70:73:27:89:73:82:ea:21:95:48:e2:c1:5d:b8:
         ed:e7:61:49:88:1c:b6:8a:a6:bd:cc:83:6b:2c:19:b9:07:21:
         46:f8:1f:dc:cb:3c:9c:6d:b9:b1:dc:03:b0:5a:00:de:41:7c:
         96:d8:3a:f3:06:fc:24:03:60:54:35:85:a2:1e:79:fc:cb:6e:
         fd:e2:c3:7b:16:6e:7c:56:17:d4:64:c9:15:e9:a4:b0:9a:a7:
         c5:d6:f8:c8:e4:99:b1:b0:f0:8b:b4:ea:8e:a9:29:c1:4a:19:
         69:7a:d7:51:93:23:51:b6:0b:63:e1:45:a7:3f:65:4d:89:55:
         e8:52:29:0a:41:d2:fb:76:20:7e:14:da:a8:ad:e6:fc:b0:a9:
         5f:10:b0:d3
[root@centos7 certs]#
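The "openssl x509 -noout -text" output above is what a human reads; the added example below (not from the original post) turns the same three facts into checks a script can act on: is the certificate self-signed (issuer equals subject), does it carry CA:TRUE, and how long is it still valid. It also serves the earlier "view the certificate" and single-service self-signed steps. Note that the certificate produced by make app.crt above is a service certificate with CA:TRUE, which is the case the check is meant to flag. The example assumes only the openssl tool; the magedu.org subject and the file names are constructed here, and the tiny req config is the example's own, not the Makefile's.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a certificate the way
# "openssl x509 -noout -text" does, but as checks a script can act on.
# Subjects and file names are constructed for the demonstration.

# Self-signed test certificate in the style of "openssl req -x509" / "make app.crt".
# $1 = output basename, $2 = subject, $3 = "CA:TRUE" (as make app.crt yields) or "CA:FALSE"
make_selfsigned() {
    cat > "$1.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ext
[ dn ]
[ ext ]
basicConstraints = $3
EOF
    openssl req -utf8 -newkey rsa:2048 -nodes -subj "$2" -config "$1.cnf" \
        -keyout "$1.key" -x509 -days 365 -out "$1.crt" 2>/dev/null
}

# $1 = cert, $2 = -subject or -issuer; prints the DN without the "subject=" prefix.
cert_field() {
    openssl x509 -in "$1" -noout "$2" | sed 's/^[^=]*= *//'
}

# Self-signed means the issuer DN equals the subject DN (as in the output above).
cert_is_self_signed() {
    [ "$(cert_field "$1" -subject)" = "$(cert_field "$1" -issuer)" ]
}

# basicConstraints CA:TRUE.  A service certificate should not carry this: anything
# that trusts it could be tricked into trusting certificates it signs.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# $2 = days; succeeds if the certificate will still be valid that many days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

report() {
    printf '%s: subject=%s\n' "$1" "$(cert_field "$1" -subject)"
    cert_is_self_signed "$1" && echo "  self-signed"
    cert_is_ca "$1" && echo "  WARNING: CA:TRUE on a service certificate"
    cert_valid_for_days "$1" 30 || echo "  WARNING: expires within 30 days"
}

# Stand-alone walk-through: the CA:TRUE form seen in the post's output and a leaf-only form.
W=$(mktemp -d)
make_selfsigned "$W/app"  "/CN=www.magedu.org" "CA:TRUE"
make_selfsigned "$W/app2" "/CN=www.magedu.org" "CA:FALSE"
report "$W/app.crt"
report "$W/app2.crt"
rm -rf "$W"
```

The -checkend option takes a number of seconds and exits 0 only if the certificate will not have expired by then, which makes it convenient for cron-style expiry monitoring of the certificates a private CA has issued.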


Source: https://www.cnblogs.com/will-/p/14278118.html
