Linux CA: Three Ways to Request a Certificate

Method 1:

Generate the private key

[root@cs1 ~]# openssl genrsa  -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................................++++
....................................................................................................................................++++
e is 65537 (0x010001)

Generate the certificate directly

[root@cs1 ~]# openssl req -new -x509 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ     
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:skills.com
Email Address []:

Method 2:

Create the certificate signing request (CSR) file

 openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:skills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generate the certificate

[root@cs1 ~]# openssl x509  -req -in ca.csr -signkey ca.key -out apache.cert
Signature ok
subject=C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
Getting Private key

Method 3:

Create the directories the CA needs

mkdir /etc/pki/CA/{certs,newcerts,crl,private} -p

Create the index file and the certificate serial number file

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

Create the cakey.pem private key

cd /etc/pki/CA
openssl genrsa -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..................++++
.....................................................................................................................++++
e is 65537 (0x010001)

Create the certificate signing request file

 openssl req -new -key private/cakey.pem -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ   
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:skills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Create the cacert.pem certificate (the file name must be correct)

[root@cs1 CA]# openssl x509 -req -in ca.csr -signkey private/cakey.pem -out cacert.pem
Signature ok
subject=C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
Getting Private key

Issue the certificate with the CA

 openssl ca -in ca.csr -out ca.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 16 11:19:33 2022 GMT
            Not After : Mar 16 11:19:33 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = skills
            organizationalUnitName    = system
            commonName                = skills.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:26:B1:E7:25:19:13:E7:3A:61:9A:0F:CC:8B:60:94:D6:4C:2E:2E
            X509v3 Authority Key Identifier: 
                DirName:/C=CN/ST=HN/L=ZZ/O=skills/OU=system/CN=skills.com
                serial:55:AE:60:2F:5D:B8:17:FB:94:55:0F:3D:C9:B7:08:A2:7D:F7:B1:F6

Certificate is to be certified until Mar 16 11:19:33 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

View the certificate

 openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
        Validity
            Not Before: Mar 16 11:19:33 2022 GMT
            Not After : Mar 16 11:19:33 2023 GMT
        Subject: C = CN, ST = HN, O = skills, OU = system, CN = skills.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:26:B1:E7:25:19:13:E7:3A:61:9A:0F:CC:8B:60:94:D6:4C:2E:2E
            X509v3 Authority Key Identifier: 
                DirName:/C=CN/ST=HN/L=ZZ/O=skills/OU=system/CN=skills.com
                serial:55:AE:60:2F:5D:B8:17:FB:94:55:0F:3D:C9:B7:08:A2:7D:F7:B1:F6

    Signature Algorithm: sha256WithRSAEncryption

After this, the CA can issue certificates to other clients.
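The walkthrough above signs the CA's own ca.csr; issuing to another client looks like the following added example, which is not part of the original post. It rebuilds the method 3 layout in a throwaway directory with its own config file, and it assumes 2048-bit keys for speed and a constructed client name, www.skills.com.

```shell
# Added example: method 3 layout in directory $1, then a certificate for a
# separate client key. 2048-bit keys and www.skills.com are assumptions.
make_ca_and_issue() {
    d=$1
    mkdir -p "$d/certs" "$d/newcerts" "$d/crl" "$d/private" || return 1
    touch "$d/index.txt" && echo 01 > "$d/serial" || return 1
    # Private config so the run does not depend on /etc/pki/tls/openssl.cnf
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/cacert.pem
private_key = $d/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
    # CA key readable by its owner only, and a self-signed CA cert with CA:TRUE
    ( umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -config "$d/ca.cnf" -extensions v3_ca -days 3650 \
        -key "$d/private/cakey.pem" -out "$d/cacert.pem" \
        -subj "/C=CN/ST=HN/L=ZZ/O=skills/OU=system/CN=skills.com" || return 1
    # The client generates its own key; only the CSR goes to the CA
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/ca.cnf" -key "$d/client.key" -out "$d/client.csr" \
        -subj "/C=CN/ST=HN/O=skills/OU=system/CN=www.skills.com" || return 1
    # -batch answers the two y/n prompts shown in the session above
    openssl ca -batch -config "$d/ca.cnf" -in "$d/client.csr" \
        -out "$d/client.crt" -days 365 2>/dev/null
}
demo=$(mktemp -d) && make_ca_and_issue "$demo" && openssl verify -CAfile "$demo/cacert.pem" "$demo/client.crt"
```

The final `openssl verify` confirms that client.crt chains to cacert.pem; the CA's private key never leaves the private/ directory and the client's key never reaches the CA.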
