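The ca subcommand takes a CSR file prepared in advance and, with the -selfsign option, can generate a self-signed certificate using the specified private key. The req subcommand can also generate a self-signed certificate. In practice, self-signed certificates are generally used to create CA certificates. This article shows how to use the x509 subcommand together with a self-signed CA certificate to sign other certificate signing request (CSR) files.
Preparation: create the self-signed certificate
There are several ways to generate a self-signed certificate. Here we use the simplest one and directly generate a private key and a certificate file that can be used as a CA.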
[root@liumiaocn x509]# openssl req -new -x509 -keyout ca.key -nodes -out ca.crt -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a RSA private key
...........................................................................................................................................+++++
............+++++
writing new private key to 'ca.key'
-----
[root@liumiaocn x509]# ls -l
total 8
-rw-r--r--. 1 root root 1342 Dec 14 21:04 ca.crt
-rw-------. 1 root root 1708 Dec 14 21:04 ca.key
[root@liumiaocn x509]#
Verify the result
[root@liumiaocn x509]# openssl x509 -noout -in ca.crt -issuer -subject
issuer=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
[root@liumiaocn x509]#
[root@liumiaocn x509]# openssl x509 -noout -in ca.crt -dates
notBefore=Dec 15 02:04:19 2019 GMT
notAfter=Jan 14 02:04:19 2020 GMT
[root@liumiaocn x509]#
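The following is an added example, not part of the original article. It rebuilds a CA like the one above, signs a CSR with `openssl x509 -req` as the introduction describes, and checks the result. The config file, the `leaf.*` file names, the subject `app.devops.com` and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). File names, the leaf subject
# and the config are constructed; only the CA subject is taken from the page.
set -eu

make_ca() {   # $1 = work dir: writes ca.key / ca.crt with explicit CA extensions
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  ( umask 077   # -nodes leaves ca.key unencrypted, so keep it owner-only
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 -config "$1/ca.cnf" \
      -keyout "$1/ca.key" -out "$1/ca.crt" \
      -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com" 2>/dev/null )
}

sign_csr() {  # $1 = work dir, $2 = DNS name: CSR -> certificate signed by the CA
  openssl req -new -nodes -newkey rsa:2048 -config "$1/ca.cnf" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/O=devops/CN=$2" 2>/dev/null
  # x509 -req does not copy extensions from the CSR by default; set them here.
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1/leaf.ext"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -sha256 -extfile "$1/leaf.ext" -out "$1/leaf.crt" 2>/dev/null
}

is_ca() {     # prints yes/no depending on basicConstraints in certificate $1
  if openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

issued_by_ca() {  # $1 = work dir: chain check plus issuer/subject comparison
  openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -issuer -in "$1/leaf.crt" | sed 's/^issuer= *//')" = \
    "$(openssl x509 -noout -subject -in "$1/ca.crt" | sed 's/^subject= *//')" ]
}

work=$(mktemp -d)
make_ca "$work"; sign_csr "$work" app.devops.com
echo "ca.crt is CA: $(is_ca "$work/ca.crt"), leaf.crt is CA: $(is_ca "$work/leaf.crt")"
if issued_by_ca "$work"; then echo "leaf.crt chains to ca.crt"; fi
rm -rf "$work"
```

The `-days 30` on the CA matches the one-month validity that the `-dates` output above shows for a certificate created without `-days`.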
The details are as follows:
[root@liumiaocn x509]# cat ca.key
-----BEGIN PRIVATE KEY-----