SSL Basics: 21: Using the ca subcommand to sign other certificates

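The ca subcommand works from a CSR file prepared in advance and, with the -selfsign option, can use the specified private key to generate a self-signed certificate. The req subcommand can also generate self-signed certificates. In practice, self-signed certificates are mostly used to create CA certificates. The previous article described how to use the x509 subcommand together with a self-signed CA certificate to sign a certificate signing request (CSR) file; this article covers doing the same with the ca subcommand.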

Preparation: prepare the self-signed certificate

Prepare the private key and CSR file

You can prepare the private key and the CSR file separately with the genrsa subcommand and req -new, or generate both in one step with req -newkey.

[root@liumiaocn ca]# openssl req -newkey rsa:2048 -keyout ca.key  -nodes -out request.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a RSA private key
...........................+++++
.........+++++
writing new private key to 'ca.key'
-----
[root@liumiaocn ca]# ls
ca.key  request.csr
[root@liumiaocn ca]#

Check the private key and CSR contents

[root@liumiaocn ca]# openssl req -text -noout -verify -in request.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9a:18:76:96:e8:29:f6:f0:e7:ad:39:38:31:92:
                    23:7e:3d:f8:88:5f:8f:5f:27:c7:9c:07:6e:b1:3d:
                    13:05:85:37:44:a1:1c:e9:d2:05:40:a7:99:e7:92:
                    0b:6a:2e:4b:1c:54:b6:5f:ea:4e:db:0c:78:64:74:
                    e8:33:35:bd:f9:6e:65:58:5e:e7:a6:93:c5:32:99:
                    27:df:e3:34:01:a7:b8:32:18:b3:d1:2d:54:df:ec:
                    65:99:88:55:12:45:9b:6f:d5:f8:6f:6c:10:fd:85:
                    c0:f4:ab:38:a9:41:6b:91:42:6f:fd:f3:5c:c9:ec:
                    e0:f6:5e:81:9d:e1:10:56:ad:16:b9:26:e9:93:23:
                    20:f0:a3:3c:86:f8:bc:a3:2e:4e:0d:b0:3f:33:9c:
                    79:c1:0e:8d:37:66:8c:97:d8:78:4a:a8:5f:5a:f9:
                    1b:d7:b7:cc:8e:c9:24:a3:d6:1b:b0:7e:c4:a8:74:
                    dc:fb:b5:81:6c:97:69:92:92:39:69:e5:f3:26:12:
                    aa:af:33:05:31:41:9e:65:90:f0:b7:94:44:9d:41:
                    7e:b8:04:97:00:b4:2a:50:54:79:bf:35:09:8a:29:
                    27:39:06:e7:b3:23:c2:cf:43:d1:ec:69:8d:db:5a:
                    c7:e3:7f:55:09:4f:e4:e0:52:d6:98:fb:b7:1d:38:
                    4b:c3
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         6f:bd:e4:40:de:3f:0b:d1:37:03:74:e3:d6:e3:81:12:d8:bb:
         9e:e0:f0:d6:f3:7a:90:80:09:78:c1:8e:2f:22:d3:5e:06:89:
         01:10:2f:b3:46:dd:91:95:c9:28:4f:cc:71:fe:cc:a4:70:37:
         e7:3d:fb:73:5d:9c:6a:40:b8:7a:bd:93:61:a5:53:7f:ba:59:
         b3:c4:47:25:2b:d1:4b:f5:cd:99:df:64:1b:85:19:88:37:5a:
         b2:6a:00:26:b0:8e:5e:d4:29:f8:09:eb:bb:75:9b:38:d8:6d:
         35:e5:79:b6:fc:fb:e0:f5:1e:03:eb:1e:34:74:f9:f7:e0:f4:
         4e:a4:03:ac:17:8a:39:86:82:b4:0c:ed:b1:94:a3:ed:c8:e6:
         f2:f7:ef:12:5b:32:50:e4:f2:b0:e4:42:e3:22:84:f1:86:5e:
         77:d8:c9:b1:19:df:f1:0d:88:38:1f:2f:af:ad:63:3a:b8:a3:
         bf:aa:35:c1:de:84:ff:d3:4a:85:6d:e4:fd:56:a3:f7:72:99:
         e0:29:35:35:d3:9b:48:ac:0c:f3:5e:45:7f:a6:21:19:a9:40:
         b3:ab:a7:ac:80:4b:e8:84:a0:e7:77:1e:b6:ff:e1:f6:bf:51:
         1d:d9:d6:85:6c:7a:ce:c2:00:9a:4e:c3:9c:6b:51:59:a3:ce:
         a6:d6:66:43
[root@liumiaocn ca]#

Step 2: Sign the CSR file with the CA

Command: openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt -config openssl.cnf -days 365 -batch

Example configuration file settings

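Following the earlier explanation of the configuration file options, the example configuration file below is used here. It contains only the minimum settings required.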

[root@liumiaocn ca]# vi openssl.cnf
[root@liumiaocn ca]# mkdir newcerts
[root@liumiaocn ca]# touch index.txt
[root@liumiaocn ca]# echo "01" > serial
[root@liumiaocn ca]# cat serial 
01
[root@liumiaocn ca]# cat openssl.cnf 
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]
dir		= .
new_certs_dir	= $dir/newcerts		# default place for new certs.
database	= $dir/index.txt	# database index file.
default_md	= sha256		# use SHA-256 by default
policy		= policy_match
serial		= $dir/serial 		# The current serial number

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[root@liumiaocn ca]# 

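Configuration notes: to match the settings above, the newcerts directory is created to hold newly issued certificates, and the serial file holds the current serial number string.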

Create the self-signed certificate

[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt  -config openssl.cnf -days 365 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'unicorn'
commonName            :ASN.1 12:'devops.com'
Certificate is to be certified until Dec 14 03:07:57 2020 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@liumiaocn ca]# 

Check the result

[root@liumiaocn ca]# tree .
.
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── openssl.cnf
├── request.csr
├── serial
├── serial.old
└── test-cert.crt

1 directory, 10 files
[root@liumiaocn ca]# 

Signing with the ca subcommand

Step 1: Generate the certificate signing request (CSR) file

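Signing has a prerequisite, and the CSR file is that prerequisite. Applying for a paid certificate from a CA also requires providing a CSR file, although it may appear in a different form; in the end the CA likewise has to produce a similar CSR file.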

Example command: openssl req -new -out request-dev.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=dev/CN=dev.com"

For example, the following CSR file is generated here:

[root@liumiaocn ca]# openssl req -new -out request-dev.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=dev/CN=dev.com"
Generating a RSA private key
..........................+++++
........................................................................................................................................................................................................................................................................................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn ca]# ls
ca.key     index.txt.attr  newcerts     privkey.pem  request-dev.csr  serial.old
index.txt  index.txt.old   openssl.cnf  request.csr  serial           test-cert.crt
[root@liumiaocn ca]# 

Step 2: Sign with the ca subcommand and the CA certificate

Use -keyfile and -cert to specify the CA's private key and certificate file, then sign the CSR file to obtain the signed certificate file 02.pem.

Example signing command: openssl ca -in request-dev.csr -keyfile ca.key -cert newcerts/01.pem -config openssl.cnf -days 90 -batch

[root@liumiaocn ca]# openssl ca -in request-dev.csr -keyfile ca.key -cert newcerts/01.pem -config openssl.cnf -days 90 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'dev'
commonName            :ASN.1 12:'dev.com'
Certificate is to be certified until Mar 14 03:10:23 2020 GMT (90 days)

Write out database with 1 new entries
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, O=devops, OU=unicorn, CN=devops.com
        Validity
            Not Before: Dec 15 03:10:23 2019 GMT
            Not After : Mar 14 03:10:23 2020 GMT
        Subject: C=CN, ST=LiaoNing, O=devops, OU=dev, CN=dev.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ac:3c:66:ee:17:f0:60:9c:5c:3c:cb:82:72:57:
                    5e:a2:1a:c7:36:39:53:e9:96:76:ea:b0:60:9a:6f:
                    74:0a:fb:88:ae:16:bf:94:a1:9d:e9:f9:93:9b:13:
                    6d:48:af:29:b4:ab:4c:8d:77:59:05:5d:cf:86:14:
                    db:f8:4c:63:c0:bf:2c:8d:46:b7:19:4a:91:3f:a0:
                    70:41:d0:5f:e8:cd:6a:60:08:da:96:31:74:6c:4d:
                    18:b4:1e:d7:af:0d:db:0a:f2:87:8b:be:a9:6c:48:
                    c7:3d:55:76:5e:15:a6:86:1f:b8:58:ec:70:1d:4d:
                    fb:ab:9e:9e:66:66:f1:43:e0:22:b6:ea:65:5f:35:
                    75:35:8d:41:a2:1e:af:21:b5:53:ac:3e:7b:3f:c2:
                    83:f2:af:cd:d1:63:9f:83:d2:16:19:13:30:f1:a3:
                    93:05:16:93:fb:3c:1a:5b:8d:c5:82:7a:70:cb:78:
                    95:58:be:94:6a:bb:8e:86:1f:59:24:d2:43:cd:39:
                    36:22:b9:3b:1e:d4:a4:4b:23:36:43:a3:44:2d:be:
                    89:56:e3:de:04:a1:68:6f:9a:d0:a2:ea:4a:ff:f3:
                    e6:31:95:c4:3d:f1:a5:52:cb:08:44:67:8e:f0:f0:
                    36:43:2d:67:77:a2:32:01:9d:45:51:0b:bf:6b:4f:
                    b1:f5
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         81:99:be:7b:c8:b4:f0:b5:5f:5c:a2:39:bc:47:bb:b0:e1:46:
         b9:63:54:33:c0:89:d2:4b:f1:16:b2:08:ef:63:a9:7d:26:45:
         95:08:62:a6:11:d1:45:c3:78:db:cd:05:95:77:a1:30:cd:b5:
         59:70:2b:35:11:23:c7:92:48:d1:19:b2:d0:e6:de:53:47:59:
         bd:c7:c2:d7:b1:19:54:8c:66:86:34:4c:26:14:90:43:63:35:
         19:44:79:cf:f0:b9:e3:04:74:6b:c0:ee:5d:58:db:c4:a8:18:
         fa:b6:43:71:ee:41:b9:f0:cb:0c:b9:0c:a5:09:49:11:72:7b:
         d3:cb:f0:25:99:e2:61:74:c2:20:3c:d8:06:f8:b4:fe:70:f1:
         c4:c9:1c:fb:c4:89:87:16:34:39:f0:de:03:da:a3:b7:f5:5f:
         16:cf:58:68:2c:fc:a0:86:49:20:49:a6:1e:09:bf:6d:6b:2f:
         0c:af:df:df:8c:42:6f:95:69:ed:26:90:07:35:66:3b:e1:9a:
         b8:18:6c:14:91:0c:10:3c:25:0a:ff:97:fe:e9:ca:13:61:22:
         c0:7e:16:63:92:c5:a5:88:f2:38:e8:e9:fb:a0:62:54:e6:e2:
         fb:3d:71:e7:9f:b3:3b:f1:0d:2b:a4:d0:18:13:0f:25:b5:77:
         76:b4:21:b8
Data Base Updated
[root@liumiaocn ca]#

The result is as follows

[root@liumiaocn ca]# tree .
.
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── openssl.cnf
├── privkey.pem
├── request.csr
├── request-dev.csr
├── serial
├── serial.old
└── test-cert.crt

1 directory, 14 files
[root@liumiaocn ca]# 
[root@liumiaocn ca]# openssl x509 -noout -in newcerts/02.pem -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = dev, CN = dev.com
notBefore=Dec 15 03:10:23 2019 GMT
notAfter=Mar 14 03:10:23 2020 GMT
[root@liumiaocn ca]# 

Simplifying certificate signing

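Because the ca subcommand reads a configuration file, settings placed in that file reduce the number of arguments needed when signing. Change the configuration as follows: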

[root@liumiaocn ca]# cat openssl.cnf 
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]
dir		= .
new_certs_dir	= $dir/newcerts		# default place for new certs.
database	= $dir/index.txt	# database index file.
default_md	= sha256		# use SHA-256 by default
policy		= policy_match
serial		= $dir/serial 		# The current serial number
private_key	= $dir/private/ca.key   # The private key
certificate	= $dir/ca.crt   	# The CA certificate
default_days	= 90 			# how long to certify for

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[root@liumiaocn ca]#

Then make the following preparations to match these settings

[root@liumiaocn ca]# cp newcerts/01.pem ca.crt
[root@liumiaocn ca]# mkdir private
[root@liumiaocn ca]# cp ca.key private/ca.key
[root@liumiaocn ca]# tree .
.
├── ca.crt
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── openssl.cnf
├── private
│   └── ca.key
├── privkey.pem
├── request.csr
├── request-dev.csr
├── serial
├── serial.old
└── test-cert.crt

2 directories, 16 files
[root@liumiaocn ca]#

Example command to generate the CSR: openssl req -new -out request-test.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=test/CN=test.com"

[root@liumiaocn ca]# openssl req -new -out request-test.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=test/CN=test.com"
Generating a RSA private key
.........+++++
....................................................................................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn ca]#

Example signing command: openssl ca -config openssl.cnf -batch -in request-test.csr

[root@liumiaocn ca]# openssl ca -config openssl.cnf -batch -in request-test.csr 
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'test'
commonName            :ASN.1 12:'test.com'
Certificate is to be certified until Mar 14 05:07:14 2020 GMT (90 days)

Write out database with 1 new entries
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, O=devops, OU=unicorn, CN=devops.com
        Validity
            Not Before: Dec 15 05:07:14 2019 GMT
            Not After : Mar 14 05:07:14 2020 GMT
        Subject: C=CN, ST=LiaoNing, O=devops, OU=test, CN=test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:28:1e:a6:1b:2c:67:69:6d:7d:bf:ec:a5:df:
                    d7:87:f1:b6:42:3c:48:87:39:36:08:13:29:1e:48:
                    ab:dd:45:33:77:44:81:00:6f:95:63:1a:3f:58:d7:
                    6d:70:ff:f7:d8:3c:c7:50:9d:e5:d9:d2:49:16:cb:
                    92:dc:20:11:46:96:67:d6:16:ba:cd:c2:67:d1:6b:
                    a2:c4:a7:aa:d0:cf:34:2a:b8:98:8d:30:b1:c0:86:
                    d2:a8:77:85:de:29:11:7f:6a:cf:83:b2:c9:c3:a4:
                    4f:f2:4b:c2:51:14:7e:cc:db:d4:a9:e5:65:50:a4:
                    a1:95:f8:d0:a0:c6:71:85:3b:c1:89:69:8b:e8:60:
                    c8:d2:b4:ee:85:35:56:a1:5a:db:b4:d6:66:ff:16:
                    cd:55:fe:7d:61:d6:51:7f:3e:30:ff:63:9c:0d:5f:
                    af:24:7a:c6:21:ee:57:80:d2:a3:d8:1d:10:42:54:
                    b0:27:cd:dc:7c:da:8a:8e:3a:68:89:09:5d:4b:7e:
                    04:d0:5e:ec:a4:ea:2e:a5:ea:06:52:8a:8e:f4:72:
                    8e:b8:ff:e6:1b:36:11:a9:1e:f0:02:25:c2:8f:05:
                    f8:0e:e2:43:18:a2:43:4b:6f:23:f4:3f:96:54:3e:
                    68:de:6c:9e:98:a7:44:5e:6a:17:ac:2a:70:01:cb:
                    d5:1f
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         0c:6e:41:38:29:ad:a4:5d:0b:05:1c:f7:fb:1b:d7:14:29:8c:
         70:fe:61:78:5c:d7:3f:ab:b9:da:e9:44:ca:c0:9c:8f:2a:1c:
         75:4a:7d:c3:29:fe:9a:8f:8f:60:e7:54:cc:f1:7c:36:05:d9:
         9a:11:e8:c5:d2:44:78:65:2e:24:21:84:22:41:09:50:9c:72:
         82:4f:b0:54:4b:a9:55:cc:fc:87:b7:9b:de:af:98:34:b0:3d:
         1f:fb:cc:ad:c3:c3:b7:47:0a:e2:05:47:70:2c:25:92:48:3f:
         38:8e:df:24:69:80:6d:99:f3:6e:db:ac:57:1e:9b:88:44:dd:
         e8:12:03:ac:03:8c:07:a4:49:6f:00:96:6a:70:e3:a7:55:1b:
         78:82:a2:89:14:eb:3a:d9:d7:e7:2c:62:79:65:11:e1:8a:51:
         f2:3e:aa:98:d7:fe:c8:89:5a:05:1b:1e:b4:65:c5:a4:b0:ba:
         e9:25:58:07:14:02:6e:54:6a:58:75:af:05:5a:5e:01:c8:3f:
         b6:37:76:e2:4e:a0:ff:5f:c5:f9:c3:15:d3:27:7f:5d:fa:a5:
         64:f5:2b:c5:14:01:5c:12:ec:1f:c7:a2:86:31:c2:7c:9e:cf:
         44:8f:da:96:ae:a9:dd:aa:18:78:02:6d:1b:b1:4c:2a:76:cb:
         f1:0b:1d:79
Data Base Updated
[root@liumiaocn ca]# 

The generated 03.pem is the issued certificate file

[root@liumiaocn ca]# tree .
.
├── ca.crt
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   ├── 02.pem
│   └── 03.pem
├── openssl.cnf
├── private
│   └── ca.key
├── privkey.pem
├── request.csr
├── request-dev.csr
├── request-test.csr
├── serial
├── serial.old
└── test-cert.crt

2 directories, 18 files
[root@liumiaocn ca]# openssl x509 -in newcerts/03.pem -noout -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = test, CN = test.com
notBefore=Dec 15 05:07:14 2019 GMT
notAfter=Mar 14 05:07:14 2020 GMT
[root@liumiaocn ca]# 
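
The certificates issued above show `Version: 1 (0x0)` because the minimal configuration defines no extensions, so nothing in the CA certificate marks it as a CA. The script below is an added example, not part of the original article: it reuses the page's configuration, adds extension sections, and shows policy_match refusing a CSR whose organizationName differs from the CA's. The section names v3_ca and v3_leaf, the [ req ]/[ dn ] stubs, the temporary directory and the othercorp subject are assumptions made for the example.

```shell
# Added example: v3_ca/v3_leaf, the [ req ]/[ dn ] stubs and file names are assumptions.
ca_policy_demo() {
  local d; d=$(mktemp -d) || return 1
  ( cd "$d" || exit 1
    mkdir newcerts private && touch index.txt && echo 01 > serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
default_md = sha256
policy = policy_match
serial = $dir/serial
private_key = $dir/private/ca.key
certificate = $dir/ca.crt
default_days = 90
x509_extensions = v3_leaf
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
EOF
    mkcsr() { openssl req -config openssl.cnf -newkey rsa:2048 -nodes \
                -keyout "$1.key" -out "$1.csr" -subj "/C=CN/ST=LiaoNing/O=$2/CN=$3"; }
    sign() { openssl ca -config openssl.cnf -batch -notext "$@"; }
    mkcsr private/ca devops devops.com
    sign -selfsign -extensions v3_ca -days 365 -in private/ca.csr -out ca.crt
    mkcsr dev devops dev.com             # O matches the CA: policy accepts
    mkcsr other othercorp other.example  # O differs: policy must refuse
    sign -in dev.csr -out dev.crt && echo "dev=issued"
    sign -in other.csr -out other.crt || echo "other=rejected"
    openssl verify -CAfile ca.crt dev.crt >/dev/null && echo "chain=ok"
    openssl x509 -in ca.crt -noout -text | grep -q 'CA:TRUE' && echo "ca_flag=set"
  ) 2>/dev/null; rm -rf "$d"   # 2>/dev/null hides openssl's progress and policy error text
}
ca_policy_demo
```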