SSL Basics: 21: Signing Other Certificates with the ca Subcommand

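The ca subcommand takes a CSR file prepared in advance and, with the -selfsign option and a specified private key, can generate a self-signed certificate. The req subcommand can also generate self-signed certificates. In practice, a self-signed certificate is generally used to create a CA certificate. The previous article showed how to use the x509 subcommand together with a self-signed CA certificate to sign other certificate signing requests (CSR files); this article shows how to do it with the ca subcommand.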

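Preparation: Create the self-signed certificate

Prepare the private key and CSR file

You can prepare the private key and the CSR file separately with the genrsa subcommand and req -new, or generate both in a single step with req -newkey.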

[root@liumiaocn ca]# openssl req -newkey rsa:2048 -keyout ca.key  -nodes -out request.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a RSA private key
...........................+++++
.........+++++
writing new private key to 'ca.key'
-----
[root@liumiaocn ca]# ls
ca.key  request.csr
[root@liumiaocn ca]#

Check the private key and CSR contents

[root@liumiaocn ca]# openssl req -text -noout -verify -in request.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
[root@liumiaocn ca]#

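Step 2: Sign the CSR file with the CA

Command: openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt -config openssl.cnf -days 365 -batch

Example configuration file

Based on the earlier explanation of the configuration file options, the following example configuration file is used here. It contains only the minimum settings required.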

[root@liumiaocn ca]# vi openssl.cnf
[root@liumiaocn ca]# mkdir newcerts
[root@liumiaocn ca]# touch index.txt
[root@liumiaocn ca]# echo "01" > serial
[root@liumiaocn ca]# cat serial 
01
[root@liumiaocn ca]# cat openssl.cnf 
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]
dir		= .
new_certs_dir	= $dir/newcerts		# default place for new certs.
database	= $dir/index.txt	# database index file.
default_md	= sha256		# use SHA-256 by default
policy		= policy_match
serial		= $dir/serial 		# The current serial number

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[root@liumiaocn ca]# 

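Configuration notes: to match the settings above, the newcerts directory is created to hold newly issued certificates, and the serial file holds the current serial number string.

Create the self-signed certificate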

[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt  -config openssl.cnf -days 365 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'unicorn'
commonName            :ASN.1 12:'devops.com'
Certificate is to be certified until Dec 14 03:07:57 2020 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[root@liumiaocn ca]# 

Check the result

[root@liumiaocn ca]# tree .
.
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── openssl.cnf
├── request.csr
├── serial
├── serial.old
└── test-cert.crt

1 directory, 10 files
[root@liumiaocn ca]# 

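Signing with the ca subcommand

Step 1: Generate the certificate signing request (CSR) file

Signing has a prerequisite, and the CSR file is that prerequisite. Applying for a paid certificate from a commercial CA also requires supplying a CSR file, although it may appear in a different form; in the end the CA likewise needs a similar CSR file to be generated.

Example command: openssl req -new -out request-dev.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=dev/CN=dev.com"

For example, the following CSR file is generated here: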

[root@liumiaocn ca]# openssl req -new -out request-dev.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=dev/CN=dev.com"
Generating a RSA private key
..........................+++++
........................................................................................................................................................................................................................................................................................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn ca]# ls
ca.key     index.txt.attr  newcerts     privkey.pem  request-dev.csr  serial.old
index.txt  index.txt.old   openssl.cnf  request.csr  serial           test-cert.crt
[root@liumiaocn ca]# 

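Step 2: Sign with the ca subcommand and the CA certificate

Use -keyfile and -cert to specify the CA's private key and certificate file, then sign the CSR file; the signed certificate file is 02.pem.

Example signing command: openssl ca -in request-dev.csr -keyfile ca.key -cert newcerts/01.pem -config openssl.cnf -days 90 -batch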

[root@liumiaocn ca]# openssl ca -in request-dev.csr -keyfile ca.key -cert newcerts/01.pem -config openssl.cnf -days 90 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'dev'
commonName            :ASN.1 12:'dev.com'
Certificate is to be certified until Mar 14 03:10:23 2020 GMT (90 days)

Write out database with 1 new entries
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, O=devops, OU=unicorn, CN=devops.com
        Validity
            Not Before: Dec 15 03:10:23 2019 GMT
            Not After : Mar 14 03:10:23 2020 GMT
        Subject: C=CN, ST=LiaoNing, O=devops, OU=dev, CN=dev.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
Data Base Updated
[root@liumiaocn ca]#

The result is as follows

[root@liumiaocn ca]# tree .
.
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── openssl.cnf
├── privkey.pem
├── request.csr
├── request-dev.csr
├── serial
├── serial.old
└── test-cert.crt

1 directory, 14 files
[root@liumiaocn ca]# 
[root@liumiaocn ca]# openssl x509 -noout -in newcerts/02.pem -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = dev, CN = dev.com
notBefore=Dec 15 03:10:23 2019 GMT
notAfter=Mar 14 03:10:23 2020 GMT
[root@liumiaocn ca]# 
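
Each signing run above ends with "Data Base Updated": openssl ca appends a line to index.txt and advances the serial file. The script below is an added example, not part of the original article; it audits those files for entries still marked valid after their expiry, repeated serials, a serial file that has fallen behind, and issued certificates missing from newcerts. The function names are hypothetical and the sample data is constructed from the values shown above.

```shell
# Added example, not from the article: audit the state files openssl ca maintains.
# index.txt is tab-separated: status (V/R/E), notAfter as YYMMDDHHMMSSZ,
# revocation date, serial (hex), file name, subject. Dates are assumed to be 20xx.
audit_ca_db() {    # usage: audit_ca_db <ca-dir> "$(date -u +%y%m%d%H%M%SZ)"
    ca_dir=$1
    awk -F '\t' -v now="$2" -v nxt="$(cat "$ca_dir/serial")" '
        # order hex serials by length first, then text, so "0100" sorts above "FF"
        function key(s) { return sprintf("%04d%s", length(s), toupper(s)) }
        $1 == "V" && $2 < now { print "STALE-VALID", $4 }   # expired, never -updatedb
        seen[$4]++            { print "DUPLICATE-SERIAL", $4 }
        key($4) >= key(nxt)   { print "SERIAL-FILE-BEHIND", $4 }
                              { print "ISSUED", $4 }
    ' "$ca_dir/index.txt" | while read -r kind serial; do
        case $kind in
            ISSUED) [ -f "$ca_dir/newcerts/$serial.pem" ] || echo "MISSING-FILE $serial" ;;
            *)      echo "$kind $serial" ;;
        esac
    done
}

# Constructed sample mirroring the article's CA after serials 01 and 02 were
# issued, with 02.pem deliberately absent from newcerts.
make_sample_ca() {
    mkdir -p "$1/newcerts" && : > "$1/newcerts/01.pem" && echo 03 > "$1/serial"
    printf 'V\t201214030757Z\t\t01\tunknown\t/C=CN/ST=LiaoNing/O=devops/OU=unicorn/CN=devops.com\n' > "$1/index.txt"
    printf 'V\t200314031023Z\t\t02\tunknown\t/C=CN/ST=LiaoNing/O=devops/OU=dev/CN=dev.com\n' >> "$1/index.txt"
}
```

An empty result means the database, the serial file and newcerts agree with each other at the given time.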

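Simplifying certificate signing

Because the ca subcommand uses a configuration file, settings in that file can reduce the arguments that have to be given when signing. Modify the configuration as follows: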

[root@liumiaocn ca]# cat openssl.cnf 
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]
dir		= .
new_certs_dir	= $dir/newcerts		# default place for new certs.
database	= $dir/index.txt	# database index file.
default_md	= sha256		# use SHA-256 by default
policy		= policy_match
serial		= $dir/serial 		# The current serial number
private_key	= $dir/private/ca.key   # The private key
certificate	= $dir/ca.crt   	# The CA certificate
default_days	= 90 			# how long to certify for

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[root@liumiaocn ca]#

Then prepare the files to match these settings:

[root@liumiaocn ca]# cp newcerts/01.pem ca.crt
[root@liumiaocn ca]# mkdir private
[root@liumiaocn ca]# cp ca.key private/ca.key
[root@liumiaocn ca]# tree .
.
├── ca.crt
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── openssl.cnf
├── private
│   └── ca.key
├── privkey.pem
├── request.csr
├── request-dev.csr
├── serial
├── serial.old
└── test-cert.crt

2 directories, 16 files
[root@liumiaocn ca]#

Example CSR generation command: openssl req -new -out request-test.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=test/CN=test.com"

[root@liumiaocn ca]# openssl req -new -out request-test.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=test/CN=test.com"
Generating a RSA private key
.........+++++
....................................................................................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn ca]#

Example signing command: openssl ca -config openssl.cnf -batch -in request-test.csr

[root@liumiaocn ca]# openssl ca -config openssl.cnf -batch -in request-test.csr 
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'test'
commonName            :ASN.1 12:'test.com'
Certificate is to be certified until Mar 14 05:07:14 2020 GMT (90 days)

Write out database with 1 new entries
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, O=devops, OU=unicorn, CN=devops.com
        Validity
            Not Before: Dec 15 05:07:14 2019 GMT
            Not After : Mar 14 05:07:14 2020 GMT
        Subject: C=CN, ST=LiaoNing, O=devops, OU=test, CN=test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
Data Base Updated
[root@liumiaocn ca]# 

The generated 03.pem is the issued certificate file.

[root@liumiaocn ca]# tree .
.
├── ca.crt
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   ├── 02.pem
│   └── 03.pem
├── openssl.cnf
├── private
│   └── ca.key
├── privkey.pem
├── request.csr
├── request-dev.csr
├── request-test.csr
├── serial
├── serial.old
└── test-cert.crt

2 directories, 18 files
[root@liumiaocn ca]# openssl x509 -in newcerts/03.pem -noout -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = test, CN = test.com
notBefore=Dec 15 05:07:14 2019 GMT
notAfter=Mar 14 05:07:14 2020 GMT
[root@liumiaocn ca]# 
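
The certificates issued in this article are X.509 version 1 (the output shows Version: 1 (0x0)), so they carry no extensions such as basicConstraints or keyUsage, and the L=DaLian from the CSR is missing from the issued names because policy_match does not list localityName. The script below is an added example, not the article's own commands: it repeats the same openssl ca workflow in a scratch directory with extension sections, so the CA certificate is marked CA:TRUE and issued certificates CA:FALSE. The section names v3_ca and v3_leaf, the [ req ] / [ dn ] stubs, the function names and the leaf.* file names are assumptions of this example.

```shell
# Added example, not the article's commands. Section names v3_ca / v3_leaf,
# the [ req ] / [ dn ] stubs and the leaf.* file names are assumptions.
build_demo_ca() (                  # subshell body: cd, umask and set -e stay local
    set -e; umask 077              # key files and CA state become owner-only
    mkdir -p "$1/newcerts" "$1/private" && cd "$1"
    : > index.txt && echo 01 > serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/ca.key
certificate     = $dir/ca.crt
default_md      = sha256
default_days    = 90
policy          = policy_match
x509_extensions = v3_leaf        # used unless -extensions names another section
copy_extensions = none           # ignore extensions requested inside the CSR
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional   # fields not listed here are dropped
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
[ req ]
distinguished_name = dn          # empty stub so req accepts this config
[ dn ]
EOF
    base="/C=CN/ST=LiaoNing/L=DaLian/O=devops"
    openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout private/ca.key \
        -out request.csr -subj "$base/OU=unicorn/CN=devops.com"
    openssl ca -config openssl.cnf -batch -notext -selfsign -extensions v3_ca \
        -days 365 -in request.csr -out ca.crt
    openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
        -out leaf.csr -subj "$base/OU=dev/CN=dev.com"
    openssl ca -config openssl.cnf -batch -notext -in leaf.csr -out leaf.crt
)
cert_summary() {   # prints "v<version> <basicConstraints value>" for one certificate
    openssl x509 -in "$1" -noout -text | awk '/Version:/ {v=$2}
        /CA:(TRUE|FALSE)/ {gsub(/^ +/, ""); b=$0} END {print "v" v, b}'
}
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null; }
```

Run build_demo_ca on a scratch directory, then cert_summary on ca.crt and leaf.crt to compare against the Version: 1 output above. A TLS server certificate also needs a subjectAltName, which this example does not set.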

Author: 淼叔 (CSDN certified blog expert)