CFSSL: Certificate management tool: 2: Creating the CA private key and CA certificate

There are several ways to generate a CA's private key and self-signed certificate with OpenSSL; doing the same with CFSSL is just as simple.

Preparation

Decide in advance on the length of the CA private key and on the Subject fields of the CSR. Running cfssl print-defaults produces a template csr file, which is then edited to suit.

Generating the CSR file template

[root@liumiaocn cfssl]# ls
cfssl  cfssl-certinfo  cfssljson
[root@liumiaocn cfssl]# mkdir ca
[root@liumiaocn cfssl]# cd ca
[root@liumiaocn ca]# ../cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@liumiaocn ca]# 
[root@liumiaocn ca]# ../cfssl print-defaults list
Default configurations are available for:
	config
	csr
[root@liumiaocn ca]# 
[root@liumiaocn ca]# ../cfssl print-defaults csr
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

[root@liumiaocn ca]# 
[root@liumiaocn ca]# ../cfssl print-defaults csr >ca-csr.json
[root@liumiaocn ca]#

The CA CSR file after editing is shown below:

[root@liumiaocn ca]# ls
ca-csr.json
[root@liumiaocn ca]# cat ca-csr.json 
{
    "CN": "devops.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing",
            "O": "devops",
            "OU": "unicorn"
        }
    ]
}

[root@liumiaocn ca]#

Generating the CA private key, the CSR file and the CA certificate

The following command generates the CA private key, the CSR file and the CA certificate in a single step.

[root@liumiaocn ca]# ../cfssl gencert -initca ca-csr.json |../cfssljson -bare ca -
2019/12/15 06:12:02 [INFO] generating a new CA key and certificate from CSR
2019/12/15 06:12:02 [INFO] generate received request
2019/12/15 06:12:02 [INFO] received CSR
2019/12/15 06:12:02 [INFO] generating key: rsa-2048
2019/12/15 06:12:03 [INFO] encoded CSR
2019/12/15 06:12:03 [INFO] signed certificate with serial number 72583730418191516028003096307996422627737938938
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@liumiaocn ca]#

The file types are as follows:

[root@liumiaocn ca]# file *
ca.csr:      PEM certificate request
ca-csr.json: ASCII text
ca-key.pem:  PEM RSA private key
ca.pem:      PEM certificate
[root@liumiaocn ca]# 

The file contents are as follows:

[root@liumiaocn ca]# cat ca-key.pem 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@liumiaocn ca]# 
[root@liumiaocn ca]# cat ca.csr 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
[root@liumiaocn ca]# 
[root@liumiaocn ca]# cat ca.pem 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@liumiaocn ca]# 
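The single cfssl gencert -initca command above is doing several things at once. The Go program below is an added example written for this page, not cfssl's own code: it reads the page's edited ca-csr.json (embedded here as a constant), generates the RSA key, derives the key identifier, and self-signs a CA certificate carrying the same extensions that the page's certificate shows (Key Usage = Certificate Sign + CRL Sign, CA:TRUE with pathlen 2, Subject Key Identifier equal to the Authority Key Identifier). The 43800-hour validity, the 20-byte random serial and the refusal of RSA keys shorter than 2048 bits are choices made in this example to match the page's output; the names GenerateInitCA, subjectFromConfig and CaCSRJSON are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// csrConfig mirrors the fields of the ca-csr.json used on the page.
type csrConfig struct {
	CN    string `json:"CN"`
	Key   struct{ Algo string `json:"algo"`; Size int `json:"size"` } `json:"key"`
	Names []struct{ C, L, ST, O, OU string } `json:"names"`
}

// CaCSRJSON is the page's edited ca-csr.json, embedded here as constructed input.
const CaCSRJSON = `{
  "CN": "devops.com",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "DaLian", "ST": "LiaoNing", "O": "devops", "OU": "unicorn"}]
}`

// subjectFromConfig maps the CFSSL "names" entries onto an X.509 Subject.
func subjectFromConfig(cfg csrConfig) pkix.Name {
	name := pkix.Name{CommonName: cfg.CN}
	for _, n := range cfg.Names {
		name.Country = append(name.Country, n.C)
		name.Province = append(name.Province, n.ST)
		name.Locality = append(name.Locality, n.L)
		name.Organization = append(name.Organization, n.O)
		name.OrganizationalUnit = append(name.OrganizationalUnit, n.OU)
	}
	return name
}

// GenerateInitCA does for an RSA config what `cfssl gencert -initca` does: it creates a
// new key and a self-signed CA certificate from the CSR config. It returns the PEM bodies
// that cfssljson -bare ca would write to ca-key.pem and ca.pem. The defaults below
// (assumptions for this example) match the extensions visible in the page's output.
func GenerateInitCA(configJSON []byte, validity time.Duration) ([]byte, []byte, error) {
	var cfg csrConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, nil, fmt.Errorf("parse csr config: %w", err)
	}
	if cfg.Key.Algo != "rsa" || cfg.Key.Size < 2048 {
		return nil, nil, fmt.Errorf("this example handles rsa keys of at least 2048 bits, got %s-%d", cfg.Key.Algo, cfg.Key.Size)
	}
	key, err := rsa.GenerateKey(rand.Reader, cfg.Key.Size)
	if err != nil {
		return nil, nil, err
	}
	// Random 20-byte serial; the serial in the page's output has the same length.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159))
	if err != nil {
		return nil, nil, err
	}
	// Subject Key Identifier per RFC 5280 method 1: SHA-1 over the subjectPublicKey bits.
	// Reusing it as the Authority Key Identifier is what makes a root's SKI and AKI equal.
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey))
	now := time.Now().UTC().Truncate(time.Minute)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subjectFromConfig(cfg),
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            2,
		SubjectKeyId:          ski[:],
		AuthorityKeyId:        ski[:],
	}
	// Passing tmpl as its own parent signs it with its own key: a self-signed root.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return keyPEM, certPEM, nil
}

func main() {
	_, certPEM, err := GenerateInitCA([]byte(CaCSRJSON), 43800*time.Hour) // 5 x 365 days, as on the page
	if err != nil {
		panic(err)
	}
	fmt.Print(string(certPEM))
}
```

The "RSA PRIVATE KEY" and "CERTIFICATE" PEM labels are the ones the page's file command reports for ca-key.pem and ca.pem. The private key is returned unencrypted, exactly as cfssljson writes it, so the same handling rules apply: ca-key.pem is the root of trust for everything this CA signs and must not be left world-readable or checked into a repository.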

Checking the result

The cfssl-certinfo command shows the contents of the CA certificate in detail, as follows:

[root@liumiaocn ca]# ../cfssl-certinfo -cert ca.pem 
{
  "subject": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "issuer": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "serial_number": "72583730418191516028003096307996422627737938938",
  "not_before": "2019-12-15T11:07:00Z",
  "not_after": "2024-12-13T11:07:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "subject_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDxjCCAq6gAwIBAgIUDLbEXKukkhGbTQFdF4LH8EBnK/owDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE\nAxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMTA3MDBaFw0yNDEyMTMxMTA3MDBaMGkx\nCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu\nMQ8wDQYDVQQKEwZkZXZvcHMxEDAOBgNVBAsTB3VuaWNvcm4xEzARBgNVBAMTCmRl\ndm9wcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo555kkjb1\n63904aqWO6IgOSLTrsNR1D+5rYeraAUYWsNcvpJQukzQqzWlEMkP1VAIH8Szm57F\niunRlWzt49YT+azbmjGpdJwTaJE4jJRmnyBmuCM1z2jjKcbuQqU82B5KcIoNnqc9\nHLoGJEwMI3fstn3d0T93h9dS4xhxyzxNR4HtSBr/lrrRUAhlswIq1nVYKRTDOOgl\ns9VVQ+xuMYzyk/brfsaTSSFRCb2BIR9EvVmtntxRQKrEoU9zJSmX3e+P2HTcTf+y\n4ve2a61C2JtWiotH6M4Qhq57Cq/+DG/98foQSoXlRYdESZ0SKIuFNjOhEp5FLkZh\nlQ6bUdPam7YLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG\nAQH/AgECMB0GA1UdDgQWBBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczAfBgNVHSMEGDAW\ngBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczANBgkqhkiG9w0BAQsFAAOCAQEAQ56h0t1H\nVSnaX9ExBDlMIivK/znevJ2GPqvPG2Fq+C1nX/Gpv+biuuA0V15NEDC3YLlUfsfb\njstYAwNRY51gFnhZh/PwJXs1SlktoQ4RuxjwGfdRt1kNSOpzwZbz5JUcTqoEmgtO\nLZIIhjLMiALV5br6zbNPqSDv18cLYWqS1is7sD0ppxNRMteizdYdHjk+t3Z1em+6\nOnk0cqzZzBXVfELGb19FUcrcwLdQDpccAWTUzrQ/H9d595P6Og3bWmWDSgpYyIrT\nmQ0PHXkxAJAMOrY90l+k7r6SfI5f3InTVGv+zMw4HVct9BPUGIOA88tt6rvjSprJ\n08uzibszD2ZBEA==\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn ca]# 

The openssl x509 subcommand can of course be used to check it as well:

[root@liumiaocn ca]# openssl x509 -noout -text -in ca.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:b6:c4:5c:ab:a4:92:11:9b:4d:01:5d:17:82:c7:f0:40:67:2b:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Validity
            Not Before: Dec 15 11:07:00 2019 GMT
            Not After : Dec 13 11:07:00 2024 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a8:e7:9e:64:92:36:f5:eb:7f:74:e1:aa:96:3b:
                    a2:20:39:22:d3:ae:c3:51:d4:3f:b9:ad:87:ab:68:
                    05:18:5a:c3:5c:be:92:50:ba:4c:d0:ab:35:a5:10:
                    c9:0f:d5:50:08:1f:c4:b3:9b:9e:c5:8a:e9:d1:95:
                    6c:ed:e3:d6:13:f9:ac:db:9a:31:a9:74:9c:13:68:
                    91:38:8c:94:66:9f:20:66:b8:23:35:cf:68:e3:29:
                    c6:ee:42:a5:3c:d8:1e:4a:70:8a:0d:9e:a7:3d:1c:
                    ba:06:24:4c:0c:23:77:ec:b6:7d:dd:d1:3f:77:87:
                    d7:52:e3:18:71:cb:3c:4d:47:81:ed:48:1a:ff:96:
                    ba:d1:50:08:65:b3:02:2a:d6:75:58:29:14:c3:38:
                    e8:25:b3:d5:55:43:ec:6e:31:8c:f2:93:f6:eb:7e:
                    c6:93:49:21:51:09:bd:81:21:1f:44:bd:59:ad:9e:
                    dc:51:40:aa:c4:a1:4f:73:25:29:97:dd:ef:8f:d8:
                    74:dc:4d:ff:b2:e2:f7:b6:6b:ad:42:d8:9b:56:8a:
                    8b:47:e8:ce:10:86:ae:7b:0a:af:fe:0c:6f:fd:f1:
                    fa:10:4a:85:e5:45:87:44:49:9d:12:28:8b:85:36:
                    33:a1:12:9e:45:2e:46:61:95:0e:9b:51:d3:da:9b:
                    b6:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier: 
                21:21:2E:0B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:07:AE:3D:82:73
            X509v3 Authority Key Identifier: 
                keyid:21:21:2E:0B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:07:AE:3D:82:73

    Signature Algorithm: sha256WithRSAEncryption
         43:9e:a1:d2:dd:47:55:29:da:5f:d1:31:04:39:4c:22:2b:ca:
         ff:39:de:bc:9d:86:3e:ab:cf:1b:61:6a:f8:2d:67:5f:f1:a9:
         bf:e6:e2:ba:e0:34:57:5e:4d:10:30:b7:60:b9:54:7e:c7:db:
         8e:cb:58:03:03:51:63:9d:60:16:78:59:87:f3:f0:25:7b:35:
         4a:59:2d:a1:0e:11:bb:18:f0:19:f7:51:b7:59:0d:48:ea:73:
         c1:96:f3:e4:95:1c:4e:aa:04:9a:0b:4e:2d:92:08:86:32:cc:
         88:02:d5:e5:ba:fa:cd:b3:4f:a9:20:ef:d7:c7:0b:61:6a:92:
         d6:2b:3b:b0:3d:29:a7:13:51:32:d7:a2:cd:d6:1d:1e:39:3e:
         b7:76:75:7a:6f:ba:3a:79:34:72:ac:d9:cc:15:d5:7c:42:c6:
         6f:5f:45:51:ca:dc:c0:b7:50:0e:97:1c:01:64:d4:ce:b4:3f:
         1f:d7:79:f7:93:fa:3a:0d:db:5a:65:83:4a:0a:58:c8:8a:d3:
         99:0d:0f:1d:79:31:00:90:0c:3a:b6:3d:d2:5f:a4:ee:be:92:
         7c:8e:5f:dc:89:d3:54:6b:fe:cc:cc:38:1d:57:2d:f4:13:d4:
         18:83:80:f3:cb:6d:ea:bb:e3:4a:9a:c9:d3:cb:b3:89:bb:33:
         0f:66:41:10
[root@liumiaocn ca]# 

As the output shows, the certificate was issued with the default validity period of 5 years.
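The same checks can be done in code. The Go program below is an added example, not part of the original post and not cfssl's own code: it parses the ca.pem shown in the certinfo output above (embedded verbatim as PageCAPEM), reports the same fields that cfssl-certinfo and openssl x509 -text print, and lists the reasons a certificate should not be trusted as a root CA (no CA:TRUE, no Certificate Sign key usage, a self-signature that does not verify, differing subject and authority key identifiers, or a Not After date in the past). InspectCert, CertSummary and CAProblems are names chosen for this example.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"time"
)

// PageCAPEM is the ca.pem from the "pem" field of the page's cfssl-certinfo output.
const PageCAPEM = `-----BEGIN CERTIFICATE-----
MIIDxjCCAq6gAwIBAgIUDLbEXKukkhGbTQFdF4LH8EBnK/owDQYJKoZIhvcNAQEL
BQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE
YUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE
AxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMTA3MDBaFw0yNDEyMTMxMTA3MDBaMGkx
CzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu
MQ8wDQYDVQQKEwZkZXZvcHMxEDAOBgNVBAsTB3VuaWNvcm4xEzARBgNVBAMTCmRl
dm9wcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo555kkjb1
63904aqWO6IgOSLTrsNR1D+5rYeraAUYWsNcvpJQukzQqzWlEMkP1VAIH8Szm57F
iunRlWzt49YT+azbmjGpdJwTaJE4jJRmnyBmuCM1z2jjKcbuQqU82B5KcIoNnqc9
HLoGJEwMI3fstn3d0T93h9dS4xhxyzxNR4HtSBr/lrrRUAhlswIq1nVYKRTDOOgl
s9VVQ+xuMYzyk/brfsaTSSFRCb2BIR9EvVmtntxRQKrEoU9zJSmX3e+P2HTcTf+y
4ve2a61C2JtWiotH6M4Qhq57Cq/+DG/98foQSoXlRYdESZ0SKIuFNjOhEp5FLkZh
lQ6bUdPam7YLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
AQH/AgECMB0GA1UdDgQWBBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczAfBgNVHSMEGDAW
gBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczANBgkqhkiG9w0BAQsFAAOCAQEAQ56h0t1H
VSnaX9ExBDlMIivK/znevJ2GPqvPG2Fq+C1nX/Gpv+biuuA0V15NEDC3YLlUfsfb
jstYAwNRY51gFnhZh/PwJXs1SlktoQ4RuxjwGfdRt1kNSOpzwZbz5JUcTqoEmgtO
LZIIhjLMiALV5br6zbNPqSDv18cLYWqS1is7sD0ppxNRMteizdYdHjk+t3Z1em+6
Onk0cqzZzBXVfELGb19FUcrcwLdQDpccAWTUzrQ/H9d595P6Og3bWmWDSgpYyIrT
mQ0PHXkxAJAMOrY90l+k7r6SfI5f3InTVGv+zMw4HVct9BPUGIOA88tt6rvjSprJ
08uzibszD2ZBEA==
-----END CERTIFICATE-----
`

// CertSummary holds the fields that cfssl-certinfo and openssl x509 -text report,
// plus the checks worth running on a freshly created CA certificate.
type CertSummary struct {
	Subject, Serial, SigAlg string // Serial in decimal, as cfssl-certinfo prints it
	NotBefore, NotAfter     time.Time
	SKI, AKI                string // zero-padded upper-case hex bytes, e.g. "21 21 2E 0B ..."
	IsCA, CertSign          bool
	SelfSigned, Expired     bool // SelfSigned: the signature verifies under the cert's own key
	MaxPathLen              int
}

// InspectCert parses a single PEM certificate and summarises it.
func InspectCert(certPEM []byte) (*CertSummary, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	return &CertSummary{
		Subject:    cert.Subject.String(),
		Serial:     cert.SerialNumber.String(),
		SigAlg:     cert.SignatureAlgorithm.String(),
		NotBefore:  cert.NotBefore,
		NotAfter:   cert.NotAfter,
		SKI:        fmt.Sprintf("% X", cert.SubjectKeyId),
		AKI:        fmt.Sprintf("% X", cert.AuthorityKeyId),
		IsCA:       cert.BasicConstraintsValid && cert.IsCA,
		CertSign:   cert.KeyUsage&x509.KeyUsageCertSign != 0,
		MaxPathLen: cert.MaxPathLen,
		// CheckSignatureFrom also insists the signer is CA:TRUE with Certificate Sign usage.
		SelfSigned: cert.CheckSignatureFrom(cert) == nil,
		Expired:    time.Now().After(cert.NotAfter),
	}, nil
}

// CAProblems lists why a certificate should not be trusted as a root CA; empty means fine.
func CAProblems(s *CertSummary) (problems []string) {
	for _, c := range []struct {
		ok  bool
		msg string
	}{
		{s.IsCA, "basic constraints do not assert CA:TRUE"},
		{s.CertSign, "key usage lacks Certificate Sign"},
		{s.SelfSigned, "self-signature does not verify"},
		{s.SKI == s.AKI, "subject and authority key identifiers differ"},
		{!s.Expired, "certificate is past its Not After date"},
	} {
		if !c.ok {
			problems = append(problems, c.msg)
		}
	}
	return problems
}

func main() {
	s, err := InspectCert([]byte(PageCAPEM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\nproblems: %v\n", *s, CAProblems(s))
}
```

Run after 13 December 2024, the only problem reported for the page's certificate is that it is past its Not After date; the structural checks all pass. One formatting detail worth knowing when comparing the two tools' output above: cfssl-certinfo prints the key identifier as 21:21:2E:B:...:4E:7:..., dropping the leading zero of the bytes 0B and 07, while openssl prints 21:21:2E:0B:...:4E:07:...; the bytes are identical, as this program's zero-padded output confirms.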

Author: 淼叔 (CSDN certified blog expert)