Problem:
Configure linux1 as a CA server that issues certificates to the Linux hosts. The certificate authority is valid for 10 years and has the common name linux1.skills.com. Request and issue one certificate for the Linux servers with the following details: validity = 5 years, common name = skills.com, country = CN, state = Beijing, city = Beijing, organization = skills, organizational unit = system, subject alternative names = *.skills.com and skills.com. Copy the certificate skills.crt and the private key skills.key into the /etc/ssl directory of each Linux server that needs a certificate. Browsers must show no certificate warning when they visit the HTTPS site.
Solution:
First install the OpenSSL packages:
yum install openssl* -y
Change to the CA working directory:
cd /etc/pki/CA/
Create the database files that openssl ca expects (the index of issued certificates and the next serial number):
touch index.txt
echo 00 > serial
Generate the private key for the self-signed CA certificate:
openssl genrsa -out ca.key 2048
Use this key to create the certificate signing request for the CA root certificate:
openssl req -new -out ca.csr -key ca.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //country
State or Province Name (full name) []:Beijing //state/province
Locality Name (eg, city) [Default City]:Beijing //city
Organization Name (eg, company) [Default Company Ltd]:skills //organization
Organizational Unit Name (eg, section) []:system //organizational unit
Common Name (eg, your name or your server's hostname) []:linux1.skills.com //common name
Email Address []: //email (press Enter to skip)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //challenge password (press Enter to skip)
An optional company name []: //optional company name (press Enter to skip)
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt #self-sign the CA root certificate (3650 days = 10 years)
That completes the self-signed CA certificate. Next, edit the OpenSSL configuration file that controls how certificates are issued (the line numbers below refer to the stock file):
vim /etc/pki/tls/openssl.cnf
Line 167: req_extensions = v3_req # The extensions to add to a certificate request //uncomment this line
Line 213: basicConstraints=CA:TRUE //change FALSE to TRUE
Line 235: [ v3_req ]
Line 236: subjectAltName = @alt_names //add this line inside the [ v3_req ] section
Line 240: basicConstraints = CA:TRUE //change FALSE to TRUE
Line 242: [alt_names] //add this new section
Line 243: DNS.1=*.skills.com //subject alternative name 1
Line 244: DNS.2=skills.com //subject alternative name 2
Now generate the private key for the server certificate:
openssl genrsa -out skills.key 2048
Use that private key to create the server certificate signing request:
openssl req -new -key skills.key -out skills.csr -config /etc/pki/tls/openssl.cnf -extensions v3_req //create the server CSR; the v3_req section supplies the subject alternative names
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //country
State or Province Name (full name) []:Beijing //state/province
Locality Name (eg, city) [Default City]:Beijing //city
Organization Name (eg, company) [Default Company Ltd]:skills //organization
Organizational Unit Name (eg, section) []:system //organizational unit
Common Name (eg, your name or your server's hostname) []:skills.com //common name
Email Address []: //email (press Enter to skip)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //challenge password (press Enter to skip)
An optional company name []: //optional company name (press Enter to skip)
Issue the certificate from the request file:
openssl ca -in skills.csr -out skills.crt -cert ca.crt -keyfile ca.key -extensions v3_req -days 1825 -config /etc/pki/tls/openssl.cnf //sign the server certificate with the CA (1825 days = 5 years)
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 12 16:16:02 2023 GMT
Not After : Feb 11 16:16:02 2028 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = skills
organizationalUnitName = system
commonName = skills.com
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.skills.com, DNS:skills.com
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Certificate is to be certified until Feb 11 16:16:02 2028 GMT (1825 days)
Sign the certificate? [y/n]:y //type y
1 out of 1 certificate requests certified, commit? [y/n]y //type y
Write out database with 1 new entries
Data Base Updated
The certificate is now issued. Copy skills.crt and the private key skills.key into the /etc/ssl directory of each Linux server that needs a certificate, then install the certificate in the web server there.
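The following script is an added example and is not code from the original post. It reproduces the same procedure without interactive prompts (the DN is passed with -subj) and without the openssl ca database (openssl x509 -req signs the request instead), then runs the checks a practitioner would make before trusting the result: the chain back to ca.crt, hostname matching against the subject alternative names, the requested validity periods, and that the server certificate is not itself a CA. Note that the configuration edit above sets basicConstraints = CA:TRUE in v3_req, and the signing output confirms the issued server certificate carries CA:TRUE; a server (leaf) certificate should carry CA:FALSE, so the extension file written here does that. Assumptions: openssl is on PATH, files go into $WORK (default /tmp/skills-ca, a constructed scratch path) rather than /etc/pki/CA, and the file name skills-ca.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Same steps as the post,
# non-interactive, in a scratch directory; followed by verification checks.
# Assumes: openssl on PATH; $WORK is writable (default /tmp/skills-ca).
set -eu

WORK="${WORK:-/tmp/skills-ca}"
CA_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=skills/OU=system/CN=linux1.skills.com"
SRV_SUBJ="/C=CN/ST=Beijing/L=Beijing/O=skills/OU=system/CN=skills.com"

# Extension sections. The CA gets CA:TRUE and keyCertSign; the server
# certificate gets CA:FALSE (the post's v3_req leaves it CA:TRUE, which would
# let the web server's key sign further certificates) plus the two SANs.
write_ext_config() {
  cat > "$WORK/skills-ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ alt_names ]
DNS.1 = *.skills.com
DNS.2 = skills.com
EOF
}

# CA key + CSR + self-signed 10-year root, then server key + CSR + 5-year
# certificate signed by the CA. Extensions come from the file above, so the
# result does not depend on whatever the system openssl.cnf contains.
build_pki() {
  mkdir -p "$WORK"
  write_ext_config
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -subj "$CA_SUBJ" -out "$WORK/ca.csr"
  openssl x509 -req -days 3650 -sha256 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/skills-ext.cnf" -extensions v3_ca -out "$WORK/ca.crt"
  openssl genrsa -out "$WORK/skills.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/skills.key" -subj "$SRV_SUBJ" -out "$WORK/skills.csr"
  openssl x509 -req -days 1825 -sha256 -in "$WORK/skills.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/skills-ext.cnf" -extensions v3_req -out "$WORK/skills.crt"
}

# Returns 0 when certificate $1 is still valid in ($2 - 1) days but expires
# within ($2 + 1) days, i.e. it was issued for $2 days.
expires_in_days() {
  lo=$(( ($2 - 1) * 86400 )); hi=$(( ($2 + 1) * 86400 ))
  openssl x509 -in "$1" -noout -checkend "$lo" >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend "$hi" >/dev/null
}

# What a browser checks (chain to a trusted CA, hostname against the SAN)
# plus what an admin should add: both task names present, and CA:FALSE.
check_server_cert() {
  crt="$1"; ca="$2"
  openssl verify -CAfile "$ca" -verify_hostname skills.com "$crt" >/dev/null || return 1
  openssl verify -CAfile "$ca" -verify_hostname www.skills.com "$crt" >/dev/null || return 1
  text=$(openssl x509 -in "$crt" -noout -text)
  printf '%s\n' "$text" | grep -q 'DNS:\*\.skills\.com' || return 1
  printf '%s\n' "$text" | grep -q 'DNS:skills\.com' || return 1
  printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
}

# Usage: sh skills-ca.sh demo   (hypothetical file name)
if [ "${1:-}" = "demo" ]; then
  build_pki
  check_server_cert "$WORK/skills.crt" "$WORK/ca.crt" &&
    expires_in_days "$WORK/skills.crt" 1825 &&
    echo "skills.crt: chain, SAN, CA:FALSE and 5-year validity all OK"
fi
```

The `openssl verify -CAfile ca.crt` step models what the browser does once ca.crt has been imported into its trust store: without that import a self-signed CA is unknown to the browser and the warning from the task statement appears regardless of how correct skills.crt is. The two -verify_hostname calls confirm that the wildcard entry covers hosts under skills.com and the bare entry covers skills.com itself, which is the reason the task asks for both names.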