CA认证中心

最新推荐文章于 2022-07-06 10:37:29 发布

黑色蒲G英~

最新推荐文章于 2022-07-06 10:37:29 发布

阅读量323

点赞数

分类专栏： CentOS 文章标签： centos openssl

本文链接：https://blog.csdn.net/m0_61095002/article/details/119831947

版权

CentOS 专栏收录该内容

24 篇文章 0 订阅

订阅专栏

CA认证中心

步骤一： 把本机变成CA认证中心

[root@dns ~]# vi /etc/pki/tls/openssl.cnf +172
basicConstraints=CA:TRUE		<==本来是FALSE改成TRUE

步骤二： 配置认证中心，生成私钥与根证书

[root@dns ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...........+++
...................................................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:										<==输入密码保护秘钥，这里输入 123456
Verifying - Enter PEM pass phrase:				<==再输一次
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN												<==国家地区
State or Province Name (full name) []:beijing								<==省份	
Locality Name (eg, city) [Default City]:haidian							<==城市
Organization Name (eg, company) [Default Company Ltd]:IT		<==组织
Organizational Unit Name (eg, section) []:it								<==组织单位
Common Name (eg, your name or your server's hostname) []:netdj.net	<==通用名
Email Address []:							<==邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request		<==添加一个“额外”属性，让客户端发送CA证书请求文件时要输入密码
A challenge password []:				<==回车
An optional company name []:		<==回车
Using configuration from /etc/pki/tls/openssl.cnf					<==CA服务器的配置文件，上面填写的内容会添加到这个文件
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:		<==CA秘钥密码，这里输入123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            86:9f:5a:90:a7:9a:1b:c4
        Validity
            Not Before: Dec  9 11:26:50 2020 GMT
            Not After : Dec  9 11:26:50 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = IT
            organizationalUnitName    = it
            commonName                = netdj.net
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                81:56:68:F6:DF:8B:0A:CA:1A:A2:8B:98:45:3C:C3:42:46:1E:7E:86
            X509v3 Authority Key Identifier: 
                keyid:81:56:68:F6:DF:8B:0A:CA:1A:A2:8B:98:45:3C:C3:42:46:1E:7E:86

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Dec  9 11:26:50 2023 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

步骤四： 查看生产的证书文件，和私钥，如果生失败可以删除这两个文件，然后重新生成

[root@dns ~]# ls /etc/pki/CA/cacert.pem ; ls /etc/pki/CA/private/cakey.pem 
/etc/pki/CA/cacert.pem
/etc/pki/CA/private/cakey.pem

步骤五： 利用生成的私钥和证书颁发颁发证书，这里已经提前生成了一个证书申请文件

[root@dns CA]# pwd
/etc/pki/CA
[root@dns CA]# openssl ca -keyfile private/cakey.pem -cert cacert.pem -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/cakey.pem:		<==输入保护私钥的密码

黑色蒲G英~

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
打赏
0
评论
CA认证中心

CA认证中心步骤一：把本机变成CA认证中心[root@dns ~]# vi /etc/pki/tls/openssl.cnf +172basicConstraints=CA:TRUE <==本来是FALSE改成TRUE步骤二：配置认证中心，生成私钥与根证书[root@dns ~]# /etc/pki/tls/misc/CA -newcaCA certificate filename (or enter to create)Making CA certificate ...Ge
复制链接

扫一扫