创建私有CA
局域网或内网内部自建CA颁发证书
openssl配置文件详解
[root@centos8 ~]#vim /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section 指定默认的ca
####################################################################
[ CA_default ]
#默认CA配置
dir = /etc/pki/CA # Where everything is kept 变量 存放和CA相关文件的总目录 centos8默认此文件夹不存在
certs = $dir/certs # Where the issued certs are kept 颁发证书存放地
crl_dir = $dir/crl # Where the issued crl are kept 证书吊销列表
database = $dir/index.txt # database index file. 已颁发证书的索引数据库(每行记录状态、到期时间、序列号和主题DN), 文件默认不存在, 需要手动创建
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject. 默认为 yes: 同一主题(DN)同一时间只能有一张有效证书; 改为 no 后同一个申请文件可以重复签发, 但旧证书不会自动失效, 需要自行吊销
new_certs_dir = $dir/newcerts # default place for new certs. 新颁发证书的存放地
certificate = $dir/cacert.pem # The CA certificate CA的自签名证书
serial = $dir/serial # The current serial number 每个证书的编号 序列号存放的将要颁发的证书的编号 需要赋予初始值
crlnumber = $dir/crlnumber # the current crl number 证书吊销列表的编号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL 证书吊销列表的文件
private_key = $dir/private/cakey.pem # The private key CA的私钥, 整个内网信任的根源: 必须只有 root 可读(0600), 建议用口令加密保存
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for 证书的默认有效期
default_crl_days= 30 # how long before next CRL 证书吊销列表的有效期(nextUpdate), 到期前必须用 -gencrl 重新生成并分发, 否则客户端拿到的是过期的CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy 证书签发策略: 规定申请文件(CSR)中哪些DN字段必须与CA证书一致(match)、必须提供(supplied)或可选(optional); policy_match 只给与CA同国家/省份/组织的申请签发, 是防止误签外部主体的第一道检查
[ policy_match ]
countryName = match #国家
stateOrProvinceName = match #省份
organizationName = match #组织
organizationalUnitName = optional #部门
commonName = supplied #通用名(通常是服务器主机名或用户名), 申请中必须提供
emailAddress = optional #邮箱可选
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert 用 req -x509 生成的自签名证书都会加上 v3_ca 扩展(Basic Constraints CA:TRUE), 所以下面这种方式给应用直接生成的"自签名证书"本身也是一张CA证书
创建CentOS8中默认不存在的CA相关文件夹(目录名要与 openssl.cnf 中的 certs/crl/newcerts/private 一致)
[root@centos8 CA]#mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@centos8 CA]#tree -d .
.
├── certs
├── crl
├── newcerts
└── private
4 directories
生成证书索引数据库文件
[root@centos8 CA]#touch /etc/pki/CA/index.txt
指定第一个颁发证书的序列号, 必须是偶数位的十六进制, 如 01 02 ... 0F 10
[root@centos8 CA]#echo 01 > /etc/pki/CA/serial
生成CA私钥
[root@centos8 ~]#cd /etc/pki/CA
#安全考虑: 在子shell中临时把umask改为066, 生成的私钥文件权限为0600, 且不影响当前shell; 注意这里的CA私钥没有口令保护, 任何能读取cakey.pem的人都能签发被整个内网信任的证书, 生产环境应加 -aes256 加密并考虑更长的密钥长度
[root@centos8 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
..........+++
e is 65537 (0x10001)
生成CA自签名证书
[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
选项说明:
-new: 生成新证书签署请求
-x509: 直接输出自签名证书而不是证书签署请求(CSR); 扩展取自 [req] 段的 x509_extensions=v3_ca, 因此证书带 CA:TRUE
-key: 生成请求时用到的私钥文件
-days n: 证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
查看生成的证书文件
证书文件默认是PEM格式: DER编码的证书经base64编码并加上 BEGIN/END CERTIFICATE 标记, 直接 cat 看不到可读内容
[root@centos8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
#解码查看证书文件
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0b:22:ec:25:26:8a:c9:a0:92:e2:d8:49:31:4f:f6:d8:c6:02:35:4e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
Validity
Not Before: Aug 23 01:54:09 2021 GMT
Not After : Aug 21 01:54:09 2031 GMT
Subject: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
#指定查看证书属性 日期 属性
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -dates
notBefore=Aug 23 01:54:09 2021 GMT
notAfter=Aug 21 01:54:09 2031 GMT
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -subject
subject=C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
#下载到Windows查看
[root@centos8 CA]#yum install lrzsz -y; sz cacert.pem
更改后缀 .cer 就可以正常查看了
非交互式对某个应用生成自签名证书(仅作演示: rsa:1024 已不安全, 正式使用至少 rsa:2048; -nodes 表示私钥不加密; 未指定 -days 时有效期默认只有30天; 且因 v3_ca 扩展, 该证书带 CA:TRUE)
[root@centos8 CA]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
................+++++
.......................................................................................+++++
writing new private key to 'app.key'
-----
[root@centos8 CA]#ls app*
app.crt app.key
[root@centos8 CA]#mkdir /data/cert ;mv app.* /data/cert/
#查看证书内容
[root@centos8 CA]#cd /data/cert/
[root@centos8 cert]#ls
app.crt app.key
[root@centos8 cert]#openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
78:1a:c8:de:52:3a:bd:10:a4:cf:ef:1d:04:75:41:e2:6e:2b:df:75
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = www.magedu.org
Validity
Not Before: Sep 20 06:33:06 2021 GMT
Not After : Oct 20 06:33:06 2021 GMT
Subject: CN = www.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:b4:5c:90:f7:e9:82:32:47:df:98:d5:3d:3a:bd:
c1:c4:a7:54:d1:83:eb:c3:89:22:c8:84:24:99:da:
73:17:da:2d:8d:41:92:6c:47:ec:6a:dc:ab:27:34:
76:d3:8b:bd:2a:c8:ad:eb:55:41:40:9d:fe:a9:7d:
ec:ef:1a:c1:ef:db:32:28:66:9c:d6:5c:a3:b2:56:
43:e4:ec:40:ee:dc:ea:05:3f:7b:5f:e0:65:63:e3:
92:ee:a3:5b:bd:d5:d9:4d:96:b8:d6:e2:db:7d:6c:
39:f5:cf:fe:5c:7e:de:ce:35:08:f5:f2:72:fa:61:
e3:91:da:f8:60:1c:e5:73:8f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F6:18:4C:7C:88:9E:ED:5F:09:96:7F:E8:22:97:67:40:A0:8C:51:A8
X509v3 Authority Key Identifier:
keyid:F6:18:4C:7C:88:9E:ED:5F:09:96:7F:E8:22:97:67:40:A0:8C:51:A8
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
6c:67:e5:f1:40:d8:72:e2:9e:87:a1:17:ce:2f:ed:04:4a:9b:
99:25:8a:18:31:22:35:5f:8b:33:77:50:8a:0e:17:64:f0:fd:
be:ce:fb:b5:bb:a8:52:47:db:5b:6b:b9:8e:62:57:d2:19:a7:
48:4c:e6:2c:ca:23:b9:94:b9:b6:8d:cb:eb:dd:98:0d:dd:d4:
4d:3f:84:64:b3:aa:38:79:53:5c:23:16:66:fb:01:51:2e:be:
ed:cf:5e:f6:2f:fc:90:9f:14:34:60:c3:68:6c:18:27:99:71:
7e:d1:ea:e1:53:19:85:a5:e0:9f:9f:9c:21:0f:27:3e:8a:2a:
95:51
CentOS7中可以使用make命令为httpd服务生成证书,而CentOS8中默认没有。
若想在CentOS8中使用,可以将Makefile文件拷贝到CentOS8中
[root@localhost certs]# pwd
/etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt ca-bundle.trust.crt make-dummy-cert Makefile renew-dummy-cert
[root@localhost certs]# make /data/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /data/httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................................................................................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /data/httpd.key -x509 -days 365 -out /data/httpd.crt
Enter pass phrase for /data/httpd.key: #输入加密私钥的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:
[root@localhost certs]# ls /data/htt*
/data/httpd.crt /data/httpd.key
#查看帮助
[root@localhost certs]# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than random, add SERIAL=num
You can also specify key length with KEYLEN=n and expiration in days with DAYS=n
Any additional options can be passed to openssl req via EXTRA_FLAGS
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
make certreq
make testcert
make server.crt SERIAL=1
make stunnel.pem EXTRA_FLAGS=-sha384
make testcert DAYS=600
#查看Makefile文件内容
[root@localhost certs]# cat Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
................................................................................................................................
为用户生成证书
[root@centos8 data]#mkdir /data/app1
#生成app1的私钥文件
[root@centos8 data]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
....+++++
e is 65537 (0x010001)
#用私钥创建证书申请文件
#注意: 默认策略 policy_match 要求国家、省份、组织这三项与CA的自签名证书完全一致, 否则 openssl ca 会拒绝签发
[root@centos8 data]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:sale
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:sale@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
为用户颁发证书(签发前请核对屏幕上显示的 Subject 与申请方一致, 再回答 y)
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 18 (0x12)
Validity
Not Before: Sep 20 07:43:05 2021 GMT
Not After : Jun 16 07:43:05 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
localityName = luoyang
organizationName = magedu
organizationalUnitName = sale
commonName = www.magedu.org
emailAddress = sale@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
44:7D:CC:52:9D:5A:75:95:C5:F1:BE:67:64:07:C9:D9:D2:63:D4:02
X509v3 Authority Key Identifier:
keyid:FA:58:83:21:29:7C:8A:02:1E:E3:1E:84:72:5B:3D:EB:A7:D7:C1:92
Certificate is to be certified until Jun 16 07:43:05 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#颁发完成
报错
缺少数据库文件
若颁发证书过程中有报错如下
[root@centos8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140198580492096:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
140198580492096:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
解决方法:
创建证书索引数据库文件和证书序列号文件(序列号为偶数位十六进制, 这里用 0F, 之后签发的证书编号从 0F 开始递增)
[root@centos8 CA]# touch /etc/pki/CA/index.txt
[root@centos8 CA]# echo 0F > /etc/pki/CA/serial
查看目录结构
[root@centos8 CA]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts #类似于备份文件夹
│ └── 0F.pem #0F就是serial序列号中的序号
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
参数错误
颁发证书报错: 申请文件中的国家(countryName)与CA证书不一致, 被 policy_match 策略拒绝
[root@centos8 CA]# openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (US)
更改颁发策略(policy_anything 取消了DN字段必须与CA一致的限制, CA会给任何组织的申请签发证书; 仅适用于实验环境, 生产环境应保留 policy_match 或定义更严格的策略, 并在回答 y 前人工核对 Subject)
vim /etc/pki/tls/openssl.cnf
policy = policy_anything
再次颁发
[root@centos8 ~]# openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17 (0x11)
Validity
Not Before: Aug 23 04:44:02 2021 GMT
Not After : Aug 23 04:44:02 2022 GMT
Subject:
countryName = US
stateOrProvinceName = newyork
localityName = newyork
organizationName = test
organizationalUnitName = devops
commonName = www.test.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:67:CC:F2:45:F9:2D:81:38:5B:93:C7:E8:01:8B:90:B3:DC:55:63
X509v3 Authority Key Identifier:
keyid:FA:58:83:21:29:7C:8A:02:1E:E3:1E:84:72:5B:3D:EB:A7:D7:C1:92
Certificate is to be certified until Aug 23 04:44:02 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
验证
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ ├── app1.crt
│ ├── app1-new.crt
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 0F.pem
│ ├── 10.pem
│ └── 11.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
证书管理
查看
查看颁发证书的数据库文件(每行依次为: 状态 V=有效/R=已吊销, 到期时间, 吊销时间(仅R状态有), 序列号, 证书文件名(unknown), 主题DN)
[root@centos8 ~]#cat /etc/pki/CA/index.txt
V 240519030457Z 0F unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
验证证书有效性
[root@centos8 CA]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
serial 查看下一个证书的证书编号
[root@centos8 CA]# cat /etc/pki/CA/serial
10
[root@centos8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
The matching entry has the following details
Type :Valid
Expires on :240519030457Z
Serial Number :0F
File name :unknown
Subject Name :/C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
使同一个证书申请文件可以申请多个证书
默认 unique_subject = yes, 同一主题(DN)同一时间只能有一张有效证书, 所以同一个证书申请文件不能重复申请; 改为 no 后可以重复签发, 但旧证书(0F)仍然有效, 不再使用时应及时吊销
[root@centos8 CA]# vim /etc/pki/CA/index.txt.attr
#unique_subject = yes
unique_subject = no
或(只改 unique_subject 这一行, 避免误替换其他内容)
[root@centos8 CA]# sed -i 's/^unique_subject *= *yes/unique_subject = no/' /etc/pki/CA/index.txt.attr
测试
[root@centos8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16 (0x10)
Validity
Not Before: Aug 23 04:03:42 2021 GMT
Not After : May 19 04:03:42 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = magedu
organizationalUnitName = sale
commonName = www.magedu.org
emailAddress = sale@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
50:0E:22:E0:A2:31:A9:31:68:96:61:11:79:06:AE:C6:65:C0:B5:39
X509v3 Authority Key Identifier:
keyid:FA:58:83:21:29:7C:8A:02:1E:E3:1E:84:72:5B:3D:EB:A7:D7:C1:92
Certificate is to be certified until May 19 04:03:42 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#申请完成
如何吊销证书
吊销10证书(吊销只是把 index.txt 中该证书的状态改为 R, 客户端要等重新生成并分发 CRL 后才会拒绝该证书)
[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/10.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 10.
Data Base Updated
#查看状态
[root@centos8 ~]# openssl ca -status 10
Using configuration from /etc/pki/tls/openssl.cnf
10=Revoked (R)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V 240519030457Z 0F unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
R 240519040342Z 210823054437Z 10 unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
V 220823044402Z 11 unknown /C=US/ST=newyork/L=newyork/O=test/OU=devops/CN=www.test.org
生成吊销列表crl文件
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140020628682560:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140020628682560:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
缺少CRL编号文件 crlnumber(每次生成CRL时递增, 与 serial 一样为偶数位十六进制)
[root@centos8 ~]# echo 01 > /etc/pki/CA/crlnumber
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos8 ~]# ll /etc/pki/CA/crl.pem
-rw-r--r-- 1 root root 739 Aug 23 13:49 /etc/pki/CA/crl.pem
吊销11号证书
[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/11.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 11.
Data Base Updated
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V 240519030457Z 0F unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
R 240519040342Z 210823054437Z 10 unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
R 220823044402Z 210823055158Z 11 unknown /C=US/ST=newyork/L=newyork/O=test/OU=devops/CN=www.test.org
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf