Creating a CA and issuing certificates with openssl

I. Create the private CA root certificate

1. Create the CA directory tree

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# mkdir -pv  /etc/pki/CA/{private,certs,crl,newcerts}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/private'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'

2. Create and initialize the database files

`index.txt` is the CA's certificate database (empty until the first certificate is issued) and `serial` holds the serial number the next certificate will get; `openssl ca` refuses to run if either is missing.

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# touch /etc/pki/CA/{serial,index.txt}
root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# echo 01 > /etc/pki/CA/serial

3. Create the CA private key

The key below is written unencrypted: anyone who can read /etc/pki/CA/private/cakey.pem can issue certificates that every client trusting this CA will accept. For anything beyond a lab, add `-aes256` so the key is passphrase-protected, and keep the `private` directory at mode 0700.

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
........................................++++
....................................................................................................................................................................................................................................................................++++
e is 65537 (0x010001)

4. Create the self-signed CA root certificate

`req -x509` writes a certificate instead of a request, signed with the CA key from step 3; `-days 3655` gives it roughly ten years. Its extensions come from the `v3_ca` section of the system openssl.cnf, which sets basicConstraints CA:TRUE. Note the Country, State and Organization entered here: with the default `policy_match` policy, `openssl ca` will reject any request whose C, ST or O differ from the CA's own.

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:sc
Locality Name (eg, city) []:cd
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tsinghua-eiri
Organizational Unit Name (eg, section) []:xxxx
Common Name (e.g. server FQDN or YOUR name) []:xxxxxx
Email Address []:

II. Issue a certificate

1. Create the client private key

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl genrsa -out client0001.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
....+++++
e is 65537 (0x010001)

2. Extract the client public key (kept for later use)

Neither the request in step 3 nor the signing in step 4 needs this file; both read the public key out of client0001.key. It is extracted only for reference.

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl rsa -in client0001.key -pubout -out client0001.pub
writing RSA key

3. Generate the client certificate request

`-days` means nothing for a request and is ignored, as the first output line says; validity is fixed when the CA signs in step 4. The request is self-signed with client0001.key, which is what lets the CA check that whoever submitted it holds the private key ("Check that the request matches the signature" below).

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl req -new -key client0001.key -out client0001.csr -days 3650
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:sc
Locality Name (eg, city) []:cd
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tsinghua-eiri
Organizational Unit Name (eg, section) []:scu
Common Name (e.g. server FQDN or YOUR name) []:jackwang
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Sign the client request

`openssl ca` takes its settings from the `[ CA_default ]` section of the config file it reports, here /usr/lib/ssl/openssl.cnf. On Debian/Ubuntu that section ships with `dir = ./demoCA`, so for the command to find /etc/pki/CA the value must have been changed to `dir = /etc/pki/CA` beforehand; the post does not show that edit. Two details to check before answering y: the Locality entered in the request is absent from the printed Subject, because the default `policy_match` policy does not list localityName and silently drops every field it does not list; and Basic Constraints is CA:FALSE, so the issued certificate cannot itself sign certificates.

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl ca -in client0001.csr -out /etc/pki/CA/certs/client0001.crt -days 3650
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 16 09:03:43 2022 GMT
            Not After : Feb 14 09:03:43 2032 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = sc
            organizationName          = tsinghua-eiri
            organizationalUnitName    = scu
            commonName                = jackwang
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D3:38:BA:C9:C5:50:C9:51:14:E0:1A:F2:7C:42:70:50:70:F5:92:81
            X509v3 Authority Key Identifier:
                keyid:4D:1E:75:EE:8A:DD:69:3E:6C:FE:FB:D2:AA:34:2D:91:48:8D:D7:55

Certificate is to be certified until Feb 14 09:03:43 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Inspect the issued certificate

The signed certificate was written to /etc/pki/CA/certs/client0001.crt (and a copy to newcerts/01.pem), so that is the file to read:

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl x509 -in /etc/pki/CA/certs/client0001.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = sichuan, L = cd, O = tsinghua-eiri, OU = eiri-iot, CN = root
        Validity
            Not Before: Feb 16 09:03:43 2022 GMT
            Not After : Feb 14 09:03:43 2032 GMT
        Subject: C = CN, ST = sc, O = tsinghua-eiri, OU = scu, CN = jackwang
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:94:c6:ca:08:6e:08:26:47:39:6d:78:92:d6:a5:
                    6f:3e:3b:cc:b7:0d:fa:9c:eb:dd:5f:12:87:40:0f:
                    ad:c1:21:83:fe:7e:b8:c0:6c:a6:30:d4:e9:03:99:
                    4a:03:b5:88:59:11:12:ef:8b:f1:62:f1:f1:ee:d0:
                    f8:f2:03:35:12:16:b9:44:14:bb:69:89:83:c3:44:
                    9d:17:49:32:de:10:43:49:cb:70:2e:89:33:07:57:
                    f7:ed:da:06:1d:25:45:dc:ad:b9:da:55:30:05:02:
                    9f:e1:63:51:8a:cb:39:30:a1:71:86:5a:8e:a3:b3:
                    c7:71:50:19:74:f8:93:da:1b:9d:0a:b5:de:27:c8:
                    55:14:f8:e6:9b:02:2c:ea:75:bf:44:d6:08:49:3c:
                    9b:a1:b4:97:1e:a8:88:cf:23:83:eb:03:b6:6d:e6:
                    be:74:60:f8:88:29:0e:a7:7f:1a:ec:2e:c4:ff:4d:
                    2f:f2:6b:53:0e:a9:35:99:d1:0f:cc:ed:ef:41:eb:
                    a8:b2:27:7a:4c:d1:e9:b7:1c:1b:29:80:a6:b2:b8:
                    9f:1f:3a:35:e0:05:05:f6:a9:77:a0:bd:98:51:e2:
                    0b:38:9d:ca:3c:48:c2:02:5d:7b:ba:01:cd:5c:48:
                    8b:ef:38:03:f2:ed:ee:90:c5:31:b8:dd:40:49:c4:
                    ce:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D3:38:BA:C9:C5:50:C9:51:14:E0:8A:F2:7C:45:70:50:70:F5:92:81
            X509v3 Authority Key Identifier:
                keyid:4D:BE:75:EE:8A:DD:69:3E:6C:FE:FB:D2:AA:34:2D:91:48:8D:D7:55

    Signature Algorithm: sha256WithRSAEncryption
         45:1c:29:cd:ad:18:10:6d:9f:50:f6:2c:08:1e:22:3a:90:fd:
         36:36:c3:fa:ea:01:89:34:e3:c5:2b:e0:04:3f:39:c2:62:87:
         a7:29:24:9a:40:47:d6:77:b3:49:53:c8:3f:1e:6c:b1:a0:0a:
         26:36:d5:df:f7:f6:97:54:46:75:6b:97:2e:f5:7c:60:2f:96:
         af:1c:65:94:58:30:22:3f:b5:31:30:f4:76:10:57:a6:12:51:
         96:f7:ab:88:18:07:44:b7:d4:7a:4e:d7:bd:35:ec:4f:ec:00:
         45:50:57:75:8c:1a:d1:9b:fb:81:9c:f0:d3:13:f6:75:06:1a:
         65:b9:1e:51:8d:ec:d1:52:b2:e2:07:b7:6c:66:b2:66:e9:79:
         3a:fc:eb:11:7d:c8:23:2c:c4:d6:f6:62:c4:a9:c3:87:a7:fa:
         68:a1:1c:d4:28:d6:e1:bd:fa:7e:f0:00:f4:40:6d:45:7f:d7:
         66:32:06:16:22:16:61:84:f4:a1:90:8e:29:2a:c7:07:7f:4f:
         73:09:6b:da:d9:0a:80:bd:da:ba:a2:77:b9:c4:2a:3c:fd:69:
         b3:0b:ac:d9:16:12:a3:f1:cd:3d:2f:21:3f:ca:78:d3:f0:9d:
         7b:ac:80:51:0f:c3:2a:9b:80:73:ef:ab:e3:98:d4:c8:e3:e2:
         a8:ff:dc:15:c9:00:ef:74:83:ca:68:71:e8:a4:62:dc:6c:3d:
         32:95:aa:ac:f2:d8:a6:ae:3a:23:35:a6:df:95:ed:d6:05:0e:
         03:e6:7b:d0:bf:c5:c2:0b:5f:b9:53:83:be:83:87:af:86:4b:
         b1:a7:c5:36:17:29:d8:9f:9f:5e:4d:ff:05:4b:75:0d:fe:e5:
         fe:cf:33:cd:8f:37:4a:c3:01:1c:22:11:e0:7c:f4:ae:5c:42:
         5f:b2:69:b3:14:d1:f2:d2:5e:7f:77:53:1f:96:b2:df:e7:cd:
         10:79:5b:2c:d9:1c:af:95:a3:bf:dc:6b:ea:21:c2:4f:d4:5c:
         ff:df:3c:8a:6b:ce:9b:0b:c6:3f:2b:02:a6:5a:78:a5:4d:14:
         c1:fa:1a:0e:3c:91:bd:de:c0:09:e4:5d:19:1c:c1:b6:3d:aa:
         e5:ea:41:fb:ea:67:ed:14:ae:52:76:95:cd:d3:da:6a:9b:ce:
         e7:4f:f5:3f:de:4f:e9:7c:48:f9:8d:18:ff:8a:16:a2:1c:3f:
         a5:48:d9:81:ad:a4:2f:ae:d4:a9:8b:4a:a5:8d:83:2d:92:b9:
         90:f3:0f:23:f0:62:5c:00:26:cd:b7:72:7c:98:c4:6b:98:bc:
         ab:13:a6:3c:d7:c8:34:bf:9c:e2:06:26:ca:62:ec:dc:c9:49:
         4a:58:db:07:c0:80:46:6d
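
The two procedures above (the CA build in section I and the client issuance in section II) are interactive and depend on the system openssl.cnf. The script below is an added example, not part of the original post, that reproduces them end to end without prompts: it writes its own openssl.cnf so `openssl ca` finds the CA directory on any distribution, encrypts the CA key with a passphrase, lists `localityName` in the policy so L is not dropped from the subject, adds keyUsage and extendedKeyUsage to issued certificates, and ends with `openssl verify`. The working directory, the passphrase and the DN values are placeholders chosen for the demo; the only requirement is an `openssl` binary.

```shell
#!/bin/sh
# Added example, not from the original post: the CA build (section I) and the
# client issuance (section II) done non-interactively with a private openssl.cnf.
set -eu

# build_ca DIR PASS: CA layout, config, passphrase-protected 4096-bit CA key,
# self-signed root with CA:TRUE. DIR and PASS are whatever the caller chooses.
build_ca() {
    ca=$1; pass=$2
    mkdir -p "$ca/private" "$ca/certs" "$ca/crl" "$ca/newcerts"
    chmod 700 "$ca/private"     # only the CA operator may read the key
    : > "$ca/index.txt"         # empty database
    echo 01 > "$ca/serial"      # first serial number
    # The shell expands $ca here; \$dir is left for openssl's own expansion.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
# Subject fields not listed in the policy are dropped from the issued cert;
# the stock policy_match has no localityName, which is why L=cd vanished above.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
    # Unlike the post, the CA key is encrypted at rest (AES-256, passphrase PASS).
    openssl genrsa -aes256 -passout "pass:$pass" -out "$ca/private/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -passin "pass:$pass" -subj "/C=CN/ST=sc/L=cd/O=tsinghua-eiri/OU=root/CN=root" \
        -extensions v3_ca -days 3655 -out "$ca/cacert.pem"
}

# issue_cert DIR PASS NAME SUBJECT: client key and CSR, then `openssl ca`.
# C, ST and O in SUBJECT must equal the root's, or policy_match rejects it.
issue_cert() {
    ca=$1; pass=$2; name=$3; subj=$4
    openssl genrsa -out "$ca/certs/$name.key" 2048 2>/dev/null
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/certs/$name.key" \
        -subj "$subj" -out "$ca/certs/$name.csr"
    openssl ca -batch -notext -config "$ca/openssl.cnf" -passin "pass:$pass" \
        -in "$ca/certs/$name.csr" -out "$ca/certs/$name.crt" -days 3650
}

# verify_cert DIR NAME: exit 0 when the issued cert chains to the root.
verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$1/certs/$2.crt" >/dev/null; }
# cert_subject DIR NAME: subject in RFC 2253 form ("subject=CN=jackwang,...,C=CN").
cert_subject() { openssl x509 -in "$1/certs/$2.crt" -noout -subject -nameopt RFC2253; }
# cert_is_ca FILE: exit 0 when basicConstraints carries CA:TRUE.
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# issued_count DIR: number of valid ("V") entries in index.txt.
issued_count() { grep -c '^V' "$1/index.txt"; }

# Demo run under a throwaway directory; the passphrase is a placeholder.
DEMO_CA=$(mktemp -d)
build_ca "$DEMO_CA" 'demo-ca-passphrase'
issue_cert "$DEMO_CA" 'demo-ca-passphrase' client0001 \
    "/C=CN/ST=sc/L=cd/O=tsinghua-eiri/OU=scu/CN=jackwang"
verify_cert "$DEMO_CA" client0001
echo "client0001.crt chains to $DEMO_CA/cacert.pem"
cert_subject "$DEMO_CA" client0001
```

Because the config is passed with `-config`, nothing in the system openssl.cnf is consulted, which removes the `./demoCA` versus /etc/pki/CA problem. The `-batch` flag answers the two y/n prompts, so the printed "Certificate Details" should be reviewed from the output log rather than trusted blindly; the `verify_cert` check at the end only proves the chain, not that the subject or key usage are what you intended.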

III. Directory layout

After one issuance the CA tree looks as follows. `newcerts/01.pem` is the CA's own copy of the issued certificate, named by serial number; `index.txt` now holds one `V` (valid) line for it and `serial` has advanced to 02, with `.old` copies of both kept by `openssl ca`. `crl/` is still empty because no CRL has been generated.

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── client0001.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
