Note: this walkthrough was done on Fedora 24 with OpenSSL 1.1.0.
Initialization
rm -rf /etc/pki/CA/*.old
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/index.txt.attr
echo "unique_subject = no" > /etc/pki/CA/index.txt.attr
echo 01 > /etc/pki/CA/serial
rm -rf keys
mkdir keys
index.txt is the CA's certificate database, serial holds the next serial number in hex, and unique_subject = no lets the CA issue more than one certificate for the same subject, which is convenient when re-issuing during tests. The attr file belongs in /etc/pki/CA/ next to index.txt, which is where openssl ca reads it from.
Generate the root CA and self-sign it (enter RootCA as the Common Name). With the default openssl.cnf, req -x509 applies the v3_ca extension section, so the root certificate carries basicConstraints CA:TRUE.
openssl genrsa -des3 -out keys/RootCA.key 2048
openssl req -new -x509 -days 3650 -key keys/RootCA.key -out keys/RootCA.crt
Generate the second-level CA (enter SecondCA as the Common Name, and the same Country, State and Organization as the root: the default policy_match policy in openssl.cnf makes openssl ca reject a request whose C, ST or O differ from the signing CA's certificate)
openssl genrsa -des3 -out keys/secondCA.key 2048
openssl rsa -in keys/secondCA.key -out keys/secondCA.key
openssl req -new -days 3650 -key keys/secondCA.key -out keys/secondCA.csr
openssl ca -extensions v3_ca -in keys/secondCA.csr -config /etc/pki/tls/openssl.cnf -days 3650 -out keys/secondCA.crt -cert keys/RootCA.crt -keyfile keys/RootCA.key
Generate the third-level CA (enter ThirdCA as the Common Name, with the same C, ST and O again)
openssl genrsa -des3 -out keys/thirdCA.key 2048
openssl rsa -in keys/thirdCA.key -out keys/thirdCA.key
openssl req -new -days 3650 -key keys/thirdCA.key -out keys/thirdCA.csr
openssl ca -extensions v3_ca -in keys/thirdCA.csr -config /etc/pki/tls/openssl.cnf -days 3650 -out keys/thirdCA.crt -cert keys/secondCA.crt -keyfile keys/secondCA.key
Issue the server certificate with the third-level CA (enter the server's host name as the Common Name, with the same C, ST and O again)
openssl genrsa -des3 -out keys/server.key 2048
openssl rsa -in keys/server.key -out keys/server.key
openssl req -new -days 3650 -key keys/server.key -out keys/server.csr
openssl ca -in keys/server.csr -config /etc/pki/tls/openssl.cnf -days 3650 -out keys/server.crt -cert keys/thirdCA.crt -keyfile keys/thirdCA.key
Notes:
Specify the subject on the command line instead of answering the prompts (quote it, since the values contain spaces):
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=PAX/OU=Common Software/CN=Server CA/emailAddress=qiaojx@paxsz.com"
Skip the passphrase prompt when generating a key:
omit -des3 (the openssl rsa -in ... -out ... step above strips the passphrase again anyway, so those keys end up unencrypted on disk either way)
Suppress the "Sign the certificate? [y/n]" and commit prompts in openssl ca:
-batch
-days given to openssl req only takes effect together with -x509; for a CSR the validity period is the -days passed to openssl ca.
Convert a .crt to PEM format. The .crt files written by openssl ca above are already PEM (with a human-readable dump in front of the BEGIN CERTIFICATE block); this rewrites the file as bare PEM. For a DER-encoded input add -inform DER:
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
Revoking a certificate
First:
echo 00 > /etc/pki/CA/crlnumber
Normally an unexpired certificate only needs revoking when, for example, the holder's private key has leaked. (With a test CA like this one the command is rarely needed, except to exercise revocation handling itself.)
Assuming the certificate to revoke is client.pem, run the following. The CA named with -cert/-keyfile must be the one that issued client.pem: a certificate issued by ThirdCA above has to be revoked with thirdCA.crt/thirdCA.key, and the CRL must then be signed by that same CA, or relying parties will not apply it to that certificate.
openssl ca -revoke client.pem -cert RootCA.pem -keyfile RootCA.key -config /etc/pki/tls/openssl.cnf
Generating the certificate revocation list (CRL)
To publish the list of revoked certificates, generate a CRL:
openssl ca -gencrl -out client.crl -cert RootCA.pem -keyfile RootCA.key -config /etc/pki/tls/openssl.cnf
Add -crldays or -crlhours to set how many days (or hours) until the next CRL is due; this becomes the CRL's nextUpdate field, and OpenSSL's verifier rejects a CRL whose nextUpdate has passed.
Inspect the contents of client.crl with:
openssl crl -in client.crl -text -noout
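As an added example that is not part of the original notes, the script below carries the whole procedure above (initialization, RootCA, SecondCA, ThirdCA, server certificate) and the revocation and CRL steps through non-interactively in a scratch directory, and adds the check the notes leave out: openssl verify with the root as trust anchor and the two intermediates passed as -untrusted, then again with -crl_check after the server certificate has been revoked. It assumes a temporary directory instead of /etc/pki/CA, a minimal openssl.cnf of its own instead of /etc/pki/tls/openssl.cnf, and made-up subject values (/C=CN/ST=Guangdong/O=PAX, www.example.com) and a v3_server extension section; none of those come from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): the RootCA -> SecondCA -> ThirdCA
# -> server chain built non-interactively in a scratch directory and verified,
# then the server certificate revoked by its issuer (ThirdCA), a CRL published
# and verification re-run with CRL checking.  Assumptions: CA state lives in
# $CA_DIR (a mktemp dir, not /etc/pki/CA); the minimal openssl.cnf written below
# stands in for /etc/pki/tls/openssl.cnf; /C=CN/ST=Guangdong/O=PAX, the host
# name www.example.com and the v3_server section are made up for the demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }
CA_DIR="${CA_DIR:-$(mktemp -d)}"
SUBJ_BASE="/C=CN/ST=Guangdong/O=PAX"   # C/ST/O must match the issuer under policy_match
# Only the sections "openssl ca" and "openssl req" actually read. All three CAs
# share one database here for brevity; a real deployment gives each its own.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
crlnumber     = \$dir/crlnumber
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:false
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
# Key and CSR for one name: no -des3, so no passphrase; -subj, so no DN prompts.
make_csr() {  # <file-name> <common-name>
    openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/$1.key" \
        -subj "$SUBJ_BASE/CN=$2" -out "$CA_DIR/$1.csr"
}
# Sign a CSR with the given CA: -batch skips the y/n prompts, -notext keeps the
# human-readable dump out of the .crt so the files can be concatenated.
sign() {  # <file-name> <issuer-file-name> <extension-section>
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 3650 \
        -cert "$CA_DIR/$2.crt" -keyfile "$CA_DIR/$2.key" -extensions "$3" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}
build_chain() {
    mkdir -p "$CA_DIR/newcerts"                 # openssl ca keeps a copy of every cert here
    : > "$CA_DIR/index.txt"                     # the CA database
    echo "unique_subject = no" > "$CA_DIR/index.txt.attr"
    echo 01 > "$CA_DIR/serial"                  # next serial number (hex)
    echo 01 > "$CA_DIR/crlnumber"               # next CRL number (hex)
    write_config
    openssl genrsa -out "$CA_DIR/RootCA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$CA_DIR/openssl.cnf" \
        -key "$CA_DIR/RootCA.key" -subj "$SUBJ_BASE/CN=RootCA" -out "$CA_DIR/RootCA.crt"
    make_csr secondCA SecondCA;        sign secondCA RootCA   v3_ca
    make_csr thirdCA  ThirdCA;         sign thirdCA  secondCA v3_ca
    make_csr server   www.example.com; sign server   thirdCA  v3_server
    # What a TLS server must send with its own cert: the intermediates, not the root.
    cat "$CA_DIR/secondCA.crt" "$CA_DIR/thirdCA.crt" > "$CA_DIR/chain.pem"
}
# Prints OK when server.crt chains up to the trusted RootCA through chain.pem.
verify_chain() {
    if openssl verify -CAfile "$CA_DIR/RootCA.crt" -untrusted "$CA_DIR/chain.pem" \
        "$CA_DIR/server.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Revocation and the CRL must come from the issuing CA (ThirdCA): a CRL signed
# by RootCA says nothing about certificates ThirdCA issued.
revoke_server() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -cert "$CA_DIR/thirdCA.crt" \
        -keyfile "$CA_DIR/thirdCA.key" -revoke "$CA_DIR/server.crt" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -cert "$CA_DIR/thirdCA.crt" \
        -keyfile "$CA_DIR/thirdCA.key" -gencrl -crldays 7 -out "$CA_DIR/thirdCA.crl" 2>/dev/null
}
# The same check with -crl_check: prints REVOKED once server.crt is on ThirdCA's CRL.
verify_with_crl() {
    out=$(openssl verify -crl_check -CAfile "$CA_DIR/RootCA.crt" -CRLfile "$CA_DIR/thirdCA.crl" \
        -untrusted "$CA_DIR/chain.pem" "$CA_DIR/server.crt" 2>&1) && { echo OK; return 0; }
    case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
}
build_chain
echo "chain: $(verify_chain)"                   # chain: OK
revoke_server
echo "with CRL: $(verify_with_crl)"             # with CRL: REVOKED
echo "CA state left in $CA_DIR (try: openssl crl -in $CA_DIR/thirdCA.crl -text -noout)"
```

Run it with sh; it prints chain: OK and then with CRL: REVOKED. The two verify calls are the point: plain chain validation still succeeds after the revocation, because a CRL is only consulted when the relying party asks for it with -crl_check, and then only a CRL signed by ThirdCA, the issuer of server.crt, is accepted for that certificate.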