vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept #存放目录
certs = $dir/certs # Where the issued certs are kept #存放证书目录
crl_dir = $dir/crl # Where the issued crl are kept #证书吊销列表
database = $dir/index.txt # database index file. #证书索引数据库文件
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate #CA自己证书
serial = $dir/serial # The current serial number #证书编号
crlnumber = $dir/crlnumber # the current crl number #证书吊销列表编号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL #证书吊销列表文件
private_key = $dir/private/cakey.pem # The private key #CA私钥
三种策略:match匹配、optional可选、supplied提供
match:要求申请填写的信息跟CA设置信息必须一致
optional:可有可无,跟CA设置信息可不一致
supplied:必须填写这项申请信息
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#############################################
1.创建CA所需文件
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 01 >/etc/pki/CA/serial #指定第一个颁发证书的序列号
2.生成CA私钥
cd /etc/pki/CA/
openssl genrsa -out private/cakey.pem 2048 # 生成后执行 chmod 600 private/cakey.pem
3.生成CA自签名证书
国家代码:https://country-code.cl/
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
国家#Country Name (2 letter code) [XX]:CN
省#State or Province Name (full name) []:beijing
城市#Locality Name (eg, city) [Default City]:beijing
公司#Organization Name (eg, company) [Default Company Ltd]:magedu
部门#Organizational Unit Name (eg, section) []:m48
服务(域名)#Common Name (eg, your name or your server's hostname) []:ca.magedu.org
邮箱#Email Address []:admin@magedu.org
查看证书信息#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
################################################################################################
申请颁发证书
1、为需要使用证书的主机生成私钥
openssl genrsa -out /tmp/www.key # 生成后执行 chmod 600 /tmp/www.key
2、为需要使用证书的主机生成证书申请文件
openssl req -new -key /tmp/www.key -out /tmp/www.csr
国家#Country Name (2 letter code) [XX]:CN
省#State or Province Name (full name) []:beijing
城市#Locality Name (eg, city) [Default City]:beijing
公司#Organization Name (eg, company) [Default Company Ltd]:magedu
部门#Organizational Unit Name (eg, section) []:m50
服务(域名)#Common Name (eg, your name or your server's hostname) []:www.magedu.org
3、在CA签署证书并将证书颁发给请求者
openssl ca -in /tmp/www.csr -out /etc/pki/CA/certs/www.crt -days 100 #100天
注意:默认的 policy_match 策略要求 国家、省、公司名称三项必须和CA一致
4、查看证书中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text (或改用 -issuer、-subject、-serial、-dates 只显示对应字段)
openssl x509 -in certs/www.crt -noout -text
################################################################################################
吊销证书
吊销证书# openssl ca -revoke /etc/pki/CA/certs/www.crt
初始化吊销列表编号文件# echo 01 > /etc/pki/CA/crlnumber
更新吊销列表文件# openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看证书状态(按序列号)# openssl ca -status 01
CA私有证书实例
创建CA所需文件
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 01 >/etc/pki/CA/serial
cd /etc/pki/CA/
生成CA私钥
openssl genrsa -out private/cakey.pem 2048
生成CA自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:wanghaha
Organizational Unit Name (eg, section) []:haha
Common Name (eg, your name or your server's hostname) []:CA
为需要使用证书的主机生成私钥
openssl genrsa -out /ss/wang.key
为需要使用证书的主机生成证书申请文件
openssl req -new -key /ss/wang.key -out /ss/wang.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:wanghaha
Organizational Unit Name (eg, section) []:hehe
Common Name (eg, your name or your server's hostname) []:www.wang.com
在CA签署证书并将证书颁发给请求者
openssl ca -in /ss/wang.csr -out /etc/pki/CA/certs/wang.crt -days 3650
查看证书中的信息
openssl x509 -in certs/wang.crt -noout -text
吊销
openssl ca -revoke /etc/pki/CA/certs/wang.crt
初始化吊销列表编号文件
echo 01 > /etc/pki/CA/crlnumber
更新吊销列表文件
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看证书状态
openssl ca -status 01
CA私有证书命令版
#####CA端操作
dnf -y install openssl-perl
vim /usr/bin/CA.pl
my $DAYS = "-days 365"; 改为 "-days 3650" # 私钥
my $CADAYS = "-days 1095"; 改为 "-days 7300" # CA本身证书
CA.pl -newca #搭建CA
[root@rocky ~]# CA.pl -newca
Enter PEM pass phrase:1234
Verifying - Enter PEM pass phrase:1234
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wanghaha
Organizational Unit Name (eg, section) []:wanghaha
Common Name (eg, your name or your server's hostname) []:CA
A challenge password []:1234
An optional company name []:1234
[root@rocky mnt]# mkdir server{1..7}
#####客户端操作
dnf -y install openssl-perl
[root@centos8-node1 yum.repos.d]# CA.pl -newreq
Enter PEM pass phrase:1111
Verifying - Enter PEM pass phrase:1111
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wanghaha
Organizational Unit Name (eg, section) []:wanghaha
Common Name (eg, your name or your server's hostname) []:server1
#####CA端操作
[root@rocky mnt]# cd server1/
[root@rocky server1]# scp root@192.168.1.111:/etc/yum.repos.d/newreq.pem ./
[root@rocky server1]# vim /etc/pki/tls/openssl.cnf
default_days = 365 改成 3650
[root@rocky server1]# CA.pl -sign #签名
Enter pass phrase for /etc/pki/CA/private/cakey.pem:1234
Certificate is to be certified until Aug 12 15:37:51 2032 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@rocky server1]# scp newcert.pem root@192.168.1.111:/etc/yum.repos.d/
#####客户端操作
[root@centos8-node1 yum.repos.d]# openssl rsa -in newkey.pem -out newkey-1.pem # 生成一个不需要密码的key
[root@centos8-node1 yum.repos.d]# ll
-rw-r--r-- 1 root root 4547 Aug 15 11:39 newcert.pem
-rw------- 1 root root 1679 Aug 15 11:41 newkey-1.pem
-rw------- 1 root root 1854 Aug 15 11:29 newkey.pem
-rw-r--r-- 1 root root 1005 Aug 15 11:30 newreq.pem