openssl实现私有CA
目录
CA的配置文件:/etc/pki/tls/openssl.cnf
CA生成一对密钥
创建/etc/pki/CA/private目录
[root@localhost ~]# mkdir /etc/pki/CA/private
[root@localhost ~]# cd /etc/pki/CA
生成密钥
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...........................................................+++++
e is 65537 (0x010001)
CA生成自签署证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //国家
State or Province Name (full name) []:HB //省份
Locality Name (eg, city) [Default City]:WH //城市
Organization Name (eg, company) [Default Company Ltd]:baidu //公司
Organizational Unit Name (eg, section) []:baidu //组织名称
Common Name (eg, your name or your server's hostname) []:www.baidu.com //你证书域名
Email Address []:123456@qq.com //你的邮箱
[root@localhost CA]# ls
cacert.pem private
创建空目录和空文件
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
创建目录来放置证书
[root@localhost ~]# mkdir -p /usr/local/apache/conf/ssl
[root@localhost ~]# cd /usr/local/apache/conf/ssl/
生成自生的密钥
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
.........................+++++
e is 65537 (0x010001)
[root@localhost ssl]# ls
httpd.key
客户端生成证书请求
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:baidu
Organizational Unit Name (eg, section) []:baidu
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:123456@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:baidu
CA签署证书
[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 26 13:32:19 2022 GMT
Not After : Dec 26 13:32:19 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = baidu
organizationalUnitName = baidu
commonName = www.baidu.com
emailAddress = 123456@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AB:A2:A6:6D:D0:17:95:10:F1:7F:C1:F7:CD:2D:53:41:BA:B7:C5:42
X509v3 Authority Key Identifier:
keyid:40:49:B6:D4:86:D7:56:BB:76:F9:82:E2:BF:72:B0:C2:DC:0F:6C:6B
Certificate is to be certified until Dec 26 13:32:19 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key