Creating a self-signed certificate with OpenSSL
1. Create the required directories, plus the index and serial-number files
[root@localhost ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 00 > /etc/pki/CA/serial
2. Generate the CA private key
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
.....................................................+++
e is 65537 (0x10001)
Generate the self-signed CA certificate
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:PTG
Organizational Unit Name (eg, section) []:NOC
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:ptg@noc.com
View the certificate
[root@localhost CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8b:cb:01:8a:35:22:26:ce
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SH, L=SH, O=PTG, OU=NOC, CN=CA/emailAddress=ptg@noc.com
Validity
Not Before: Mar 14 09:18:29 2021 GMT
Not After : Mar 12 09:18:29 2031 GMT
Subject: C=CN, ST=SH, L=SH, O=PTG, OU=NOC, CN=CA/emailAddress=ptg@noc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
83:8E:2F:69:4F:5A:53:49:C0:B2:1D:67:A2:18:8D:48:F3:3D:18:2C
X509v3 Authority Key Identifier:
keyid:83:8E:2F:69:4F:5A:53:49:C0:B2:1D:67:A2:18:8D:48:F3:3D:18:2C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Generate the user (server) private key
[root@localhost CA]# mkdir -p /data/app1
[root@localhost CA]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
...+++
..+++
e is 65537 (0x10001)
Create a certificate signing request and have the CA issue the certificate file
[root@localhost CA]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:PTG
Organizational Unit Name (eg, section) []:NOC
Common Name (eg, your name or your server's hostname) []:www
Email Address []:ptg@noc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:ptg123
An optional company name []:
[root@localhost CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 14 09:32:02 2021 GMT
Not After : Mar 14 09:32:02 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = SH
organizationName = PTG
organizationalUnitName = NOC
commonName = www
emailAddress = ptg@noc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0B:8D:60:1E:15:97:AF:82:90:BF:4F:05:E4:7D:97:EA:6D:1D:FD:DB
X509v3 Authority Key Identifier:
keyid:83:8E:2F:69:4F:5A:53:49:C0:B2:1D:67:A2:18:8D:48:F3:3D:18:2C
Certificate is to be certified until Mar 14 09:32:02 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
View the issued certificate
[root@localhost CA]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=SH, L=SH, O=PTG, OU=NOC, CN=CA/emailAddress=ptg@noc.com
Validity
Not Before: Mar 14 09:32:02 2021 GMT
Not After : Mar 14 09:32:02 2022 GMT
Subject: C=CN, ST=SH, O=PTG, OU=NOC, CN=www/emailAddress=ptg@noc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0B:8D:60:1E:15:97:AF:82:90:BF:4F:05:E4:7D:97:EA:6D:1D:FD:DB
X509v3 Authority Key Identifier:
keyid:83:8E:2F:69:4F:5A:53:49:C0:B2:1D:67:A2:18:8D:48:F3:3D:18:2C
Signature Algorithm: sha256WithRSAEncryption
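The whole procedure above, as an added example that is not from the original post: it runs the same steps non-interactively in a scratch directory with a minimal stand-in for the [ CA_default ] section of /etc/pki/tls/openssl.cnf, then checks the result with openssl verify. The scratch directory, the ca.cnf file name, the DNs and the DNS:www.example.test SAN are constructed for this example; the policy section also shows why the issued certificate's subject keeps only the fields the policy lists (the post's issued certificate lost its L=SH the same way).

```shell
# Added example, not code from the original post: the same CA workflow, run
# non-interactively in a scratch dir; assumes openssl 1.1.1 or 3.x on PATH.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"; cd "$CA_DIR"   # constructed scratch location
ca_setup() {  # step 1 of the post, plus the config that openssl ca reads
  mkdir -p certs crl newcerts private
  touch index.txt; echo 00 > serial   # issuance database and next serial
  # Stand-in for [ CA_default ] in /etc/pki/tls/openssl.cnf. Subject fields the
  # policy omits (ST, O, OU here) are dropped, as the post's cert lost L=SH.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
certificate = ./cacert.pem
private_key = ./private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
}
ca_issue() {  # steps 2-4 of the post; -subj and -batch replace the prompts
  (umask 066; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
  openssl req -new -x509 -config ca.cnf -extensions v3_ca -days 3650 \
    -key private/cakey.pem -subj "/C=CN/ST=SH/L=SH/O=PTG/OU=NOC/CN=CA" -out cacert.pem
  (umask 066; openssl genrsa -out app1.key 2048 2>/dev/null)
  openssl req -new -config ca.cnf -key app1.key -subj "/C=CN/ST=SH/O=PTG/OU=NOC/CN=www" -out app1.csr
  openssl ca -batch -config ca.cnf -in app1.csr -out certs/app1.crt
}
ca_verify() {  # succeeds only if app1.crt chains to cacert.pem and the DB has 1 entry
  openssl verify -CAfile cacert.pem certs/app1.crt >/dev/null && [ "$(wc -l < index.txt)" -eq 1 ]
}
ca_setup && ca_issue && ca_verify && echo "chain OK: $CA_DIR/certs/app1.crt"
```

Unlike the post's certificate, the issued one carries a subjectAltName, which is what current TLS clients match the hostname against; a CN-only certificate is rejected by them even though openssl verify accepts the chain.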