Using openssl to simulate a CA and sign certificates
Encrypted communication over SSL/TLS requires digital certificates. If the communication is confined to a local network, there is no need to apply to a third-party authority for a certificate: openssl can be used to simulate a CA (Certificate Authority), and that CA can then issue the certificates. The following describes the concrete steps for issuing certificates with the openssl tool on CentOS 7.3.
1 Creating the simulated CA
1.1 Editing the configuration file /etc/pki/tls/openssl.cnf
Open the openssl configuration file /etc/pki/tls/openssl.cnf and change the CA's default information as follows:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ZTE
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
Explanation of the configuration items:
- countryName_default, the default two-letter country code, set here to CN;
- stateOrProvinceName_default, the default province name, set here to JangSu;
- localityName_default, the default city name, set here to NanJing;
- 0.organizationName_default, the default organization name, set here to ZTE;
- organizationalUnitName_default, the default department name, set here to Tech;
1.2 Generating the CA's self-signed certificate
Generate the CA private key
(umask 077; openssl genrsa -out private/cakey.pem 2048)
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
..........+++
e is 65537 (0x10001)
Generate the self-signed certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JangSu]:
Locality Name (eg, city) [NanJing]:
Organization Name (eg, company) [ZTE]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.xiaojie.com
Email Address []:xiaojie@163.com
[root@localhost CA]# ls private cacert.pem cakey.pem
- cakey.pem is the CA's private key;
- cacert.pem is the CA's self-signed certificate;
View the contents of the certificate
openssl x509 -text -in cacert.pem
[root@localhost CA]# openssl x509 -text -in cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13441978108521887108 (0xba8b7fdefd063584)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=JS, L=NanJing, O=ZTE, OU=Tech, CN=ca.xiaojie.com/emailAddress=caxiaojie@163.com
        Validity
            Not Before: Jun 2 03:30:22 2018 GMT
            Not After : Jun 2 03:30:22 2019 GMT
        Subject: C=CN, ST=JS, L=NanJing, O=Ztesoft, OU=Tech, CN=ca.xiaojie.com/emailAddress=caxiaojie@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d2:ce:94:8e:26:52:bd:6e:7d:54:31:02:20:57:
                    01:81:1b:fc:24:3b:b1:e8:f1:4c:5d:e2:49:d8:5f:
                    5c:5e:02:89:76:29:f5:8d:33:17:98:06:80:06:ee:
                    37:dd:87:47:0d:f1:56:f0:cb:5e:5a:30:dc:31:46:
                    5a:cb:74:4c:76:8c:58:0b:bd:85:ff:15:16:67:64:
                    99:dd:53:3b:d0:6b:23:e3:35:3d:56:4a:ea:5d:89:
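The same procedure (CA key, self-signed CA certificate, inspection) as an added, non-interactive script that is not part of the original post: instead of editing /etc/pki/tls/openssl.cnf it writes the DN defaults into a private config file (the name ca.cnf and its v3_ca section are this example's own), and it then checks what the post only eyeballs in the x509 -text output: key file permissions, that the key matches the certificate, that the certificate carries the CA flag, and that it verifies against itself. It assumes openssl is on PATH and that the argument is a scratch directory, not /etc/pki/CA.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the same CA as the
# post but non-interactively (DN fields in a private config instead of editing
# /etc/pki/tls/openssl.cnf) and then checks the result. Assumes `openssl` is on
# PATH and $1 is a scratch directory, not /etc/pki/CA.
set -eu

make_ca() {
    dir="$1"
    mkdir -p "$dir/private"
    # same DN defaults the post put in openssl.cnf, plus CA extensions
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
C = CN
ST = JangSu
L = NanJing
O = ZTE
OU = Tech
CN = ca.xiaojie.com
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # private key is created owner-readable only, as in the post's (umask 077; ...)
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 365 -sha256 -config "$dir/ca.cnf" \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem"
}

# Returns 0 only if the CA looks sane: key permissions, key/cert match,
# CA flag present, and the self-signed certificate verifies against itself.
check_ca() {
    dir="$1"
    [ "$(ls -l "$dir/private/cakey.pem" | cut -c1-10)" = "-rw-------" ] || return 1
    kmod=$(openssl rsa -noout -modulus -in "$dir/private/cakey.pem")
    cmod=$(openssl x509 -noout -modulus -in "$dir/cacert.pem")
    [ "$kmod" = "$cmod" ] || return 1
    openssl x509 -noout -text -in "$dir/cacert.pem" | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cacert.pem" >/dev/null 2>&1
}
```

Run as `make_ca /tmp/ca && check_ca /tmp/ca && echo OK`; the modulus comparison is the same check you would apply to any server key/certificate pair before deploying it.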