Issuing certificates with a CA
Creating a CA and requesting a certificate:
Default certificate configuration file (excerpt):
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
                     # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
                           # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
[root@node01 ~]# hostname -i    # node01, the client
192.168.100.10
[root@node02 ~]# hostname -i    # node02, the server (CA)
192.168.100.20
CA default configuration file: /etc/pki/tls/openssl.cnf
1. Generate the CA private key:
[root@node02 CA]# touch /etc/pki/CA/index.txt
[root@node02 CA]# echo 01 > /etc/pki/CA/serial
[root@node02 CA]# (umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.+++
.............................................................................................................................................................................................................+++
2. Generate the self-signed CA certificate:
[root@node02 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacer.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:admin@magedu.com
3. View the certificate contents:
[root@node02 CA]# openssl x509 -in cacer.pem -noout -text
4. View the cacer.pem certificate on Windows:
5. Install the certificate on Windows/Mac:
Windows:
Certificate:
Verify:
6. Issue a certificate:
1. Generate the requester's private key:
[root@node01 app]# ( umask 066; openssl genrsa -out app.key 2048)
2. Generate the certificate signing request (CSR):
[root@node01 app]# openssl req -new -key app.key -days 365 -out app.csr
7. Copy the CSR to /etc/pki/CA on node02:
[root@node01 app]# scp ./app.csr node02:/etc/pki/CA/
8. Error when issuing the certificate (the CA certificate was written as cacer.pem in step 2, but openssl.cnf expects cacert.pem):
[root@node02 CA]# openssl ca -in app.csr -out app.cer -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
140251176069008:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/cacert.pem','r')
140251176069008:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node02 CA]# mv cacer.pem cacert.pem
9. The CA signs the certificate and issues it to the requester:
[root@node02 CA]# openssl ca -in app.csr -out app.cer -days 100
Finally, import the certificate into the browser or into the corresponding app's web service.
The CA can issue multiple certificates:
[root@node02 CA]# (umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
[root@node02 CA]# openssl req -new -key /etc/pki/tls/private/test.key -out test.csr
[root@node02 CA]# vim /etc/pki/tls/openssl.cnf
[root@node02 CA]# openssl ca -in ./test.csr -out test.cer -days 300
Signing the same certificate request again (a second certificate for the same subject):
[root@node02 CA]# openssl ca -in ./app.csr -out app.cer -days 300
[root@node02 CA]# cat index.txt.attr
unique_subject = yes
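The whole flow from steps 1 to 9, plus the unique_subject refusal shown just above, as an added shell example that is not the post's own code: it reproduces the procedure in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf (nothing under /etc/pki is touched), names the CA certificate cacert.pem as the config expects, and adds the two checks worth running afterwards, openssl verify against the CA and a permission check on the key file. It assumes only that openssl is on PATH; the directory, file names and subject names are constructed for the example.

```shell
# Added example, not the post's code: its CA flow with fixes and checks, in a temp dir (assumes only openssl on PATH).
set -eu
# make_ca DIR: CA layout + minimal openssl.cnf; key made under umask 066 (note the space), self-signed as cacert.pem.
make_ca() {
    dir=$1; mkdir -p "$dir/private" "$dir/newcerts"
    : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
policy = policy_any
unique_subject = yes
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -days 3650 -subj "/C=CN/O=magedu/CN=ca.magedu.com" -out "$dir/cacert.pem"
}
# issue_cert DIR NAME CN: requester key + CSR, then the CA signs; validity is set by openssl ca -days (req's -days is ignored).
issue_cert() {
    (umask 066; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -subj "/CN=$3" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.cer" -days 100 2>/dev/null
}
# verify_issued DIR NAME: the cert chains to our CA and the key never became group/world-readable.
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.cer" >/dev/null &&
        [ "$(ls -l "$1/$2.key" | cut -c1-10)" = "-rw-------" ]
}
d=$(mktemp -d); make_ca "$d"; issue_cert "$d" app app.magedu.com; verify_issued "$d" app
# Re-signing the same subject is refused while unique_subject = yes (openssl ca also records it in index.txt.attr).
issue_cert "$d" app app.magedu.com 2>/dev/null && echo "duplicate subject signed?!" || { echo "second request refused:"; cat "$d/index.txt.attr"; }
```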