Building your own CA and using it to issue certificates

Creating the CA:

1. Install openssl

[root@localhost ~]# yum install -y openssl

2. Create the CA's directories and files

mkdir /opt/root_ca && \
cd /opt/root_ca && \
mkdir newcerts private crl && \
touch index.txt && \
touch serial && \
echo 01 > serial

Notes:

# The newcerts directory holds the certificates the CA has signed (issued); it serves as the certificate backup directory.

# The private directory holds the CA's private key.

# The files serial and index.txt hold, respectively, the serial number of the next certificate and the certificate information database.

# The serial file is initialised with the serial number of the first certificate (for example 10000001); after each certificate is issued, the serial number is incremented by 1 automatically.

3. Edit the openssl configuration file

vim /etc/pki/tls/openssl.cnf

[ CA_default ]

dir = /opt/root_ca

[ policy_match ]

countryName=match

stateOrProvinceName=optional

organizationName=optional

organizationalUnitName=optional

commonName=supplied

emailAddress = optional

Notes:

match    means the field (here the country name) is checked strictly

optional means the field is optional

This "match" means that when a certificate is issued, the corresponding field in the request is checked against the same field in the root certificate.

The parts shown in bold are the settings that need to be changed; adjust the actual values to your own environment.

4. Generate the CA private key

[root@localhost root_ca]# openssl genrsa -out private/ca.key

Generating RSA private key, 2048 bit long modulus

..................+++...............................+++

e is 65537 (0x10001)

5. Generate the CA certificate request with the private key

[root@localhost root_ca]# openssl req -new -key private/ca.key -out ca.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BJ

Locality Name (eg, city) [Default City]:BJ

Organization Name (eg, company) [Default Company Ltd]:ESTREND

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:www.estrend.com

Email Address []:admin@estrend.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

6. Generate the CA root certificate from the CA private key and the certificate request

[root@localhost root_ca]# openssl x509 -req -days 3650 -in ca.csr -signkey private/ca.key -out ca.crt

Signature ok

subject=/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com

Getting Private key

Issuing a certificate:

1. Generate the private key

[root@localhost s1]# openssl genrsa -out server.key

Generating RSA private key, 2048 bit long modulus

..................+++...............................+++

e is 65537 (0x10001)

2. Generate the certificate request

[root@localhost server]# openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BJ

Locality Name (eg, city) [Default City]:BJ

Organization Name (eg, company) [Default Company Ltd]:ESTREND

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:www.123.com

Email Address []:admin@123.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

3. Issue the certificate

[root@localhost server]# openssl ca -in server.csr -cert /opt/root_ca/ca.crt -keyfile /opt/root_ca/private/ca.key -out server.crt -days 3650

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: May  9 07:50:01 2019 GMT

Not After : May  6 07:50:01 2029 GMT

Subject:

countryName=CN

stateOrProvinceName=BJ

organizationName=ESTREND

organizationalUnitName=IT

commonName = www.123.com

emailAddress = admin@123.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

EA:DB:4B:E6:18:C6:23:15:33:86:EA:C2:7B:D5:60:85:FB:45:41:D4

X509v3 Authority Key Identifier:

DirName:/C=CN/ST=BJ/L=BJ/O=ESTREND/OU=IT/CN=www.estrend.com/emailAddress=admin@estrend.com

serial:B8:7C:0A:A8:8D:2E:AF:23

Certificate is to be certified until May  6 07:50:01 2029 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated
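The whole procedure above, replayed non-interactively and then checked, as an added example that is not part of the original post: it rebuilds the root_ca layout and the policy_match section in a temporary directory with its own openssl.cnf (instead of editing /etc/pki/tls/openssl.cnf), marks the root explicitly as CA:TRUE so that openssl verify accepts it as an issuer (a v3 root without that extension is rejected as an invalid CA), signs a request with openssl ca -batch, and finally verifies the chain plus the CA database (index.txt and serial). The subjects, the 3650-day lifetimes and the temporary paths are assumptions.

```shell
# Added example, not from the original post: replays its CA layout, policy_match and
# `openssl ca` issuance non-interactively, then checks the result. Subjects, lifetimes, paths assumed.
setup_ca() {  # $1 = work dir; same layout as the post's /opt/root_ca
  ca="$1/root_ca"; mkdir -p "$ca/newcerts" "$ca/private" "$ca/crl" || return 1
  touch "$ca/index.txt"; echo 01 > "$ca/serial"    # empty database, first serial 01
  cat > "$ca/openssl.cnf" <<EOF   # private config; root gets CA:TRUE so verify accepts it as issuer
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$ca/private/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$ca/private/ca.key" -out "$ca/ca.crt" \
      -config "$ca/openssl.cnf" -extensions v3_ca -subj "/C=CN/ST=BJ/O=ESTREND/CN=Demo Root CA"
}
issue_cert() {  # $1 = work dir, $2 = server name; the post's "issuing a certificate" steps 1-3
  ca="$1/root_ca"; srv="$1/$2"; mkdir -p "$srv" || return 1
  openssl genrsa -out "$srv/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$srv/server.key" -out "$srv/server.csr" \
      -config "$ca/openssl.cnf" -subj "/C=CN/ST=BJ/O=ESTREND/OU=IT/CN=$2" &&
    openssl ca -batch -config "$ca/openssl.cnf" -in "$srv/server.csr" -cert "$ca/ca.crt" \
      -keyfile "$ca/private/ca.key" -out "$srv/server.crt" -days 3650 2>/dev/null
}
run_demo() {  # 0 only if: leaf verifies against the root, index.txt has one V entry, serial became 02
  work=$(mktemp -d) || return 1
  setup_ca "$work" && issue_cert "$work" www.123.com &&
    openssl verify -CAfile "$work/root_ca/ca.crt" "$work/www.123.com/server.crt" 2>&1 | grep -q ': OK$' &&
    [ "$(grep -c '^V' "$work/root_ca/index.txt")" -eq 1 ] && [ "$(cat "$work/root_ca/serial")" = 02 ]
  rc=$?; rm -rf "$work"; return $rc
}
run_demo && echo "server.crt verifies against ca.crt and the CA database was updated"
```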
