OpenSSL basics
Show the OpenSSL version
openssl version
Show detailed version information (build options, compiler, and OPENSSLDIR, which is where the default openssl.cnf is read from)
openssl version -a
CA directory layout expected by the default configuration (/etc/pki/tls/openssl.cnf on RHEL/CentOS):
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
Generate a self-signed CA certificate
On the host that will act as the CA, generate the root key and a self-signed certificate.
Generate the CA root key (umask 077 so the key file is created with mode 0600; only root should ever read it)
umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096
Generate the CA self-signed certificate (-x509 makes req emit a certificate rather than a CSR)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
Note: the following fields are required. With the default policy (policy_match), every request signed later must use the same Country, State and Organization values as the CA certificate, and must supply a Common Name.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Common Name (eg, your name or your server's hostname) []:10.216.91.117
A server that needs a certificate for secure communication requests a signed certificate from the CA
Generate the private key (the /etc/pki/CA/https directory is not part of the default layout; create it first)
umask 077; openssl genrsa -out /etc/pki/CA/https/httpd.key 2048
Generate the certificate signing request. Answer Country, State and Organization with the same values the CA used. Note that -days has no effect here: a CSR carries no validity period; the CA decides it at signing time.
openssl req -new -key /etc/pki/CA/https/httpd.key -out /etc/pki/CA/https/httpd.csr -days 365
Send only the request (httpd.csr) to the CA host over a trusted channel; the private key never leaves the server
Sign the certificate on the CA host. openssl ca needs its database file (index.txt) to exist, and also a serial file (/etc/pki/CA/serial containing e.g. 01, or pass -create_serial); the output below shows a serial of 1, so the serial file was already in place.
touch /etc/pki/CA/index.txt
openssl ca -in /etc/pki/CA/https/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 7 03:22:18 2020 GMT
Not After : Jul 7 03:22:18 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = Default Company Ltd
commonName = 10.216.91.117
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F7:7A:46:30:2A:0E:C2:41:80:F0:D9:FB:0F:64:9F:CE:56:13:33:BD
X509v3 Authority Key Identifier:
keyid:B4:91:CE:D9:99:FF:3E:A9:90:E0:47:0B:8B:41:04:16:FD:8C:41:0D
Problems encountered:
The mandatory stateOrProvinceName field was missing
The commonName field needed to be supplied and was missing
The countryName field needed to be the same in the CA certificate (XX) and the request (CN)
All three errors come from the policy_match section of openssl.cnf (policy = policy_match): countryName, stateOrProvinceName and organizationName are "match" (they must equal the CA certificate's values), commonName is "supplied". Either regenerate the CSR with the CA's C/ST/O and a CN, or sign with -policy policy_anything, which only requires a CN.
Revoke a certificate
On the client, read the serial number of the certificate to revoke
openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=BJ/O=Default Company Ltd/CN=10.216.91.117
On the CA server, revoke the certificate
Using the serial found above, revoke the copy that openssl ca kept in newcerts/ (named <serial>.pem). This only marks the entry in index.txt as R; clients see nothing until a CRL is published.
openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Create the CRL number file (only needed once, before the first CRL is generated; -gencrl fails without it)
echo 01 > /etc/pki/CA/crlnumber
Generate (or regenerate) the certificate revocation list; repeat this after every revocation and distribute the new CRL
openssl ca -gencrl -out /etc/pki/CA/thisca.crl
View the CRL file
openssl crl -in /etc/pki/CA/thisca.crl -noout -text
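The whole workflow above (root key and self-signed CA certificate, server key and CSR, signing with openssl ca, revocation, CRL generation, and the policy_match requirement that caused the errors) as one self-contained script. This is an added example, not code from the original notes: it builds a throwaway CA under a temp directory with its own openssl.cnf instead of /etc/pki/CA, so it runs offline without touching the system CA. It assumes OpenSSL 1.1.1 or newer on PATH; "Demo CA", "www.example.test" and every path are made up for the demo. It also goes one step beyond the page by putting a subjectAltName in the CSR (copy_extensions = copy carries it into the certificate), since browsers ignore the CN when checking the host name.

```shell
#!/bin/sh
# Added example, not from the original notes: throwaway CA in a temp dir that mirrors
# the page's workflow (CA key + self-signed cert, CSR, openssl ca, revoke, CRL).
# Assumptions: OpenSSL 1.1.1+ on PATH; names and paths are invented for the demo.
set -eu

demo_ca_setup() {
  DEMO_DIR=$(mktemp -d)
  mkdir -p "$DEMO_DIR/certs" "$DEMO_DIR/crl" "$DEMO_DIR/newcerts" "$DEMO_DIR/private"
  chmod 700 "$DEMO_DIR/private"
  : > "$DEMO_DIR/index.txt"        # database that openssl ca appends to
  echo 01 > "$DEMO_DIR/serial"     # next certificate serial (the notes above skip this file)
  echo 01 > "$DEMO_DIR/crlnumber"  # next CRL number; must exist before -gencrl
  cat > "$DEMO_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $DEMO_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = server_cert
copy_extensions  = copy
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
req_extensions     = v3_req
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
subjectAltName = DNS:www.example.test
EOF
  # CA root key (umask 077 as on the page keeps it 0600) and self-signed CA certificate
  (umask 077; openssl genrsa -out "$DEMO_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$DEMO_DIR/openssl.cnf" -key "$DEMO_DIR/private/cakey.pem" \
    -subj "/C=CN/ST=BJ/O=Demo CA/CN=Demo Root CA" -days 3650 -out "$DEMO_DIR/cacert.pem" 2>/dev/null
}

# Server side: key + CSR whose C/ST/O equal the CA's (policy_match) and carry a SAN;
# CA side: sign it. Prints "issued_ok san=1" when the cert chains to the CA and has the SAN.
demo_issue_cert() {
  (umask 077; openssl genrsa -out "$DEMO_DIR/private/server.key" 2048 2>/dev/null)
  openssl req -new -config "$DEMO_DIR/openssl.cnf" -key "$DEMO_DIR/private/server.key" \
    -subj "/C=CN/ST=BJ/O=Demo CA/CN=www.example.test" -out "$DEMO_DIR/server.csr" 2>/dev/null
  # -batch skips the y/n prompts; the validity is decided here (-days), not in the CSR
  openssl ca -batch -config "$DEMO_DIR/openssl.cnf" -in "$DEMO_DIR/server.csr" \
    -out "$DEMO_DIR/certs/server.crt" -days 365 -notext >/dev/null 2>&1
  san=$(openssl x509 -in "$DEMO_DIR/certs/server.crt" -noout -text | grep -c 'DNS:www.example.test' || true)
  if openssl verify -CAfile "$DEMO_DIR/cacert.pem" "$DEMO_DIR/certs/server.crt" >/dev/null 2>&1; then
    echo "issued_ok san=$san"
  else
    echo "issued_fail san=$san"
  fi
}

# Read the serial from the cert (as on the page), revoke newcerts/<serial>.pem, publish a
# CRL, and confirm that a CRL-aware verify now rejects the cert. Prints "revoked serial=01 crl_entries=1".
demo_revoke_cert() {
  serial=$(openssl x509 -in "$DEMO_DIR/certs/server.crt" -noout -serial | cut -d= -f2)
  openssl ca -config "$DEMO_DIR/openssl.cnf" -revoke "$DEMO_DIR/newcerts/$serial.pem" >/dev/null 2>&1
  openssl ca -config "$DEMO_DIR/openssl.cnf" -gencrl -out "$DEMO_DIR/crl/ca.crl" >/dev/null 2>&1
  entries=$(openssl crl -in "$DEMO_DIR/crl/ca.crl" -noout -text | grep -c "Serial Number: $serial" || true)
  if openssl verify -crl_check -CAfile "$DEMO_DIR/cacert.pem" -CRLfile "$DEMO_DIR/crl/ca.crl" \
       "$DEMO_DIR/certs/server.crt" >/dev/null 2>&1; then
    echo "still_valid serial=$serial crl_entries=$entries"
  else
    echo "revoked serial=$serial crl_entries=$entries"
  fi
}

demo_cleanup() { rm -rf "$DEMO_DIR"; }

# Stand-alone run: build the CA, issue a cert, revoke it, report, clean up
demo_ca_setup
echo "demo CA in $DEMO_DIR"
demo_issue_cert
demo_revoke_cert
demo_cleanup
```

Without -crl_check (or with a stale CRL) the final verify still says OK, which is the practical point of the CRL step on the page: revocation is only effective once clients fetch the regenerated CRL.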