需求描述:
(1) 在节点上搭建一个CA;
(2) 给用户user1颁发证书;
(3) 验证证书的可信。
1.创建CA
–(1)创建CA需要用到的目录和文件
–mkdir "$HOME/testca"
–cd "$HOME/testca"
–mkdir newcerts private conf
–chmod g-rwx,o-rwx private
–echo"01" > serial
–touchindex.txt
•说明:
–$HOME/testca为待建CA的主目录,其中,
•newcerts子目录将存放CA签署(颁发)过的数字证书(证书备份目录);
•Private子目录用于存放CA的私钥;
•目录conf只是用于存放一些简化参数用的配置文件;
•文件serial和index.txt分别用于存放下一个证书的序列号和证书信息数据库。
–(2)生成CA的私钥和自签名证书(即根证书)
–vi"$HOME/testca/conf/gentestca.conf"
–cd "$HOME/testca"
–openssl req -x509 -newkey rsa:2048 -outcacert.pem -outform PEM -days 2190 -config "$HOME/testca/conf/gentestca.conf"
–查看证书(私钥存储文件/private/cakey.pem)
•openssl x509 -in cacert.pem-text -noout
–(3)创建一个配置文件,以便后续CA日常操作中使用
–vi"$HOME/testca/conf/testca.conf"
•2. CA给User1签发证书
–(1)CA为网关User1创建密钥和证书请求(证书请求里包含了公钥)
–mkdir $HOME/testuser
–cd $HOME/testuser
–openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem-outform PEM -subj "/O=TestCom/OU=TestOU/CN=testuser“
–查看req
–openssl req -in testreq.pem-text -noout
–(2)CA为user1签发证书
–openssl ca -in testreq.pem-out testcert.pem -config "$HOME/testca/conf/testca.conf"
–查看证书
–openssl x509 -intestcert.pem -text -noout
•3.证书可信校验163
–openssl verify -CAfile testca/cacert.pem –verbose testuser/testcert.pem
文件:gentestca.conf
==============================
[ req ]
default_keyfile = $ENV::HOME/testca/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ ca_distinguished_name ]
organizationName = TestOrg
organizationalUnitName = TestDepartment
commonName = TestCA
emailAddress = ca_admin@testorg.com
[ ca_extensions ]
basicConstraints = CA:true
[ req ]
default_keyfile = $ENV::HOME/testca/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ ca_distinguished_name ]
organizationName = TestOrg
organizationalUnitName = TestDepartment
commonName = TestCA
emailAddress = ca_admin@testorg.com
[ ca_extensions ]
basicConstraints = CA:true
==================================
文件:testca.conf
==================
[ ca ]
default_ca = testca # The default ca section
[ testca ]
dir = $ENV::HOME/testca # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem # CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
policy = policy_any # default policy
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
default_ca = testca # The default ca section
[ testca ]
dir = $ENV::HOME/testca # top dir
database = $dir/index.txt # index file.
new_certs_dir = $dir/newcerts # new certs dir
certificate = $dir/cacert.pem # The CA cert
serial = $dir/serial # serial no file
private_key = $dir/private/cakey.pem # CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
policy = policy_any # default policy
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
==================================
1983
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
