私有CA创建的参看配置文件
/etc/pki/tls/openssl.cnf
[root@y_zilong ~]# cat /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # 所有证书存放的目录
certs = $dir/certs # 证书的位置
crl_dir = $dir/crl # 吊销证书的位置
database = $dir/index.txt # 数据库索引文件
#unique_subject = no # 设置为"no"以允许创建
# several certs with same subject. #同一主题的多个证书
new_certs_dir = $dir/newcerts # 新证书的默认位置
certificate = $dir/cacert.pem # CA证书
serial = $dir/serial # 当前序列号
crlnumber = $dir/crlnumber # 吊销的序列号
# must be commented out to leave a V1 CRL #必须注销掉才能留下V1 CRL
crl = $dir/crl.pem # 吊销列表的文件
private_key = $dir/private/cakey.pem #私钥的位置
RANDFILE = $dir/private/.rand # 随机数文件
x509_extensions = usr_cert # 要添加到证书的扩展
Centos8上面默认没有CA目录
可以自己创建,也可以从centos7上面复制
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
Centos7默认存在CA目录
[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@y_zilong ~]#
Centos8默认不存在CA目录
[root@y_zilong ~]# tree /etc/pki/
ca-trust/ fwupd-metadata/ nssdb/ rsyslog/
fwupd/ java/ rpm-gpg/ tls/
[root@y_zilong ~]#
从centos7把目录复制到centos8上面:
[root@y_zilong ~]# scp -r root@10.0.0.121:/etc/pki/CA/ /etc/pki/
root@10.0.0.121's password:
[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@y_zilong ~]#
[root@y_zilong ~]# ll /etc/pki/CA/
total 4
drwxr-xr-x. 2 root root 6 Apr 26 08:04 certs
drwxr-xr-x. 2 root root 6 Apr 26 08:04 crl
drwxr-xr-x. 2 root root 6 Apr 26 08:04 newcerts
drwx------. 2 root root 6 Apr 26 08:04 private
[root@y_zilong ~]#
1、创建CA所需要的文件
#生成证书索引数据库文件
touch /etc/pki/CA/index.txt
#指定第一个颁发证书的序列号
echo 01 > /etc/pki/CA/serial
[root@y_zilong ~]# touch /etc/pki/CA/index.txt
#生成证书索引数据库文件
[root@y_zilong ~]# echo 01 > /etc/pki/CA/serial
#指定第一个颁发证书的序列号
[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files
[root@y_zilong ~]#
index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示
No such file or directory,No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
2、生成CA私钥
(umask 066;openssl genrsa -out private/cakey.pem 2048)
[root@y_zilong ~]# cd /etc/pki/CA/
[root@y_zilong CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
....+++++
e is 65537 (0x010001)
[root@y_zilong CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@y_zilong CA]# ll private/cakey.pem
-rw-------. 1 root root 1675 Apr 26 08:38 private/cakey.pem
[root@y_zilong CA]#
#Centos7上面创建私钥要加上权限要求
[root@y_zilong CA]# ll private/cakey.pem
-rw-r--r--. 1 root root 1675 Apr 26 05:40 private/cakey.pem
[root@y_zilong CA]# rm -rf private/cakey.pem
[root@y_zilong CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
....................................................................+++
e is 65537 (0x10001)
[root@y_zilong CA]# ll private/cakey.pem
-rw-------. 1 root root 1679 Apr 26 05:42 private/cakey.pem
[root@y_zilong CA]#
3、生成CA自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /etc/pki/CA/cacert.pem :证书的保存路径
[root@y_zilong CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家
State or Province Name (full name) []:shandong #州,省份
Locality Name (eg, city) [Default City]:linyi #市区
Organization Name (eg, company) [Default Company Ltd]:yzil #组织
Organizational Unit Name (eg, section) []:IT #行业
Common Name (eg, your name or your server's hostname) []:ca.yzil.com #给哪个服务器颁发的,给CA自己颁发的证书
Email Address []:123456@qq.com #邮箱,可写可不写
[root@y_zilong CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@y_zilong CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIUGaZTibknfkO1rFrwzAORkv7Bkh0wDQYJKoZIhvcNAQEL
BQAwgYYxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhzaGFuZG9uZzEOMAwGA1UEBwwF
bGlueWkxDTALBgNVBAoMBHl6aWwxCzAJBgNVBAsMAklUMR0wGwYDVQQDDBR3d3cu
eXppbC5leGFtcGxlLmNvbTEZMBcGCSqGSIb3DQEJARYKMTIzNDU2cXEICDAeFw0y
MTA0MjYxMjQ5MTVaFw0zMTA0MjQxMjQ5MTVaMIGGMQswCQYDVQQGEwJDTjERMA8G
A1UECAwIc2hhbmRvbmcxDjAMBgNVBAcMBWxpbnlpMQ0wCwYDVQQKDAR5emlsMQsw
CQYDVQQLDAJJVDEdMBsGA1UEAwwUd3d3Lnl6aWwuZXhhbXBsZS5jb20xGTAXBgkq
hkiG9w0BCQEWCjEyMzQ1NnFxCAgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDUDL8QepN+q/2HilUU1zvQb1qMlHlhf+/mEFxhSPbD/YL8BDih7KZSv1FB
6rkO37mlTw5t2wPIrU90AzhROaqFfIg2TQqQm0FQnsFHOL/MITdFnEg94+QCBWnk
ogZbXKzFTXw1XzXpgtGG0G08ttk1IHTsjpwlFhxzrIY4Jr4lKQarbibLMOgg6XQz
6PjFVZgEtXj+EgYuna6pK+cXLXMu8HqZW5qx+2w1wUg1ttsmq36Z+e6yPxMn0lLg
oKlBKMjTqIGegKz+qmGVnV3YnbaHPMbtzfnJfw3bn/GcrMripi+QL6+sIJsQSzQQ
in/9NQxxUJDTUueyt1q3do8t8wgJAgMBAAGjUzBRMB0GA1UdDgQWBBTA7mzekP6F
yrA8V/ECujjm4S9/UzAfBgNVHSMEGDAWgBTA7mzekP6FyrA8V/ECujjm4S9/UzAP
BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCJsq4pHW92X7wWtCXK
yuSlA2t5IyfARw0QhOS1e2Dro+/G7ZYOy6TLae8FF8j5AmwH5zhsIW4dMc3GGtJV
mH/DXB9xTsJywRv5ehEpDDkYb8853NzVlVWxmaEJroRBuWGNewqvHtG/CwTxFUcK
jClKz0v8t3PpIWSJFeWWW6uYVadPM2vM7WTV2Oy8+U83mTlbdIwi9s8O2lPyw2tz
k+RQJ9tqpVZywFkV+za/Zb+2CEg9Lrp7yjig+OO/m15UFoGTzrlKZeICQvPeukpA
BljPTzQbSt7/7+AVYAMAXVAjmHN3bfjD5XdoAzVI70Ks3GJvJyA06MsQf8dDqfEc
Mn9I
-----END CERTIFICATE-----
[root@y_zilong CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
19:a6:53:89:b9:27:7e:43:b5:ac:5a:f0:cc:03:91:92:fe:c1:92:1d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = ca.yzil.com, emailAddress = 123456@qq.com
Validity
Not Before: Apr 26 12:49:15 2021 GMT
Not After : Apr 24 12:49:15 2031 GMT
Subject: C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = www.yzil.example.com, emailAddress = 123456@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d4:0c:bf:10:7a:93:7e:ab:fd:87:8a:55:14:d7:
3b:d0:6f:5a:8c:94:79:61:7f:ef:e6:10:5c:61:48:
f6:c3:fd:82:fc:04:38:a1:ec:a6:52:bf:51:41:ea:
b9:0e:df:b9:a5:4f:0e:6d:db:03:c8:ad:4f:74:03:
38:51:39:aa:85:7c:88:36:4d:0a:90:9b:41:50:9e:
c1:47:38:bf:cc:21:37:45:9c:48:3d:e3:e4:02:05:
69:e4:a2:06:5b:5c:ac:c5:4d:7c:35:5f:35:e9:82:
d1:86:d0:6d:3c:b6:d9:35:20:74:ec:8e:9c:25:16:
1c:73:ac:86:38:26:be:25:29:06:ab:6e:26:cb:30:
e8:20:e9:74:33:e8:f8:c5:55:98:04:b5:78:fe:12:
06:2e:9d:ae:a9:2b:e7:17:2d:73:2e:f0:7a:99:5b:
9a:b1:fb:6c:35:c1:48:35:b6:db:26:ab:7e:99:f9:
ee:b2:3f:13:27:d2:52:e0:a0:a9:41:28:c8:d3:a8:
81:9e:80:ac:fe:aa:61:95:9d:5d:d8:9d:b6:87:3c:
c6:ed:cd:f9:c9:7f:0d:db:9f:f1:9c:ac:ca:e2:a6:
2f:90:2f:af:ac:20:9b:10:4b:34:10:8a:7f:fd:35:
0c:71:50:90:d3:52:e7:b2:b7:5a:b7:76:8f:2d:f3:
08:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:EE:6C:DE:90:FE:85:CA:B0:3C:57:F1:02:BA:38:E6:E1:2F:7F:53
X509v3 Authority Key Identifier:
keyid:C0:EE:6C:DE:90:FE:85:CA:B0:3C:57:F1:02:BA:38:E6:E1:2F:7F:53
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
89:b2:ae:29:1d:6f:76:5f:bc:16:b4:25:ca:ca:e4:a5:03:6b:
79:23:27:c0:47:0d:10:84:e4:b5:7b:60:eb:a3:ef:c6:ed:96:
0e:cb:a4:cb:69:ef:05:17:c8:f9:02:6c:07:e7:38:6c:21:6e:
1d:31:cd:c6:1a:d2:55:98:7f:c3:5c:1f:71:4e:c2:72:c1:1b:
f9:7a:11:29:0c:39:18:6f:cf:39:dc:dc:d5:95:55:b1:99:a1:
09:ae:84:41:b9:61:8d:7b:0a:af:1e:d1:bf:0b:04:f1:15:47:
0a:8c:29:4a:cf:4b:fc:b7:73:e9:21:64:89:15:e5:96:5b:ab:
98:55:a7:4f:33:6b:cc:ed:64:d5:d8:ec:bc:f9:4f:37:99:39:
5b:74:8c:22:f6:cf:0e:da:53:f2:c3:6b:73:93:e4:50:27:db:
6a:a5:56:72:c0:59:15:fb:36:bf:65:bf:b6:08:48:3d:2e:ba:
7b:ca:38:a0:f8:e3:bf:9b:5e:54:16:81:93:ce:b9:4a:65:e2:
02:42:f3:de:ba:4a:40:06:58:cf:4f:34:1b:4a:de:ff:ef:e0:
15:60:03:00:5d:50:23:98:73:77:6d:f8:c3:e5:77:68:03:35:
48:ef:42:ac:dc:62:6f:27:20:34:e8:cb:10:7f:c7:43:a9:f1:
1c:32:7f:48
[root@y_zilong CA]# openssl x509 -in cacert.pem -noout -subject
subject=C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = ca.yzil.com, emailAddress = 123456@qq.com
[root@y_zilong CA]#
[root@y_zilong ~]# sz /etc/pki/CA/carert.pem
#将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt,双击可以看到下面显示
4、用户生成私钥和证书申请
默认有三项内容必须和CA一致:国家,省份,组织
[root@y_zilong ~]# mkdir -p /data/app1
#为需要使用证书的主机生成私钥
[root@y_zilong ~]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
....+++++
e is 65537 (0x010001)
[root@y_zilong ~]# cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1EfCnlQpIllih6CA6vxTHi6B1l3lIdsgZt6wU010U0S1JctN
k04ZEtdcBPhp+i/XyPc6CWN2OH02+qHU10VdVamnhT7+uVACm+T/ewC/4OMn9dkK
YBYcc9BMETfrD45DcYCKovXATS8sIkYUXX+y/cMnid4GOMAeHmCxEDTemZT0fGxs
T1hgyjZRQSmjThECrWNlQPQHjA+XgSbldnZv/hFU6Sd3OM7LGZds184XrqHCmtNv
TDI4mXTMatW3MZPdu3a1yYOnYsEcFJ3Jq8utliB6KJfAJuzYofH5ELAOW2a84jXC
StbYDU+mgppE1rLgbJgqcJgpoopAJjo/k2lhYwIDAQABAoIBAQCZZZmvS+XFmo3m
sAc4x0lQ4A6W15cCFhSeAYGtUKUkntvACd9u+NqJkPI/7Tq3vebSpEReEG+XdnRK
PLNPNCK0CjqxwMnVI4ofGSW8vtfpLHzt3P7wXEoHLpgpQR0tSoJV/KsyAyAJJnNf
+QAyaFrxoRprN/OLAtlA3mJU8b+Bfp5uId7LLzOaZGe5WG3iqxhO4z75Ql0mR7dq
KHuF5b4T7MpY5wac+AOfvexldfqvTBTpBDEQihB9d7GqBB33/IZJmyNDYrCqSIV5
KOrKvWiudTnEtc5KH/m5Z6nzqNBwLiffJ2gsGQXSFVTVuO9y6zYfJXOUUrPLgldc
RWmtfUTRAoGBAPhgfzxMKCCgYNbe+AHMcVqDqS59Qt2OFivDdTX3st1Lk+447hvN
CmXKOIJGKTsrc3S1nyTBwSHEtvBMisHH9iKT4uGYm/UoYTEJB/tzY4kbcrwMaKS0
N78eSkGBOEOZG3mod/aCLsM8nYA4ku6aa0LIAqt328kvxzq4SFGtH7KHAoGBANrL
prb2u+J8aQpZBmwi0HmstVP2gjKa7XcatDeTFRGJbIi5UdjlhTCbPybrteu3i+g4
YVSaJPjocFN8sq6ZI8oQCJuD+qXoopTspuuIEu5kIz/CWD0amt9SETH65TZbrlj7
Rx0Tj7aRQoz6zhAwp3D1P8fD3gKNITcPiXBM2WVFAoGAagh4CPvSHauZ6+EgK1Rm
B+gxL4GWLBNeb6xvu2xVVZfQPWDcdc3g5HeiDCt7qqDwFyD6Iaz9kDb0ij2C9xsw
fq53qyuFWPG2HELov3YRRhULtC/v9HBjZBnARZqutF0Gl7dOD1SgNgUIkBaW03nk
1IuiaCUxFQBqoyzM4uFvqL0CgYBJhUFCHerIklGhnoSf9ZrkJ/rOefkKFDFTYm/I
dO4RdII59zvfjFCTIre31mDNEmI66CccjKd71G9aPn60WNVD4tthlpm1AlUPge4d
Gx5xaMjHdgC8l6IPBL6ucsZu26PcVqNwy8/w4yLfyK9RlWfOdzq1X8XMSawtmlTu
nYQ3mQKBgQCqwRF+UAVFc8USi+mC5o1p02E6M0yrWuxxZgHln9brKqHnQ5IgaWXI
oo9TquwpEEFitsFuPxsPxWg1m5vekdGdYgYmPpc/cU6wyg4k3S43Qml9SnQWxGIw
kVS/VQ8RCmfsJ4PezkWfw3E+RABcKm0xMgjy+FoYNJaLFM3Jz56G4A==
-----END RSA PRIVATE KEY-----
#为需要使用证书的主机生成证书申请文件
[root@y_zilong ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:linyi
Organization Name (eg, company) [Default Company Ltd]:yzil
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:app1.yzil.com
Email Address []:12345678@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:redhat
[root@y_zilong ~]# ll /data/app1/
total 8
-rw-r--r--. 1 root root 1106 Apr 26 09:21 app1.csr
-rw-------. 1 root root 1679 Apr 26 09:19 app1.key
在CA签署证书并将证书颁发给请求者
[root@y_zilong ~]# cd /etc/pki/CA/
[root@y_zilong CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
[root@y_zilong CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 27 01:41:35 2021 GMT
Not After : Apr 27 01:41:35 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = shandong
organizationName = yzil
organizationalUnitName = IT
commonName = app1.yzil.com
emailAddress = 12345678@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
39:AF:07:E4:06:BC:F7:17:3C:CF:2D:EA:DE:DE:29:C4:9A:64:70:A6
X509v3 Authority Key Identifier:
keyid:F6:A0:B3:3D:8D:0C:11:97:1C:BC:CB:E9:A0:12:F3:55:2B:CD:CD:89
Certificate is to be certified until Apr 27 01:41:35 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@y_zilong CA]# tree
.
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
[root@y_zilong CA]#
如果不同,会出现以下提示
[root@y_zilong ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field is different between
CA certificate (yzil) and the request (app1)
[root@y_zilong ~]#
5、查看证书
[root@y_zilong ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = shandong, O = yzil, OU = IT, CN = app1.yzil.com, emailAddress = 12345678@qq.com
[root@y_zilong ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Apr 27 01:41:35 2021 GMT
notAfter=Apr 27 01:41:35 2022 GMT
#验证指定编号对应证书的有效性
[root@y_zilong ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[root@y_zilong ~]# cat /etc/pki/CA/index.txt
V 220427014135Z 01 unknown /C=CN/ST=shandong/O=yzil/OU=IT/CN=app1.yzil.com/emailAddress=12345678@qq.com
[root@y_zilong ~]# cat /etc/pki/CA/index.txt.old
[root@y_zilong ~]# cat /etc/pki/CA/serial
02
[root@y_zilong ~]# cat /etc/pki/CA/serial.old
01
[root@y_zilong ~]#
6、将证书相关文件发送到用户端使用
[root@y_zilong ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@y_zilong ~]# tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
[root@y_zilong ~]#
7、默认生成的证书,在windows是不被信任的,可以通过下面的操作实现信任
8、证书的吊销
#在客户端获取要吊销的证书serial
[root@y_zilong ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial -subject
serial=01
subject=C = CN, ST = shandong, O = yzil, OU = IT, CN = app1.yzil.com, emailAddress = 12345678@qq.com
[root@y_zilong ~]#
#在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书
[root@y_zilong ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@y_zilong ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[root@y_zilong ~]# cat /etc/pki/CA/index.txt
R 220427014135Z 210427021720Z 01 unknown /C=CN/ST=shandong/O=yzil/OU=IT/CN=app1.yzil.com/emailAddress=12345678@qq.com
[root@y_zilong ~]#
9、生成证书吊销列表文件
[root@y_zilong ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140365347862336:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/crlnumber','r')
140365347862336:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
#提示没有/etc/pki/CA/crlnumber这个文件
#指定第一个吊销证书的编号:第一次更新证书吊销列表前,才需要执行
[root@y_zilong ~]# echo 01 > /etc/pki/CA/crlnumber
#更新证书吊销列表
[root@y_zilong ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@y_zilong ~]# cat /etc/pki/CA/crlnumber
02
[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 13 files
[root@y_zilong ~]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCQ04xETAPBgNV
BAgMCHNoYW5kb25nMQ4wDAYDVQQHDAVsaW55aTENMAsGA1UECgwEeXppbDELMAkG
A1UECwwCSVQxFDASBgNVBAMMC2NhLnl6aWwuY29tMR0wGwYJKoZIhvcNAQkBFg4x
MjM0NDU2QHFxLmNvbRcNMjEwNDI3MDIyNjQ4WhcNMjEwNTI3MDIyNjQ4WjAUMBIC
AQEXDTIxMDQyNzAyMTcyMFqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUA
A4IBAQAnzHQRvCs3FgCvyGddhEqfwUZ5WFj/4E7bH9nBHbJhGlmlHSV/hBUbIM8k
mLtJXdZGu8cUoYXnp5dUhvyio7C9a5bGu2XOZpBZrFyX0GnrT1lL48A+5OXx4cqT
tKK3EfRY+7iBehZvGIaGrgqvwcaTvleo1dEYqOk894ims7jpYRDmyWAzn5ixBQ6x
VHgGKNCuqlBJncSjzTQhHnZp1FBHwQ4gljXDVKJ62yan4gyOdrrxihscdQy+vK/D
99WNAT/CCYBR+H1JA6a5ATTaeFzU6vuNQJY+VYOAGpdUgyghAahGlCZzmrEPR+do
mbqdlEGNzQbddg7FCvv5VN5FZ194
-----END X509 CRL-----
[root@y_zilong ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = ca.yzil.com, emailAddress = 1234456@qq.com
Last Update: Apr 27 02:26:48 2021 GMT
Next Update: May 27 02:26:48 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Apr 27 02:17:20 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
27:cc:74:11:bc:2b:37:16:00:af:c8:67:5d:84:4a:9f:c1:46:
79:58:58:ff:e0:4e:db:1f:d9:c1:1d:b2:61:1a:59:a5:1d:25:
7f:84:15:1b:20:cf:24:98:bb:49:5d:d6:46:bb:c7:14:a1:85:
e7:a7:97:54:86:fc:a2:a3:b0:bd:6b:96:c6:bb:65:ce:66:90:
59:ac:5c:97:d0:69:eb:4f:59:4b:e3:c0:3e:e4:e5:f1:e1:ca:
93:b4:a2:b7:11:f4:58:fb:b8:81:7a:16:6f:18:86:86:ae:0a:
af:c1:c6:93:be:57:a8:d5:d1:18:a8:e9:3c:f7:88:a6:b3:b8:
e9:61:10:e6:c9:60:33:9f:98:b1:05:0e:b1:54:78:06:28:d0:
ae:aa:50:49:9d:c4:a3:cd:34:21:1e:76:69:d4:50:47:c1:0e:
20:96:35:c3:54:a2:7a:db:26:a7:e2:0c:8e:76:ba:f1:8a:1b:
1c:75:0c:be:bc:af:c3:f7:d5:8d:01:3f:c2:09:80:51:f8:7d:
49:03:a6:b9:01:34:da:78:5c:d4:ea:fb:8d:40:96:3e:55:83:
80:1a:97:54:83:28:21:01:a8:46:94:26:73:9a:b1:0f:47:e7:
68:99:ba:9d:94:41:8d:cd:06:dd:76:0e:c5:0a:fb:f9:54:de:
45:67:5f:78
[root@y_zilong ~]#
查看crl文件:
[root@y_zilong ~]# sz /etc/pki/CA/crl.pem
#将文件crl.pem传到windows上,修改文件名为crl.pem.crl,双击可以看到下面显示