在CentOS8上实现私有CA和证书申请

已于 2022-01-19 17:21:46 修改
阅读量3.4k 收藏 8
点赞数 6
分类专栏: linux加密和安全 文章标签: 服务器 运维
于 2021-04-26 22:08:22 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/y_zilong/article/details/116170918
版权

私有CA创建的参看配置文件

/etc/pki/tls/openssl.cnf 

[root@y_zilong ~]# cat /etc/pki/tls/openssl.cnf 

[ CA_default ]

dir		= /etc/pki/CA		# 所有证书存放的目录
certs		= $dir/certs		# 证书的位置
crl_dir		= $dir/crl		# 吊销证书的位置
database	= $dir/index.txt	# 数据库索引文件
#unique_subject	= no			# 设置为"no"以允许创建
# several certs with same subject.  #同一主题的多个证书
new_certs_dir	= $dir/newcerts		# 新证书的默认位置

certificate	= $dir/cacert.pem 	# CA证书
serial		= $dir/serial 		# 当前序列号
crlnumber	= $dir/crlnumber	# 吊销的序列号
# must be commented out to leave a V1 CRL    #必须注销掉才能留下V1 CRL
crl		= $dir/crl.pem 		# 吊销列表的文件
private_key	= $dir/private/cakey.pem  #私钥的位置
RANDFILE	= $dir/private/.rand	# 随机数文件

x509_extensions	= usr_cert		# 要添加到证书的扩展

 Centos8上面默认没有CA目录

可以自己创建,也可以从centos7上面复制

 mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}

Centos7默认存在CA目录

[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@y_zilong ~]#

Centos8默认不存在CA目录

[root@y_zilong ~]# tree /etc/pki/
ca-trust/       fwupd-metadata/ nssdb/          rsyslog/        
fwupd/          java/           rpm-gpg/        tls/            
[root@y_zilong ~]#

从centos7把目录复制到centos8上面:

[root@y_zilong ~]# scp -r root@10.0.0.121:/etc/pki/CA/ /etc/pki/
root@10.0.0.121's password:  
[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@y_zilong ~]# 
[root@y_zilong ~]# ll /etc/pki/CA/
total 4
drwxr-xr-x. 2 root root 6 Apr 26 08:04 certs
drwxr-xr-x. 2 root root 6 Apr 26 08:04 crl
drwxr-xr-x. 2 root root 6 Apr 26 08:04 newcerts
drwx------. 2 root root 6 Apr 26 08:04 private
[root@y_zilong ~]#

1、创建CA所需要的文件

#生成证书索引数据库文件

 touch /etc/pki/CA/index.txt

#指定第一个颁发证书的序列号

echo 01 > /etc/pki/CA/serial

[root@y_zilong ~]# touch /etc/pki/CA/index.txt
#生成证书索引数据库文件

[root@y_zilong ~]# echo 01 > /etc/pki/CA/serial
#指定第一个颁发证书的序列号

[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files
[root@y_zilong ~]#

 index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示

No such file or directory,No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')

2、生成CA私钥

(umask 066;openssl genrsa -out private/cakey.pem 2048)

[root@y_zilong ~]# cd /etc/pki/CA/
[root@y_zilong CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
....+++++
e is 65537 (0x010001)
[root@y_zilong CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@y_zilong CA]# ll private/cakey.pem 
-rw-------. 1 root root 1675 Apr 26 08:38 private/cakey.pem
[root@y_zilong CA]# 

#Centos7上面创建私钥要加上权限要求
[root@y_zilong CA]# ll private/cakey.pem 
-rw-r--r--. 1 root root 1675 Apr 26 05:40 private/cakey.pem
[root@y_zilong CA]# rm -rf private/cakey.pem 
[root@y_zilong CA]# (umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
....................................................................+++
e is 65537 (0x10001)
[root@y_zilong CA]# ll private/cakey.pem 
-rw-------. 1 root root 1679 Apr 26 05:42 private/cakey.pem
[root@y_zilong CA]#

3、生成CA自签名证书

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

选项说明:

-new:生成新证书签署请求

-x509:专用于CA生成自签证书

-key:生成请求时用到的私钥文件

-days n:证书的有效期限

-out /etc/pki/CA/cacert.pem :证书的保存路径

[root@y_zilong CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   #国家
State or Province Name (full name) []:shandong   #州,省份
Locality Name (eg, city) [Default City]:linyi    #市区
Organization Name (eg, company) [Default Company Ltd]:yzil    #组织
Organizational Unit Name (eg, section) []:IT    #行业
Common Name (eg, your name or your server's hostname) []:ca.yzil.com  #给哪个服务器颁发的,给CA自己颁发的证书
Email Address []:123456@qq.com  #邮箱,可写可不写

[root@y_zilong CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

[root@y_zilong CA]# cat cacert.pem 
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIUGaZTibknfkO1rFrwzAORkv7Bkh0wDQYJKoZIhvcNAQEL
BQAwgYYxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhzaGFuZG9uZzEOMAwGA1UEBwwF
bGlueWkxDTALBgNVBAoMBHl6aWwxCzAJBgNVBAsMAklUMR0wGwYDVQQDDBR3d3cu
eXppbC5leGFtcGxlLmNvbTEZMBcGCSqGSIb3DQEJARYKMTIzNDU2cXEICDAeFw0y
MTA0MjYxMjQ5MTVaFw0zMTA0MjQxMjQ5MTVaMIGGMQswCQYDVQQGEwJDTjERMA8G
A1UECAwIc2hhbmRvbmcxDjAMBgNVBAcMBWxpbnlpMQ0wCwYDVQQKDAR5emlsMQsw
CQYDVQQLDAJJVDEdMBsGA1UEAwwUd3d3Lnl6aWwuZXhhbXBsZS5jb20xGTAXBgkq
hkiG9w0BCQEWCjEyMzQ1NnFxCAgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDUDL8QepN+q/2HilUU1zvQb1qMlHlhf+/mEFxhSPbD/YL8BDih7KZSv1FB
6rkO37mlTw5t2wPIrU90AzhROaqFfIg2TQqQm0FQnsFHOL/MITdFnEg94+QCBWnk
ogZbXKzFTXw1XzXpgtGG0G08ttk1IHTsjpwlFhxzrIY4Jr4lKQarbibLMOgg6XQz
6PjFVZgEtXj+EgYuna6pK+cXLXMu8HqZW5qx+2w1wUg1ttsmq36Z+e6yPxMn0lLg
oKlBKMjTqIGegKz+qmGVnV3YnbaHPMbtzfnJfw3bn/GcrMripi+QL6+sIJsQSzQQ
in/9NQxxUJDTUueyt1q3do8t8wgJAgMBAAGjUzBRMB0GA1UdDgQWBBTA7mzekP6F
yrA8V/ECujjm4S9/UzAfBgNVHSMEGDAWgBTA7mzekP6FyrA8V/ECujjm4S9/UzAP
BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCJsq4pHW92X7wWtCXK
yuSlA2t5IyfARw0QhOS1e2Dro+/G7ZYOy6TLae8FF8j5AmwH5zhsIW4dMc3GGtJV
mH/DXB9xTsJywRv5ehEpDDkYb8853NzVlVWxmaEJroRBuWGNewqvHtG/CwTxFUcK
jClKz0v8t3PpIWSJFeWWW6uYVadPM2vM7WTV2Oy8+U83mTlbdIwi9s8O2lPyw2tz
k+RQJ9tqpVZywFkV+za/Zb+2CEg9Lrp7yjig+OO/m15UFoGTzrlKZeICQvPeukpA
BljPTzQbSt7/7+AVYAMAXVAjmHN3bfjD5XdoAzVI70Ks3GJvJyA06MsQf8dDqfEc
Mn9I
-----END CERTIFICATE-----

[root@y_zilong CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            19:a6:53:89:b9:27:7e:43:b5:ac:5a:f0:cc:03:91:92:fe:c1:92:1d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = ca.yzil.com, emailAddress = 123456@qq.com
        Validity
            Not Before: Apr 26 12:49:15 2021 GMT
            Not After : Apr 24 12:49:15 2031 GMT
        Subject: C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = www.yzil.example.com, emailAddress = 123456@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d4:0c:bf:10:7a:93:7e:ab:fd:87:8a:55:14:d7:
                    3b:d0:6f:5a:8c:94:79:61:7f:ef:e6:10:5c:61:48:
                    f6:c3:fd:82:fc:04:38:a1:ec:a6:52:bf:51:41:ea:
                    b9:0e:df:b9:a5:4f:0e:6d:db:03:c8:ad:4f:74:03:
                    38:51:39:aa:85:7c:88:36:4d:0a:90:9b:41:50:9e:
                    c1:47:38:bf:cc:21:37:45:9c:48:3d:e3:e4:02:05:
                    69:e4:a2:06:5b:5c:ac:c5:4d:7c:35:5f:35:e9:82:
                    d1:86:d0:6d:3c:b6:d9:35:20:74:ec:8e:9c:25:16:
                    1c:73:ac:86:38:26:be:25:29:06:ab:6e:26:cb:30:
                    e8:20:e9:74:33:e8:f8:c5:55:98:04:b5:78:fe:12:
                    06:2e:9d:ae:a9:2b:e7:17:2d:73:2e:f0:7a:99:5b:
                    9a:b1:fb:6c:35:c1:48:35:b6:db:26:ab:7e:99:f9:
                    ee:b2:3f:13:27:d2:52:e0:a0:a9:41:28:c8:d3:a8:
                    81:9e:80:ac:fe:aa:61:95:9d:5d:d8:9d:b6:87:3c:
                    c6:ed:cd:f9:c9:7f:0d:db:9f:f1:9c:ac:ca:e2:a6:
                    2f:90:2f:af:ac:20:9b:10:4b:34:10:8a:7f:fd:35:
                    0c:71:50:90:d3:52:e7:b2:b7:5a:b7:76:8f:2d:f3:
                    08:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C0:EE:6C:DE:90:FE:85:CA:B0:3C:57:F1:02:BA:38:E6:E1:2F:7F:53
            X509v3 Authority Key Identifier: 
                keyid:C0:EE:6C:DE:90:FE:85:CA:B0:3C:57:F1:02:BA:38:E6:E1:2F:7F:53

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         89:b2:ae:29:1d:6f:76:5f:bc:16:b4:25:ca:ca:e4:a5:03:6b:
         79:23:27:c0:47:0d:10:84:e4:b5:7b:60:eb:a3:ef:c6:ed:96:
         0e:cb:a4:cb:69:ef:05:17:c8:f9:02:6c:07:e7:38:6c:21:6e:
         1d:31:cd:c6:1a:d2:55:98:7f:c3:5c:1f:71:4e:c2:72:c1:1b:
         f9:7a:11:29:0c:39:18:6f:cf:39:dc:dc:d5:95:55:b1:99:a1:
         09:ae:84:41:b9:61:8d:7b:0a:af:1e:d1:bf:0b:04:f1:15:47:
         0a:8c:29:4a:cf:4b:fc:b7:73:e9:21:64:89:15:e5:96:5b:ab:
         98:55:a7:4f:33:6b:cc:ed:64:d5:d8:ec:bc:f9:4f:37:99:39:
         5b:74:8c:22:f6:cf:0e:da:53:f2:c3:6b:73:93:e4:50:27:db:
         6a:a5:56:72:c0:59:15:fb:36:bf:65:bf:b6:08:48:3d:2e:ba:
         7b:ca:38:a0:f8:e3:bf:9b:5e:54:16:81:93:ce:b9:4a:65:e2:
         02:42:f3:de:ba:4a:40:06:58:cf:4f:34:1b:4a:de:ff:ef:e0:
         15:60:03:00:5d:50:23:98:73:77:6d:f8:c3:e5:77:68:03:35:
         48:ef:42:ac:dc:62:6f:27:20:34:e8:cb:10:7f:c7:43:a9:f1:
         1c:32:7f:48

[root@y_zilong CA]# openssl x509 -in cacert.pem -noout -subject
subject=C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = ca.yzil.com, emailAddress = 123456@qq.com
[root@y_zilong CA]# 

[root@y_zilong ~]# sz /etc/pki/CA/carert.pem
#将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt,双击可以看到下面显示

4、用户生成私钥和证书申请

默认有三项内容必须和CA一致:国家,省份,组织

[root@y_zilong ~]# mkdir -p /data/app1
#为需要使用证书的主机生成私钥
[root@y_zilong ~]# (umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
............................+++++
....+++++
e is 65537 (0x010001)
[root@y_zilong ~]# cat /data/app1/app1.key 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1EfCnlQpIllih6CA6vxTHi6B1l3lIdsgZt6wU010U0S1JctN
k04ZEtdcBPhp+i/XyPc6CWN2OH02+qHU10VdVamnhT7+uVACm+T/ewC/4OMn9dkK
YBYcc9BMETfrD45DcYCKovXATS8sIkYUXX+y/cMnid4GOMAeHmCxEDTemZT0fGxs
T1hgyjZRQSmjThECrWNlQPQHjA+XgSbldnZv/hFU6Sd3OM7LGZds184XrqHCmtNv
TDI4mXTMatW3MZPdu3a1yYOnYsEcFJ3Jq8utliB6KJfAJuzYofH5ELAOW2a84jXC
StbYDU+mgppE1rLgbJgqcJgpoopAJjo/k2lhYwIDAQABAoIBAQCZZZmvS+XFmo3m
sAc4x0lQ4A6W15cCFhSeAYGtUKUkntvACd9u+NqJkPI/7Tq3vebSpEReEG+XdnRK
PLNPNCK0CjqxwMnVI4ofGSW8vtfpLHzt3P7wXEoHLpgpQR0tSoJV/KsyAyAJJnNf
+QAyaFrxoRprN/OLAtlA3mJU8b+Bfp5uId7LLzOaZGe5WG3iqxhO4z75Ql0mR7dq
KHuF5b4T7MpY5wac+AOfvexldfqvTBTpBDEQihB9d7GqBB33/IZJmyNDYrCqSIV5
KOrKvWiudTnEtc5KH/m5Z6nzqNBwLiffJ2gsGQXSFVTVuO9y6zYfJXOUUrPLgldc
RWmtfUTRAoGBAPhgfzxMKCCgYNbe+AHMcVqDqS59Qt2OFivDdTX3st1Lk+447hvN
CmXKOIJGKTsrc3S1nyTBwSHEtvBMisHH9iKT4uGYm/UoYTEJB/tzY4kbcrwMaKS0
N78eSkGBOEOZG3mod/aCLsM8nYA4ku6aa0LIAqt328kvxzq4SFGtH7KHAoGBANrL
prb2u+J8aQpZBmwi0HmstVP2gjKa7XcatDeTFRGJbIi5UdjlhTCbPybrteu3i+g4
YVSaJPjocFN8sq6ZI8oQCJuD+qXoopTspuuIEu5kIz/CWD0amt9SETH65TZbrlj7
Rx0Tj7aRQoz6zhAwp3D1P8fD3gKNITcPiXBM2WVFAoGAagh4CPvSHauZ6+EgK1Rm
B+gxL4GWLBNeb6xvu2xVVZfQPWDcdc3g5HeiDCt7qqDwFyD6Iaz9kDb0ij2C9xsw
fq53qyuFWPG2HELov3YRRhULtC/v9HBjZBnARZqutF0Gl7dOD1SgNgUIkBaW03nk
1IuiaCUxFQBqoyzM4uFvqL0CgYBJhUFCHerIklGhnoSf9ZrkJ/rOefkKFDFTYm/I
dO4RdII59zvfjFCTIre31mDNEmI66CccjKd71G9aPn60WNVD4tthlpm1AlUPge4d
Gx5xaMjHdgC8l6IPBL6ucsZu26PcVqNwy8/w4yLfyK9RlWfOdzq1X8XMSawtmlTu
nYQ3mQKBgQCqwRF+UAVFc8USi+mC5o1p02E6M0yrWuxxZgHln9brKqHnQ5IgaWXI
oo9TquwpEEFitsFuPxsPxWg1m5vekdGdYgYmPpc/cU6wyg4k3S43Qml9SnQWxGIw
kVS/VQ8RCmfsJ4PezkWfw3E+RABcKm0xMgjy+FoYNJaLFM3Jz56G4A==
-----END RSA PRIVATE KEY-----
#为需要使用证书的主机生成证书申请文件
[root@y_zilong ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:linyi
Organization Name (eg, company) [Default Company Ltd]:yzil
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:app1.yzil.com
Email Address []:12345678@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:redhat
An optional company name []:redhat
[root@y_zilong ~]# ll /data/app1/
total 8
-rw-r--r--. 1 root root 1106 Apr 26 09:21 app1.csr
-rw-------. 1 root root 1679 Apr 26 09:19 app1.key
在CA签署证书并将证书颁发给请求者
[root@y_zilong ~]# cd /etc/pki/CA/
[root@y_zilong CA]#  openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365

[root@y_zilong CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 27 01:41:35 2021 GMT
            Not After : Apr 27 01:41:35 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shandong
            organizationName          = yzil
            organizationalUnitName    = IT
            commonName                = app1.yzil.com
            emailAddress              = 12345678@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                39:AF:07:E4:06:BC:F7:17:3C:CF:2D:EA:DE:DE:29:C4:9A:64:70:A6
            X509v3 Authority Key Identifier: 
                keyid:F6:A0:B3:3D:8D:0C:11:97:1C:BC:CB:E9:A0:12:F3:55:2B:CD:CD:89

Certificate is to be certified until Apr 27 01:41:35 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@y_zilong CA]# tree
.
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@y_zilong CA]#

 如果不同,会出现以下提示

[root@y_zilong ~]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field is different between
CA certificate (yzil) and the request (app1)
[root@y_zilong ~]#

5、查看证书

[root@y_zilong ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = shandong, O = yzil, OU = IT, CN = app1.yzil.com, emailAddress = 12345678@qq.com

[root@y_zilong ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Apr 27 01:41:35 2021 GMT
notAfter=Apr 27 01:41:35 2022 GMT


#验证指定编号对应证书的有效性
[root@y_zilong ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
[root@y_zilong ~]# cat /etc/pki/CA/index.txt
V	220427014135Z		01	unknown	/C=CN/ST=shandong/O=yzil/OU=IT/CN=app1.yzil.com/emailAddress=12345678@qq.com
[root@y_zilong ~]# cat /etc/pki/CA/index.txt.old 
[root@y_zilong ~]# cat /etc/pki/CA/serial
02
[root@y_zilong ~]# cat /etc/pki/CA/serial.old 
01
[root@y_zilong ~]#

6、将证书相关文件发送到用户端使用

[root@y_zilong ~]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@y_zilong ~]# tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files
[root@y_zilong ~]#

7、默认生成的证书,在windows是不被信任的,可以通过下面的操作实现信任

8、证书的吊销

#在客户端获取要吊销的证书serial
[root@y_zilong ~]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial -subject
serial=01
subject=C = CN, ST = shandong, O = yzil, OU = IT, CN = app1.yzil.com, emailAddress = 12345678@qq.com
[root@y_zilong ~]# 
#在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书
[root@y_zilong ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@y_zilong ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[root@y_zilong ~]# cat /etc/pki/CA/index.txt
R	220427014135Z	210427021720Z	01	unknown	/C=CN/ST=shandong/O=yzil/OU=IT/CN=app1.yzil.com/emailAddress=12345678@qq.com
[root@y_zilong ~]#

9、生成证书吊销列表文件

[root@y_zilong ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140365347862336:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/crlnumber','r')
140365347862336:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
#提示没有/etc/pki/CA/crlnumber这个文件
#指定第一个吊销证书的编号:第一次更新证书吊销列表前,才需要执行
[root@y_zilong ~]# echo 01 > /etc/pki/CA/crlnumber
#更新证书吊销列表
[root@y_zilong ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@y_zilong ~]# cat /etc/pki/CA/crlnumber
02
[root@y_zilong ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 13 files
[root@y_zilong ~]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCQ04xETAPBgNV
BAgMCHNoYW5kb25nMQ4wDAYDVQQHDAVsaW55aTENMAsGA1UECgwEeXppbDELMAkG
A1UECwwCSVQxFDASBgNVBAMMC2NhLnl6aWwuY29tMR0wGwYJKoZIhvcNAQkBFg4x
MjM0NDU2QHFxLmNvbRcNMjEwNDI3MDIyNjQ4WhcNMjEwNTI3MDIyNjQ4WjAUMBIC
AQEXDTIxMDQyNzAyMTcyMFqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUA
A4IBAQAnzHQRvCs3FgCvyGddhEqfwUZ5WFj/4E7bH9nBHbJhGlmlHSV/hBUbIM8k
mLtJXdZGu8cUoYXnp5dUhvyio7C9a5bGu2XOZpBZrFyX0GnrT1lL48A+5OXx4cqT
tKK3EfRY+7iBehZvGIaGrgqvwcaTvleo1dEYqOk894ims7jpYRDmyWAzn5ixBQ6x
VHgGKNCuqlBJncSjzTQhHnZp1FBHwQ4gljXDVKJ62yan4gyOdrrxihscdQy+vK/D
99WNAT/CCYBR+H1JA6a5ATTaeFzU6vuNQJY+VYOAGpdUgyghAahGlCZzmrEPR+do
mbqdlEGNzQbddg7FCvv5VN5FZ194
-----END X509 CRL-----
[root@y_zilong ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = shandong, L = linyi, O = yzil, OU = IT, CN = ca.yzil.com, emailAddress = 1234456@qq.com
        Last Update: Apr 27 02:26:48 2021 GMT
        Next Update: May 27 02:26:48 2021 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Apr 27 02:17:20 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
         27:cc:74:11:bc:2b:37:16:00:af:c8:67:5d:84:4a:9f:c1:46:
         79:58:58:ff:e0:4e:db:1f:d9:c1:1d:b2:61:1a:59:a5:1d:25:
         7f:84:15:1b:20:cf:24:98:bb:49:5d:d6:46:bb:c7:14:a1:85:
         e7:a7:97:54:86:fc:a2:a3:b0:bd:6b:96:c6:bb:65:ce:66:90:
         59:ac:5c:97:d0:69:eb:4f:59:4b:e3:c0:3e:e4:e5:f1:e1:ca:
         93:b4:a2:b7:11:f4:58:fb:b8:81:7a:16:6f:18:86:86:ae:0a:
         af:c1:c6:93:be:57:a8:d5:d1:18:a8:e9:3c:f7:88:a6:b3:b8:
         e9:61:10:e6:c9:60:33:9f:98:b1:05:0e:b1:54:78:06:28:d0:
         ae:aa:50:49:9d:c4:a3:cd:34:21:1e:76:69:d4:50:47:c1:0e:
         20:96:35:c3:54:a2:7a:db:26:a7:e2:0c:8e:76:ba:f1:8a:1b:
         1c:75:0c:be:bc:af:c3:f7:d5:8d:01:3f:c2:09:80:51:f8:7d:
         49:03:a6:b9:01:34:da:78:5c:d4:ea:fb:8d:40:96:3e:55:83:
         80:1a:97:54:83:28:21:01:a8:46:94:26:73:9a:b1:0f:47:e7:
         68:99:ba:9d:94:41:8d:cd:06:dd:76:0e:c5:0a:fb:f9:54:de:
         45:67:5f:78
[root@y_zilong ~]#

 查看crl文件:

[root@y_zilong ~]# sz /etc/pki/CA/crl.pem  
#将文件crl.pem传到windows上,修改文件名为crl.pem.crl,双击可以看到下面显示

y_zilong
关注
  • 6
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
CentOS8搭建实现私有CA证书申请
qq_38419276的博客
04-29 1779
选项说明 -new:生成新证书签署请求 -x509:专用于CA生成自签证书 -key:生成请求时用到的私钥文件 -days n:证书的有效期限 -out /PATH/TO/SOMECERTFILE: 证书的保存路 注意:默认要求 国家,省,公司名称三项必须和CA一致 创建CA相关目录,centos8没有以下的目录 [root@CentOS-8 ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private} [root@CentOS-8 ~]# tree /etc
centos8上实现私有CA证书申请颁发
王某人的博客
04-27 1718
私有CA证书申请颁发centos8 一.创建生成密钥文件 1.用下面这条命令查看这个路径下有没有文件 如果报错没有 ls /etc/pki/CA 2.就递归创建出以下文件 mkdir /etc/pki/CA/{certs,crl,newcerts,private} -p 3.index 存放证书所有者 生成证书索引数据库文件 touch /etc/pki/CA/index.txt 4.指定第一个颁发证书的序列号 echo 0F > /etc/pki/CA/serial
CentOS 7 搭建CA证书服务器
qq_44484541的博客
04-13 2754
【代码】CentOS 7 搭建CA证书服务器
如何在centos8上配置一个ca证书颁发机构并且颁发一个自签名证书【超详细!!!】
最新发布
a91888888的博客
12-09 421
12. 配置Apache SSL虚拟主机。在文件中添加以下内容:```在文件中添加以下内容:```13. 重启Apache服务。4. 创建CA证书配置文件。8. 配置证书签名请求文件。1. 安装OpenSSL。3. 创建CA证书数据库。6. 生成CA自签名证书。2. 创建CA证书目录。7. 配置证书颁发机构。11. 配置SSL证书。添加以下内容:```
安装内核模块出现错误
u013304893的博客
03-26 4585
安装内核模块出现如下错误 At main.c:160: SSL error:02001002:system library:fopen:No such file or directory: …/crypto/bio/bss_file.c:69 解决办法 cd /lib/modules/$(uname -r)/build/certs sudo tee x509.genkey > /dev/null << ‘EOF’ [ req ] default_bits = 4096 distingu
Linux安装TPM emulator错误:No such file or directory: ../crypto/bio/bss_file.c
qq_42133073的博客
04-06 3578
在安装tpm emulator执行make install时,会报如下错误: 网上大部分都是没有解决方法的。其实这里是缺少certs/signing_key.pem这个文件,我们只需要生成这个文件就好了。 解决方法: 建立x509.genkey文件 提示:以下是本篇文章正文内容,下面案例可供参考 一、pandas是什么? 示例:pandas 是基于NumPy 的一种工具,该工具是为了解决数据分析任务而创建的。 二、使用步骤 1.引入库 代码如下(示例): import numpy as np impo
Linux系统:CentOS 7 CA证书服务器部署
cronaldo91的博客
08-27 5988
证书请求文件:CSR是Cerificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书的私钥签名就生成了证书文件,也就是颁发给用户的证书。HTTP 明文传输,数据都是未加密的,安全性较差,HTTPS(SSL+HTTP) 数据传输过程是加密的,安全性较好。功能:证书发放、证书更新、证书撤销和证书验证。
CentOS8 创建私有CA证书服务器,颁发证书,吊销证书
11-29
CentOS8 创建私有CA证书服务器,颁发证书,吊销证书
CentOS 8 上安装Jenkins的方法
01-09
CentOS 8 上安装Jenkins需要使用root账号或具有sudo权限的账号。因为Jenkins是使用Java编写的,所以需要安装Java环境 1、安装OpenJDK。 sudo dnf install java-1.8.0-openjdk-devel 2、启用Jenkins存储库。运行...
CentOS 8/RHEL 8 上安装和使用 Cockpit的方法
09-14
Cockpit 是一个基于 Web 的服务器管理工具,可用于 CentOS 和 RHEL 系统。最近发布的 CentOS 8 和 RHEL 8,其中 cockpit 是...这篇文章主要介绍了在 CentOS 8/RHEL 8 上安装和使用 Cockpit的方法,需要的朋友可以参考下
详解CentOS 7 : Docker私有仓库搭建和使用
01-20
系统环境: CentOS 7.2 192.168.0.179:Docker仓库 192.168.0.60:客户端 安装并启动docker yum -y install docker systemctl start docker systemctl enable docker 搭建私有仓库 179上下载registry镜像 ...
CentOS7.2服务器搭建Docker私有镜像仓库操作示例
09-30
主要介绍了CentOS7.2服务器搭建Docker私有镜像仓库操作,结合实例形式分析了基于CentOS7.2平台docker安装、证书和密钥生成、私有镜像创建与启动等操作相关命令与使用技巧,需要的朋友可以参考下
CentOS 8安装https证书
我是福强的博客
08-01 1236
linux certbot生成https证书
CentOS8.0CA证书申请以及sshd,dhcp服务器
Han199908的博客
05-06 1004
1、创建私有CA并进行证书申请。 2、总结ssh常用参数、用法。 3、总结sshd服务常用参数。 (科学上网的方法不要往博客写,访问量超过一万,博客会被封。) 4、搭建dhcp服务,实现ip地址申请分发 ...
Centos8搭建CA服务器
m0_56581199的博客
03-21 2395
Centos8搭建CA服务器一、CA理论知识二、搭建CA服务1.手动创建CA需要的文件和目录2.通过openssl申请证书私钥 #前言 配置CA服务器,为Linux主机颁发证书 提示:以下是本篇文章正文内容,下面案例可供参考 一、CA理论知识 CA文件后缀: .pem:导出导入证书的格式 .crt:证书文件 .key:证书私钥 .csr:证书签名请求 x509:证书格式 二、搭建CA服务 1.手动创建CA需要的文件和目录 命令如下(示例): mkdir -p /etc/pki/CA/{certs,
Linux 加密安全和私有CA搭建方法
萌兔兔MMQ!!
07-27 1075
常用安全技术3A认证身份确认授权权限分配审计监控做了什么安全通信加密算法和协议对称加密非对称加密单向加密哈希(hash)加密认证协议对称加密加密和解密使用的是同一个密钥是通过将原始数据分割成若干块来逐个进行加密特点效率高、速度快缺点加密解密使用的密钥相同,需要提前把密钥发给别人且不能确定数据来自于发送方。常见的对称加密算法DES56位加密,把数据切成56Bit一块来进行加密3DESDES的方式加密三次AES#获取到一个随机密码。...
Centos建立私有CA实现证书申请、颁发与吊销
m0_66477319的博客
11-06 312
CA是Certificate Authority的简写,是指凭证管理中心,认证授权机构。它类似于生活中的身份证颁发机构,但是CA是给服务器颁发证书的机构。颁发证书的目的是为了证明服务器的合法性,从而识别我们访问的服务器的真假。本文主要讲解了创建私有CA实现证书申请、颁发以及吊销。
Ubuntu18.04安装RTL8125/RTL8168等网卡驱动程序
热门推荐
tanmx219的博客
01-30 1万+
首先下载安装 Openssl, sudo apt-get update sudo apt-get install gcc make git clone --recursive https://github.com/openssl/openssl.git cd openssl ./Configure make make test sudo make install sudo ldconfig /usr/local/lib64/ ===================================
Centos安装私有证书
05-27
要在CentOS上安装私有证书,请按以下步骤操作: 1.将根证书文件传输到您的CentOS系统。您可以使用SCP、SFTP或其他文件传输工具将其上传到服务器。 2.将证书文件复制到/etc/pki/ca-trust/source/anchors/目录中,...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

y_zilong

一分钱的肯定

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值