OPENSSL-CA 知识

 

#cd /etc/pki/CA
#(umask 077; openssl genrsa -out private/cake.pem 1024) 生成密钥
#openssl rsa -in server1024.key -pubout 提取公钥
生成自签证书
#openssl req -new -x509 -key private/cake.pem -out cacert.pem -days 365
#openssl x509 -text -in server.crt 可以输出证书信息
#cd /etc/pki/tls/ CA的配制文件目录
#vim openssl.cnf
dir =/etc/pki/CA的信息
#mkdir certs newcerts crl
#touch index.txt
#touch serial
#echo 01>serial
---------------------------------------------------------------------------------------------------------------------------------------------
HTTPD生成证书
#mkdir ssl
#cd ssl
#pwd
/etc/httpd/ssl
#(umask 077; openssl genrsa -out httpd.key 1024
#openssl req -new -key httpd.key -out httpd.csr -days 365 这里没有x509，x509生成自禾签证书的
#openssl ca -in httpd.csr -out httpd.crt -days 365


--------------------------------------------------------------------------配制知识-----------------------------------------------------------------
[ CA_default ]默认

dir = /etc/pki/CA # CA工作路径
certs = $dir/certs # 证书保存位置
crl_dir = $dir/crl # 吊销列表
database = $dir/index.txt # 发过证的人在的表
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # 新生成的证书的位置

certificate = $dir/cacert.pem # 自己签证书的位置
serial = $dir/serial # 证书序列号
crlnumber = $dir/crlnumber # 证书的吊销列表的号码
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # 吊销列表文件
private_key = $dir/private/cakey.pem# ca自己的私钥
RANDFILE = $dir/private/.rand # privat

[ req_distinguished_name ] #设置默认的信息
countryName = Country Name (2 letter code)
countryName_default = XX 国家
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Default Province

localityName = Locality Name (eg, city)
localityName_default = Default City