openssl 怎么生成吊销列表 - 教程

mkdir testcd test# 根据 /usr/lib/ssl/openssl.cnf 配置文件中目录结构可知有个demoCA目录，目录下有各种文件。mkdir ./demoCA ./demoCA/newcerts ./demoCA/privatesudo chmod 777 -R ./demoCA/echo '01' > ./demoCA/serialtouch ./demoCA/index.txt# /usr/lib/ssl/openssl.cnf 把 subjectAltName 改为下面sudo vim /usr/lib/ssl/openssl.cnf 放在 [ v3_req ] 下面subjectAltName         = DNS:localhost, DNS:proxy.com, DNS:www.proxy.com, IP:192.168.5.116# 生成根证书openssl genrsa -out ca.key 2048 # 生成CA私钥openssl req -new -x509 -key ca.key -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Organizational Unit/CN=RootCA" # 生成CA证书 openssl genrsa -out server.key 2048 # 生成服务器私钥openssl req -new -key server.key -out server.csr -subj "/C=US/ST=California/L=San Francisco/O=My Company/OU=IT Department/CN=localhost" # 生成服务器证书签名请求（CSR）cp ca.key ./demoCA/private/cakey.pemcp ca.crt ./demoCA/cacert.pem# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt # 使用CA证书签署服务器证书openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req # 使用CA证书签署服务器证书

echo '00' >./demoCA/crlnumber# 如果想生成 pem 格式，名字改为 server.pem 即可openssl ca -gencrl -out server.crl# 吊销证书openssl ca -revoke server.crt# 生成吊销列表openssl ca -gencrl -out server.crl

windows下打开查看