Linux openssl CA certificates and issuance
Certificate application and signing steps: 1> generate the certificate signing request 2> RA verification 3> CA signing 4> obtain the certificate
***************************
1> On centos8, create the files and directories the CA needs, as listed in the [ CA_default ] section of openssl.cnf:

[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key

[20:22:52 root@centos8 pki]#mkdir CA
[20:23:55 root@centos8 CA]#touch index.txt
[20:24:01 root@centos8 CA]#echo 01 > serial
[20:32:25 root@centos8 CA]#mkdir private
[21:04:59 root@centos8 CA]#mkdir /etc/pki/CA/certs
[21:04:26 root@centos8 CA]#mkdir /etc/pki/CA/newcerts

2> Create the CA private key
[20:32:43 root@centos8 CA]#openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................+++++
................................................+++++
e is 65537 (0x010001)
[20:35:45 root@centos8 CA]#ll ./private/cakey.pem
-rw-------. 1 root root 1679 May 9 20:32 ./private/cakey.pem

3> Generate the CA self-signed certificate
[20:39:19 root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36500 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:Noise
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:noise
Email Address []:570110218@qq.com
[20:39:47 root@centos8 CA]#ll
total 8
-rw-r--r--. 1 root root 1391 May 9 20:39 cacert.pem
-rw-r--r--. 1 root root 0 May 9 20:24 index.txt
drwxr-xr-x. 2 root root 23 May 9 20:32 private
-rw-r--r--. 1 root root 3 May 9 20:24 serial
The certificate can be downloaded to Windows and opened there after renaming it with a .crt suffix:
[20:46:25 root@centos8 CA]#sz ./cacert.pem
It can also be inspected directly on the host:
[20:55:49 root@centos8 CA]#openssl x509 -in cacert.pem -noout -text

4> Host A requests a certificate and has it issued by the CA
4.1> Generate the private key
[21:31:53 root@centos8 CA]#openssl genrsa -out /data/noise.key
4.2> Create the certificate signing request file
[21:34:12 root@centos8 CA]#openssl req -new -key /data/noise.key -out /data/noise.csr
4.3> Issue the certificate with the CA
[21:39:39 root@centos8 CA]#openssl ca -in /data/noise.csr -out /etc/pki/CA/certs/noise.crt -days 100
4.4> View the certificate
[21:41:14 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/noise.crt -noout -text

Revoking a certificate
[22:05:01 root@centos8 CA]#cat serial
[22:05:22 root@centos8 CA]#echo 02 > serial
[22:06:36 root@centos8 CA]#echo 02 > crlnumber
[22:06:42 root@centos8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
[22:07:00 root@centos8 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
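As an added example (not the post's own commands) that ties steps 1 through 4 and the revocation section together: the POSIX shell function below rebuilds the [ CA_default ] layout under a scratch directory, issues one certificate non-interactively, then revokes it and regenerates the CRL. It goes beyond the post in two ways: -subj replaces the interactive DN prompts, and openssl ca -revoke runs before -gencrl, because the CRL only lists certificates already marked revoked in index.txt. The ca_demo function name, the host-a common name and the scratch-directory config are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, not from the original post: builds the directory layout the
# [ CA_default ] section expects, issues one cert, revokes it, and checks both states.
ca_demo() {   # usage: ca_demo <empty_work_dir>; returns 0 on success
  dir="$1"; cfg="$dir/openssl.cnf"
  mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
  touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  # Minimal config using the post's CA_default keys, rooted at $dir instead of /etc/pki/CA.
  cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 100
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
EOF
  # CA key and self-signed root (steps 2 and 3); -subj replaces the interactive DN prompts.
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/private/cakey.pem" -days 36500 -config "$cfg" \
    -subj "/C=CN/ST=SC/L=Chengdu/O=Noise/OU=IT/CN=noise" -out "$dir/cacert.pem"
  # Host key, CSR and CA signature (steps 4.1 to 4.3), then a chain check that must pass.
  openssl genrsa -out "$dir/noise.key" 2048 2>/dev/null
  openssl req -new -key "$dir/noise.key" -config "$cfg" -subj "/CN=host-a" -out "$dir/noise.csr"
  openssl ca -batch -config "$cfg" -in "$dir/noise.csr" -out "$dir/certs/noise.crt" -days 100 2>/dev/null
  openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/noise.crt" >/dev/null || return 1
  # Mark the cert revoked in index.txt before -gencrl; without -revoke the CRL is empty.
  openssl ca -config "$cfg" -revoke "$dir/certs/noise.crt" 2>/dev/null
  openssl ca -config "$cfg" -gencrl -out "$dir/crl.pem" 2>/dev/null
  # With the CRL applied, verifying the revoked cert must now fail (exit status inverted).
  ! openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl.pem" \
      "$dir/certs/noise.crt" >/dev/null 2>&1
}
```

Run it as ca_demo "$(mktemp -d)"; afterwards index.txt holds an R line for the revoked serial and openssl crl -in crl.pem -noout -text lists it.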