OpenSSL证书颁发机构基本搭建

日期：2020-10-16 栏目：程序人生浏览：次

[root@bogon ~]# vim /etc/pki/tls/openssl.cnf

####################################################################
[ CA_default ]

dir = /etc/pki/CA //CA目录改成绝对路径
certs = $dir/certs //公钥
crl_dir = $dir/crl //证书吊销列表
database = $dir/index.txt //证书颁发信息

new_certs_dir = $dir/newcerts //证书备份，副本

certificate = $dir/cacert.pem //CA公钥
serial = $dir/serial /学列号
crlnumber = $dir/crlnumber //吊销证书次数

crl = $dir/crl.pem //黑名单列表
private_key = $dir/private/cakey.pem//CA中心私钥

3、默认的CA下目录文件是没有的，需要我们手动建立下

[root@bogon ~]# cd /etc/pki/CA/

[root@bogon CA]# mkdir certs newcerts crl

[root@bogon CA]# touch index.txt

[root@bogon CA]# echo 01 > serial

4、自签证书，生成自己的证书，依次按屏幕提示输入个人信息即可

[root@bogon CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048

[root@bogon CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Peace
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.peace.com
Email Address []:

5、客户端申请证书，生成密钥

[root@bogon ssl]# (umask 077;openssl genrsa 1024 > client.key)

[root@bogon ssl]# openssl req -new -key client.key -out client.csr

[root@bogon ssl]# scp client.csr root@192.168.80.135:/tmp //这里我就用scp传给CA了

6、CA验证颁发，发回给客户端

[root@bogon tmp]# openssl ca -in client.csr -out client.crt -days 365

[root@bogon tmp]# scp client.crt root@192.168.80.136:/ssl

至此简单的CA证书申请颁发就结束了，当然这只是简简单单的一个申请过程而已。

转载注明出处：http://www.heiqu.com/7812f6e48f736c3f060c289437cb7870.html

OpenSSL证书颁发机构基本搭建

相关推荐