To check a certificate's status, use the command below; it displays the certificate's contents as well as several pieces of information about the issuer.

openssl x509 -in /etc/pki/CA/cacert.pem -noout -text | -issuer | -subject | -serial | -dates

-text     the certificate's contents
-issuer   information about the issuer
-subject  information about the subject
-serial   the certificate's serial number
-dates    the certificate's validity period

# Information about the issuer
[root@localhost ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -issuer
issuer= /C=CN/ST=shandong/L=qingdao/O=pojun.tech/OU=opt/CN=ca.pojun.tech

# Information about the subject
[root@localhost ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -subject
subject= /C=CN/ST=shandong/L=qingdao/O=pojun.tech/OU=opt/CN=ca.pojun.tech

# The certificate's validity period
[root@localhost ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -dates
notBefore=Sep 11 13:43:42 2017 GMT
notAfter=Sep 6 13:43:42 2037 GMT

# The status can also be looked up by the certificate's number as recorded in index.txt
[root@localhost ~]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

Revoking a certificate

Here we revoke the sub-CA's certificate.
A. First, on the sub-CA host, obtain the serial of the certificate to be revoked.

In the earlier example, our sub-CA certificate was stored at /etc/pki/CA/certs/subca.crt

[root@centos6 CA]$openssl x509 -in /etc/pki/CA/certs/subca.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=shandong/O=pojun.tech/OU=opt/CN=subca.pojun.tech

B. On the root CA, compare the serial and subject submitted by the client against the entries in index.txt to confirm they match, then revoke the certificate.

# Change into the CA directory and list its contents
[root@localhost CA]#pwd
/etc/pki/CA
[root@localhost CA]#tree
.
├── cacert.pem
├── certs
│   └── subca.crt        # the certificate file issued directly to the sub-CA
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem           # the CA's copy whose serial matches the sub-CA certificate
├── private
│   └── cakey.pem
├── serial
├── serial.old
└── subca.csr

# Revoke the sub-CA's certificate with the revoke command
[root@localhost CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated

C. Set the number of the first revocation list (the CRL number)
Setting this number is only necessary before the certificate revocation list is updated.

# This command plays the same role as setting the serial number before issuing certificates:
# it specifies the number that the next revocation list will carry.
[root@localhost ~]#echo 01 > /etc/pki/CA/crlnumber
[root@localhost ~]#cat /etc/pki/CA/crlnumber
01

D. Update the certificate revocation list
Once the CRL number has been set, the revocation list can be updated.

[root@localhost ~]#openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:     # prompts for the CA key's passphrase

View the revocation list file:

[root@localhost ~]#openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
Certificate Revocation List (CRL):          # the certificate revocation list
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=shandong/L=qingdao/O=pojun.tech/OU=opt/CN=ca.pojun.tech
        Last Update: Sep 12 11:58:17 2017 GMT
        Next Update: Oct 12 11:58:17 2017 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:                       # this section shows the certificate has been revoked
    Serial Number: 01                       # the revoked serial number
        Revocation Date: Sep 12 11:52:47 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         b4:6e:f2:73:21:ed:c4:38:39:06:29:76:61:ac:d6:ee:a4:5d:
         e8:cb:7c:8b:f8:01:21:ba:bd:b2:46:fa:ea:bf:de:fa:6e:f6:
         85:d6:93:7c:81:b4:2d:d5:eb:c2:94:a3:6f:13:6d:f3:3f:48:
         56:85:72:96:cf:e0:ea:a9:0e:07:43:6d:62:2d:4d:e2:2e:b5:
         02:6a:27:7a:31:76:eb:4e:b1:d6:83:8b:d7:39:10:14:d6:94:
         77:4b:10:d8:24:46:95:1b:48:87:16:77:ce:8c:1b:54:2c:4d:
         ee:2f:24:13:10:62:30:32:74:9e:84:49:c9:dc:a9:fc:31:60:
         57:b5:43:7a:a3:09:75:60:1e:6a:f2:26:e9:54:37:2d:ce:0b:
         ac:b2:41:c2:d9:02:99:fc:a3:99:15:9c:10:a7:f4:be:08:83:
         23:ee:ef:74:83:ea:fd:f7:c9:e1:87:6f:9b:1d:c3:df:88:2d:
         79:2b:71:4b:9e:6f:ae:f9:08:d9:66:d4:f1:49:df:7e:89:99:
         06:a3:86:72:37:02:78:0f:16:e8:87:8a:61:5b:a3:ac:e2:46:
         38:ce:86:29:c9:c6:e5:8c:f8:25:2f:7e:d1:62:13:57:a3:a6:
         10:42:13:b9:e4:0b:fa:9f:f4:d0:95:9b:5d:9b:2d:38:7f:8d:
         ac:c0:e6:3f
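Reading the CRL dump confirms the entry exists, but the check that matters is whether a relying party now rejects the certificate. The script below is an added example, not part of the original post: it builds a throwaway CA in a temporary directory (every path and name is constructed, and the CA key has no passphrase so it runs unattended), repeats steps B through D against it, and checks the result both with openssl ca -status and with openssl verify -crl_check.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA (all paths and names
# constructed, key without passphrase) issues one cert, revokes it, regenerates the CRL.
DEMO_DIR=$(mktemp -d); CNF="$DEMO_DIR/openssl.cnf"; SUB="$DEMO_DIR/subca"
setup_demo_ca() {
    mkdir -p "$DEMO_DIR/newcerts" "$DEMO_DIR/private"; : > "$DEMO_DIR/index.txt"
    echo 01 > "$DEMO_DIR/serial"; echo 01 > "$DEMO_DIR/crlnumber"   # step C of the post
    cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $DEMO_DIR/index.txt
new_certs_dir = $DEMO_DIR/newcerts
certificate = $DEMO_DIR/cacert.pem
private_key = $DEMO_DIR/private/cakey.pem
serial = $DEMO_DIR/serial
crlnumber = $DEMO_DIR/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -config "$CNF" -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -subj /CN=demo-root-ca -addext basicConstraints=critical,CA:TRUE \
        -keyout "$DEMO_DIR/private/cakey.pem" -out "$DEMO_DIR/cacert.pem" 2>/dev/null
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj /CN=demo-subca \
        -keyout "$SUB.key" -out "$SUB.csr" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext -in "$SUB.csr" -out "$SUB.crt" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$DEMO_DIR/crl.pem" 2>/dev/null  # empty CRL
}
ca_status() {   # serial as listed in index.txt (e.g. 01) -> valid | revoked | unknown
    case "$(openssl ca -config "$CNF" -status "$1" 2>&1 || true)" in
        *Revoked*) echo revoked ;; *Valid*) echo valid ;; *) echo unknown ;; esac
}
verify_with_crl() {   # cert path -> valid | revoked | invalid (relying-party check)
    case "$(openssl verify -crl_check -CAfile "$DEMO_DIR/cacert.pem" \
                -CRLfile "$DEMO_DIR/crl.pem" "$1" 2>&1 || true)" in
        *": OK"*) echo valid ;; *revoked*) echo revoked ;; *) echo invalid ;; esac
}
revoke_and_regenerate_crl() {   # steps B and D of the post, against the demo CA
    openssl ca -config "$CNF" -revoke "$1" 2>/dev/null
    openssl ca -config "$CNF" -gencrl -out "$DEMO_DIR/crl.pem" 2>/dev/null
}
setup_demo_ca; BEFORE=$(verify_with_crl "$SUB.crt"); revoke_and_regenerate_crl "$SUB.crt"
echo "before: $BEFORE  after: $(verify_with_crl "$SUB.crt") / status: $(ca_status 01)"
```

Note that the revocation only takes effect for relying parties once the regenerated CRL is published and fetched; until then verify still reports the old CRL's result.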