Creating a certificate authority (CA) on CentOS

My environment is CentOS 7.4. Here I use the CA helper script that ships with OpenSSL (/etc/pki/tls/misc/CA) to issue the certificates, so the dependency has to be installed first.

1. Install the software dependency

[root@server ~]# yum install openssl
[root@server ~]# /etc/pki/tls/misc/CA -
Unknown arg 
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

2. Set up the CA

↓ Create the CA key pair (public and private key).
[root@server ~]# /etc/pki/tls/misc/CA -newca
↓ Press Enter.
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
...............+++
.........................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
↓ Enter the pass phrase twice.
Enter PEM pass phrase:123456
Verifying - Enter PEM pass phrase:123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
↓ Enter the two-letter country code.
Country Name (2 letter code) [XX]:CN
↓ Enter the state or province (full name).
State or Province Name (full name) []:china
↓ Enter the city name.
Locality Name (eg, city) [Default City]:hainan
↓ Enter the organization or company name.
Organization Name (eg, company) [Default Company Ltd]:jishixueyuan
↓ Enter the organizational unit name.
Organizational Unit Name (eg, section) []:jisuanjji
↓ The CA's domain name (Common Name).
Common Name (eg, your name or your server's hostname) []:hyiqie.com
↓ Enter the e-mail address.
Email Address []:2319763378@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
↓ Press Enter twice.
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
↓ Enter the pass phrase set above.
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: f6:fc:2b:07:af:2d:57:22
        Validity
            Not Before: Mar 22 13:10:03 2019 GMT
            Not After : Mar 21 13:10:03 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = china
            organizationName          = jishixueyuan
            organizationalUnitName    = jisuanji
            commonName                = hyiqie.com
            emailAddress              = 2319763378@qq.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                86:1F:78:D0:AC:46:DD:D7:B1:3D:52:33:3D:9C:44:37:95:A8:4D:8F
            X509v3 Authority Key Identifier:
                keyid:86:1F:78:D0:AC:46:DD:D7:B1:3D:52:33:3D:9C:44:37:95:A8:4D:8F
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Mar 21 13:10:03 2022 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
↓ Check the CA root certificate and private key that were created.
[root@server ~]# ls /etc/pki/CA/cacert.pem /etc/pki/CA/private/cakey.pem
/etc/pki/CA/cacert.pem  /etc/pki/CA/private/cakey.pem

3. Create a certificate signing request for the server certificate

↓ Generate the certificate request (the -nodes variant leaves the private key unencrypted).
[root@server ~]# /etc/pki/tls/misc/CA -newreq-nodes
Generating a 2048 bit RSA private key
................+++
.............................+++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
↓ Fill in the request information.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:china
Locality Name (eg, city) [Default City]:hainan
Organization Name (eg, company) [Default Company Ltd]:jishixueyuan
Organizational Unit Name (eg, section) []:jisuanjji
Common Name (eg, your name or your server's hostname) []:www.hyiqie.com
Email Address []:2319763378@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
↓ Check the generated request file (it contains both the private key and the request).
[root@server ~]# ls newreq.pem
newreq.pem

4. Sign the request with the CA

[root@server ~]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
↓ Enter the CA pass phrase.
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: f6:fc:2b:07:af:2d:57:23
        Validity
            Not Before: Mar 22 13:36:43 2019 GMT
            Not After : Mar 21 13:36:43 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = china
            localityName              = hainan
            organizationName          = jishixueyuan
            organizationalUnitName    = jisuanjji
            commonName                = www.hyiqie.com
            emailAddress              = 2319763378@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                33:10:4E:A5:D4:3A:F6:FD:15:F0:81:A6:13:86:86:49:B9:9A:F0:F6
            X509v3 Authority Key Identifier:
                keyid:86:1F:78:D0:AC:46:DD:D7:B1:3D:52:33:3D:9C:44:37:95:A8:4D:8F
Certificate is to be certified until Mar 21 13:36:43 2020 GMT (365 days)
↓ Enter y.
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: f6:fc:2b:07:af:2d:57:23
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=china, O=jishixueyuan, OU=jisuanji, CN=hyiqie.com/emailAddress=2319763378@qq.com
        Validity
            Not Before: Mar 22 13:36:43 2019 GMT
            Not After : Mar 21 13:36:43 2020 GMT
        Subject: C=CN, ST=china, L=hainan, O=jishixueyuan, OU=jisuanjji, CN=www.hyiqie.com/emailAddress=2319763378@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    (modulus omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                33:10:4E:A5:D4:3A:F6:FD:15:F0:81:A6:13:86:86:49:B9:9A:F0:F6
            X509v3 Authority Key Identifier:
                keyid:86:1F:78:D0:AC:46:DD:D7:B1:3D:52:33:3D:9C:44:37:95:A8:4D:8F
    Signature Algorithm: sha256WithRSAEncryption
         (signature omitted)
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
↓ Check the issued certificate.
[root@server ~]# ls newcert.pem
newcert.pem
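The same three steps (newca, newreq-nodes, sign) done non-interactively with plain openssl(1), followed by the checks the walkthrough above never runs: that newcert.pem actually verifies against cacert.pem, that the root carries CA:TRUE and the server certificate CA:FALSE, and that the server certificate carries a subjectAltName (the one issued above only has a Common Name, which modern clients no longer match against). This is an added example, not the post's own commands or the CA script's internals; the subjects and the hyiqie.com host are taken from the post, everything else (the temporary directory, the config sections, the CA_PASS value) is constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post: newca / newreq-nodes / sign with plain
# openssl, then verify the result. CA_PASS is a constructed placeholder, not the post's value.
set -eu
WORK=$(mktemp -d)
CA_PASS="constructed-placeholder-passphrase"

# One config serves all three steps: v3_ca for the root, v3_leaf for the server cert.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.hyiqie.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

make_ca() {   # step 2: pass-phrase-protected CA key + self-signed root, 1095 days as in the post
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -sha256 -days 1095 \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" -passout "pass:$CA_PASS" \
    -subj "/C=CN/ST=china/L=hainan/O=jishixueyuan/OU=jisuanji/CN=hyiqie.com" >/dev/null 2>&1
}
make_req() {  # step 3: unencrypted server key + CSR, the equivalent of -newreq-nodes
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" \
    -subj "/C=CN/ST=china/L=hainan/O=jishixueyuan/OU=jisuanji/CN=www.hyiqie.com" >/dev/null 2>&1
}
sign_req() {  # step 4: the CA signs the CSR; extensions come from the CA's config, not the CSR
  openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions v3_leaf -out "$WORK/newcert.pem" >/dev/null 2>&1
}
verify_chain() {  # succeeds only if newcert.pem chains to cacert.pem
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}
is_ca_cert() {    # $1 = PEM file; succeeds only when Basic Constraints says CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

make_ca && make_req && sign_req
verify_chain && echo "newcert.pem verifies against cacert.pem"
is_ca_cert "$WORK/cacert.pem" && echo "cacert.pem: CA:TRUE"
is_ca_cert "$WORK/newcert.pem" || echo "newcert.pem: CA:FALSE"
```

The same two checks (`openssl verify -CAfile` and `openssl x509 -noout -text`) can be run against /etc/pki/CA/cacert.pem and the newcert.pem produced by the CA script above.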
