@mrz1 2018-01-07T09:08:23.000000Z · Words: 14314 · Reads: 3852

Building a private CA with the openssl command to manage certificates

Tools


1. Create the required files

2. CA self-signed certificate

    [root@centos7 ~]#cd /etc/pki/CA/

    [root@centos7 CA]#(umask066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048) // generate the private key
    bash: umask066: command not found...
    Generating RSA private key, 2048 bit long modulus
    ..................+++
    ..+++
    e is 65537 (0x10001)
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:

    [root@centos7 CA]#tree
    .
    ├── certs
    ├── crl
    ├── newcerts
    └── private
        └── cakey.pem

    4 directories, 1 file

    [root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out cacert.pem // generate the self-signed certificate
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:magedu
    Organizational Unit Name (eg, section) []:opt
    Common Name (eg, your name or your server's hostname) []:ca.magedu.com
    Email Address []:1353250703@qq.com

-new: generate a new certificate signing request
-x509: used only when a CA generates its own self-signed certificate
-key: the private key file used to generate the request
-days n: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: path where the certificate is saved

    [root@centos7 CA]#cat cacert.pem // view the file
    -----BEGIN CERTIFICATE-----
    MIID6TCCAtGgAwIBAgIJAIltKDHnCEbmMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
    VQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEPMA0G
    A1UECgwGbWFnZWR1MQwwCgYDVQQLDANvcHQxFjAUBgNVBAMMDWNhLm1hZ2VkdS5j
    b20xIDAeBgkqhkiG9w0BCQEWETEzNTMyNTA3MDNAcXEuY29tMB4XDTE4MDEwNzA3
    NDUwOFoXDTM4MDEwMjA3NDUwOFowgYoxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdC
    ZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8wDQYDVQQKDAZtYWdlZHUxDDAKBgNV
    BAsMA29wdDEWMBQGA1UEAwwNY2EubWFnZWR1LmNvbTEgMB4GCSqGSIb3DQEJARYR
    MTM1MzI1MDcwM0BxcS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
    AQCyR4IORcFzC3eHsKHXIo7FlywAPTZY80BWVwSM7jdTpSlNCvDGb6wjjKS0YY4w
    dyAxflfdtGopfxJyvjqjB1auVSgBe24raUjhgZL/bBMkQ255CPv/e9isKVn8FD+v
    mGYVf3e1wlxSKoqKwqsO/7JvZk8Wt2cG12Rvh3AisD0AKPc9TOMbsn5yEcriekh3
    W7aO5PtkZVe+V3YSjUix+FWzYiDJ2RRmY+w51PSt1cb6Vk7891VJ2NMch4q/sNy0
    TUCd0t4xE/E0JXx8rpZoffEsDYK0QHb9o5GoNUMSYHfGR271krtf01l6+4Gj0QDZ
    rjA8MBbkDwgkXMS2uvKxnO9HAgMBAAGjUDBOMB0GA1UdDgQWBBT9ZGVRTE5llYJD
    PB3+CMHAw3J+qzAfBgNVHSMEGDAWgBT9ZGVRTE5llYJDPB3+CMHAw3J+qzAMBgNV
    HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQADUogD0Em7e9OtcZEKl3N5N7bL
    JPzqT6RRpN0ToCTPunD7vCPaVpI0b8KOhvMTNLoM432r+kPzf9l+GAln7DPeZprP
    k1kCW7tQQMCTSEf6SVnQ5r5BhSmB+nwEjQ4hiBrAzOH+3+uwYHiY0jI6EajgC03J
    g+Kd6rYHIC3uDNNh8lI2SoQUh244CdS/aRfWDIjDoEMpzjO94YU1EOWadmKUWvY3
    bh0zpwO076cvnZ43XKXpscNpktmLKxgQDrodn8MxHBMyOxX2Qx/SoCrLzfJPWtrn
    /BmcRkX5GlUR0LV1vUcOKgczr3ka/sY6OizGxOGJy4NmW3T/kJPsHbU9o7pP
    -----END CERTIFICATE-----
    [root@centos7 CA]#openssl x509 -in cacert.pem -noout -text // view the certificate as text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                89:6d:28:31:e7:08:46:e6
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=opt, CN=ca.magedu.com/emailAddress=1353250703@qq.com
            Validity
                Not Before: Jan 7 07:45:08 2018 GMT
                Not After : Jan 2 07:45:08 2038 GMT
            Subject: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=opt, CN=ca.magedu.com/emailAddress=1353250703@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b2:47:82:0e:45:c1:73:0b:77:87:b0:a1:d7:22:
                        8e:c5:97:2c:00:3d:36:58:f3:40:56:57:04:8c:ee:
                        37:53:a5:29:4d:0a:f0:c6:6f:ac:23:8c:a4:b4:61:
                        8e:30:77:20:31:7e:57:dd:b4:6a:29:7f:12:72:be:
                        3a:a3:07:56:ae:55:28:01:7b:6e:2b:69:48:e1:81:
                        92:ff:6c:13:24:43:6e:79:08:fb:ff:7b:d8:ac:29:
                        59:fc:14:3f:af:98:66:15:7f:77:b5:c2:5c:52:2a:
                        8a:8a:c2:ab:0e:ff:b2:6f:66:4f:16:b7:67:06:d7:
                        64:6f:87:70:22:b0:3d:00:28:f7:3d:4c:e3:1b:b2:
                        7e:72:11:ca:e2:7a:48:77:5b:b6:8e:e4:fb:64:65:
                        57:be:57:76:12:8d:48:b1:f8:55:b3:62:20:c9:d9:
                        14:66:63:ec:39:d4:f4:ad:d5:c6:fa:56:4e:fc:f7:
                        55:49:d8:d3:1c:87:8a:bf:b0:dc:b4:4d:40:9d:d2:
                        de:31:13:f1:34:25:7c:7c:ae:96:68:7d:f1:2c:0d:
                        82:b4:40:76:fd:a3:91:a8:35:43:12:60:77:c6:47:
                        6e:f5:92:bb:5f:d3:59:7a:fb:81:a3:d1:00:d9:ae:
                        30:3c:30:16:e4:0f:08:24:5c:c4:b6:ba:f2:b1:9c:
                        ef:47
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
                X509v3 Authority Key Identifier:
                    keyid:FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             03:52:88:03:d0:49:bb:7b:d3:ad:71:91:0a:97:73:79:37:b6:
             cb:24:fc:ea:4f:a4:51:a4:dd:13:a0:24:cf:ba:70:fb:bc:23:
             da:56:92:34:6f:c2:8e:86:f3:13:34:ba:0c:e3:7d:ab:fa:43:
             f3:7f:d9:7e:18:09:67:ec:33:de:66:9a:cf:93:59:02:5b:bb:
             50:40:c0:93:48:47:fa:49:59:d0:e6:be:41:85:29:81:fa:7c:
             04:8d:0e:21:88:1a:c0:cc:e1:fe:df:eb:b0:60:78:98:d2:32:
             3a:11:a8:e0:0b:4d:c9:83:e2:9d:ea:b6:07:20:2d:ee:0c:d3:
             61:f2:52:36:4a:84:14:87:6e:38:09:d4:bf:69:17:d6:0c:88:
             c3:a0:43:29:ce:33:bd:e1:85:35:10:e5:9a:76:62:94:5a:f6:
             37:6e:1d:33:a7:03:b4:ef:a7:2f:9d:9e:37:5c:a5:e9:b1:c3:
             69:92:d9:8b:2b:18:10:0e:ba:1d:9f:c3:31:1c:13:32:3b:15:
             f6:43:1f:d2:a0:2a:cb:cd:f2:4f:5a:da:e7:fc:19:9c:46:45:
             f9:1a:55:11:d0:b5:75:bd:47:0e:2a:07:33:af:79:1a:fe:c6:
             3a:3a:2c:c6:c4:e1:89:cb:83:66:5b:74:ff:90:93:ec:1d:b5:
             3d:a3:ba:4f
    [root@centos7 CA]#openssl x509 -in cacert.pem -noout -subject
    subject= /C=CN/ST=Beijing/L=Beijing/O=magedu/OU=opt/CN=ca.magedu.com/emailAddress=1353250703@qq.com
    [root@centos7 CA]#openssl x509 -in cacert.pem -noout -dates // view the validity dates
    notBefore=Jan 7 07:45:08 2018 GMT
    notAfter=Jan 2 07:45:08 2038 GMT

3. Issuing a certificate

    [root@centos6 app]#(umask 066;openssl genrsa -out app.key 1024)
    Generating RSA private key, 1024 bit long modulus
    ..++++++
    .......................++++++
    e is 65537 (0x10001)
    You have new mail in /var/spool/mail/root

    [root@centos6 app]#openssl req -new -key app.key -days 365 -out app.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:magedu
    Organizational Unit Name (eg, section) []:web
    Common Name (eg, your name or your server's hostname) []:*.ifeier.tech
    Email Address []:1353250703@qq.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Note: with the default policy, the country, state/province and organization name fields of the request must match those of the CA.

    [root@centos7 CA]#openssl ca -in app.csr -out certs/app.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 7 08:19:28 2018 GMT
            Not After : Jan 7 08:19:28 2019 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = Beijing
            organizationName       = magedu
            organizationalUnitName = web
            commonName             = *.ifeier.tech
            emailAddress           = 1353250703@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:97:38:A0:F1:8A:B1:47:F6:18:21:2C:5A:B7:D9:72:8A:EA:CC:22
            X509v3 Authority Key Identifier:
                keyid:FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
    Certificate is to be certified until Jan 7 08:19:28 2019 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@centos7 CA]#cat index.txt // the issued certificate is now on record
    V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
    [root@centos7 CA]#cat serial // next certificate serial number
    02
    [root@centos7 CA]#tree
    .
    ├── app.csr
    ├── cacert.pem
    ├── certs
    │   └── app.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 10 files
    [root@centos7 CA]#diff newcerts/01.pem certs/app.crt -s // compare the two files
    Files newcerts/01.pem and certs/app.crt are identical
    [root@centos7 CA]#ll newcerts/01.pem certs/app.crt -s // compare the two files
    4 -rw-r--r-- 1 root root 3861 Jan 7 16:19 certs/app.crt
    4 -rw-r--r-- 1 root root 3861 Jan 7 16:19 newcerts/01.pem
    [root@centos7 CA]#scp certs/app.crt 172.18.101.93:/app
    The authenticity of host '172.18.101.93 (172.18.101.93)' can't be established.
    RSA key fingerprint is SHA256:2cqUUYDNyWgJnskm7U33xF66s7E0wxByhOkt7OYiOiA.
    RSA key fingerprint is MD5:75:54:cf:f5:09:41:35:17:c2:00:a1:84:c3:48:10:8e.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.18.101.93' (RSA) to the list of known hosts.
    root@172.18.101.93's password:
    app.crt 100% 3861 1.9MB/s 00:00

4. Revoking a certificate

    [root@centos7 CA]#cat index.txt.old // find the matching serial number
    V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
    [root@centos7 CA]#tree
    .
    ├── app2.csr
    ├── app.csr
    ├── cacert.pem
    ├── certs
    │   ├── app2_2.crt
    │   ├── app2.crt
    │   └── app.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   ├── 01.pem
    │   └── 02.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 15 files
    [root@centos7 CA]#openssl ca -revoke newcerts/02.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Revoking Certificate 02.
    Data Base Updated
    [root@centos7 CA]#cat index.txt
    V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
    R (R means revoked) 190107084106Z 180107085540Z 02 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
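index.txt is the CA's only record of what it has issued, so it is worth being able to read it without going through openssl. The script below is an added example, not part of the original post: it parses the tab-separated index.txt layout shown above (status, expiry, revocation time, serial, file name, subject) to answer which serial is valid or revoked and which still-valid certificates expire within a given window. The sample database is constructed for the demo; the expiry date arithmetic is done in awk from the two-digit UTCTime years that openssl ca writes.

```bash
#!/bin/bash
# Added example (not from the original post): inspecting the CA database that
# `openssl ca` maintains, index.txt, with plain shell tools.
# Layout per line (tab-separated):
#   status  expiry(YYMMDDHHMMSSZ)  revocation(YYMMDDHHMMSSZ, empty unless R)  serial  file  subject
# status: V = valid, R = revoked, E = expired (only written by `openssl ca -updatedb`).
set -eu

# Constructed sample in the page's format: 01 valid, 02 revoked, 03 valid but short-lived.
SAMPLE_INDEX=$(printf 'V\t190107081928Z\t\t01\tunknown\t/C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech\nR\t190107084106Z\t180107085540Z\t02\tunknown\t/C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech\nV\t180120120000Z\t\t03\tunknown\t/C=CN/ST=Beijing/O=magedu/OU=dev/CN=www.example.test\n')

# ca_db_status DB SERIAL -> prints V, R or E for that serial (nothing if unknown)
ca_db_status() { printf '%s\n' "$1" | awk -F'\t' -v s="$2" '$4 == s { print $1 }'; }

# ca_db_count DB STATUS -> number of entries in that state
ca_db_count() { printf '%s\n' "$1" | awk -F'\t' -v st="$2" '$1 == st { n++ } END { print n + 0 }'; }

# ca_db_expiring DB YYYYMMDD DAYS -> "serial days_left subject" for every V entry
# whose expiry is within DAYS of the given date (already expired shows negative)
ca_db_expiring() {
  printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v win="$3" '
    function days(y, m, d,   era, yoe, doy) {   # days since 1970-01-01, proleptic Gregorian
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    BEGIN { n = days(substr(now, 1, 4) + 0, substr(now, 5, 2) + 0, substr(now, 7, 2) + 0) }
    $1 == "V" {
      e = days(2000 + substr($2, 1, 2), substr($2, 3, 2) + 0, substr($2, 5, 2) + 0)
      if (e - n <= win) print $4, e - n, $6
    }'
}

# Demo run against the constructed sample (on a real CA: "$(cat /etc/pki/CA/index.txt)")
echo "serial 02 status: $(ca_db_status "$SAMPLE_INDEX" 02)"
echo "valid entries:    $(ca_db_count "$SAMPLE_INDEX" V)"
echo "expiring within 30 days of 2018-01-07:"
ca_db_expiring "$SAMPLE_INDEX" 20180107 30
```

Because `openssl ca` only flips V to E when `-updatedb` is run, a V entry may already be past its expiry; ca_db_expiring reports those with a negative day count instead of trusting the status letter.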
    [root@centos7 CA]#openssl ca -gencrl -out cal.pem // update the certificate revocation list
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    [root@centos7 CA]#cat cal.pem
    -----BEGIN X509 CRL-----
    MIIB+jCB4wIBATANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCQ04xEDAOBgNV
    BAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxDzANBgNVBAoMBm1hZ2VkdTEM
    MAoGA1UECwwDb3B0MRYwFAYDVQQDDA1jYS5tYWdlZHUuY29tMSAwHgYJKoZIhvcN
    AQkBFhExMzUzMjUwNzAzQHFxLmNvbRcNMTgwMTA3MDkwMDI3WhcNMTgwMjA2MDkw
    MDI3WjAUMBICAQIXDTE4MDEwNzA4NTU0MFqgDjAMMAoGA1UdFAQDAgEBMA0GCSqG
    SIb3DQEBCwUAA4IBAQBLXorc8bwR18Kwyd6OuPTcmhXzRxk603BPf2/noVNwVfs4
    wyIaF31XQprCvA2aMQjgcRmU+V9bTlgpzdUurxwbMkDw/EniWqULgaELEjKitHDr
    aas8yvc0c4VvHt9w6BTDa/p9Duct+7hQxEjI7E/01fVHJQlMQjflfNpoduG+XrNu
    y8tLlCmgMSaUmsecmimtP5diodQEMfixYZZb34LwDGSKKSU9mB+gobO+OmQJtl4W
    oEFhXO0lrXlUkblLyD2oIergU0unOrJ9+TGopg9fPqkI8zhppLAetCP1YlQgPUka
    WQrXcT0FvVcU8VFxB1D04TTTCPCEwXOkYKUN/SzV
    -----END X509 CRL-----
    [root@centos7 CA]#cat crlnumber // next CRL number
    02
    [root@centos7 CA]#openssl crl -in cal.pem -noout -text // view the details
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=CN/ST=Beijing/L=Beijing/O=magedu/OU=opt/CN=ca.magedu.com/emailAddress=1353250703@qq.com
            Last Update: Jan 7 09:00:27 2018 GMT
            Next Update: Feb 6 09:00:27 2018 GMT
            CRL extensions:
                X509v3 CRL Number:
                    1
    Revoked Certificates:
        Serial Number: 02
            Revocation Date: Jan 7 08:55:40 2018 GMT
        Signature Algorithm: sha256WithRSAEncryption
             4b:5e:8a:dc:f1:bc:11:d7:c2:b0:c9:de:8e:b8:f4:dc:9a:15:
             f3:47:19:3a:d3:70:4f:7f:6f:e7:a1:53:70:55:fb:38:c3:22:
             1a:17:7d:57:42:9a:c2:bc:0d:9a:31:08:e0:71:19:94:f9:5f:
             5b:4e:58:29:cd:d5:2e:af:1c:1b:32:40:f0:fc:49:e2:5a:a5:
             0b:81:a1:0b:12:32:a2:b4:70:eb:69:ab:3c:ca:f7:34:73:85:
             6f:1e:df:70:e8:14:c3:6b:fa:7d:0e:e7:2d:fb:b8:50:c4:48:
             c8:ec:4f:f4:d5:f5:47:25:09:4c:42:37:e5:7c:da:68:76:e1:
             be:5e:b3:6e:cb:cb:4b:94:29:a0:31:26:94:9a:c7:9c:9a:29:
             ad:3f:97:62:a1:d4:04:31:f8:b1:61:96:5b:df:82:f0:0c:64:
             8a:29:25:3d:98:1f:a0:a1:b3:be:3a:64:09:b6:5e:16:a0:41:
             61:5c:ed:25:ad:79:54:91:b9:4b:c8:3d:a8:21:ea:e0:53:4b:
             a7:3a:b2:7d:f9:31:a8:a6:0f:5f:3e:a9:08:f3:38:69:a4:b0:
             1e:b4:23:f5:62:54:20:3d:49:1a:59:0a:d7:71:3d:05:bd:57:
             14:f1:51:71:07:50:f4:e1:34:d3:08:f0:84:c1:73:a4:60:a5:
             0d:fd:2c:d5

That is the whole process. Copy the certificate to a Windows machine and you can inspect it very clearly there.

Problems

Issuing a second certificate to a subject that already holds one, and resolving the error that appears

    [root@centos7 CA]#openssl ca -in app.csr -out certs/app2.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 7 08:37:56 2018 GMT
            Not After : Jan 7 08:37:56 2019 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = Beijing
            organizationName       = magedu
            organizationalUnitName = web
            commonName             = *.ifeier.tech
            emailAddress           = 1353250703@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:97:38:A0:F1:8A:B1:47:F6:18:21:2C:5A:B7:D9:72:8A:EA:CC:22
            X509v3 Authority Key Identifier:
                keyid:FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
    Certificate is to be certified until Jan 7 08:37:56 2019 GMT (365 days)
    Sign the certificate? [y/n]:y
    failed to update database // updating the database failed
    TXT_DB error number 2
    [root@centos7 CA]#cat index.txt.attr // edit this file: change yes to no
    unique_subject = yes
    [root@centos7 CA]#cat index.txt // two records
    V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
    V 190107084106Z 02 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
    [root@centos7 CA]#cat serial // next certificate serial number
    03
    [root@centos7 CA]#tree
    .
    ├── app.csr
    ├── cacert.pem
    ├── certs
    │   ├── app2.crt
    │   └── app.crt
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   ├── 01.pem
    │   └── 02.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old

    4 directories, 13 files

If the country, state/province or organization name fields of the request do not match the CA's:

    [root@centos6 app]#openssl req -new -key app.key -days 365 -out app2.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HeBei
    Locality Name (eg, city) [Default City]:Shijiazhuang
    Organization Name (eg, company) [Default Company Ltd]:linux
    Organizational Unit Name (eg, section) []:dev
    Common Name (eg, your name or your server's hostname) []:www.linux.org
    Email Address []:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    You have new mail in /var/spool/mail/root

    [root@centos6 app]#scp app2.csr 172.18.101.118:/etc/pki/CA/
    root@172.18.101.118's password:
    app2.csr 100% 655 0.6KB/s 00:00
    [root@centos7 CA]#openssl ca -in app2.csr -out certs/app2_2.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    The stateOrProvinceName field needed to be the same in the
    CA certificate (Beijing) and the request (HeBei) // mismatch

    [root@centos7 CA]#vim /etc/pki/tls/openssl.cnf
    # For the CA policy
    # and supplied fields are just that :-)
    policy = policy_match // find this line and change it to policy_anything
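The whole walkthrough (sections 2 to 4 plus the two problems above) can be run as one non-interactive script, which is also the form in which a practitioner can regression-test a CA setup. The script below is an added example and not code from the original post: it builds its own openssl.cnf with the stock policy_match and policy_anything sections, keeps everything in a temporary directory instead of /etc/pki/CA, and uses the standard `-subj`, `-batch`, `-policy` and `-CRLfile` options in place of the prompts and config edits shown above. File names, subjects and the temporary layout are constructed for the demo. Two points from the transcripts are built in: the CA key is created under `umask 066` with the space (the `umask066` in section 2 failed, so that key kept the default mode), and a verification step checks the CRL, which is what actually makes a revocation take effect for relying parties.

```bash
#!/bin/bash
# Added example, not code from the original post: the page's CA lifecycle
# (CA key and self-signed cert, CSR, issue, revoke, CRL, policy and
# unique_subject problems) run non-interactively in a throwaway directory.
# Config, file names and subjects are constructed for this demo.
set -eu

ca_init() {                      # ca_init DIR -> CA with an empty CRL already published
  local dir=$1
  mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
x509_extensions = usr_cert
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # "umask 066" (with the space) makes the key 0600 from the moment it exists
  (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" \
    -subj "/C=CN/ST=Beijing/O=magedu/CN=ca.example.test" \
    -config "$dir/openssl.cnf" -extensions v3_ca -out "$dir/cacert.pem"
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/ca.crl" 2>/dev/null
}

ca_issue() {                     # ca_issue DIR NAME SUBJECT [POLICY] -> 0 if the CSR was signed
  local dir=$1 name=$2 subj=$3 policy=${4:-policy_match}
  (umask 066; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$name.key" -subj "$subj" \
    -config "$dir/openssl.cnf" -out "$dir/$name.csr"
  # -batch answers the "Sign the certificate?" and "commit?" prompts with yes
  openssl ca -batch -notext -config "$dir/openssl.cnf" -policy "$policy" \
    -in "$dir/$name.csr" -out "$dir/certs/$name.crt" 2>/dev/null
}

# The page's fix for "TXT_DB error number 2": allow a second cert for the same subject
ca_allow_reissue() { echo 'unique_subject = no' > "$1/index.txt.attr"; }

ca_revoke() {                    # ca_revoke DIR CERT -> R entry in index.txt and a fresh CRL
  openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}

ca_verify() {                    # ca_verify DIR CERT -> 0 only if it chains to the CA and is not on the CRL
  openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl/ca.crl" "$2" >/dev/null 2>&1
}

ca_demo() {                      # the whole lifecycle, printing what each check decided
  local dir; dir=$(mktemp -d)
  ca_init "$dir"
  ca_issue "$dir" app "/C=CN/ST=Beijing/O=magedu/CN=www.example.test"
  ca_verify "$dir" "$dir/certs/app.crt" && echo "app.crt: valid"
  ca_issue "$dir" app2 "/C=CN/ST=HeBei/O=linux/CN=www.linux.org" \
    || echo "app2: rejected, ST/O differ from the CA under policy_match"
  ca_issue "$dir" app2 "/C=CN/ST=HeBei/O=linux/CN=www.linux.org" policy_anything \
    && echo "app2.crt: signed under policy_anything"
  ca_revoke "$dir" "$dir/certs/app.crt"
  ca_verify "$dir" "$dir/certs/app.crt" || echo "app.crt: now fails the CRL check"
  rm -rf "$dir"
}
ca_demo
```

`-policy policy_anything` on the command line has the same effect as the config edit in the last transcript, but per invocation rather than for every future request; switching the CA permanently to policy_anything means the CA no longer checks that requests carry its own C/ST/O, so the check that remains is whatever the person running `openssl ca` does by eye.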