[关闭]
@mrz1 2018-01-07T09:08:23.000000Z 字数 14314 阅读 1699

利用openssl命令搭建私有CA管理证书

工具


1、创建所需要的文件

2、CA自签证书

  1. [root@centos7 ~]#cd /etc/pki/CA/
  1. [root@centos7 CA]#(umask066; openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048) //生成私钥
  2. bash: umask066: command not found...
  3. Generating RSA private key, 2048 bit long modulus
  4. ..................+++
  5. ..+++
  6. e is 65537 (0x10001)
  7. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  8. Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  1. [root@centos7 CA]#tree
  2. .
  3. ├── certs
  4. ├── crl
  5. ├── newcerts
  6. └── private
  7. └── cakey.pem
  8. 4 directories, 1 file
  1. [root@centos7 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out cacert.pem //生成自签名证书
  2. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  3. You are about to be asked to enter information that will be incorporated
  4. into your certificate request.
  5. What you are about to enter is what is called a Distinguished Name or a DN.
  6. There are quite a few fields but you can leave some blank
  7. For some fields there will be a default value,
  8. If you enter '.', the field will be left blank.
  9. -----
  10. Country Name (2 letter code) [XX]:CN
  11. State or Province Name (full name) []:Beijing
  12. Locality Name (eg, city) [Default City]:Beijing
  13. Organization Name (eg, company) [Default Company Ltd]:magedu
  14. Organizational Unit Name (eg, section) []:opt
  15. Common Name (eg, your name or your server's hostname) []:ca.magedu.com
  16. Email Address []:1353250703@qq.com

-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

  1. [root@centos7 CA]#cat cacert.pem //查看文件
  2. -----BEGIN CERTIFICATE-----
  3. MIID6TCCAtGgAwIBAgIJAIltKDHnCEbmMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
  4. VQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEPMA0G
  5. A1UECgwGbWFnZWR1MQwwCgYDVQQLDANvcHQxFjAUBgNVBAMMDWNhLm1hZ2VkdS5j
  6. b20xIDAeBgkqhkiG9w0BCQEWETEzNTMyNTA3MDNAcXEuY29tMB4XDTE4MDEwNzA3
  7. NDUwOFoXDTM4MDEwMjA3NDUwOFowgYoxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdC
  8. ZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8wDQYDVQQKDAZtYWdlZHUxDDAKBgNV
  9. BAsMA29wdDEWMBQGA1UEAwwNY2EubWFnZWR1LmNvbTEgMB4GCSqGSIb3DQEJARYR
  10. MTM1MzI1MDcwM0BxcS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
  11. AQCyR4IORcFzC3eHsKHXIo7FlywAPTZY80BWVwSM7jdTpSlNCvDGb6wjjKS0YY4w
  12. dyAxflfdtGopfxJyvjqjB1auVSgBe24raUjhgZL/bBMkQ255CPv/e9isKVn8FD+v
  13. mGYVf3e1wlxSKoqKwqsO/7JvZk8Wt2cG12Rvh3AisD0AKPc9TOMbsn5yEcriekh3
  14. W7aO5PtkZVe+V3YSjUix+FWzYiDJ2RRmY+w51PSt1cb6Vk7891VJ2NMch4q/sNy0
  15. TUCd0t4xE/E0JXx8rpZoffEsDYK0QHb9o5GoNUMSYHfGR271krtf01l6+4Gj0QDZ
  16. rjA8MBbkDwgkXMS2uvKxnO9HAgMBAAGjUDBOMB0GA1UdDgQWBBT9ZGVRTE5llYJD
  17. PB3+CMHAw3J+qzAfBgNVHSMEGDAWgBT9ZGVRTE5llYJDPB3+CMHAw3J+qzAMBgNV
  18. HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQADUogD0Em7e9OtcZEKl3N5N7bL
  19. JPzqT6RRpN0ToCTPunD7vCPaVpI0b8KOhvMTNLoM432r+kPzf9l+GAln7DPeZprP
  20. k1kCW7tQQMCTSEf6SVnQ5r5BhSmB+nwEjQ4hiBrAzOH+3+uwYHiY0jI6EajgC03J
  21. g+Kd6rYHIC3uDNNh8lI2SoQUh244CdS/aRfWDIjDoEMpzjO94YU1EOWadmKUWvY3
  22. bh0zpwO076cvnZ43XKXpscNpktmLKxgQDrodn8MxHBMyOxX2Qx/SoCrLzfJPWtrn
  23. /BmcRkX5GlUR0LV1vUcOKgczr3ka/sY6OizGxOGJy4NmW3T/kJPsHbU9o7pP
  24. -----END CERTIFICATE-----
  1. [root@centos7 CA]#openssl x509 -in cacert.pem -noout -text //文本查看证书
  2. Certificate:
  3. Data:
  4. Version: 3 (0x2)
  5. Serial Number:
  6. 89:6d:28:31:e7:08:46:e6
  7. Signature Algorithm: sha256WithRSAEncryption
  8. Issuer: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=opt, CN=ca.magedu.com/emailAddress=1353250703@qq.com
  9. Validity
  10. Not Before: Jan 7 07:45:08 2018 GMT
  11. Not After : Jan 2 07:45:08 2038 GMT
  12. Subject: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=opt, CN=ca.magedu.com/emailAddress=1353250703@qq.com
  13. Subject Public Key Info:
  14. Public Key Algorithm: rsaEncryption
  15. Public-Key: (2048 bit)
  16. Modulus:
  17. 00:b2:47:82:0e:45:c1:73:0b:77:87:b0:a1:d7:22:
  18. 8e:c5:97:2c:00:3d:36:58:f3:40:56:57:04:8c:ee:
  19. 37:53:a5:29:4d:0a:f0:c6:6f:ac:23:8c:a4:b4:61:
  20. 8e:30:77:20:31:7e:57:dd:b4:6a:29:7f:12:72:be:
  21. 3a:a3:07:56:ae:55:28:01:7b:6e:2b:69:48:e1:81:
  22. 92:ff:6c:13:24:43:6e:79:08:fb:ff:7b:d8:ac:29:
  23. 59:fc:14:3f:af:98:66:15:7f:77:b5:c2:5c:52:2a:
  24. 8a:8a:c2:ab:0e:ff:b2:6f:66:4f:16:b7:67:06:d7:
  25. 64:6f:87:70:22:b0:3d:00:28:f7:3d:4c:e3:1b:b2:
  26. 7e:72:11:ca:e2:7a:48:77:5b:b6:8e:e4:fb:64:65:
  27. 57:be:57:76:12:8d:48:b1:f8:55:b3:62:20:c9:d9:
  28. 14:66:63:ec:39:d4:f4:ad:d5:c6:fa:56:4e:fc:f7:
  29. 55:49:d8:d3:1c:87:8a:bf:b0:dc:b4:4d:40:9d:d2:
  30. de:31:13:f1:34:25:7c:7c:ae:96:68:7d:f1:2c:0d:
  31. 82:b4:40:76:fd:a3:91:a8:35:43:12:60:77:c6:47:
  32. 6e:f5:92:bb:5f:d3:59:7a:fb:81:a3:d1:00:d9:ae:
  33. 30:3c:30:16:e4:0f:08:24:5c:c4:b6:ba:f2:b1:9c:
  34. ef:47
  35. Exponent: 65537 (0x10001)
  36. X509v3 extensions:
  37. X509v3 Subject Key Identifier:
  38. FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
  39. X509v3 Authority Key Identifier:
  40. keyid:FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
  41. X509v3 Basic Constraints:
  42. CA:TRUE
  43. Signature Algorithm: sha256WithRSAEncryption
  44. 03:52:88:03:d0:49:bb:7b:d3:ad:71:91:0a:97:73:79:37:b6:
  45. cb:24:fc:ea:4f:a4:51:a4:dd:13:a0:24:cf:ba:70:fb:bc:23:
  46. da:56:92:34:6f:c2:8e:86:f3:13:34:ba:0c:e3:7d:ab:fa:43:
  47. f3:7f:d9:7e:18:09:67:ec:33:de:66:9a:cf:93:59:02:5b:bb:
  48. 50:40:c0:93:48:47:fa:49:59:d0:e6:be:41:85:29:81:fa:7c:
  49. 04:8d:0e:21:88:1a:c0:cc:e1:fe:df:eb:b0:60:78:98:d2:32:
  50. 3a:11:a8:e0:0b:4d:c9:83:e2:9d:ea:b6:07:20:2d:ee:0c:d3:
  51. 61:f2:52:36:4a:84:14:87:6e:38:09:d4:bf:69:17:d6:0c:88:
  52. c3:a0:43:29:ce:33:bd:e1:85:35:10:e5:9a:76:62:94:5a:f6:
  53. 37:6e:1d:33:a7:03:b4:ef:a7:2f:9d:9e:37:5c:a5:e9:b1:c3:
  54. 69:92:d9:8b:2b:18:10:0e:ba:1d:9f:c3:31:1c:13:32:3b:15:
  55. f6:43:1f:d2:a0:2a:cb:cd:f2:4f:5a:da:e7:fc:19:9c:46:45:
  56. f9:1a:55:11:d0:b5:75:bd:47:0e:2a:07:33:af:79:1a:fe:c6:
  57. 3a:3a:2c:c6:c4:e1:89:cb:83:66:5b:74:ff:90:93:ec:1d:b5:
  58. 3d:a3:ba:4f
  1. [root@centos7 CA]#openssl x509 -in cacert.pem -noout -subject
  2. subject= /C=CN/ST=Beijing/L=Beijing/O=magedu/OU=opt/CN=ca.magedu.com/emailAddress=1353250703@qq.com
  3. [root@centos7 CA]#openssl x509 -in cacert.pem -noout -dates //文本查看时间
  4. notBefore=Jan 7 07:45:08 2018 GMT
  5. notAfter=Jan 2 07:45:08 2038 GMT

3、颁发证书

  1. [root@centos6 app]#(umask 066;openssl genrsa -out app.key 1024)
  2. Generating RSA private key, 1024 bit long modulus
  3. ..++++++
  4. .......................++++++
  5. e is 65537 (0x10001)
  6. You have new mail in /var/spool/mail/root
  1. [root@centos6 app]#openssl req -new -key app.key -days 365 -out app.pem
  2. You are about to be asked to enter information that will be incorporated
  3. into your certificate request.
  4. What you are about to enter is what is called a Distinguished Name or a DN.
  5. There are quite a few fields but you can leave some blank
  6. For some fields there will be a default value,
  7. If you enter '.', the field will be left blank.
  8. -----
  9. Country Name (2 letter code) [XX]:CN
  10. State or Province Name (full name) []:Beijing
  11. Locality Name (eg, city) [Default City]:Beijing
  12. Organization Name (eg, company) [Default Company Ltd]:magedu
  13. Organizational Unit Name (eg, section) []:web
  14. Common Name (eg, your name or your server's hostname) []:*.ifeier.tech
  15. Email Address []:1353250703@qq.com
  16. Please enter the following 'extra' attributes
  17. to be sent with your certificate request
  18. A challenge password []:
  19. An optional company name []:

注意:默认国家,省,公司名称三项必须和CA一致

  1. [root@centos7 CA]#openssl ca -in app.csr -out certs/app.crt -days 365
  2. Using configuration from /etc/pki/tls/openssl.cnf
  3. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  4. Check that the request matches the signature
  5. Signature ok
  6. Certificate Details:
  7. Serial Number: 1 (0x1)
  8. Validity
  9. Not Before: Jan 7 08:19:28 2018 GMT
  10. Not After : Jan 7 08:19:28 2019 GMT
  11. Subject:
  12. countryName = CN
  13. stateOrProvinceName = Beijing
  14. organizationName = magedu
  15. organizationalUnitName = web
  16. commonName = *.ifeier.tech
  17. emailAddress = 1353250703@qq.com
  18. X509v3 extensions:
  19. X509v3 Basic Constraints:
  20. CA:FALSE
  21. Netscape Comment:
  22. OpenSSL Generated Certificate
  23. X509v3 Subject Key Identifier:
  24. AE:97:38:A0:F1:8A:B1:47:F6:18:21:2C:5A:B7:D9:72:8A:EA:CC:22
  25. X509v3 Authority Key Identifier:
  26. keyid:FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
  27. Certificate is to be certified until Jan 7 08:19:28 2019 GMT (365 days)
  28. Sign the certificate? [y/n]:y
  29. 1 out of 1 certificate requests certified, commit? [y/n]y
  30. Write out database with 1 new entries
  31. Data Base Updated
  1. [root@centos7 CA]#cat index.txt //记录在案
  2. V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
  3. [root@centos7 CA]#cat serial //证书编号
  4. 02
  5. [root@centos7 CA]#tree
  6. .
  7. ├── app.csr
  8. ├── cacert.pem
  9. ├── certs
  10.    └── app.crt
  11. ├── crl
  12. ├── index.txt
  13. ├── index.txt.attr
  14. ├── index.txt.old
  15. ├── newcerts
  16.    └── 01.pem
  17. ├── private
  18.    └── cakey.pem
  19. ├── serial
  20. └── serial.old
  21. 4 directories, 10 files
  22. [root@centos7 CA]#diff newcerts/01.pem certs/app.crt -s //比较这两个文件
  23. Files newcerts/01.pem and certs/app.crt are identical
  24. [root@centos7 CA]#ll newcerts/01.pem certs/app.crt -s //比较这两个文件
  25. 4 -rw-r--r-- 1 root root 3861 Jan 7 16:19 certs/app.crt
  26. 4 -rw-r--r-- 1 root root 3861 Jan 7 16:19 newcerts/01.pem
  1. [root@centos7 CA]#scp certs/app.crt 172.18.101.93:/app
  2. The authenticity of host '172.18.101.93 (172.18.101.93)' can't be established.
  3. RSA key fingerprint is SHA256:2cqUUYDNyWgJnskm7U33xF66s7E0wxByhOkt7OYiOiA.
  4. RSA key fingerprint is MD5:75:54:cf:f5:09:41:35:17:c2:00:a1:84:c3:48:10:8e.
  5. Are you sure you want to continue connecting (yes/no)? yes
  6. Warning: Permanently added '172.18.101.93' (RSA) to the list of known hosts.
  7. root@172.18.101.93's password:
  8. app.crt 100% 3861 1.9MB/s 00:00

4、吊销证书

  1. [root@centos7 CA]#cat index.txt.old //找到对应的编号
  2. V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
  3. [root@centos7 CA]#tree
  4. .
  5. ├── app2.csr
  6. ├── app.csr
  7. ├── cacert.pem
  8. ├── certs
  9.    ├── app2_2.crt
  10.    ├── app2.crt
  11.    └── app.crt
  12. ├── crl
  13. ├── index.txt
  14. ├── index.txt.attr
  15. ├── index.txt.attr.old
  16. ├── index.txt.old
  17. ├── newcerts
  18.    ├── 01.pem
  19.    └── 02.pem
  20. ├── private
  21.    └── cakey.pem
  22. ├── serial
  23. └── serial.old
  24. 4 directories, 15 files
  1. [root@centos7 CA]#openssl ca -revoke newcerts/02.pem
  2. Using configuration from /etc/pki/tls/openssl.cnf
  3. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  4. Revoking Certificate 02.
  5. Data Base Updated
  6. [root@centos7 CA]#cat index.txt
  7. V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
  8. R(R表示吊销了) 190107084106Z 180107085540Z 02 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
  1. [root@centos7 CA]#openssl ca -gencrl -out cal.pem //更新证书吊销列表
  2. Using configuration from /etc/pki/tls/openssl.cnf
  3. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  4. [root@centos7 CA]#cat cal.pem
  5. -----BEGIN X509 CRL-----
  6. MIIB+jCB4wIBATANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMCQ04xEDAOBgNV
  7. BAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxDzANBgNVBAoMBm1hZ2VkdTEM
  8. MAoGA1UECwwDb3B0MRYwFAYDVQQDDA1jYS5tYWdlZHUuY29tMSAwHgYJKoZIhvcN
  9. AQkBFhExMzUzMjUwNzAzQHFxLmNvbRcNMTgwMTA3MDkwMDI3WhcNMTgwMjA2MDkw
  10. MDI3WjAUMBICAQIXDTE4MDEwNzA4NTU0MFqgDjAMMAoGA1UdFAQDAgEBMA0GCSqG
  11. SIb3DQEBCwUAA4IBAQBLXorc8bwR18Kwyd6OuPTcmhXzRxk603BPf2/noVNwVfs4
  12. wyIaF31XQprCvA2aMQjgcRmU+V9bTlgpzdUurxwbMkDw/EniWqULgaELEjKitHDr
  13. aas8yvc0c4VvHt9w6BTDa/p9Duct+7hQxEjI7E/01fVHJQlMQjflfNpoduG+XrNu
  14. y8tLlCmgMSaUmsecmimtP5diodQEMfixYZZb34LwDGSKKSU9mB+gobO+OmQJtl4W
  15. oEFhXO0lrXlUkblLyD2oIergU0unOrJ9+TGopg9fPqkI8zhppLAetCP1YlQgPUka
  16. WQrXcT0FvVcU8VFxB1D04TTTCPCEwXOkYKUN/SzV
  17. -----END X509 CRL-----
  18. [root@centos7 CA]#cat crlnumber //编号
  19. 02
  20. [root@centos7 CA]#openssl crl -in cal.pem -noout -text //详细查看
  21. Certificate Revocation List (CRL):
  22. Version 2 (0x1)
  23. Signature Algorithm: sha256WithRSAEncryption
  24. Issuer: /C=CN/ST=Beijing/L=Beijing/O=magedu/OU=opt/CN=ca.magedu.com/emailAddress=1353250703@qq.com
  25. Last Update: Jan 7 09:00:27 2018 GMT
  26. Next Update: Feb 6 09:00:27 2018 GMT
  27. CRL extensions:
  28. X509v3 CRL Number:
  29. 1
  30. Revoked Certificates:
  31. Serial Number: 02
  32. Revocation Date: Jan 7 08:55:40 2018 GMT
  33. Signature Algorithm: sha256WithRSAEncryption
  34. 4b:5e:8a:dc:f1:bc:11:d7:c2:b0:c9:de:8e:b8:f4:dc:9a:15:
  35. f3:47:19:3a:d3:70:4f:7f:6f:e7:a1:53:70:55:fb:38:c3:22:
  36. 1a:17:7d:57:42:9a:c2:bc:0d:9a:31:08:e0:71:19:94:f9:5f:
  37. 5b:4e:58:29:cd:d5:2e:af:1c:1b:32:40:f0:fc:49:e2:5a:a5:
  38. 0b:81:a1:0b:12:32:a2:b4:70:eb:69:ab:3c:ca:f7:34:73:85:
  39. 6f:1e:df:70:e8:14:c3:6b:fa:7d:0e:e7:2d:fb:b8:50:c4:48:
  40. c8:ec:4f:f4:d5:f5:47:25:09:4c:42:37:e5:7c:da:68:76:e1:
  41. be:5e:b3:6e:cb:cb:4b:94:29:a0:31:26:94:9a:c7:9c:9a:29:
  42. ad:3f:97:62:a1:d4:04:31:f8:b1:61:96:5b:df:82:f0:0c:64:
  43. 8a:29:25:3d:98:1f:a0:a1:b3:be:3a:64:09:b6:5e:16:a0:41:
  44. 61:5c:ed:25:ad:79:54:91:b9:4b:c8:3d:a8:21:ea:e0:53:4b:
  45. a7:3a:b2:7d:f9:31:a8:a6:0f:5f:3e:a9:08:f3:38:69:a4:b0:
  46. 1e:b4:23:f5:62:54:20:3d:49:1a:59:0a:d7:71:3d:05:bd:57:
  47. 14:f1:51:71:07:50:f4:e1:34:d3:08:f0:84:c1:73:a4:60:a5:
  48. 0d:fd:2c:d5

这就是全部过程,把证书发送到windows里面会看的很清楚!

问题

给已经颁发证书的人再次颁发证书,解决出现问题

  1. [root@centos7 CA]#openssl ca -in app.csr -out certs/app2.crt -days 365
  2. Using configuration from /etc/pki/tls/openssl.cnf
  3. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  4. Check that the request matches the signature
  5. Signature ok
  6. Certificate Details:
  7. Serial Number: 2 (0x2)
  8. Validity
  9. Not Before: Jan 7 08:37:56 2018 GMT
  10. Not After : Jan 7 08:37:56 2019 GMT
  11. Subject:
  12. countryName = CN
  13. stateOrProvinceName = Beijing
  14. organizationName = magedu
  15. organizationalUnitName = web
  16. commonName = *.ifeier.tech
  17. emailAddress = 1353250703@qq.com
  18. X509v3 extensions:
  19. X509v3 Basic Constraints:
  20. CA:FALSE
  21. Netscape Comment:
  22. OpenSSL Generated Certificate
  23. X509v3 Subject Key Identifier:
  24. AE:97:38:A0:F1:8A:B1:47:F6:18:21:2C:5A:B7:D9:72:8A:EA:CC:22
  25. X509v3 Authority Key Identifier:
  26. keyid:FD:64:65:51:4C:4E:65:95:82:43:3C:1D:FE:08:C1:C0:C3:72:7E:AB
  27. Certificate is to be certified until Jan 7 08:37:56 2019 GMT (365 days)
  28. Sign the certificate? [y/n]:y
  29. failed to update database //更新数据库失败
  30. TXT_DB error number 2
  1. [root@centos7 CA]#cat index.txt.attr //修改这个文件 yes改为no
  2. unique_subject = yes
  1. [root@centos7 CA]#cat index.txt //两条记录
  2. V 190107081928Z 01 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
  3. V 190107084106Z 02 unknown /C=CN/ST=Beijing/O=magedu/OU=web/CN=*.ifeier.tech/emailAddress=1353250703@qq.com
  4. [root@centos7 CA]#cat serial //编号
  5. 03
  6. [root@centos7 CA]#tree
  7. .
  8. ├── app.csr
  9. ├── cacert.pem
  10. ├── certs
  11.    ├── app2.crt
  12.    └── app.crt
  13. ├── crl
  14. ├── index.txt
  15. ├── index.txt.attr
  16. ├── index.txt.attr.old
  17. ├── index.txt.old
  18. ├── newcerts
  19.    ├── 01.pem
  20.    └── 02.pem
  21. ├── private
  22.    └── cakey.pem
  23. ├── serial
  24. └── serial.old
  25. 4 directories, 13 files

默认国家,省,公司名称三项有错误的话。

  1. [root@centos6 app]#openssl req -new -key app.key -days 365 -out app2.csr
  2. You are about to be asked to enter information that will be incorporated
  3. into your certificate request.
  4. What you are about to enter is what is called a Distinguished Name or a DN.
  5. There are quite a few fields but you can leave some blank
  6. For some fields there will be a default value,
  7. If you enter '.', the field will be left blank.
  8. -----
  9. Country Name (2 letter code) [XX]:CN
  10. State or Province Name (full name) []:HeBei
  11. Locality Name (eg, city) [Default City]:Shijiazhuang
  12. Organization Name (eg, company) [Default Company Ltd]:linux
  13. Organizational Unit Name (eg, section) []:dev
  14. Common Name (eg, your name or your server's hostname) []:www.linux.org
  15. Email Address []:
  16. Please enter the following 'extra' attributes
  17. to be sent with your certificate request
  18. A challenge password []:
  19. An optional company name []:
  20. You have new mail in /var/spool/mail/root
  1. [root@centos6 app]#scp app2.csr 172.18.101.118:/etc/pki/CA/
  2. root@172.18.101.118's password:
  3. app2.csr 100% 655 0.6KB/s 00:00
  1. [root@centos7 CA]#openssl ca -in app2.csr -out certs/app2_2.crt
  2. Using configuration from /etc/pki/tls/openssl.cnf
  3. Enter pass phrase for /etc/pki/CA/private/cakey.pem:
  4. Check that the request matches the signature
  5. Signature ok
  6. The stateOrProvinceName field needed to be the same in the
  7. CA certificate (Beijing) and the request (HeBei) //不匹配
  1. [root@centos7 CA]#vim /etc/pki/tls/openssl.cnf
  2. # For the CA policy
  3. # and supplied fields are just that :-)
  4. policy = policy_match //找到这一行改为 policy_anything
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注