实验环境:
虚拟机:VMware Workstation 12 Pro
主机A:ip为10.1.255.55/16,创建CA并给其他主机提供CA服务
主机B:为httpd服务器,ip为10.1.249.115/16 1、查看openssl的配置文件/etc/pki/tls/openssl.cnf [root@localhost ~]# cat /etc/pki/tls/openssl.cnf (查看配置文件的ca部分的内容)
......
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
...... 2、根据配置文件创建所需要的文件 [root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# ls /etc/pki/CA/
certs crl index.txt newcerts private serial
Generating RSA private key, 2048 bit long modulus
......................................................................................................................................................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:linuxca.org
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:linuxCA
Email Address []:admin@linuxca.org
-new : 生成新证书签署请求
-x509 : 专用于CA生成自签证书
-key : 生成请求时用到的私钥文件
-days: 证书的有效期限
-out /PATH/TO/SOMECERTFILE : 证书的保存路径
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl index.txt newcerts private serial
[root@localhost ~]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJAJrY1Gr0+l+fMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD
VQQGEwJjbjEQMA4GA1UECAwHYmVpamluZzEQMA4GA1UEBwwHaGFpZGlhbjEUMBIG
A1UECgwLbGludXhjYS5vcmcxDDAKBgNVBAsMA29wczEQMA4GA1UEAwwHbGludXhD
QTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AbGludXhjYS5vcmcwHhcNMTYwOTIzMDEw
NTE5WhcNMzYwOTE4MDEwNTE5WjCBiTELMAkGA1UEBhMCY24xEDAOBgNVBAgMB2Jl
aWppbmcxEDAOBgNVBAcMB2hhaWRpYW4xFDASBgNVBAoMC2xpbnV4Y2Eub3JnMQww
CgYDVQQLDANvcHMxEDAOBgNVBAMMB2xpbnV4Q0ExIDAeBgkqhkiG9w0BCQEWEWFk
bWluQGxpbnV4Y2Eub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
4Se9FQWwCe5oHKKfKLEeMlXwBJM+UBPwYYezmkleU8fKieXBmkgRj1lKpdmCdHZc
6VRGOwHQ/2z387tlyhJbtnIYw5oO5YjEgQZTrN+VGV4TnhzV4ZqIuvs30QiWwgcU
z9PUChtYlmoI1T6FK0UeyAA5Vq/kmtjXGI4h/m45fHJHq8BDFIygF/p0/ZchaHP/
g7BNk3Ctc2ZxawTyzTAkKBBIQ2AplM83eGFSGOfLxp41TYgDHEs95DU4hwV4wwox
edmbLeeiIOU+36QDi4SXrdBXSngzKXWpVe5VAu7PdptgP3h80e17+gv0nK3WBWEz
0lifYbpWcM8DTQtYfDlJgQIDAQABo1AwTjAdBgNVHQ4EFgQUHxaA/zbKpDOid9/t
r93Wy66uiFswHwYDVR0jBBgwFoAUHxaA/zbKpDOid9/tr93Wy66uiFswDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAW+FOVHEULrQ2kIDnKMDq0jiyqrTK
HMjmhjZScTSoqXcfcrarUzkz1ucUtThe5/t1bklWWhB60TSbnjY9L7tZEV5RlqWh
+m1ieTEw2rvOj/WNfxJGnUnzivfYp5aq/3/kMZlVF8GDMpEYtYnvRmuaQ83xaZFM
eeoYJlb6652xzbsGaIvpta4bSxZqYE/hAEKgqo1LMLMjTskh+nc9NmAMH/ZaiaHr
8ycV8PBxZJdln8nm+8u+/rC+9p1q+PEURaYZuBRENe6WGNv8wKtQt6ZNxBneCvky
YdHaPqK+r9HCEOxoQIfJCtAenN9l7ETtYf1pfP+j6uTVF3Cd5TEpxKuRxQ==
-----END CERTIFICATE----- 4、在需要使用证书的主机(B)生成证书请求 (1)给httpd服务器生成私钥 [root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# (umask 077 ; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
...............+++
e is 65537 (0x10001) (2)生成证书申请文件 [root@localhost ~]# oepnssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
-bash: oepnssl: command not found
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:linuxca.org
Organizational Unit Name (eg, section) []:cwb
Common Name (eg, your name or your server's hostname) []:lovelinux
Email Address []:lovelinux@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 此处不加密证书申请文件
An optional company name []:
httpd.csr httpd.key
[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr 10.1.252.55:/testdir/
root@10.1.252.55's password:
httpd.csr 100% 1054 1.0KB/s 00:00 5、在主机A上签署证书,并颁发给请求者 (1)签署证书 [root@localhost testdir]# openssl ca -in /testdir/httpd.csr -out
主机A:ip为10.1.255.55/16,创建CA并给其他主机提供CA服务
主机B:为httpd服务器,ip为10.1.249.115/16 1、查看openssl的配置文件/etc/pki/tls/openssl.cnf [root@localhost ~]# cat /etc/pki/tls/openssl.cnf (查看配置文件的ca部分的内容)
......
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
...... 2、根据配置文件创建所需要的文件 [root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# ls /etc/pki/CA/
certs crl index.txt newcerts private serial
注意:文件名要与配置文件中的名字一样
3、在主机A上创建CA服务,并自签 (1)生成私钥 [root@localhost ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus
......................................................................................................................................................................................+++
....................................................................................................................+++
e is 65537 (0x10001)
用小括号说明是在子shell中执行括号内的命令,不会影响父shell的设置;将umask设置为077是为了防止其他人有权限查看和修改生成的私钥;在2048前还可以给私钥加上加密算法,比如3des rsa等,此例子不加密。
(2)生成自签证书 [root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:linuxca.org
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:linuxCA
Email Address []:admin@linuxca.org
-new : 生成新证书签署请求
-x509 : 专用于CA生成自签证书
-key : 生成请求时用到的私钥文件
-days: 证书的有效期限
-out /PATH/TO/SOMECERTFILE : 证书的保存路径
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl index.txt newcerts private serial
[root@localhost ~]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJAJrY1Gr0+l+fMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD
VQQGEwJjbjEQMA4GA1UECAwHYmVpamluZzEQMA4GA1UEBwwHaGFpZGlhbjEUMBIG
A1UECgwLbGludXhjYS5vcmcxDDAKBgNVBAsMA29wczEQMA4GA1UEAwwHbGludXhD
QTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AbGludXhjYS5vcmcwHhcNMTYwOTIzMDEw
NTE5WhcNMzYwOTE4MDEwNTE5WjCBiTELMAkGA1UEBhMCY24xEDAOBgNVBAgMB2Jl
aWppbmcxEDAOBgNVBAcMB2hhaWRpYW4xFDASBgNVBAoMC2xpbnV4Y2Eub3JnMQww
CgYDVQQLDANvcHMxEDAOBgNVBAMMB2xpbnV4Q0ExIDAeBgkqhkiG9w0BCQEWEWFk
bWluQGxpbnV4Y2Eub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
4Se9FQWwCe5oHKKfKLEeMlXwBJM+UBPwYYezmkleU8fKieXBmkgRj1lKpdmCdHZc
6VRGOwHQ/2z387tlyhJbtnIYw5oO5YjEgQZTrN+VGV4TnhzV4ZqIuvs30QiWwgcU
z9PUChtYlmoI1T6FK0UeyAA5Vq/kmtjXGI4h/m45fHJHq8BDFIygF/p0/ZchaHP/
g7BNk3Ctc2ZxawTyzTAkKBBIQ2AplM83eGFSGOfLxp41TYgDHEs95DU4hwV4wwox
edmbLeeiIOU+36QDi4SXrdBXSngzKXWpVe5VAu7PdptgP3h80e17+gv0nK3WBWEz
0lifYbpWcM8DTQtYfDlJgQIDAQABo1AwTjAdBgNVHQ4EFgQUHxaA/zbKpDOid9/t
r93Wy66uiFswHwYDVR0jBBgwFoAUHxaA/zbKpDOid9/tr93Wy66uiFswDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAW+FOVHEULrQ2kIDnKMDq0jiyqrTK
HMjmhjZScTSoqXcfcrarUzkz1ucUtThe5/t1bklWWhB60TSbnjY9L7tZEV5RlqWh
+m1ieTEw2rvOj/WNfxJGnUnzivfYp5aq/3/kMZlVF8GDMpEYtYnvRmuaQ83xaZFM
eeoYJlb6652xzbsGaIvpta4bSxZqYE/hAEKgqo1LMLMjTskh+nc9NmAMH/ZaiaHr
8ycV8PBxZJdln8nm+8u+/rC+9p1q+PEURaYZuBRENe6WGNv8wKtQt6ZNxBneCvky
YdHaPqK+r9HCEOxoQIfJCtAenN9l7ETtYf1pfP+j6uTVF3Cd5TEpxKuRxQ==
-----END CERTIFICATE----- 4、在需要使用证书的主机(B)生成证书请求 (1)给httpd服务器生成私钥 [root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# (umask 077 ; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
...............+++
e is 65537 (0x10001) (2)生成证书申请文件 [root@localhost ~]# oepnssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
-bash: oepnssl: command not found
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:linuxca.org
Organizational Unit Name (eg, section) []:cwb
Common Name (eg, your name or your server's hostname) []:lovelinux
Email Address []:lovelinux@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 此处不加密证书申请文件
An optional company name []:
注意:默认国家,省,公司名称必须和CA一致
(3)将证书请求文件传输给CA [root@localhost ~]# ls /etc/httpd/ssl/httpd.httpd.csr httpd.key
[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr 10.1.252.55:/testdir/
root@10.1.252.55's password:
httpd.csr 100% 1054 1.0KB/s 00:00 5、在主机A上签署证书,并颁发给请求者 (1)签署证书 [root@localhost testdir]# openssl ca -in /testdir/httpd.csr -out