
OpenSSL: Setting Up a Private CA

Posted: 2018-05-12 14:23:52

Tags: OpenSSL, private CA on Linux

CA Server : el7-2 (172.16.1.52), issues certificates

CA Client : el7-1 (172.16.1.51), requests certificates

(Addresses follow the scp commands below: the CSR is sent to 172.16.1.52 and the signed certificate is returned to 172.16.1.51.)


1) CA self-signed certificate

################### Generate the CA private key

[root@el7-2   ~]# openssl genrsa  -out  /etc/pki/CA/private/cakey.pem 2048

Generating   RSA private key, 2048 bit long modulus

............................................................+++

...................................................................................................................................................................+++

The key above is written unencrypted and with the current umask, so restrict it to the CA user (mode 600) before going any further: anyone who can read it can issue certificates in this CA's name.

################### Self-sign the CA certificate (pass -days explicitly: without it, req -x509 falls back to its default validity of 30 days, far too short for a CA certificate)

[root@el7-2   ~]# openssl  req  -new -x509    -key  /etc/pki/CA/private/cakey.pem  -out    /etc/pki/CA/cacert.pem

You   are about to be asked to enter information that will be incorporated

into   your certificate request.

What   you are about to enter is what is called a Distinguished Name or a DN.

There   are quite a few fields but you can leave some blank

For   some fields there will be a default value,

If   you enter '.', the field will be left blank.

-----

Country   Name (2 letter code) [XX]:cn

State   or Province Name (full name) []:shandong

Locality   Name (eg, city) [Default City]:yantai

Organization   Name (eg, company) [Default Company Ltd]:jying

Organizational   Unit Name (eg, section) []:tech

Common   Name (eg, your name or your server's hostname) []:cert.jying.com    

Email   Address []:

2) Client creates a private key and a certificate signing request

##################### Create the client private key (same remark as for the CA key: it is unencrypted, so keep it mode 600)

[root@7-1   ~]# openssl  genrsa  -out    ClientPrivateKey  2048

Generating   RSA private key, 2048 bit long modulus

.....+++

...............................................................................................+++

e   is 65537 (0x10001)

##################### Create the certificate signing request. Under the default policy_match section of openssl.cnf, Country, State and Organization must be identical to the CA's or openssl ca refuses to sign; Organizational Unit is optional, Common Name is required, and Locality is not in the policy at all, so it is silently dropped from the issued certificate (which is why the Subject in step 3 has no L=yantai).

[root@7-1   ~]# openssl  req  -new    -key  ClientPrivateKey  -out    ClientReq.csr

You   are about to be asked to enter information that will be incorporated

into   your certificate request.

What   you are about to enter is what is called a Distinguished Name or a DN.

There   are quite a few fields but you can leave some blank

For   some fields there will be a default value,

If   you enter '.', the field will be left blank.

-----

Country   Name (2 letter code) [XX]:cn

State   or Province Name (full name) []:shandong           

Locality   Name (eg, city) [Default City]:yantai

Organization   Name (eg, company) [Default Company Ltd]:jying        

Organizational   Unit Name (eg, section) []:web

Common   Name (eg, your name or your server's hostname) []:www.jying.com

Email   Address []:

 

Please   enter the following 'extra' attributes

to   be sent with your certificate request

A   challenge password []:

An   optional company name []:

##################### Send the request to the CA

[root@7-1   ~]# scp  ClientReq.csr  root@172.16.1.52:/etc/pki/CA

The   authenticity of host '172.16.1.52 (172.16.1.52)' can't be established.

ECDSA   key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.

ECDSA   key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.

Are   you sure you want to continue connecting (yes/no)? yes

Warning:   Permanently added '172.16.1.52' (ECDSA) to the list of known hosts.

root@172.16.1.52's   password:

ClientReq.csr                                                          100%   1005   900.4KB/s   00:00

Note that the host-key fingerprint shown here is identical to the one the CA sees when it later connects back to the client (same SHA256 and MD5 values on both hosts), which suggests the two VMs were cloned with the same SSH host keys. Answering "yes" to an unknown-host prompt without checking the fingerprint out of band also means a man-in-the-middle could have intercepted the transfer and substituted a CSR for a key of its own, which the CA would then happily sign for www.jying.com.

3) CA issues the certificate

##################### Create the certificate database (openssl ca's index.txt; it must exist, even if empty)

[root@el7-2   CA]# touch  index.txt

##################### Create the serial-number file (the next serial to issue, in hex)

[root@el7-2   CA]# echo  01 >serial

##################### Issue the certificate (openssl ca also keeps a copy named after the serial, newcerts/01.pem, and records the entry in index.txt)

[root@el7-2   CA]# openssl  ca -in ClientReq.csr   -out    newcerts/Client.crt

Using   configuration from /etc/pki/tls/openssl.cnf

Check   that the request matches the signature

Signature   ok

Certificate   Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: May 12 05:11:17 2018   GMT

            Not After : May 12 05:11:17 2019   GMT

        Subject:

            countryName               = cn

            stateOrProvinceName       = shandong

            organizationName          = jying

            organizationalUnitName    = web

            commonName                = www.jying.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                  4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9

            X509v3 Authority Key Identifier:

                  keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

 

Certificate   is to be certified until May 12 05:11:17 2019 GMT (365 days)

Sign   the certificate? [y/n]:y

 

 

1   out of 1 certificate requests certified, commit? [y/n]y

Write   out database with 1 new entries

Data   Base Updated

 

######################## Send the certificate back to the client

[root@el7-2   CA]# scp  newcerts/Client.crt   root@172.16.1.51:~

The   authenticity of host '172.16.1.51 (172.16.1.51)' can't be established.

ECDSA   key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.

ECDSA   key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.

Are   you sure you want to continue connecting (yes/no)? yes

Warning:   Permanently added '172.16.1.51' (ECDSA) to the list of known hosts.

root@172.16.1.51's   password:

Client.crt                                     100%   4438     3.7MB/s   00:00

 

#################### Client inspects the certificate

[root@7-1   ~]# openssl x509 -in Client.crt  -text   -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1 (0x1)

    Signature Algorithm:   sha256WithRSAEncryption

        Issuer: C=cn, ST=shandong, L=yantai,   O=jying, OU=1, CN=jying.com

        Validity

            Not Before: May 12 05:11:17 2018   GMT

            Not After : May 12 05:11:17 2019 GMT

        Subject: C=cn, ST=shandong, O=jying,   OU=web, CN=www.jying.com

        Subject Public Key Info:

            Public Key Algorithm:   rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                      00:c4:b2:57:14:ba:a4:ed:b0:14:ed:52:2e:f2:4c:

                      0e:e9:59:ab:6b:79:8a:ac:95:11:d3:b1:0c:61:12:

                      08:d6:19:73:6e:63:5b:1c:8e:3e:5c:02:da:95:5a:

                      b7:58:94:bd:66:c1:eb:22:15:84:7e:73:63:45:ed:

                      b2:24:e4:fa:c9:6c:6f:80:a0:78:63:bf:03:62:4f:

                      71:e1:2f:62:98:1e:7c:ab:f7:c3:f3:0d:e1:be:8c:

                      12:55:bf:82:c4:8c:03:63:ff:31:43:40:45:ac:5e:

                      fd:d7:3e:bb:a2:89:2c:9a:ea:a1:4f:70:17:29:da:

                      2c:aa:3b:7b:45:45:f8:c4:fd:b9:71:31:59:17:63:

                      e5:95:35:7e:55:99:6f:40:5a:63:2f:b1:ae:b5:41:

                      ad:54:4e:33:e6:c4:49:86:1d:68:23:0a:9a:40:e9:

                      b4:fd:da:e6:07:7e:71:73:c2:17:d6:8e:af:a8:e7:

                      39:5f:8e:79:0e:a9:78:13:09:30:df:ba:ff:d1:db:

                      47:9f:95:7c:fb:24:a4:b8:24:34:ab:a8:25:ec:d2:

                      e3:64:09:4d:1c:87:ac:de:b9:5c:54:27:c2:56:a3:

                      22:a2:fb:11:1e:69:57:cf:40:b5:33:69:4d:7c:5b:

                      e4:4f:a6:1d:73:cd:c0:da:69:cc:59:b6:3b:43:49:

                    8e:9d

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                  4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9

            X509v3 Authority Key Identifier:

                  keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

 

    Signature Algorithm:   sha256WithRSAEncryption

           65:59:b1:68:14:79:c2:30:07:57:5a:fe:04:9b:bb:c4:b0:d5:

         31:bb:70:08:32:14:63:18:79:ea:3d:e7:cc:33:7f:4f:8b:2a:

           e4:a5:6c:81:34:99:cb:0e:15:f3:3c:14:96:6a:ea:f7:30:f1:

           d3:f4:4d:8e:7d:99:02:c9:a1:10:8c:38:64:52:a7:1e:b6:73:

           ac:56:74:1b:25:b6:ab:d3:cd:6d:22:7e:14:8d:aa:63:eb:15:

         8b:61:c2:58:6f:0a:6d:a5:e1:c5:32:99:62:04:14:6f:5b:a0:

           30:e7:8f:0e:bd:f2:7e:d0:79:69:f1:c7:29:26:87:15:b5:21:

           0a:9e:0e:09:98:ab:39:7b:a0:4f:61:5e:da:0d:ab:00:9e:39:

           e1:85:c4:9c:9e:ff:bc:74:4c:d9:03:ad:03:3d:d7:3e:56:46:

           f3:06:d2:2d:52:f5:27:53:e4:ca:84:24:a6:c8:09:35:9d:28:

           90:f7:12:04:df:f6:07:59:c2:ed:85:e8:2f:30:9e:d9:91:d5:

           a8:4f:f8:a7:aa:6e:3e:8c:2f:6f:17:15:67:52:69:7d:fa:ce:

           e5:64:b5:50:70:d6:30:b4:ad:26:b7:61:c2:9a:5c:64:68:e2:

           72:93:6d:a8:d1:8e:26:d4:52:3d:8b:ac:27:5d:73:00:c4:bc:

         65:ca:b7:63

 

Two things to check in this output before deploying the certificate. First, the Issuer shown (OU=1, CN=jying.com) is not the Subject entered for the CA in step 1 (OU=tech, CN=cert.jying.com), so this certificate was signed under a different CA certificate than the one generated above; on the CA host, openssl verify -CAfile /etc/pki/CA/cacert.pem Client.crt must print OK before the certificate is put to use. Second, the certificate has no subjectAltName: it names the server only through CN=www.jying.com, and modern browsers ignore the CN for hostname matching, so a server certificate needs a SAN extension in the CSR (or in the signing extensions) as well.

Revoking a certificate

###################### Revoke the certificate (marks its index.txt entry as R; the CRL is not updated until it is regenerated)

[root@el7-2   CA]# openssl  ca  -revoke    /etc/pki/CA/newcerts/Client.crt

Using   configuration from /etc/pki/tls/openssl.cnf

Revoking   Certificate 01.

##################### Create the CRL-number file (required by -gencrl; incremented on every CRL issued)

[root@el7-2   CA]# echo  01 >/etc/pki/CA/crlnumber

##################### Generate the CRL

[root@el7-2   CA]# openssl  ca -gencrl  -out    /etc/pki/CA/crl/jying_web.crl

##################### Inspect the CRL. Next Update is 30 days out (default_crl_days in openssl.cnf), so a fresh CRL has to be issued before then. Nothing here publishes the CRL to relying parties, either: revocation only takes effect for clients that fetch this file and verify with CRL checking enabled (openssl verify -crl_check, or the equivalent in their TLS stack).

[root@el7-2   CA]# openssl crl -in    /etc/pki/CA/crl/jying_web.crl     -noout  -text

Certificate   Revocation List (CRL):

        Version 2 (0x1)

    Signature Algorithm:   sha256WithRSAEncryption

        Issuer:   /C=cn/ST=shandong/L=yantai/O=jying/OU=1/CN=jying.com

        Last Update: May 12 05:24:41 2018 GMT

        Next Update: Jun 11 05:24:41 2018 GMT

        CRL extensions:

            X509v3 CRL Number:

                1

Revoked   Certificates:

    Serial Number: 01

        Revocation Date: May 12 05:23:39 2018   GMT

    Signature Algorithm:   sha256WithRSAEncryption

           94:e3:a5:c3:9b:da:f8:d8:38:dd:ca:5c:b5:a2:b6:4b:0f:fc:

           3c:a4:07:d5:a4:61:9a:d9:9f:60:74:2f:c2:58:41:67:cc:f4:

           b7:03:e1:01:6e:69:ea:a0:8f:be:7a:7f:be:75:90:fd:b5:95:

           79:98:9d:02:aa:4e:bb:b1:9d:c4:df:8b:ac:86:8e:b7:da:af:

           56:6e:40:57:7e:d2:7d:fe:08:bb:04:54:56:82:0a:17:32:65:

           52:41:9f:49:1b:42:c4:c7:5d:4e:83:5c:cc:07:dc:d2:7b:8b:

           1c:36:4e:20:5b:af:05:87:07:29:5c:bb:b9:dc:42:e1:54:db:

           77:8c:03:96:e2:28:9a:2c:e7:26:1d:be:37:93:5b:7c:96:50:

           30:55:ea:54:d4:c9:8d:df:13:21:1c:ff:c2:ae:dd:35:65:a3:

           ba:eb:f1:86:13:a1:06:85:40:74:c9:c2:42:b3:5f:ba:8d:0b:

           73:33:52:7d:4a:fe:2d:b7:33:20:ce:4f:de:1b:8e:ea:87:40:

           e3:fb:79:23:d3:dd:62:65:71:87:d8:fd:cb:36:3e:b8:39:27:

           86:de:02:ed:9a:ec:c4:a2:35:08:a0:e4:1f:05:a6:c7:7e:24:

           06:18:bc:91:0d:54:fa:18:5d:07:9e:93:6b:3e:0c:13:c2:3a:

         2d:02:d1:2a
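The whole procedure above (CA key and self-signed certificate, client key and CSR, signing, revocation, CRL) run end to end as one script. This is an added example, not code from the original post: it works in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA, and it goes a little beyond the post by adding the pieces the checks above called for: an explicit -days for the CA certificate, a subjectAltName in the CSR, a umask so the unencrypted keys are never world-readable, an issuer check, and openssl verify with and without -crl_check. The DNs are the post's; the directory layout, config file, file names and function names (ca_setup, client_csr, ca_sign, ca_revoke, cert_status, ca_demo) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: its CA lifecycle run end to
# end in a scratch directory with its own openssl.cnf (so /etc/pki/CA is not
# touched), plus the verification the post leaves out. The DNs are the post's;
# the layout, config file and function names are this example's assumptions.
set -eu

# CA layout plus a minimal config matching the /etc/pki/CA defaults the post
# relies on: policy_match (C/ST/O must equal the CA's; L is not listed, so it
# is dropped from the subject, as in the post), sha256, 365 days, 30-day CRLs.
ca_setup() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts" "$dir/crl"; chmod 700 "$dir/private"
    touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ san_req ]
subjectAltName = DNS:www.jying.com
EOF
    # umask 077 keeps the unencrypted CA key from ever being world-readable;
    # -days 3650 is explicit, where the post's req -x509 got a 30-day default.
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/openssl.cnf" \
        -extensions v3_ca -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=cn/ST=shandong/L=yantai/O=jying/OU=tech/CN=cert.jying.com"
}
# Client: key plus a CSR carrying the subjectAltName the post's CSR lacks.
client_csr() {
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$1/openssl.cnf" -reqexts san_req -key "$1/$2.key" \
        -subj "/C=cn/ST=shandong/L=yantai/O=jying/OU=web/CN=$2" -out "$1/$2.csr"
}
# CA: non-interactive signing. v3_leaf pins CA:FALSE; copy_extensions=copy
# carries the SAN over but never overrides an extension v3_leaf already set.
ca_sign() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions v3_leaf \
        -in "$1/$2.csr" -out "$1/newcerts/$2.crt" 2>/dev/null
}
# Revoke (the index.txt entry becomes R) and publish a fresh CRL.
ca_revoke() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}
# Chain check; a CRL path as $3 is appended to the trust file and -crl_check
# enforced (PEM -CAfile input may hold CRLs). Prints valid, revoked, or the error.
cert_status() {
    cat "$1/cacert.pem" > "$1/trust.pem"; opts=""
    if [ -n "${3:-}" ]; then cat "$3" >> "$1/trust.pem"; opts="-crl_check"; fi
    out=$(openssl verify $opts -CAfile "$1/trust.pem" "$2" 2>&1 || true)
    case "$out" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo valid ;;
        *) echo "invalid: $out" ;; esac
}
# Whole lifecycle: issue, check issuer and SAN, verify, revoke, verify with CRL.
# The issuer check would have caught the post's certificate, whose Issuer
# (OU=1, CN=jying.com) is not the Subject of the CA certificate from step 1.
ca_demo() {
    root=$(mktemp -d); crt="$root/newcerts/www.jying.com.crt"
    ca_setup "$root"; client_csr "$root" www.jying.com; ca_sign "$root" www.jying.com
    ca_subj=$(openssl x509 -noout -subject -in "$root/cacert.pem" | sed 's/^subject/issuer/')
    [ "$(openssl x509 -noout -issuer -in "$crt")" = "$ca_subj" ] || { echo "issuer mismatch"; return 1; }
    openssl x509 -noout -text -in "$crt" | grep -q 'DNS:www.jying.com' || { echo "no SAN"; return 1; }
    before=$(cert_status "$root" "$crt"); ca_revoke "$root" "$crt"
    after=$(cert_status "$root" "$crt" "$root/crl/ca.crl"); rm -rf "$root"
    echo "before-revoke=$before after-revoke=$after"
}
ca_demo
```

Running the script prints before-revoke=valid after-revoke=revoked. The first cert_status call deliberately omits the CRL: without -crl_check (and a CRL to check against) openssl verify reports the revoked certificate as OK, which is exactly the gap the post's CRL section leaves open on the client side. Concatenating the CA certificate and the CRL into one -CAfile is the portable way to hand verify a CRL; newer OpenSSL also accepts -CRLfile.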




Original post: http://blog.51cto.com/jying/2115481
