CA client: el7-1 (172.16.1.52), requests a certificate
1) CA self-signed certificate
```
################### Generate the CA private key
[root@el7-2 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
............................................................+++
...................................................................................................................................................................+++
################### Self-sign the CA certificate (no -days given, so the 30-day default validity applies)
[root@el7-2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:yantai
Organization Name (eg, company) [Default Company Ltd]:jying
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:cert.jying.com
Email Address []:
```
2) The client creates a private key and a certificate signing request
```
##################### Create the private key
[root@7-1 ~]# openssl genrsa -out ClientPrivateKey 2048
Generating RSA private key, 2048 bit long modulus
.....+++
...............................................................................................+++
e is 65537 (0x10001)
##################### Create the certificate request (some DN fields must match the CA's policy)
[root@7-1 ~]# openssl req -new -key ClientPrivateKey -out ClientReq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:yantai
Organization Name (eg, company) [Default Company Ltd]:jying
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:www.jying.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
##################### Send the request to the CA
[root@7-1 ~]# scp ClientReq.csr root@172.16.1.52:/etc/pki/CA
The authenticity of host '172.16.1.52 (172.16.1.52)' can't be established.
ECDSA key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.
ECDSA key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.52' (ECDSA) to the list of known hosts.
root@172.16.1.52's password:
ClientReq.csr                                 100% 1005   900.4KB/s   00:00
```
3) The CA issues the certificate
```
##################### Create the certificate database
[root@el7-2 CA]# touch index.txt
##################### Create the serial-number file
[root@el7-2 CA]# echo 01 >serial
##################### Issue the certificate
[root@el7-2 CA]# openssl ca -in ClientReq.csr -out newcerts/Client.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 12 05:11:17 2018 GMT
            Not After : May 12 05:11:17 2019 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = shandong
            organizationName          = jying
            organizationalUnitName    = web
            commonName                = www.jying.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9
            X509v3 Authority Key Identifier:
                keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

Certificate is to be certified until May 12 05:11:17 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
```
######################## Send the certificate to the client
[root@el7-2 CA]# scp newcerts/Client.crt root@172.16.1.51:~
The authenticity of host '172.16.1.51 (172.16.1.51)' can't be established.
ECDSA key fingerprint is SHA256:P1BfX8LN+/3SzKEugmKlg9VOziuyMiSJosAz1eVwk08.
ECDSA key fingerprint is MD5:11:f7:ae:b1:0c:6d:6c:19:9a:00:24:bd:f2:1b:22:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.51' (ECDSA) to the list of known hosts.
root@172.16.1.51's password:
Client.crt                                    100% 4438     3.7MB/s   00:00
```
```
#################### Inspect the certificate on the client
[root@7-1 ~]# openssl x509 -in Client.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=shandong, L=yantai, O=jying, OU=1, CN=jying.com
        Validity
            Not Before: May 12 05:11:17 2018 GMT
            Not After : May 12 05:11:17 2019 GMT
        Subject: C=cn, ST=shandong, O=jying, OU=web, CN=www.jying.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:b2:57:14:ba:a4:ed:b0:14:ed:52:2e:f2:4c:
                    0e:e9:59:ab:6b:79:8a:ac:95:11:d3:b1:0c:61:12:
                    08:d6:19:73:6e:63:5b:1c:8e:3e:5c:02:da:95:5a:
                    b7:58:94:bd:66:c1:eb:22:15:84:7e:73:63:45:ed:
                    b2:24:e4:fa:c9:6c:6f:80:a0:78:63:bf:03:62:4f:
                    71:e1:2f:62:98:1e:7c:ab:f7:c3:f3:0d:e1:be:8c:
                    12:55:bf:82:c4:8c:03:63:ff:31:43:40:45:ac:5e:
                    fd:d7:3e:bb:a2:89:2c:9a:ea:a1:4f:70:17:29:da:
                    2c:aa:3b:7b:45:45:f8:c4:fd:b9:71:31:59:17:63:
                    e5:95:35:7e:55:99:6f:40:5a:63:2f:b1:ae:b5:41:
                    ad:54:4e:33:e6:c4:49:86:1d:68:23:0a:9a:40:e9:
                    b4:fd:da:e6:07:7e:71:73:c2:17:d6:8e:af:a8:e7:
                    39:5f:8e:79:0e:a9:78:13:09:30:df:ba:ff:d1:db:
                    47:9f:95:7c:fb:24:a4:b8:24:34:ab:a8:25:ec:d2:
                    e3:64:09:4d:1c:87:ac:de:b9:5c:54:27:c2:56:a3:
                    22:a2:fb:11:1e:69:57:cf:40:b5:33:69:4d:7c:5b:
                    e4:4f:a6:1d:73:cd:c0:da:69:cc:59:b6:3b:43:49:
                    8e:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                4E:C0:F2:5D:0B:43:3E:C5:CF:6D:3F:06:14:94:B2:08:87:2E:3D:A9
            X509v3 Authority Key Identifier:
                keyid:9C:2C:DA:2B:57:98:0B:26:3B:08:52:F2:AF:73:DE:ED:EB:46:97:FA

    Signature Algorithm: sha256WithRSAEncryption
         65:59:b1:68:14:79:c2:30:07:57:5a:fe:04:9b:bb:c4:b0:d5:
         31:bb:70:08:32:14:63:18:79:ea:3d:e7:cc:33:7f:4f:8b:2a:
         e4:a5:6c:81:34:99:cb:0e:15:f3:3c:14:96:6a:ea:f7:30:f1:
         d3:f4:4d:8e:7d:99:02:c9:a1:10:8c:38:64:52:a7:1e:b6:73:
         ac:56:74:1b:25:b6:ab:d3:cd:6d:22:7e:14:8d:aa:63:eb:15:
         8b:61:c2:58:6f:0a:6d:a5:e1:c5:32:99:62:04:14:6f:5b:a0:
         30:e7:8f:0e:bd:f2:7e:d0:79:69:f1:c7:29:26:87:15:b5:21:
         0a:9e:0e:09:98:ab:39:7b:a0:4f:61:5e:da:0d:ab:00:9e:39:
         e1:85:c4:9c:9e:ff:bc:74:4c:d9:03:ad:03:3d:d7:3e:56:46:
         f3:06:d2:2d:52:f5:27:53:e4:ca:84:24:a6:c8:09:35:9d:28:
         90:f7:12:04:df:f6:07:59:c2:ed:85:e8:2f:30:9e:d9:91:d5:
         a8:4f:f8:a7:aa:6e:3e:8c:2f:6f:17:15:67:52:69:7d:fa:ce:
         e5:64:b5:50:70:d6:30:b4:ad:26:b7:61:c2:9a:5c:64:68:e2:
         72:93:6d:a8:d1:8e:26:d4:52:3d:8b:ac:27:5d:73:00:c4:bc:
         65:ca:b7:63
```
Revoking a certificate
```
###################### Revoke the certificate
[root@el7-2 CA]# openssl ca -revoke /etc/pki/CA/newcerts/Client.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
##################### Create the CRL-number file
[root@el7-2 CA]# echo 01 >/etc/pki/CA/crlnumber
##################### Generate the CRL
[root@el7-2 CA]# openssl ca -gencrl -out /etc/pki/CA/crl/jying_web.crl
##################### Inspect the CRL
[root@el7-2 CA]# openssl crl -in /etc/pki/CA/crl/jying_web.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=cn/ST=shandong/L=yantai/O=jying/OU=1/CN=jying.com
        Last Update: May 12 05:24:41 2018 GMT
        Next Update: Jun 11 05:24:41 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: May 12 05:23:39 2018 GMT
    Signature Algorithm: sha256WithRSAEncryption
         94:e3:a5:c3:9b:da:f8:d8:38:dd:ca:5c:b5:a2:b6:4b:0f:fc:
         3c:a4:07:d5:a4:61:9a:d9:9f:60:74:2f:c2:58:41:67:cc:f4:
         b7:03:e1:01:6e:69:ea:a0:8f:be:7a:7f:be:75:90:fd:b5:95:
         79:98:9d:02:aa:4e:bb:b1:9d:c4:df:8b:ac:86:8e:b7:da:af:
         56:6e:40:57:7e:d2:7d:fe:08:bb:04:54:56:82:0a:17:32:65:
         52:41:9f:49:1b:42:c4:c7:5d:4e:83:5c:cc:07:dc:d2:7b:8b:
         1c:36:4e:20:5b:af:05:87:07:29:5c:bb:b9:dc:42:e1:54:db:
         77:8c:03:96:e2:28:9a:2c:e7:26:1d:be:37:93:5b:7c:96:50:
         30:55:ea:54:d4:c9:8d:df:13:21:1c:ff:c2:ae:dd:35:65:a3:
         ba:eb:f1:86:13:a1:06:85:40:74:c9:c2:42:b3:5f:ba:8d:0b:
         73:33:52:7d:4a:fe:2d:b7:33:20:ce:4f:de:1b:8e:ea:87:40:
         e3:fb:79:23:d3:dd:62:65:71:87:d8:fd:cb:36:3e:b8:39:27:
         86:de:02:ed:9a:ec:c4:a2:35:08:a0:e4:1f:05:a6:c7:7e:24:
         06:18:bc:91:0d:54:fa:18:5d:07:9e:93:6b:3e:0c:13:c2:3a:
         2d:02:d1:2a
```
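Steps 1 to 3 and the revocation section above are interactive sessions. The script below is an added example, not code from the original post: it runs the same lifecycle non-interactively in a temporary directory with its own openssl.cnf (mirroring the stock [CA_default] layout and policy the sessions rely on), then verifies the issued certificate against the CRL before revocation, after revocation with the old CRL, and after a fresh CRL is generated. The function names (ca_setup, make_csr, issue_cert, revoke_cert, publish_crl, verify_cert), the file name ca.crl and the temporary paths are assumptions; the subject values are taken from the post. It needs the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original post: the same issue/revoke lifecycle run
# non-interactively in a throwaway directory. Layout and [CA_default] keys mirror
# the stock openssl.cnf the post relies on; subject values come from the post.
set -eu

# Build a private CA under $1: directories, database files, a minimal config,
# and a self-signed CA certificate carrying proper CA extensions.
ca_setup() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/crl"
  chmod 700 "$dir/private"
  touch "$dir/index.txt"        # certificate database (post: touch index.txt)
  echo 01 > "$dir/serial"       # next serial number  (post: echo 01 > serial)
  echo 01 > "$dir/crlnumber"    # next CRL number     (post: echo 01 > crlnumber)
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_match
x509_extensions  = usr_cert
# Stock policy: C/ST/O must equal the CA's; L is not listed, so it is dropped
# from the issued subject (which is why the post's issued cert shows no L=).
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  # -subj replaces the DN prompts; -days 3650 instead of the 30-day default
  openssl req -new -x509 -config "$dir/openssl.cnf" -days 3650 \
    -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -subj "/C=cn/ST=shandong/L=yantai/O=jying/OU=tech/CN=cert.jying.com"
}

# Client side: private key and CSR for host $2, written as $3.key and $3.csr.
make_csr() {
  openssl genrsa -out "$3.key" 2048 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$3.key" -out "$3.csr" \
    -subj "/C=cn/ST=shandong/L=yantai/O=jying/OU=web/CN=$2"
}

# CA side: sign $2.csr into $2.crt; -batch answers the post's two y/n prompts.
issue_cert()  { openssl ca -config "$1/openssl.cnf" -batch -in "$2.csr" -out "$2.crt"; }
revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$2"; }
publish_crl() { openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl"; }

# Relying-party check: chain to the CA and consult the published CRL.
# Prints "valid", "revoked", or "error: <openssl message>".
verify_cert() {
  if out=$(openssl verify -crl_check -CAfile "$1/cacert.pem" \
             -CRLfile "$1/crl/ca.crl" "$2" 2>&1); then
    echo valid
  else
    case $out in *revoked*) echo revoked ;; *) echo "error: $out" ;; esac
  fi
}

demo() {
  ca=$(mktemp -d)
  ca_setup "$ca"
  make_csr "$ca" www.jying.com "$ca/client"
  issue_cert "$ca" "$ca/client"
  publish_crl "$ca"
  echo "after issue:        $(verify_cert "$ca" "$ca/client.crt")"
  revoke_cert "$ca" "$ca/client.crt"
  echo "revoked, stale CRL: $(verify_cert "$ca" "$ca/client.crt")"
  publish_crl "$ca"   # -revoke only marks index.txt; the CRL must be regenerated
  echo "revoked, fresh CRL: $(verify_cert "$ca" "$ca/client.crt")"
  rm -rf "$ca"
}
demo
```

The middle line of the demo output is the point worth keeping in mind when operating a CA like the one in the post: `openssl ca -revoke` only flips the entry in index.txt to R. Until `openssl ca -gencrl` is run again and the new CRL actually reaches relying parties (or an OCSP responder is fed from the same database), every client keeps accepting the revoked certificate, so revocation and CRL publication should be treated as one operation.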
Original post: http://blog.51cto.com/jying/2115481