openssl ca (signing and building your own CA)
# Create the database index file and the serial file
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
# Generate the CA private key
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
# Create the CA's certificate request
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
# Self-sign it
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
# Put the self-signed certificate under /etc/pki/CA/
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
# Lao Wang generates his private key
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
# Lao Wang generates his certificate request
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
# Lao Wang sends the request to the CA (country, domain name and organization must match the CA's subject)
[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/
# The CA signs it
[root@linux5 ~]# openssl ca -in wangwangwang.csr
# The CA sends the certificate to Lao Wang
[root@linux5 ~]# scp /etc/pki/CA/newcerts/02.pem wang@192.168.38.146:~/
A certificate request that has been signed with the CA's private key is a certificate; sending the signed certificate back to the applicant is what issuing a certificate means. During signing, to protect the integrity and consistency of the certificate, a digital digest of the signed certificate is also produced, i.e. a one-way hash algorithm is applied.
The configuration file specifies the file layout needed for signing certificates; the structure required by the default openssl.cnf is as follows:
[ CA_default ]
dir = /etc/pki/CA # path variable used by the entries below
certs = $dir/certs # directory holding issued certificates
database = $dir/index.txt # database index file
new_certs_dir = $dir/newcerts # directory for newly signed certificates
certificate = $dir/cacert.pem # path of the CA certificate
serial = $dir/serial # current certificate serial number
private_key = $dir/private/cakey.pem # path of the CA private key
The directories /etc/pki/CA/{certs,newcerts,private} already exist once openssl is installed, so they need not be created separately, but the database file index.txt and the serial file serial must be created, and the serial file must be given an initial number such as "01":
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
In addition, signing certificate requests requires the CA's own private key and the CA's own certificate. First create the CA's private key at the location given by private_key in the configuration file, by default /etc/pki/CA/private/cakey.pem.
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
The CA's own certificate must also be provided; in a test environment the CA can only self-sign. "openssl req -x509", "openssl x509" and "openssl ca" can all self-sign a certificate request; only the self-signing method of the openssl ca command itself is covered here.
First create the CA's certificate request. It is recommended to create the request to be self-signed with the CA's private key /etc/pki/CA/private/cakey.pem; this is not strictly required, but it keeps things easy to manage. When creating the request, Country Name, State or Province Name, Organization Name and Common Name must be provided by default.
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:MG
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
If the command asks two interactive questions (sign, then commit), the self-signing will succeed. If it fails instead, check whether the database file index.txt has been created, whether the serial file serial exists and contains a number, whether the path of the private key file cakey.pem is correct, and whether any required field was left out when the certificate request was created.
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 1 12:18:39 2019 GMT
Not After : Aug 31 12:18:39 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = MG
organizationalUnitName = IT
commonName = www.baidu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Certificate is to be certified until Aug 31 12:18:39 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
Validity
Not Before: Sep 1 12:18:39 2019 GMT
Not After : Aug 31 12:18:39 2020 GMT
Subject: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b8:1d:69:b1:34:dc:9d:68:77:3d:9a:66:62:74:
f4:45:46:80:64:78:21:a5:b0:b5:7c:89:9a:6e:72:
2f:01:2a:e7:30:57:1c:cd:3b:5e:e5:97:b9:a5:80:
7d:87:5d:6a:59:8c:5f:b9:0c:6f:d4:33:05:63:c2:
ff:50:12:11:29:7b:5f:e6:74:4a:11:c5:97:71:c4:
67:63:2d:36:d2:6f:b4:3a:7c:59:4a:80:79:35:b6:
e6:9f:c9:7b:82:18:11:95:19:c8:37:f7:9a:28:00:
98:6c:a3:73:00:01:4f:fe:7b:8e:d8:c5:82:06:c2:
c8:9e:44:8d:36:ca:05:0e:50:8a:17:32:05:91:18:
d1:e8:9b:a5:52:43:88:3f:99:01:84:7e:8b:c2:46:
23:d0:c1:91:a8:9e:f5:ef:c8:91:22:06:9e:b0:30:
1f:8c:f9:3e:f5:30:8c:27:95:54:05:03:82:ac:70:
f9:30:f9:0e:a2:8f:e6:9a:53:b5:f4:82:f1:ab:17:
6a:22:f9:b2:c4:0b:8d:6e:49:51:35:f9:dd:8c:4f:
eb:ee:ba:f0:08:1d:70:fd:90:11:47:0d:34:bd:b2:
3e:71:c5:a7:d5:c9:61:88:79:76:2a:59:74:b2:32:
fd:37:a4:2e:e0:8b:2f:98:76:ae:ae:19:57:23:93:
cb:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Signature Algorithm: sha256WithRSAEncryption
33:c4:da:33:67:d6:f8:c5:80:17:c0:db:b2:dd:5a:4e:f2:0c:
3a:21:fa:f6:da:86:0a:b3:66:fe:31:23:ed:00:8d:2a:0f:26:
c5:0b:9b:af:1c:0b:31:ba:60:d6:d7:24:74:29:0f:3a:8a:a1:
1f:f2:e9:de:96:1f:05:19:50:67:2f:5e:20:0b:8a:21:f4:95:
3b:30:88:2b:7c:2c:13:c9:b5:b4:17:c7:0c:84:20:0d:68:d8:
4d:31:ad:03:77:66:11:d3:96:68:38:d4:48:75:e3:2c:3a:fe:
ad:63:2b:89:61:9b:7e:07:97:c0:45:20:e7:4c:f4:1a:c3:6e:
49:81:16:33:f1:79:74:d3:f5:08:2c:21:42:b4:bd:65:a3:c2:
9d:56:7d:a8:3f:52:d0:55:94:ba:69:45:28:2a:05:13:4b:a2:
d5:00:dd:47:3d:92:27:7e:b0:23:f6:5a:96:0e:9b:e7:fd:7f:
57:3a:f0:43:88:05:60:73:db:3d:d8:f0:0e:90:97:18:94:f1:
53:56:e0:e6:0c:5a:60:f7:bb:86:bf:70:82:b2:d2:2a:64:c0:
b1:a6:13:69:ee:ae:ce:d6:8b:fa:b2:05:42:69:79:74:2a:6b:
04:e9:29:cc:55:6d:7d:4a:0f:43:63:2a:83:bb:de:0d:09:dd:
fa:f5:9c:70
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCQkoxCzAJBgNVBAoMAk1HMQswCQYDVQQLDAJJVDEWMBQGA1UEAwwN
d3d3LmJhaWR1LmNvbTAeFw0xOTA5MDExMjE4MzlaFw0yMDA4MzExMjE4MzlaMEwx
CzAJBgNVBAYTAkNOMQswCQYDVQQIDAJCSjELMAkGA1UECgwCTUcxCzAJBgNVBAsM
AklUMRYwFAYDVQQDDA13d3cuYmFpZHUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAuB1psTTcnWh3PZpmYnT0RUaAZHghpbC1fImabnIvASrnMFcc
zTte5Ze5pYB9h11qWYxfuQxv1DMFY8L/UBIRKXtf5nRKEcWXccRnYy020m+0OnxZ
SoB5Nbbmn8l7ghgRlRnIN/eaKACYbKNzAAFP/nuO2MWCBsLInkSNNsoFDlCKFzIF
kRjR6JulUkOIP5kBhH6LwkYj0MGRqJ7178iRIgaesDAfjPk+9TCMJ5VUBQOCrHD5
MPkOoo/mmlO19ILxqxdqIvmyxAuNbklRNfndjE/r7rrwCB1w/ZARRw00vbI+ccWn
1clhiHl2Kll0sjL9N6Qu4IsvmHaurhlXI5PLPQIDAQABo3sweTAJBgNVHRMEAjAA
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQUeF8ZPZvNXWBaAOXalX1M7CwgsT8wHwYDVR0jBBgwFoAUeF8ZPZvN
XWBaAOXalX1M7CwgsT8wDQYJKoZIhvcNAQELBQADggEBADPE2jNn1vjFgBfA27Ld
Wk7yDDoh+vbahgqzZv4xI+0AjSoPJsULm68cCzG6YNbXJHQpDzqKoR/y6d6WHwUZ
UGcvXiALiiH0lTswiCt8LBPJtbQXxwyEIA1o2E0xrQN3ZhHTlmg41Eh14yw6/q1j
K4lhm34Hl8BFIOdM9BrDbkmBFjPxeXTT9QgsIUK0vWWjwp1Wfag/UtBVlLppRSgq
BRNLotUA3Uc9kid+sCP2WpYOm+f9f1c68EOIBWBz2z3Y8A6QlxiU8VNW4OYMWmD3
u4a/cIKy0ipkwLGmE2nurs7Wi/qyBUJpeXQqawTpKcxVbX1KD0NjKoO73g0J3fr1
nHA=
-----END CERTIFICATE-----
Data Base Updated
[root@linux5 ~]# tree -C /etc/pki/CA
/etc/pki/CA
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
| `-- 01.pem
|-- private
| `-- cakey.pem
|-- serial
`-- serial.old
The file 01.pem under the newcerts directory is the certificate just self-signed. Because it is the CA's own certificate, the "certificate=$dir/cacert.pem" item in the configuration file requires it to be placed in the /etc/pki/CA directory under the name cacert.pem; only then can other certificate requests be signed later.
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
With that, the self-built CA is complete:
[root@linux5 ~]# cat /etc/pki/CA/index.txt
V 200831121839Z 01 unknown /C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com
The next time a certificate request is signed, the serial number will be "02".
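The index.txt listing above is the CA's database. openssl ca writes one tab-separated record per certificate with six columns: status (V valid, R revoked, E expired), expiry time, revocation time (empty unless revoked), serial, certificate file name (recorded as "unknown") and subject. The audit script below is an added example and not part of the original post: it classifies every record against a reference time given in the same YYMMDDHHMMSSZ form the file uses, so the comparison is a plain string comparison and needs no date arithmetic (it assumes two-digit-year UTCTime records of the same century, which is what the listings on this page contain). The sample records are constructed inline: entries 01 and 02 are the two from this page, entry 03 is an invented revoked certificate.

```shell
#!/bin/sh
# Added example, not from the original post: audit the index.txt database that
# openssl ca maintains. Each record is tab-separated:
#   status  expiry  revocation_time  serial  filename  subject
# status is V (valid), R (revoked) or E (expired; written by "openssl ca -updatedb").
# Times are UTCTime strings (YYMMDDHHMMSSZ), so records from the same century
# compare correctly as plain strings.

# Constructed sample modelled on the listing in the post: 01 and 02 are the
# post's own entries, 03 is an invented revoked certificate.
SAMPLE_INDEX=$(printf 'V\t200831121839Z\t\t01\tunknown\t/C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com\n'
               printf 'V\t200831125213Z\t\t02\tunknown\t/C=CN/ST=BJ/O=MG/CN=www.wangwangwang.com\n'
               printf 'R\t210115093000Z\t200915100000Z\t03\tunknown\t/C=CN/ST=BJ/O=MG/CN=www.example.test\n')

# index_report FILE NOW: print "serial<TAB>state<TAB>subject" for every record
# and return the number of records that are not simply valid as of NOW
index_report() {
    awk -F'\t' -v now="$2" '
        NF >= 6 {
            expiry = $2; serial = $4; subject = $6
            if ($1 == "R")            state = "revoked at " $3
            else if ($1 == "E")       state = "expired"
            else if (expiry <= now)   state = "expired (still marked V; run openssl ca -updatedb)"
            else                      state = "valid until " expiry
            if (state !~ /^valid/) bad++
            printf "%s\t%s\t%s\n", serial, state, subject
        }
        END { exit bad + 0 }
    ' "$1"
}

# stand-alone run: report on the sample as of 2020-09-01 00:00:00 UTC
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_INDEX" > "$tmp"
index_report "$tmp" 200901000000Z || echo "$? record(s) need attention"
rm -f "$tmp"
```

Run against a real CA with `index_report /etc/pki/CA/index.txt "$(date -u +%y%m%d%H%M%SZ)"`. A record that is still marked V after its expiry is the normal state of an openssl ca database until -updatedb is run, which is why the script flags it rather than trusting the status column alone.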
To recap, the CA was built with the following commands:
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem
The process above was carried out entirely by reading the default configuration file. In practice much of it is not that strict: the openssl ca command accepts many options that override items in the configuration file. But since a default configuration file and directory layout are provided, for ease of management it is still recommended to use the configuration file's settings throughout.
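The failure causes listed earlier (index.txt missing, serial missing or without a number, the private key not at the configured path) can be checked mechanically before openssl ca is run. The script below is an added example rather than the post's own: it takes the CA directory as a parameter, follows the CA_default layout shown above, and additionally checks that the CA private key is not group- or world-readable. The "required field left out of the request" cause is on the request side and is reported by openssl itself, so it is not covered here.

```shell
#!/bin/sh
# Added example, not from the original post: preflight check for a CA directory
# laid out as in openssl.cnf's CA_default section (certs/, newcerts/, private/,
# index.txt, serial, cacert.pem, private/cakey.pem).
# Usage: ca_preflight DIR [selfsign]
# Prints one line per problem and returns the number of problems (0 = ready).

ca_preflight() {
    cadir=$1
    mode=${2:-sign}
    problems=0

    for sub in certs newcerts private; do
        if [ ! -d "$cadir/$sub" ]; then
            echo "missing directory $cadir/$sub"
            problems=$((problems + 1))
        fi
    done

    # the database index must exist, even if empty (touch it)
    if [ ! -f "$cadir/index.txt" ]; then
        echo "missing database $cadir/index.txt"
        problems=$((problems + 1))
    fi

    # the serial file must exist and hold an even number of hex digits such as
    # 01; openssl ca rejects an odd-length value
    if [ ! -f "$cadir/serial" ]; then
        echo "missing serial file $cadir/serial"
        problems=$((problems + 1))
    elif ! grep -Eqx '([0-9A-Fa-f]{2})+' "$cadir/serial"; then
        echo "serial file $cadir/serial must contain an even-length hex number such as 01"
        problems=$((problems + 1))
    fi

    # the CA private key must be at the path private_key points to and must
    # not be readable by group or others
    key=$cadir/private/cakey.pem
    if [ ! -f "$key" ]; then
        echo "missing CA private key $key"
        problems=$((problems + 1))
    else
        perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case $perm in
            600|400) ;;
            *)  echo "CA private key $key is mode $perm; expected 600"
                problems=$((problems + 1)) ;;
        esac
    fi

    # the CA certificate is only needed once the CA signs other requests;
    # "openssl ca -selfsign" does not read it
    if [ "$mode" != selfsign ] && [ ! -f "$cadir/cacert.pem" ]; then
        echo "missing CA certificate $cadir/cacert.pem (copy newcerts/01.pem there after self-signing)"
        problems=$((problems + 1))
    fi

    return $problems
}

# stand-alone run: check the directory given as first argument, default /etc/pki/CA
ca_preflight "${1:-/etc/pki/CA}" || echo "$? problem(s) found; fix them before running openssl ca"
```

Pass `selfsign` as the second argument before the very first `openssl ca -selfsign` run, when cacert.pem cannot exist yet; run it without the second argument before signing anyone else's request.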
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:MG
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.wangwangwang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Country Name, State or Province Name, Organization Name and Common Name must be provided, and the first three must be exactly the same as the corresponding items in the CA's subject. This is dictated by the matching policy in the configuration file:
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/
[root@linux5 ~]# openssl ca -in wangwangwang.csr
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Sep 1 12:52:13 2019 GMT
Not After : Aug 31 12:52:13 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = MG
commonName = www.wangwangwang.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:B0:F3:C6:8B:F0:96:40:73:5C:B6:A8:2F:E4:DF:8C:2E:5B:C5:C5
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Certificate is to be certified until Aug 31 12:52:13 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
Validity
Not Before: Sep 1 12:52:13 2019 GMT
Not After : Aug 31 12:52:13 2020 GMT
Subject: C=CN, ST=BJ, O=MG, CN=www.wangwangwang.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d5:44:3a:e8:1e:de:4b:06:df:24:bc:4e:99:f3:
9a:a0:1c:84:e2:b2:32:cf:9d:f3:a1:e1:1e:9b:65:
d3:84:96:f1:73:7f:88:32:ea:d7:fa:c9:35:82:60:
86:b0:b1:33:b9:45:a9:a9:62:33:7d:b7:23:56:08:
d2:00:ef:c1:e4:e1:bb:ca:e7:a7:26:de:43:76:e1:
07:7f:92:06:b4:88:61:6a:38:27:88:e4:5e:82:c4:
90:b4:88:b2:46:bf:3a:6f:44:95:01:94:be:33:be:
62:74:bd:7c:01:d1:3f:a3:95:26:d4:21:87:de:2d:
e2:f9:96:09:25:6b:19:aa:30:c8:c9:68:7c:73:fe:
35:0e:b5:7c:68:6c:2e:3d:99:40:d8:b4:ee:cc:88:
a2:53:b3:1e:31:ac:f5:ce:ad:5c:93:b9:ba:eb:fb:
d2:0c:46:90:8b:fc:ae:b9:42:dd:d1:00:61:96:47:
1a:3f:58:df:7f:c1:b6:ee:ca:b5:5e:4f:91:ca:3d:
4e:8a:39:36:58:26:a2:7e:97:a2:72:89:27:ef:9d:
2b:4e:4d:cc:91:bf:2e:66:f3:25:8f:f4:6f:97:da:
2b:6a:d1:64:2d:f9:c6:4f:72:6b:59:d0:96:48:6e:
4b:58:97:6e:78:0e:57:75:a1:da:c4:85:90:d4:08:
cd:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5C:B0:F3:C6:8B:F0:96:40:73:5C:B6:A8:2F:E4:DF:8C:2E:5B:C5:C5
X509v3 Authority Key Identifier:
keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
Signature Algorithm: sha256WithRSAEncryption
25:f1:7a:b5:e2:8f:25:6e:90:1d:dc:40:7e:73:8d:88:84:3c:
72:ea:15:3f:fe:93:a5:e9:e3:f3:3f:d2:47:75:39:72:55:98:
89:a7:99:ee:07:fb:03:a6:4d:84:fa:49:7b:98:07:2e:7b:53:
c4:16:5e:30:1f:6e:62:ba:a8:b0:01:07:bc:a0:82:1f:7f:a3:
77:36:74:f5:d1:e6:7e:fe:e1:0d:05:d6:b2:28:76:2d:21:57:
73:67:37:91:40:a2:4b:74:e3:b7:39:10:32:f2:8f:03:34:be:
2d:c3:d7:c9:84:00:39:1f:44:dc:08:cc:5f:91:ec:7a:72:48:
4b:5e:f8:de:a2:ed:29:c9:d0:48:ca:9c:a5:d9:48:31:c2:52:
d2:6d:2c:14:b6:7c:c7:f3:9b:16:7e:0e:e2:26:0d:03:57:92:
e2:a0:fa:11:ed:26:cd:1e:ef:8c:c5:03:1c:80:91:af:06:4a:
2b:78:42:1a:23:02:1b:d7:67:4f:0d:ec:07:7c:6d:1b:9f:85:
38:c9:69:22:2f:e4:d0:bf:91:26:73:20:e5:fa:09:b1:30:80:
de:ad:97:c0:53:3c:02:a1:5b:5f:4a:55:4f:b3:cf:fb:6b:24:
95:82:2c:45:71:39:70:c4:2b:44:68:b6:5e:d7:6f:23:f5:fb:
46:31:93:f9
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated
[root@linux5 ~]# tree -C /etc/pki/CA
/etc/pki/CA
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- newcerts
| |-- 01.pem
| `-- 02.pem
|-- private
| `-- cakey.pem
|-- serial
`-- serial.old
[root@linux5 ~]# cat /etc/pki/CA/index.txt
V 200831121839Z 01 unknown /C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com
V 200831125213Z 02 unknown /C=CN/ST=BJ/O=MG/CN=www.wangwangwang.com
[root@linux5 ~]# cat /etc/pki/CA/serial
03
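Two things about the runs above deserve a check that the post does not make. First, both self-signed roots on this page carry "X509v3 Basic Constraints: CA:FALSE", because openssl ca -selfsign applied the default usr_cert extension section; openssl ca will still happily issue certificates from such a root, but openssl verify (and TLS clients) reject a chain whose issuer says it is not a CA. Passing -extensions v3_ca at self-signing time (the v3_ca section of the stock openssl.cnf sets CA:TRUE) fixes this. Second, the policy_match section shown earlier is enforced: a request whose organizationName differs from the CA's is refused and nothing is written. The script below is an added example and not the post's own code; it builds two throw-away CAs with the same file layout in a temporary directory, drives openssl ca non-interactively, and demonstrates both points. It assumes only that the openssl binary is on PATH; every path, subject and section name in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds two throw-away CAs with the
# /etc/pki/CA layout under a temp directory and checks that:
#  1. a root self-signed with the default usr_cert section gets CA:FALSE, as in
#     the post's output, and "openssl verify" then rejects what it issued;
#  2. self-signing with "-extensions v3_ca" (CA:TRUE) makes the chain verify;
#  3. policy_match refuses a request whose O differs from the CA subject, so
#     nothing is written and the serial file stays at the next free number.
# Assumes only that openssl is on PATH; all names below are constructed here.

# write_cnf DIR: minimal openssl.cnf with the CA_default keys quoted in the post
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# build_ca DIR EXT: create the layout, CA key and request, then self-sign the
# request with extension section EXT (usr_cert or v3_ca)
build_ca() {
    mkdir -p "$1/certs" "$1/newcerts" "$1/private" && chmod 700 "$1/private"
    touch "$1/index.txt" && echo 01 > "$1/serial"
    write_cnf "$1"
    openssl genrsa -out "$1/private/cakey.pem" 2048
    openssl req -new -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "/C=CN/ST=BJ/O=MG/CN=demo-root" -out "$1/root.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -selfsign \
        -extensions "$2" -in "$1/root.csr" -out "$1/cacert.pem"
}

# issue_leaf DIR SUBJECT NAME: key and request for SUBJECT, signed by the CA
# in DIR; the certificate is written to DIR/NAME.pem
issue_leaf() {
    openssl genrsa -out "$1/$3.key" 2048
    openssl req -new -config "$1/openssl.cnf" -key "$1/$3.key" -subj "$2" -out "$1/$3.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$3.csr" -out "$1/$3.pem"
}

# verifies DIR NAME: "accepted" if openssl verify trusts DIR/NAME.pem with
# DIR/cacert.pem as the only trust anchor, otherwise "rejected"
verifies() {
    if openssl verify -CAfile "$1/cacert.pem" "$1/$2.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

# ca_demo: run the three checks and print "bad=... good=... serial=..."
ca_demo() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    top=$(mktemp -d) || return 1
    leaf="/C=CN/ST=BJ/O=MG/CN=www.example.test"

    build_ca "$top/bad" usr_cert 2>/dev/null      # CA:FALSE root, as in the post
    issue_leaf "$top/bad" "$leaf" leaf 2>/dev/null
    bad=$(verifies "$top/bad" leaf)

    build_ca "$top/good" v3_ca 2>/dev/null        # CA:TRUE root
    issue_leaf "$top/good" "$leaf" leaf 2>/dev/null
    good=$(verifies "$top/good" leaf)

    # O=OTHER violates "organizationName = match": openssl ca explains the
    # mismatch on stderr, signs nothing, and leaves serial at 03
    issue_leaf "$top/good" "/C=CN/ST=BJ/O=OTHER/CN=www.example.test" other || true
    serial=$(cat "$top/good/serial")

    rm -rf "$top"
    echo "bad=$bad good=$good serial=$serial"
}

ca_demo   # expected: bad=rejected good=accepted serial=03
```

The config is deliberately the same shape as the CA_default and policy_match sections quoted on this page, with the paths pointed at the temp directory, so the behaviour carries over to /etc/pki/CA unchanged: to get a usable root there, add -extensions v3_ca to the openssl ca -selfsign command shown above.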
Original article: https://blog.51cto.com/14012942/2434561