
Linux openssl CA certificate and issuance

Posted: 2021-05-24 03:37:59



Steps to apply for and sign a certificate:
1> Generate the certificate signing request
2> RA verification
3> CA signing
4> Obtain the certificate
===============================================================

1> On centos8, create the files and directories the CA needs (as listed in the [ CA_default ] section of openssl.cnf)

[ CA_default ]
dir             = /etc/pki/CA            # Where everything is kept
certs           = $dir/certs             # Where the issued certs are kept
crl_dir         = $dir/crl               # Where the issued crl are kept
database        = $dir/index.txt         # database index file.
#unique_subject = no                     # Set to 'no' to allow creation of
                                         # several certs with same subject.
new_certs_dir   = $dir/newcerts          # default place for new certs.
certificate     = $dir/cacert.pem        # The CA certificate
serial          = $dir/serial            # The current serial number
crlnumber       = $dir/crlnumber         # the current crl number
                                         # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem           # The current CRL
private_key     = $dir/private/cakey.pem # The private key


[20:22:52 root@centos8 pki]#mkdir CA

[20:23:55 root@centos8 CA]#touch index.txt
[20:24:01 root@centos8 CA]#echo 01 > serial

[20:32:25 root@centos8 CA]#mkdir private

[21:04:59 root@centos8 CA]#mkdir /etc/pki/CA/certs

[21:04:26 root@centos8 CA]#mkdir /etc/pki/CA/newcerts

2> Create the CA private key

[20:32:43 root@centos8 CA]#openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................+++++
................................................+++++
e is 65537 (0x010001)

[20:35:45 root@centos8 CA]#ll ./private/cakey.pem
-rw-------. 1 root root 1679 May 9 20:32 ./private/cakey.pem

 

3> Generate the CA self-signed certificate

[20:39:19 root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 36500 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:Noise
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:noise
Email Address []:570110218@qq.com
[20:39:47 root@centos8 CA]#ll
total 8
-rw-r--r--. 1 root root 1391 May 9 20:39 cacert.pem
-rw-r--r--. 1 root root 0 May 9 20:24 index.txt
drwxr-xr-x. 2 root root 23 May 9 20:32 private
-rw-r--r--. 1 root root 3 May 9 20:24 serial

 

It can be downloaded to Windows, renamed with a .crt suffix, and viewed there

[20:46:25 root@centos8 CA]#sz ./cacert.pem

Or it can be inspected directly on the host

[20:55:49 root@centos8 CA]#openssl x509 -in cacert.pem -noout -text

 

4> Host A requests a certificate and has it issued by the CA

4.1> Generate the private key

[21:31:53 root@centos8 CA]#openssl genrsa -out /data/noise.key

4.2> Generate the certificate signing request file

[21:34:12 root@centos8 CA]#openssl req -new -key /data/noise.key -out /data/noise.csr

4.3> CA signing

[21:39:39 root@centos8 CA]#openssl ca -in /data/noise.csr -out /etc/pki/CA/certs/noise.crt -days 100

4.4> View the certificate

[21:41:14 root@centos8 CA]#openssl x509 -in /etc/pki/CA/certs/noise.crt -noout -text

 

Certificate revocation

[22:05:01 root@centos8 CA]#cat serial

[22:05:22 root@centos8 CA]#echo 02 > serial

[22:06:36 root@centos8 CA]#echo 02 > crlnumber

[22:06:42 root@centos8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem

[22:07:00 root@centos8 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
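The whole procedure above, from the CA layout through issuing and revoking a certificate, scripted as an added example that is not part of the original post. It adds the two checks the post does not show: `openssl verify` of the issued certificate against the CA certificate, and the same check with `-crl_check` after the certificate has been revoked with `openssl ca -revoke` and a CRL generated. It assumes openssl 1.1.1 or 3.x on PATH and takes a scratch CA directory as its argument; the subject names are constructed sample values.

```shell
# Assumes openssl 1.1.1 or 3.x on PATH and a scratch CA dir in $1 (no spaces); names are sample values.
ca_setup() {     # steps 1 to 3 of the post, non-interactive; layout mirrors the post's [ CA_default ]
    dir="$1"
    mkdir -p "$dir/newcerts" "$dir/certs" "$dir/private"
    : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca -days 36500 \
        -key "$dir/private/cakey.pem" -subj "/CN=noise-ca" -out "$dir/cacert.pem"
}
ca_issue() {     # steps 4.1 to 4.3: leaf key, CSR, signature by the CA (serial file auto-increments)
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -days 100 -in "$1/$2.csr" -out "$1/certs/$2.crt"
}
ca_verify() {    # exit 0 only when the chain is valid and, once a CRL exists, the cert is not on it
    crl=""; [ -f "$1/crl.pem" ] && crl="-crl_check -CRLfile $1/crl.pem"   # left unquoted below on purpose
    openssl verify $crl -CAfile "$1/cacert.pem" "$1/certs/$2.crt"
}
ca_revoke() {    # what the post's revocation section leaves implicit: mark revoked, then publish a CRL
    openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/$2.crt" &&
    openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$1/crl.pem"
}
ca_demo() {      # exit 0 only if the fresh cert verifies AND the same cert is rejected after revocation
    ca_setup "$1" && ca_issue "$1" noise && ca_verify "$1" noise || return 1
    ca_revoke "$1" noise || return 1
    ! ca_verify "$1" noise           # must now fail with "certificate revoked"
}
ca_demo "$(mktemp -d)" && echo "CA demo passed"
```

Run it against a throwaway directory; after the CRL is published the last `openssl verify` is expected to fail with `certificate revoked`, and index.txt shows the entry flagged `R`.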

 

 

 

  

Original source: https://www.cnblogs.com/noise/p/14749114.html