#######################################################################
Self-built CA ===========>centos7==========>DIR:/etc/pki/CA
(DN entered at the openssl req prompts when the self-signed CA certificate is generated)
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WUHAN
Locality Name (eg, city) [Default City]:JIANGXIA
Organization Name (eg, company) [Default Company Ltd]:CA.jack.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:JACK WANG
Email Address []:wang2891135657@163.com
#######################################################################
openssl config file: /etc/pki/tls/openssl.cnf (its [ ca ] section sets dir, database, serial, crlnumber, the default DN policy and the CRL lifetime for the CA and its revocation list)
touch index.txt (create the index database: one line per issued certificate with status V/R, expiry, serial and subject)
echo 01 > serial (set the initial certificate serial number; openssl ca increments it after each issue)
(umask 066;openssl genrsa -out private/cakey.pem 2048) generate the CA private key (umask 066 gives the file mode 0600; this key signs every certificate and CRL, so it must stay readable by root only on the CA host)
openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
# generate the self-signed CA certificate from the private key (-x509 turns the request into a certificate; the DN prompts are the ones shown above; 3650 days = 10 years)
openssl x509 -in cacert.pem -noout -text (view the CA certificate; it can also be copied to Windows and opened there after renaming the extension to .crt)
# receive the applicant's request
# in the original notes the applicant's private key was sent here and the CSR was built on the CA. That is wrong: a private key must never leave the host it belongs to. Run the next command on the applicant's host with its own wh5003.com.key and send only the resulting .csr file to the CA.
openssl req -new -key /root/.ssh/wh5003.com.key -out wh5003.com.csr (generate a certificate signing request with the applicant's private key)
openssl ca -in wh5003.com.csr -out certs/wh5003.com.crt -days 710 (sign the request and issue a certificate valid for 710 days; under the default policy_match the request's C, ST and O must equal the CA's; openssl ca asks twice for confirmation, then files a copy as newcerts/<serial>.pem and records it in index.txt. For a TLS server certificate the CN should be the hostname, wh5003.com, not a person's name, and current browsers also require a subjectAltName)
openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (view the serial and subject of the issued certificate)
openssl ca -status 01 (view the status of serial 01)
#######################################################################
Certificate request============>centos6==========>DIR:/data/certs
(DN entered at the openssl req prompts for the applicant's CSR; C, ST and O must match the CA's because the default openssl ca policy is policy_match)
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WUHAN
Locality Name (eg, city) [Default City]:WUCHANG
Organization Name (eg, company) [Default Company Ltd]:CA.jack.com
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:JACK LIN
Email Address []:953752844@qq.com
#######################################################################
(umask 066;openssl genrsa -out wh5003.com.key 2048) applicant generates the private key (mode 0600)
scp wh5003.com.key jack7:/root/.ssh/ (as done in the notes: the private key was sent to the CA. This is the wrong file to send; generate the CSR on this host with openssl req -new -key wh5003.com.key -out wh5003.com.csr and scp only wh5003.com.csr to jack7, keeping the .key here)
#######################################################################
Install the CA certificate (into Trusted Root Certification Authorities) and the applicant's certificate on Windows to see the result; the applicant's certificate shows as trusted only once the CA certificate has been imported.
#######################################################################
Certificate revocation==========>centos7(CA)=======>DIR:/etc/pki/CA
openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (read the serial of the certificate to revoke)
openssl ca -revoke newcerts/01.pem (revoke it: the serial from the previous step selects the CA's own copy under newcerts/, and its index.txt entry changes from V to R; nothing reaches clients yet)
echo 01 > crlnumber (set the initial CRL number; required before -gencrl)
openssl ca -gencrl -out crl.pem (generate the certificate revocation list, signed with the CA key; it expires after default_crl_days, 30 in the stock openssl.cnf, so regenerate and redistribute it regularly, and a client only learns of the revocation if it actually checks this CRL)
openssl ca -status 01 (view the status of the revoked serial)
cat index.txt (view the index database)
sz crl.pem (download with lrzsz; it can also be viewed on Windows after renaming the extension to .crl)
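End-to-end run of the procedure in these notes (CA setup, issue, revoke, CRL), added here as an example; it is not part of the original notes. It builds the same directory layout in a scratch directory with its own minimal openssl.cnf, so it runs as any user without /etc/pki/CA, and it corrects the key handling: the CSR is generated beside the applicant's key and only the .csr is copied to the CA. The hostnames and DN values come from the notes; the scratch paths, the config contents, the server_cert extension section and the function names are assumptions. It also verifies the issued certificate against the CA with and without the CRL, which the notes only do by eye on Windows.

```shell
#!/bin/sh
# Added example (not from the original notes): the notes' CA layout rebuilt in a
# scratch directory with its own minimal openssl.cnf, so it runs without
# /etc/pki/CA. Unlike the notes, the CSR is made next to the applicant's key and
# only the .csr crosses to the CA. Hostnames/DNs are from the notes; paths are assumed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/CA"          # stands in for /etc/pki/CA on the CA host (jack7)
APPDIR="$WORK/applicant"  # stands in for /data/certs on the applicant host

setup_ca() {
  mkdir -p "$CADIR/certs" "$CADIR/crl" "$CADIR/newcerts" "$CADIR/private"
  touch "$CADIR/index.txt"        # issued-certificate database
  echo 01 > "$CADIR/serial"       # next certificate serial
  echo 01 > "$CADIR/crlnumber"    # next CRL number, needed by -gencrl
  # Trimmed equivalent of the [ ca ] part of /etc/pki/tls/openssl.cnf.
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $CADIR/index.txt
new_certs_dir    = $CADIR/newcerts
certificate      = $CADIR/cacert.pem
private_key      = $CADIR/private/cakey.pem
serial           = $CADIR/serial
crlnumber        = $CADIR/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ server_cert ]
# set by the CA, not copied from the CSR, so a requester cannot ask for CA:TRUE
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:wh5003.com
EOF
  (umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$CADIR/private/cakey.pem" -days 3650 \
    -config "$CADIR/openssl.cnf" -extensions v3_ca \
    -subj "/C=CN/ST=WUHAN/L=JIANGXIA/O=CA.jack.com/CN=JACK WANG" -out "$CADIR/cacert.pem"
}
# Applicant: key and CSR made here; C, ST, O must equal the CA's (policy_match),
# CN is the hostname. Only the CSR is copied over; the .key stays at mode 0600.
make_csr() {
  mkdir -p "$APPDIR"
  (umask 066; openssl genrsa -out "$APPDIR/wh5003.com.key" 2048 2>/dev/null)
  openssl req -new -key "$APPDIR/wh5003.com.key" -config "$CADIR/openssl.cnf" \
    -subj "/C=CN/ST=WUHAN/L=WUCHANG/O=CA.jack.com/OU=IT/CN=wh5003.com" -out "$APPDIR/wh5003.com.csr"
  cp "$APPDIR/wh5003.com.csr" "$CADIR/wh5003.com.csr"   # the scp step
}
# CA: sign; the cert is also filed as newcerts/<serial>.pem and logged in index.txt.
sign_csr() {
  openssl ca -batch -notext -config "$CADIR/openssl.cnf" -extensions server_cert \
    -in "$CADIR/wh5003.com.csr" -out "$CADIR/certs/wh5003.com.crt" -days 710
}
# Status column of the last index.txt entry: V (valid) or R (revoked).
cert_state() { cut -f1 "$CADIR/index.txt" | tail -n 1; }
# Chains to cacert.pem? Stays true after revocation: only the CRL carries that fact.
chain_ok() {
  openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/wh5003.com.crt" >/dev/null 2>&1
}
# Same check with the CRL consulted; fails once the serial is listed.
not_revoked() {
  cat "$CADIR/cacert.pem" "$CADIR/crl.pem" > "$WORK/ca_and_crl.pem"
  openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$CADIR/certs/wh5003.com.crt" >/dev/null 2>&1
}
# Revoke by the serial read from the certificate, then publish a fresh CRL.
revoke_and_crl() {
  serial=$(openssl x509 -in "$CADIR/certs/wh5003.com.crt" -noout -serial | cut -d= -f2)
  openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/newcerts/$serial.pem"
  openssl ca -config "$CADIR/openssl.cnf" -gencrl -out "$CADIR/crl.pem"
}
demo() {
  setup_ca; make_csr; sign_csr
  echo "issued : state=$(cert_state) chain_ok=$(chain_ok && echo yes || echo no)"
  revoke_and_crl
  echo "revoked: state=$(cert_state) not_revoked=$(not_revoked && echo yes || echo no)"
}
case "${1:-}" in demo) demo ;; esac   # run as: sh ca_demo.sh demo
```

Run it as sh ca_demo.sh demo (file name assumed). After issue, both checks pass; after revoke_and_crl the plain chain check still passes while the -crl_check one fails, which is the point of the CRL step: the signature on a revoked certificate stays valid, and a client that never fetches the CRL keeps trusting it.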
######################################################################
[20:43:05-root@jack7 CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── wh5003.com.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
├── serial.old
└── wh5003.com.csr