Building your own CA and revoking certificates

#######################################################################
Build the CA ===========>centos7==========>DIR:/etc/pki/CA

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WUHAN
Locality Name (eg, city) [Default City]:JIANGXIA
Organization Name (eg, company) [Default Company Ltd]:CA.jack.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:JACK WANG
Email Address []:wang2891135657@163.com
#######################################################################
openssl configuration file: /etc/pki/tls/openssl.cnf (settings for certificates and the revocation list)
touch index.txt (create the index database, which records the issued certificates)
echo 01 > serial (set the initial certificate serial number)
(umask 066;openssl genrsa -out private/cakey.pem 2048) generate the CA private key
openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
#generate the self-signed CA certificate from the private key
openssl x509 -in cacert.pem -noout -text (view the CA certificate; it can also be sent to Windows and viewed there after renaming the extension to .crt)

#receive the applicant's private key
openssl req -new -key /root/.ssh/wh5003.com.key -out wh5003.com.csr (generate the certificate request from the applicant's private key)
openssl ca -in wh5003.com.csr -out certs/wh5003.com.crt -days 710 (issue the applicant a certificate valid for 710 days)
openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (view the serial number and subject of the issued certificate)
openssl ca -status 01 (check the status of serial 01)

#######################################################################
Certificate request============>centos6==========>DIR:/data/certs

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WUHAN
Locality Name (eg, city) [Default City]:WUCHANG
Organization Name (eg, company) [Default Company Ltd]:CA.jack.com
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:JACK LIN
Email Address []:953752844@qq.com

#######################################################################
(umask 066;openssl genrsa -out wh5003.com.key 2048) the applicant generates its private key
scp wh5003.com.key jack7:/root/.ssh/ send it to the CA

#######################################################################
Install the CA certificate and the applicant's certificate on Windows to view the result.
#######################################################################

#######################################################################
Certificate revocation==========>centos7(CA)=======>DIR:/etc/pki/CA

openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (look up the serial number of the certificate to revoke)
openssl ca -revoke newcerts/01.pem (revoke the certificate and check the revocation details it reports)
echo 01 > crlnumber (set the initial CRL number)
openssl ca -gencrl -out crl.pem (generate the certificate revocation list)
openssl ca -status 01 (check the status of the revoked serial number)
cat index.txt (view the index database)
sz crl.pem (can also be viewed on Windows after renaming the extension to .crl)
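The three stages above (build the CA, issue the applicant's certificate, revoke it and publish the CRL) as one added example script, not the page's own script: it runs in a scratch directory with its own minimal ca.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, and checks with openssl verify that the certificate passes before revocation and is rejected afterwards. Unlike the page, it keeps the applicant's private key on the applicant side and hands the CA only the CSR, which is the usual practice; the CA/ and applicant/ layout under the scratch directory is this script's assumption.

```shell
#!/bin/bash
# Added example, not the page's script: the page's CA workflow in a scratch dir with its
# own minimal ca.cnf. Names come from the page; the CA/ and applicant/ layout is assumed.
set -e
check_cert() {  # OK while the cert chains to cacert.pem and is not listed in crl.pem
  openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" \
    "$1/certs/wh5003.com.crt" >/dev/null 2>&1 && echo OK || echo REVOKED
}
ca_demo() {  # $1 = empty scratch dir; prints the cert's status before and after revocation
  local ca="$1/CA" app="$1/applicant"; mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private" "$app"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"; echo 01 > "$ca/crlnumber"
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = any_dn
x509_extensions = leaf
[ any_dn ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
  (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$ca/ca.cnf" -key "$ca/private/cakey.pem" -subj "/CN=CA.jack.com" -days 3650 -out "$ca/cacert.pem"
  # applicant side: the private key stays in $app; only the CSR is handed to the CA
  (umask 066; openssl genrsa -out "$app/wh5003.com.key" 2048 2>/dev/null)
  openssl req -new -config "$ca/ca.cnf" -key "$app/wh5003.com.key" -subj "/CN=wh5003.com" -out "$ca/wh5003.com.csr"
  openssl ca -config "$ca/ca.cnf" -batch -notext -days 710 -in "$ca/wh5003.com.csr" -out "$ca/certs/wh5003.com.crt" 2>/dev/null
  openssl ca -config "$ca/ca.cnf" -gencrl -out "$ca/crl.pem" 2>/dev/null
  echo "before: $(check_cert "$ca")"
  openssl ca -config "$ca/ca.cnf" -revoke "$ca/newcerts/01.pem" 2>/dev/null
  openssl ca -config "$ca/ca.cnf" -gencrl -out "$ca/crl.pem" 2>/dev/null
  echo "after: $(check_cert "$ca")"
}
```

Run it with `ca_demo "$(mktemp -d)"`; it prints `before: OK` and then `after: REVOKED`, and the scratch directory ends up with the same index.txt, serial, crlnumber, newcerts/01.pem and crl.pem files the tree listing below shows for /etc/pki/CA.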

######################################################################
[20:43:05-root@jack7 CA]#tree /etc/pki/CA/

/etc/pki/CA/
├── cacert.pem
├── certs
│   └── wh5003.com.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
├── serial.old
└── wh5003.com.csr
