Steps on the requester's side (this part exercises the CA's issuance process):
1. Generate a private key:
openssl genrsa 1024 > private.key    # generates a private key and saves it to the file private.key
or: openssl genrsa -out private.key 1024
1024: the length of the generated RSA key in bits
Derive the public key from the private key:
openssl rsa -in private.key -pubout > public.key    # writes the public key to the file public.key
Create a certificate signing request:
openssl req -new -key private.key -out my.csr
(you are prompted for the requester's details)
Country Name (2 letter code) [GB]: #country
State or Province Name (full name) [Berkshire]: #state or province
Locality Name (eg, city) [Newbury]: #city
Organization Name (eg, company) [My Company Ltd]: #organization or company name
Organizational Unit Name (eg, section) []: #department within the company
Common Name (eg, your name or your server's hostname) []: #server hostname or personal name
Email Address []: #e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #password attached to the certificate request
An optional company name []: #leave empty
2. Once the fields above are filled in, the certificate signing request file my.csr is created.
Then send my.csr to the CA and place it under /dir_name:
scp my.csr <CA hostname or IP address>:/dir_name
The file my.csr now arrives in the /dir_name directory on the CA.
Configuring the CA
3. Set the machine up as a CA:
cd /etc/pki/tls
vim openssl.cnf
Locate the [ CA_default ] section:
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
Save and exit.
Then change into the ../CA directory:
mkdir certs crl newcerts
touch index.txt serial
echo 00 > serial
4. Create the CA's own certificate: before a CA can issue certificates to others, it needs a certificate of its own.
cd private
openssl genrsa 1024 > cakey.pem
Generate the self-signed certificate:
cd ..
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
(you are prompted for the CA's details)
Country Name (2 letter code) [GB]: #country
State or Province Name (full name) [Berkshire]: #state or province
Locality Name (eg, city) [Newbury]: #city
Organization Name (eg, company) [My Company Ltd]: #organization or company name
Organizational Unit Name (eg, section) []: #department within the company
Common Name (eg, your name or your server's hostname) []: #server hostname or personal name
Email Address []: #e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #password attached to the certificate request
An optional company name []: #leave empty
5. cd /dir_name
Issue the certificate to the requester:
openssl ca -in my.csr -out my.crt
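The whole procedure above, run end to end without prompts so it can be checked: the script below is an added example, not part of the original text. It assumes the openssl CLI is installed; the throwaway directory, the subjects, the 2048-bit key size and the minimal openssl.cnf it writes are constructed for this demo, and it finishes by verifying the issued certificate against the CA certificate, which is the check the requester should do on what comes back.

```shell
# Added example: runs the CA setup, CSR and issuance from the text in a temp
# directory. Assumes the openssl CLI; paths, subjects and config are constructed.
ca_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    work=$(mktemp -d) || return 1
    ca="$work/CA"; cfg="$ca/openssl.cnf"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" || return 1
    : > "$ca/index.txt"      # empty issuance database
    echo 01 > "$ca/serial"   # first serial number to issue (the text uses 00)
    # [CA_default] mirrors the fields edited in the text; the rest is the minimum
    # that openssl ca / req need when not relying on the system openssl.cnf.
    cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    # CA side: private key and self-signed CA certificate (2048-bit RSA, not 1024)
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -config "$cfg" -extensions v3_ca -days 365 \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" -subj "/CN=Demo CA" || return 1
    # Requester side: private key and CSR (a local file stands in for the scp step)
    openssl genrsa -out "$work/private.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$cfg" -key "$work/private.key" \
        -out "$work/my.csr" -subj "/CN=demo.example" || return 1
    # CA signs with -batch (no prompts); the requester then verifies the chain
    openssl ca -batch -config "$cfg" -in "$work/my.csr" -out "$work/my.crt" 2>/dev/null || return 1
    openssl verify -CAfile "$ca/cacert.pem" "$work/my.crt" >/dev/null || return 1
    rm -rf "$work" && echo OK
}
```

Running ca_demo prints OK only if every step, including the final openssl verify, succeeded.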