在CentOS8上实现私有CA和证书申请和吊销

1 创建CA相关目录和文件

[root@CA ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory ‘/etc/pki/CA’
mkdir: created directory ‘/etc/pki/CA/certs’
mkdir: created directory ‘/etc/pki/CA/crl’
mkdir: created directory ‘/etc/pki/CA/newcerts’
mkdir: created directory ‘/etc/pki/CA/private’
[root@CA ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

[root@CA ~]#touch /etc/pki/CA/index.txt
[root@CA ~]#echo 0F > /etc/pki/CA/serial

index.txt(证书数据库)和 serial(下一张证书的十六进制序列号,这里写入 0F)在颁发证书时需要使用;如果不存在,会出现以下错误提示:

[root@CA ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such 
file:crypto/bio/bss_file.c:79:

[root@CA ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:

2 创建CA的私钥

[root@CA ~]#cd /etc/pki/CA/
[root@CA CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................+++++
..............+++++
e is 65537 (0x010001)
[root@CA CA]#tree 
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@CA CA]#ll private/
total 4
-rw------- 1 root root 1679 Jul 25 22:58 cakey.pem
[root@CA CA]#cat private/cakey.pem 
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

3 给CA颁发自签名证书

[root@CA CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:jiang         
Organizational Unit Name (eg, section) []:devpos
Common Name (eg, your name or your server's hostname) []:ca.jiang.com
Email Address []:
[root@CA CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

[root@CA CA]#cat /etc/pki/CA/cacert.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

#查看自签的证书
[root@CA CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            22:94:e0:db:38:61:47:01:ef:b6:98:e4:5c:f7:61:94:15:d1:32:bb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = hunan, L = changsha, O = jiang, OU = devpos, CN = ca.jiang.com
        Validity
            Not Before: Jul 25 15:02:13 2021 GMT
            Not After : Jul 23 15:02:13 2031 GMT
        Subject: C = CN, ST = hunan, L = changsha, O = jiang, OU = devpos, CN = ca.jiang.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b2:f5:9e:1d:c9:33:42:dc:74:df:ee:cc:64:82:
                    47:28:60:bf:39:c7:8f:f3:5b:00:6d:65:83:e2:c9:
                    da:27:b3:fa:1c:f0:64:65:67:39:a0:4c:85:8e:f7:
                    43:9f:f8:7c:b8:9c:2b:b1:9b:c2:2e:a9:f6:3b:b8:
                    d2:1f:29:33:b5:7f:b5:25:57:ba:4f:02:52:78:b9:
                    f4:f4:21:29:cd:a3:8a:2f:14:4a:da:9d:21:52:c7:
                    e1:f8:e5:ea:0d:c6:c4:bf:57:e7:96:90:a1:dd:58:
                    6a:de:f4:39:69:c0:b9:e4:08:37:58:66:3c:4b:aa:
                    9f:07:6d:18:ac:09:67:67:8f:b7:90:2a:60:cc:ad:
                    b2:6a:74:fa:f5:6f:6b:c3:92:b2:98:e9:a9:8a:de:
                    c0:e6:0e:30:bf:ab:41:ac:df:06:33:c6:3f:cb:5c:
                    46:a3:04:7d:0e:68:e0:2b:77:7e:70:3e:06:0e:aa:
                    23:c7:e0:0c:0d:af:71:73:e3:0f:fc:3d:ea:dc:f8:
                    5c:a4:bb:4a:f0:a8:9c:8e:14:be:47:41:cb:ea:cd:
                    28:f6:43:4a:80:21:20:75:fa:ef:4b:cf:a3:0a:d7:
                    5e:7b:1b:50:9b:3f:20:7a:4d:84:0c:18:15:33:96:
                    a0:c1:80:68:a4:ac:5f:da:e7:01:55:13:78:68:16:
                    d1:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                2F:66:3A:90:DF:87:07:36:C2:86:33:1F:30:0E:E7:8D:A1:7D:F5:4E
            X509v3 Authority Key Identifier: 
                keyid:2F:66:3A:90:DF:87:07:36:C2:86:33:1F:30:0E:E7:8D:A1:7D:F5:4E

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         98:1a:98:70:8c:f6:5a:69:2b:34:c0:84:a6:ab:91:2d:10:52:
         20:5b:9b:e1:bd:05:cb:dc:8d:ff:e9:cd:2d:c6:86:b2:66:bf:
         93:f9:a5:50:bc:b7:ed:1a:e1:b9:95:30:9d:ee:b2:d4:c0:f9:
         44:c2:f0:44:03:3d:c8:56:7d:35:33:81:d1:f2:87:5a:50:f8:
         b7:5b:b9:6c:10:78:2a:bd:85:8d:bb:cd:51:0a:bf:2a:0a:47:
         c5:dd:67:23:01:15:7d:e0:3b:67:91:15:ed:af:8b:26:55:ff:
         36:cb:58:b1:e1:91:b4:3d:28:1a:78:f6:00:ff:b5:2a:ed:c1:
         19:2e:5d:77:57:33:d6:63:3e:f8:8b:af:57:0b:21:79:05:5a:
         4c:f3:6a:a8:65:e7:23:82:bb:b3:37:b9:a1:dd:2d:b9:cc:f1:
         e7:16:3b:9a:d2:49:61:3e:86:5d:e7:22:12:12:af:02:4a:d5:
         f2:5c:1c:07:9c:5e:32:6e:d3:b5:af:9b:bb:db:b1:d3:d3:8b:
         45:d4:32:97:b8:8f:a0:f0:e6:ba:95:b2:f5:4e:7b:1e:59:e7:
         2d:f5:46:f1:98:bd:1d:19:c7:4e:76:e0:8f:25:bb:72:b2:d5:
         f7:79:67:8f:92:69:66:59:1d:78:d4:75:f6:eb:a1:5b:b2:4a:
         61:c8:65:de
[root@CA CA]#sz /etc/pki/CA/cacert.pem 
#将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt,双击可以看到下面显示


4 用户生成私钥和证书申请

[root@client ~]#mkdir /data/app1

#生成私钥文件(在子 shell 中设置 umask 066,使生成的私钥权限为 600,且不改变当前 shell 的 umask)
[root@client ~]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
...............+++++
e is 65537 (0x010001)
[root@client ~]#cat /data/app1/app1.key 
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAxq183PgxD3cB9coDmAf+IS40GPA+NbnOfOFYMxBepWnSDBA1
ilXBdbTitkalx38JBmRoMvvgYNNMli0ncYAN6udJvSw9EVP3a4FCBnjcEzr4+WIH
CiavIhVhUNylfj+4G5bIKbxt9ff1En688l4XkrU/AAnzU1hd0kXID5/fKvoMY/0q
5iBfKgBu6b1nwKhaNpvjuPn+jM7PSyTaUWQ8MjYEERxZuuVvKy40V8a+hB70ROVO
ytgXjWxjqRG4hE9/hc8O8KoSEmIj2UplEoMxempD0y13+ACZmCZ75o6FvfOsW7cb
s+uIqFQ30zF2LO6AwcFt2PF/KkwRtrCJs4HRzwIDAQABAoIBAQCYqXpGeNeJ4JI7
AS1dxtZ5PH1/pCrJMar+vlD9e9ieFf/2kQXy9A4hmgq***p1fqG6rbB7bJtvCy3Q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-----END RSA PRIVATE KEY-----

#生成证书申请文件
[root@client ~]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hunan
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:jiang   
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.liu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@client ~]#ll /data/app1/
total 8
-rw-r--r-- 1 root root  997 Jul 25 23:11 app1.csr
-rw------- 1 root root 1679 Jul 25 23:08 app1.key

默认策略要求证书申请中的三项内容必须和 CA 证书一致:国家、省份、组织;如果不同,会出现下面的提示:
[root@CA CA]#openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (beijing) and the request (hubei)

5 CA颁发证书

[root@client ~]#scp /data/app1/app1.csr 10.0.0.146:/root

[root@CA ~]#openssl ca -in /root/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Jul 25 15:18:46 2021 GMT
            Not After : Apr 20 15:18:46 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hunan
            organizationName          = jiang
            organizationalUnitName    = it
            commonName                = app1.liu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9E:EB:5C:04:0C:DD:20:80:64:0E:99:66:74:39:92:3A:54:72:FB:BE
            X509v3 Authority Key Identifier: 
                keyid:2F:66:3A:90:DF:87:07:36:C2:86:33:1F:30:0E:E7:8D:A1:7D:F5:4E

Certificate is to be certified until Apr 20 15:18:46 2024 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@CA ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

6 查看证书

[root@CA ~]#cat /etc/pki/CA/certs/app1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=hunan, L=changsha, O=jiang, OU=devpos, CN=ca.jiang.com
        Validity
            Not Before: Jul 25 15:18:46 2021 GMT
            Not After : Apr 20 15:18:46 2024 GMT
        Subject: C=CN, ST=hunan, O=jiang, OU=it, CN=app1.liu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c6:ad:7c:dc:f8:31:0f:77:01:f5:ca:03:98:07:
                    fe:21:2e:34:18:f0:3e:35:b9:ce:7c:e1:58:33:10:
                    5e:a5:69:d2:0c:10:35:8a:55:c1:75:b4:e2:b6:46:
                    a5:c7:7f:09:06:64:68:32:fb:e0:60:d3:4c:96:2d:
                    27:71:80:0d:ea:e7:49:bd:2c:3d:11:53:f7:6b:81:
                    42:06:78:dc:13:3a:f8:f9:62:07:0a:26:af:22:15:
                    61:50:dc:a5:7e:3f:b8:1b:96:c8:29:bc:6d:f5:f7:
                    f5:12:7e:bc:f2:5e:17:92:b5:3f:00:09:f3:53:58:
                    5d:d2:45:c8:0f:9f:df:2a:fa:0c:63:fd:2a:e6:20:
                    5f:2a:00:6e:e9:bd:67:c0:a8:5a:36:9b:e3:b8:f9:
                    fe:8c:ce:cf:4b:24:da:51:64:3c:32:36:04:11:1c:
                    59:ba:e5:6f:2b:2e:34:57:c6:be:84:1e:f4:44:e5:
                    4e:ca:d8:17:8d:6c:63:a9:11:b8:84:4f:7f:85:cf:
                    0e:f0:aa:12:12:62:23:d9:4a:65:12:83:31:7a:6a:
                    43:d3:2d:77:f8:00:99:98:26:7b:e6:8e:85:bd:f3:
                    ac:5b:b7:1b:b3:eb:88:a8:54:37:d3:31:76:2c:ee:
                    80:c1:c1:6d:d8:f1:7f:2a:4c:11:b6:b0:89:b3:81:
                    d1:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9E:EB:5C:04:0C:DD:20:80:64:0E:99:66:74:39:92:3A:54:72:FB:BE
            X509v3 Authority Key Identifier: 
                keyid:2F:66:3A:90:DF:87:07:36:C2:86:33:1F:30:0E:E7:8D:A1:7D:F5:4E

    Signature Algorithm: sha256WithRSAEncryption
         1d:81:78:c2:69:34:60:5e:93:15:41:f7:4b:e4:02:82:cf:df:
         ee:ba:8c:83:e7:2a:dd:af:1f:12:14:f5:e6:e6:85:60:66:ca:
         54:79:13:ac:40:68:35:cf:25:80:7a:27:e6:b4:e1:75:06:15:
         f1:22:4b:d3:19:60:e7:5d:48:50:ae:c2:05:e7:85:08:56:3d:
         6d:d3:eb:94:8e:aa:81:cc:fd:1b:c3:97:e2:42:8d:24:fc:8d:
         5e:8e:1f:d1:dc:98:b4:94:21:8b:1a:29:d0:a6:2d:51:fe:32:
         94:79:82:5a:a7:c2:63:67:8e:2b:94:16:e1:f0:b9:7a:ac:f1:
         6b:ba:98:a0:70:e5:55:82:1e:5f:4c:af:b8:d9:aa:89:a2:c0:
         15:69:cf:e0:03:5a:92:57:73:70:c5:55:d0:7e:dd:4c:c8:1c:
         28:e1:92:45:2a:40:cc:ea:14:43:9d:59:f6:65:1b:2e:04:72:
         19:5d:77:27:08:50:ce:87:7e:f0:ff:0d:34:33:ed:39:91:e2:
         8e:ec:55:f7:d2:f5:b5:23:00:5b:5d:82:b1:d8:21:5b:74:6b:
         71:5e:a2:71:a5:1d:11:87:76:06:f6:24:09:90:36:34:1d:c9:
         23:4f:0d:75:67:d8:bf:45:f8:f6:1b:61:08:fd:19:b3:4b:ba:
         25:95:c6:6c
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@CA ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = hunan, L = changsha, O = jiang, OU = devpos, CN = ca.jiang.com
        Validity
            Not Before: Jul 25 15:18:46 2021 GMT
            Not After : Apr 20 15:18:46 2024 GMT
        Subject: C = CN, ST = hunan, O = jiang, OU = it, CN = app1.liu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c6:ad:7c:dc:f8:31:0f:77:01:f5:ca:03:98:07:
                    fe:21:2e:34:18:f0:3e:35:b9:ce:7c:e1:58:33:10:
                    5e:a5:69:d2:0c:10:35:8a:55:c1:75:b4:e2:b6:46:
                    a5:c7:7f:09:06:64:68:32:fb:e0:60:d3:4c:96:2d:
                    27:71:80:0d:ea:e7:49:bd:2c:3d:11:53:f7:6b:81:
                    42:06:78:dc:13:3a:f8:f9:62:07:0a:26:af:22:15:
                    61:50:dc:a5:7e:3f:b8:1b:96:c8:29:bc:6d:f5:f7:
                    f5:12:7e:bc:f2:5e:17:92:b5:3f:00:09:f3:53:58:
                    5d:d2:45:c8:0f:9f:df:2a:fa:0c:63:fd:2a:e6:20:
                    5f:2a:00:6e:e9:bd:67:c0:a8:5a:36:9b:e3:b8:f9:
                    fe:8c:ce:cf:4b:24:da:51:64:3c:32:36:04:11:1c:
                    59:ba:e5:6f:2b:2e:34:57:c6:be:84:1e:f4:44:e5:
                    4e:ca:d8:17:8d:6c:63:a9:11:b8:84:4f:7f:85:cf:
                    0e:f0:aa:12:12:62:23:d9:4a:65:12:83:31:7a:6a:
                    43:d3:2d:77:f8:00:99:98:26:7b:e6:8e:85:bd:f3:
                    ac:5b:b7:1b:b3:eb:88:a8:54:37:d3:31:76:2c:ee:
                    80:c1:c1:6d:d8:f1:7f:2a:4c:11:b6:b0:89:b3:81:
                    d1:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9E:EB:5C:04:0C:DD:20:80:64:0E:99:66:74:39:92:3A:54:72:FB:BE
            X509v3 Authority Key Identifier: 
                keyid:2F:66:3A:90:DF:87:07:36:C2:86:33:1F:30:0E:E7:8D:A1:7D:F5:4E

    Signature Algorithm: sha256WithRSAEncryption
         1d:81:78:c2:69:34:60:5e:93:15:41:f7:4b:e4:02:82:cf:df:
         ee:ba:8c:83:e7:2a:dd:af:1f:12:14:f5:e6:e6:85:60:66:ca:
         54:79:13:ac:40:68:35:cf:25:80:7a:27:e6:b4:e1:75:06:15:
         f1:22:4b:d3:19:60:e7:5d:48:50:ae:c2:05:e7:85:08:56:3d:
         6d:d3:eb:94:8e:aa:81:cc:fd:1b:c3:97:e2:42:8d:24:fc:8d:
         5e:8e:1f:d1:dc:98:b4:94:21:8b:1a:29:d0:a6:2d:51:fe:32:
         94:79:82:5a:a7:c2:63:67:8e:2b:94:16:e1:f0:b9:7a:ac:f1:
         6b:ba:98:a0:70:e5:55:82:1e:5f:4c:af:b8:d9:aa:89:a2:c0:
         15:69:cf:e0:03:5a:92:57:73:70:c5:55:d0:7e:dd:4c:c8:1c:
         28:e1:92:45:2a:40:cc:ea:14:43:9d:59:f6:65:1b:2e:04:72:
         19:5d:77:27:08:50:ce:87:7e:f0:ff:0d:34:33:ed:39:91:e2:
         8e:ec:55:f7:d2:f5:b5:23:00:5b:5d:82:b1:d8:21:5b:74:6b:
         71:5e:a2:71:a5:1d:11:87:76:06:f6:24:09:90:36:34:1d:c9:
         23:4f:0d:75:67:d8:bf:45:f8:f6:1b:61:08:fd:19:b3:4b:ba:
         25:95:c6:6c
[root@CA ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = hunan, L = changsha, O = jiang, OU = devpos, CN = ca.jiang.com
[root@CA ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = hunan, O = jiang, OU = it, CN = app1.liu.com
[root@CA ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Jul 25 15:18:46 2021 GMT
notAfter=Apr 20 15:18:46 2024 GMT
[root@CA ~]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F

#按序列号查询证书在 CA 数据库(index.txt)中的状态,验证其有效性
[root@CA ~]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)

[root@CA ~]#cat /etc/pki/CA/index.txt
V   240420151846Z       0F  unknown /C=CN/ST=hunan/O=jiang/OU=it/CN=app1.liu.com
[root@CA ~]#cat /etc/pki/CA/index.txt.old
[root@CA ~]#cat /etc/pki/CA/serial
10
[root@CA ~]#cat /etc/pki/CA/serial.old 
0F

[root@CA ~]#sz /etc/pki/CA/certs/app1.crt 


7 将证书相关文件发送到用户端使用

[root@CA ~]#scp /etc/pki/CA/certs/app1.crt 10.0.0.147:/data/app1

[root@client ~]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files

8 证书的信任

默认生成的证书在 Windows 上是不被信任的,因为签发它的私有 CA 证书(cacert.pem)尚未导入系统的受信任根证书颁发机构;可以通过下面的操作导入 cacert.pem 实现信任
打开 Internet 属性

9 证书的吊销

[root@CA ~]#openssl ca -revoke /etc/pki/CA/newcerts/0F.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated

[root@CA ~]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)

[root@CA ~]#cat /etc/pki/CA/index.txt
R   240420151846Z   210725154004Z   0F  unknown /C=CN/ST=hunan/O=jiang/OU=it/CN=app1.liu.com

10 生成证书吊销列表文件

[root@CA ~]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140334684034880:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140334684034880:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

[root@CA ~]#echo 01 > /etc/pki/CA/crlnumber
[root@CA ~]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

[root@CA ~]#cat /etc/pki/CA/crlnumber
02
[root@CA ~]#cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----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-----END X509 CRL-----

[root@CA ~]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = hunan, L = changsha, O = jiang, OU = devpos, CN = ca.jiang.com
        Last Update: Jul 25 15:44:07 2021 GMT
        Next Update: Aug 24 15:44:07 2021 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 0F
        Revocation Date: Jul 25 15:40:04 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
         31:8a:e4:e6:ec:6b:02:dc:d7:45:3c:64:a9:81:ce:fb:5d:1c:
         02:dc:fb:a7:81:ab:66:4c:05:ca:c8:1f:de:cd:4a:26:cd:7a:
         7d:69:6f:a6:35:34:45:57:04:b7:f8:56:b4:b0:7b:96:bd:c2:
         db:e5:96:f6:90:ff:05:91:ad:86:3b:9c:6d:cf:5a:a8:cb:26:
         b1:a5:7e:1e:26:b6:16:9e:f1:9e:58:57:c3:77:38:d7:59:25:
         9f:3a:c0:42:3c:cc:fa:2a:c6:fc:0a:49:32:8e:16:32:01:5e:
         95:69:51:2e:99:81:0f:f4:cf:9f:80:cf:8e:47:48:b4:c9:43:
         5b:36:aa:b8:55:46:e7:87:73:02:aa:42:05:b6:df:ef:87:4b:
         69:d0:ba:76:62:b2:72:54:00:17:97:4e:38:a7:7c:fb:41:93:
         21:dd:de:11:98:d2:0c:e5:cb:e5:3e:82:3f:90:e9:0a:bb:84:
         4b:dd:0e:55:53:cb:83:9e:67:2a:e8:70:81:1b:57:98:11:01:
         f2:38:0d:92:68:fe:4b:93:e5:98:57:96:6f:6f:b8:f0:34:75:
         9b:44:64:cf:0e:1f:52:19:16:15:32:a1:e1:03:c0:b3:bc:d0:
         10:80:23:2e:a7:c0:d2:6a:0e:3a:15:2e:f9:ca:03:37:fd:0a:
         36:f5:33:21
[root@CA ~]#sz /etc/pki/CA/crl.pem
#将此文件crl.pem传到windows上并改后缀为crl.pem.crl,双击可以查看以下显示。客户端只有获取并检查该 CRL,才能知道序列号 0F 的证书已被吊销

