第一部分,配置CA的工作环境

1、 配置CA工作配置文件

vim /etc/pki/tls/openssl.cnf 

[ CA_default ] # CA的配置信息

dir             = /etc/pki/CA           # Where everything is kept ,CA的工作目录
certs           = $dir/certs            # Where the issued certs are kept, 证书的保持目录
crl_dir         = $dir/crl              # Where the issued crl are kept ,证书吊销目录
database        = $dir/index.txt        # database index file.,证书的列表
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate ,CA自己的证书,非常重要
serial          = $dir/serial           # The current serial number ,签署的证书的序列号
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL  ,
private_key     = $dir/private/cakey.pem# The private key ,CA自己的私钥,非常重要
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

[ req_distinguished_name ]  #请求者的默认信息,主机名和邮件不会默认
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default    = GD

localityName                    = Locality Name (eg, city)
localityName_default            = SHENZHEN

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = SZXX

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default =  TECH

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

2、生成CA的私钥

cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048)  # 生成一个私钥 

# ls private/
cakey.pem

openssl rsa -in cakey.pem  -pubout # 从私钥中提取公钥

3、根据私钥生成CA自己的证书

 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365  # 加上-x509 参数用来生成一个自签证书
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [shengzhen]:
Organization Name (eg, company) [SZXX]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:ca.fish.com  -- 这个名字非常重要,跟主机名或者DNS保持一致
Email Address []:[email protected]

# openssl x509 -text -in private/cakey.pem    -- 查看证书中的信息

4、创建颁发证书时工作的目录和文件

mkdir certs  crl newcerts
touch index.txt
echo 01 > serial

# tree .
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
├── serial

第二部分,准备客户端签发的证书请求

1、客户端生成私钥

mkdir /etc/httpd/ssl
cd /etc/httpd/ssl

(umask 077; openssl genrsa -out httpd.key 1024) 

2、客户端生成证书请求

# openssl req -new -key httpd.key -out httpd.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [shengzhen]:
Organization Name (eg, company) [SZXX]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:www.fish.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3、CA 根据证书申请请求办法证书,此时客户端的证书请求一般是拷贝到CA服务器上的

openssl ca -in httpd.csr -out http.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 29 14:33:26 2019 GMT
            Not After : May 28 14:33:26 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = SZXX
            organizationalUnitName    = IT
            commonName                = www.fish.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F6:61:F0:99:90:29:F7:66:5E:55:F9:D1:D0:7F:58:14:CA:53:0A:72
            X509v3 Authority Key Identifier: 
                keyid:88:A4:07:29:65:16:7D:A0:87:26:B0:0D:AC:22:DB:3A:5A:12:FF:20

Certificate is to be certified until May 28 14:33:26 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# ll
total 12
-rw-r--r-- 1 root root 3840 May 29 22:34 http.crt
-rw-r--r-- 1 root root  696 May 29 22:32 httpd.csr
-rw------- 1 root root  887 May 29 22:29 httpd.key

3、此时CA的情况

# cat /etc/pki/CA/index.txt
V   200528143326Z       01  unknown /C=CN/ST=GD/O=SZXX/OU=IT/CN=www.fish.com/[email protected]

# cat /etc/pki/CA/serial
02