How does a CA self-sign its own certificate and issue certificates?

Certificate
1. CA self-signed certificate
cd /etc/pki/CA/private
Generate the key:
[root@station116 private]# openssl genrsa 2048 > ca.key
Generating RSA private key, 2048 bit long modulus
...............................+++
.......+++
e is 65537 (0x10001)
[root@station116 private]# ls
ca.key   
Change to the CA directory:
cd /etc/pki/CA
Generate the certificate:
[root@station116 CA]# openssl req -new -x509 -key ./private/ca.key -out ca.pem -days 1000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:statio.example.com
Email Address []:[email protected]
[root@station116 CA]#
[root@station116 CA]# ls
ca.pem  private   
Edit the file: vim /etc/pki/tls/openssl.cnf
Change the dir line so that the section reads as shown below:
[ CA_default ]
 
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
Run the following commands in the CA directory:
mkdir ./newcerts
touch ./{serial,index.txt}
echo "00" > serial
2. Issue certificates to users:
1) Generate the certificate with a single make command:
You must change to the /etc/pki/tls/certs/ directory before running make.
[root@station116 certs]# make my.pem
umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
        cat $PEM1 >  my.pem ; \
        echo ""    >> my.pem ; \
        cat $PEM2 >> my.pem ; \
        rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
.................................................................................................................++++++
writing new private key to '/tmp/openssl.O11114'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:[email protected]
2) Generate the certificate step by step:
  1. Generate the key:
  cd /etc/pki/tls/certs
  make my.key
[root@station116 certs]# make my.key
umask 77 ; \
        /usr/bin/openssl genrsa -des3 1024 > my.key
Generating RSA private key, 1024 bit long modulus
...................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@station116 certs]#
 
 
Or use:
[root@station116 certs]# openssl genrsa 1024 > my.key
Generating RSA private key, 1024 bit long modulus
........++++++
...........................................................++++++
e is 65537 (0x10001)
[root@station116 certs]#
 
Extract the public key:
[root@station116 certs]# openssl rsa -in my.key -pubout -out my.pubkey
writing RSA key
  2. Certificate signing request:
[root@station116 certs]# make my.csr
umask 77 ; \
        /usr/bin/openssl req -utf8 -new -key my.key -out my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:[email protected]
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhuying
An optional company name []:zhuying
[root@station116 certs]#
 
Or use the command:
[root@station116 certs]# openssl req -new -key ./my.key -out ./my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:[email protected]
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@station116 certs]#
View the contents:
[root@station116 certs]# openssl req -noout -in my.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=HA, L=ZZ, O=ZZU, OU=SI, CN=station.example.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ee:6e:1d:1e:97:9b:de:f8:d9:a4:43:b0:d3:4a:
                    4b:fd:9a:8a:5d:5f:eb:4d:79:35:43:f7:d4:a9:aa:
                    e6:52:cd:5a:a0:98:d1:19:ec:df:bb:c3:5a:4f:c7:
                    83:69:6b:e0:ff:60:a4:14:5f:ce:47:c8:37:33:ad:
                    f4:ab:3a:be:b8:93:19:cf:b4:55:2e:26:ba:28:d7:
                    09:a9:6d:cd:38:36:8d:7d:50:c9:06:5f:4b:45:8c:
                    0f:c5:b5:45:0d:53:4e:f6:63:7b:5c:35:70:3d:38:
                    66:fd:93:c1:3b:90:f2:dc:ee:48:b1:11:cc:92:f2:
                    4c:92:0c:aa:3e:28:04:14:a7
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        7d:b9:79:e7:f7:f7:24:bc:e4:e6:57:b8:84:f1:e2:92:58:19:
        b5:fd:e9:1e:86:64:57:5f:de:ab:fd:b8:d5:0e:74:1e:b8:75:
        0f:15:b8:ae:89:4a:ac:3b:e8:55:61:6f:dd:5e:84:14:11:c4:
        86:01:b8:bb:14:5b:4c:95:b6:1e:67:f2:19:8c:ab:d0:43:f6:
        b2:84:09:d7:36:29:a6:29:a7:0f:bd:6f:6a:68:f7:81:31:07:
        a8:71:df:e0:67:e6:b6:84:ee:10:53:bb:fc:5b:0b:19:b9:1e:
        73:62:9e:c4:6d:b3:97:d3:fd:12:99:b7:2a:1a:f4:a0:e3:3c:
        92:8a
[root@station116 certs]#
 
  3. Generate the certificate:
[root@station116 certs]# make my.pem
umask 77 ; \
        PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
        /usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
        cat $PEM1 >  my.pem ; \
        echo ""    >> my.pem ; \
        cat $PEM2 >> my.pem ; \
        rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
..............++++++
writing new private key to '/tmp/openssl.r11852'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:[email protected]                                   
[root@station116 certs]#
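As an added example (not part of the original post), the script below builds a scratch CA laid out like /etc/pki/CA in a temporary directory, creates a key and CSR for a user, and then issues the certificate by signing that CSR with the CA key via openssl ca, so the result verifies against ca.pem. This is the step the make my.pem shortcut above does not perform: its visible recipe runs openssl req -x509 with -set_serial 0, which produces a second self-signed certificate rather than one issued by the CA. The directory name, subjects and the minimal openssl.cnf are constructed for the demo; key sizes follow the post's CA step.

```shell
# Added example (not the post's commands): throw-away CA, CSR signed with
# "openssl ca", and a chain check. All paths/subjects are constructed for the demo.
set -e
build_ca_and_sign() {
    ca_dir=$(mktemp -d)
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    touch "$ca_dir/index.txt"
    echo "00" > "$ca_dir/serial"
    # The [ CA_default ] block the post edits, plus what "openssl ca" also needs.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/private/ca.key
serial = \$dir/serial
default_md = sha256
policy = policy_demo
x509_extensions = usr_cert
[ policy_demo ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
    # 1. CA key and self-signed CA certificate (the post's step 1, non-interactive).
    openssl genrsa -out "$ca_dir/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1000 -config "$ca_dir/openssl.cnf" -extensions v3_ca -key "$ca_dir/private/ca.key" -subj "/C=CN/O=ZZU/CN=ca.example.com" -out "$ca_dir/ca.pem"
    # 2. User key and CSR (the post's step 2).
    openssl genrsa -out "$ca_dir/my.key" 2048 2>/dev/null
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$ca_dir/my.key" -subj "/C=CN/O=ZZU/CN=station.example.com" -out "$ca_dir/my.csr"
    # 3. Issue the certificate: sign the CSR with the CA key (what "make my.pem" skips).
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -days 365 -in "$ca_dir/my.csr" -out "$ca_dir/my.crt" 2>/dev/null
    # 4. Checks: my.crt chains to ca.pem, and the CA database index.txt records it.
    openssl verify -CAfile "$ca_dir/ca.pem" "$ca_dir/my.crt" >/dev/null
    grep -q "CN=station.example.com" "$ca_dir/index.txt"
    echo "$ca_dir"
}
```

After a run, index.txt, serial and newcerts/ in the printed directory show the bookkeeping that /etc/pki/CA keeps for every certificate the CA issues.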
