Generating a CA root certificate with OpenSSL and using it to sign a certificate request produced by keytool

  1. Generate the private key [with a pass phrase; -des3 is optional, but the prompts below show it was used here]

    [root@node00 security]# openssl genrsa [-des3] -out ca.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................................+++
    ...................+++
    e is 65537 (0x10001)
    Enter pass phrase for ca.key:
    Verifying - Enter pass phrase for ca.key:
    [root@node00 security]#
    
  2. Generate the certificate signing request (CSR)

    [root@node00 security]# openssl req -new -key ca.key -out ca.csr
    Enter pass phrase for ca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GuangDong
    Locality Name (eg, city) [Default City]:ShenZhen
    Organization Name (eg, company) [Default Company Ltd]:Hinabian
    Organizational Unit Name (eg, section) []:data
    Common Name (eg, your name or your server's hostname) []:node00
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@node00 security]# 
    
  3. Self-sign the root certificate with the CA's own private key

    Note that openssl x509 -req -signkey carries nothing over from the CSR except the subject and the public key, so the root produced below has no X509v3 extensions at all: no basicConstraints CA:TRUE, no keyUsage keyCertSign, no subjectKeyIdentifier (which is also why, in step 4, the authorityKeyIdentifier of the server certificate falls back to DirName plus serial instead of a key id). OpenSSL accepts such a v1 self-signed root as a trust anchor, but it fails openssl verify -x509_strict and other strict validators; generating the root with openssl req -x509 ... -extensions v3_ca instead gives it the CA extensions defined in openssl.cnf. Also compare the lifetimes: this root is valid for 365 days while the server certificate signed in step 4 gets 3650, and a chain stops validating the moment the issuer has expired, so a root should outlive every certificate it signs.

    [root@node00 security]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
    Signature ok
    subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
    Getting Private key
    Enter pass phrase for ca.key:
    [root@node00 security]# 
    
  4. Sign the server-side certificate request with the CA root certificate

    -keyfile and -cert only override the CA key and certificate; everything else openssl ca needs (the database, the serial file, new_certs_dir, the policy and the extensions) still comes from the [ CA_default ] section of /etc/pki/tls/openssl.cnf, which points at /etc/pki/CA. The index.txt and serial files there do not exist yet, hence the two errors below.

    4.1 Create the /etc/pki/CA/index.txt file

    [root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    /etc/pki/CA/index.txt: No such file or directory
    unable to open '/etc/pki/CA/index.txt'
    140358162147216:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
    140358162147216:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    

    index.txt is the CA database: openssl ca records every certificate it issues there (status, expiry date, serial number and subject) and refuses to run without it. An empty file is all a new CA needs.

    [root@node00 CA]# touch /etc/pki/CA/index.txt
    

    4.2 Create the /etc/pki/CA/serial file

    [root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    /etc/pki/CA/serial: No such file or directory
    error while loading serial number
    140017638942608:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
    140017638942608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    [root@node00 security]#
    

    serial holds the serial number that the next issued certificate will receive, as hex with an even number of digits (hence 01, not 1); after each signing openssl ca writes the incremented value back and keeps the previous one in serial.old. Starting at 01 makes every serial predictable; for anything beyond a lab CA, seed this file with a random hex value instead.

    [root@node00 CA]# echo "01" > /etc/pki/CA/serial
    [root@node00 CA]# 
    

    4.3 Sign the server-side certificate request with the CA root certificate

    [root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    Check that the request matches the signature
    Signature ok
    The stateOrProvinceName field needed to be the same in the
    CA certificate (GuangDong) and the request (GuangDong)
    [root@node00 security]# ll
    total 12
    -rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
    -rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
    -rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
    -rw-r--r-- 1 root root    0 Oct 24 16:45 node00.pem
    drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
    [root@node00 security]# 
    

    Problem:

    The stateOrProvinceName field needed to be the same in the
    CA certificate (GuangDong) and the request (GuangDong)
    

    Cause: openssl ca compares each "match" attribute of the request with the CA certificate as a raw ASN.1 string, type included, so two values with identical text but different string types (PrintableString on one side, UTF8String on the other) are reported as different, which is exactly what the message above shows. That is the usual outcome when one DN was encoded by keytool and the other by OpenSSL; running openssl asn1parse on ca.crt and on the CSR shows the string type each one actually uses. Note also that the failed run already created an empty node00.pem (0 bytes in the listing above); the successful run overwrites it.

    Workaround used here: edit /etc/pki/tls/openssl.cnf so that these fields are no longer compared. The same effect without touching the system-wide file is to pass -policy policy_anything (a section the stock file already contains) to openssl ca, or to point -config at a private copy. Either way the CA stops constraining the requester's State and Organization, which is acceptable for a lab CA but not for one that other teams submit requests to; "supplied" (the field must be present) is a tighter choice than "optional" (the field may be missing).

    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName             = match
    #stateOrProvinceName    = match         (changed from match to optional)
    #organizationName       = match         (changed from match to optional)
    stateOrProvinceName     = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    

    Run again:

    [root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ca.key:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Oct 24 08:54:57 2018 GMT
                Not After : Oct 21 08:54:57 2028 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = GuangDong
                organizationName          = Hinabian
                organizationalUnitName    = data
                commonName                = node00
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    58:30:7D:B3:7E:85:D4:39:22:2F:B3:96:55:A3:38:68:FE:7F:03:88
                X509v3 Authority Key Identifier: 
                    DirName:/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
                    serial:E1:40:B9:DB:A9:83:F9:C3
    
    Certificate is to be certified until Oct 21 08:54:57 2028 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@node00 security]# ll
    total 20
    -rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
    -rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
    -rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
    -rw-r--r-- 1 root root 4632 Oct 24 16:55 node00.pem
    drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
    [root@node00 security]# 
    

    The signed certificate node00.pem has been issued successfully.
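    The whole procedure (steps 1 to 4, including the index.txt/serial setup and the policy question of step 4.3) as one self-contained script. This is an added example, not code from the original post: it builds the CA in a throw-away directory instead of /etc/pki/CA, gives the root CA:TRUE and keyCertSign, seeds the serial randomly, makes the root outlive the leaf, and, because the page never shows the keytool side, stands in for the keytool CSR with an OpenSSL CSR whose DN strings use a different ASN.1 string type (string_mask = pkix versus utf8only), which reproduces the "field needed to be the same" error and shows how a relaxed policy gets past it. The function names, the policy_keytool section, the pass phrase and the work directory are all this example's own inventions; the DN values and the hostname node00 come from the page. It assumes openssl 1.1.1 or later on PATH and needs no root privileges.

```shell
#!/bin/sh
# Added example, not code from the original post: the page's CA procedure as a
# private CA that needs no root and no /etc/pki/CA. Differences from the page:
# the root carries CA:TRUE/keyCertSign, the serial is random, the root lives
# longer than the leaves it signs, and the keytool CSR (not shown on the page)
# is stood in for by an OpenSSL CSR whose DN strings use a different ASN.1
# string type, which reproduces the "field needed to be the same" error.
# Assumes openssl 1.1.1+ on PATH; the pass phrase is a constructed placeholder.
set -eu
WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/ca-demo.XXXXXX")"
trap 'rm -rf "$WORKDIR"' EXIT
CA_PASS='constructed-demo-passphrase'
SUBJ='/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00'

write_ca_config() {
  mkdir -p "$WORKDIR/newcerts"
  : > "$WORKDIR/index.txt"                  # the page's "touch index.txt"
  openssl rand -hex 16 > "$WORKDIR/serial"  # random 128-bit serial instead of "01"
  cat > "$WORKDIR/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
string_mask        = utf8only             # DN strings become UTF8String
[ dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = $WORKDIR/index.txt
serial          = $WORKDIR/serial
new_certs_dir   = $WORKDIR/newcerts
certificate     = $WORKDIR/ca.crt
private_key     = $WORKDIR/ca.key
default_md      = sha256
policy          = policy_match
x509_extensions = server_cert
copy_extensions = none                    # never take extensions from a CSR blindly
unique_subject  = no
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ policy_keytool ]
countryName = match
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:node00       # hostname from the page
EOF
}

build_ca() {   # $1 = lifetime in days; steps 1-3 of the page in one req -x509 call
  write_ca_config
  openssl genrsa -aes256 -passout pass:"$CA_PASS" -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days "$1" -subj "$SUBJ" -key "$WORKDIR/ca.key" \
    -passin pass:"$CA_PASS" -config "$WORKDIR/ca.cnf" -extensions v3_ca -out "$WORKDIR/ca.crt"
}

make_csr() {   # stand-in for keytool -certreq: same DN text, PrintableString encoding
  printf '[ req ]\ndistinguished_name = dn\nstring_mask = pkix\n[ dn ]\n' > "$WORKDIR/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ" -keyout "$WORKDIR/node00.key" \
    -config "$WORKDIR/csr.cnf" -out "$WORKDIR/node00.csr" 2>/dev/null
}

sign_csr() {   # $1 = policy section, $2 = days, $3 = output name; returns openssl ca's status
  openssl ca -batch -notext -config "$WORKDIR/ca.cnf" -policy "$1" -days "$2" \
    -passin pass:"$CA_PASS" -in "$WORKDIR/node00.csr" -out "$WORKDIR/$3" 2>/dev/null
}

string_type_of() {   # ASN.1 string type carrying the ST value inside a PEM object
  openssl asn1parse -in "$1" | grep GuangDong | head -n 1 |
    sed -n 's/.*prim: *\([A-Z0-9]*STRING\).*/\1/p'
}

chain_valid_at() {   # $1 = days from now; succeeds if node00.pem chains to ca.crt at that time
  openssl verify -CAfile "$WORKDIR/ca.crt" -attime "$(( $(date +%s) + $1 * 86400 ))" \
    "$WORKDIR/node00.pem" >/dev/null 2>&1
}

build_ca 3650
make_csr
echo "ST is $(string_type_of "$WORKDIR/ca.crt") in ca.crt but $(string_type_of "$WORKDIR/node00.csr") in the CSR"
if sign_csr policy_match 365 strict.pem; then
  echo "policy_match accepted the request"
else
  echo "policy_match rejected it: same text, different ASN.1 string type"
fi
sign_csr policy_keytool 365 node00.pem   # 365 < 3650: the leaf never outlives its issuer
openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/node00.pem"
```

    To use it against a real keytool request, point the -in of sign_csr at the keytool CSR and keep make_csr out of the flow; string_type_of on both files tells you in advance whether policy_match would reject the request. chain_valid_at is the check the page's 365-day root versus 3650-day leaf would fail: verifying at a date past the root's expiry fails even though the leaf is still within its own validity.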
