Process for creating a self-signed CA certificate
1. Change to /etc/pki/CA/private and generate a key file. This is the CA's private key: genrsa without a cipher option writes it unencrypted, and although the private/ directory is mode 0700 the file itself gets the default umask, so chmod 600 it afterwards and never copy it to a machine that does not need to sign certificates.
[root@station40 certs]# cd /etc/pki/CA/private/
[root@station40 private]# ls
my.key
[root@station40 private]# openssl genrsa 2048 >cakey.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
...............................................................+++
e is 65537 (0x10001)
[root@station40 private]# ls
cakey.pem
2. Self-sign the CA certificate
-x509 makes openssl req emit a certificate instead of a request, and -days sets how long the self-signed CA certificate stays valid (2000 days here).
[root@station40 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 2000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:DA
Common Name (eg, your name or your server's hostname) []:stations.example.com
Email Address []:[email protected]
3. /etc/pki/CA is still missing three items that openssl ca needs: the newcerts/ directory (a copy of every issued certificate), index.txt (the certificate database) and serial. Create them all now.
[root@station40 CA]# mkdir newcerts
[root@station40 CA]# touch ./{index.txt,serial}
[root@station40 CA]# ll
total 32
-rw-r--r-- 1 root root 1058 Feb 25 22:43 cacert.pem
-rw-r--r-- 1 root root 0 Feb 25 22:59 index.txt
drwxr-xr-x 2 root root 4096 Feb 25 22:58 newcerts
drwx------ 2 root root 4096 Feb 25 22:32 private
-rw-r--r-- 1 root root 0 Feb 25 22:59 serial
Open serial and put a two-digit number in it. openssl ca reads the next serial number from this file as hex and it must contain an even number of digits; the certificate issued below gets "Serial Number: 0", so this walkthrough used 00 (01 works equally well).
4. Edit /etc/pki/tls/openssl.cnf (the file openssl ca later reports in its "Using configuration from" line) and make the absolute path on the first line of [ CA_default ] point at /etc/pki/CA, so that every path derived from $dir below resolves to the directory prepared above:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
Process for requesting and issuing a certificate
1. Generate a key file (the server's private key; the same permission caveat as for the CA key applies)
[root@station40 text]# cd /etc/pki/tls/certs
[root@station40 certs]# ls
ca-bundle.crt make-dummy-cert Makefile
[root@station40 certs]# openssl genrsa 2048 >my.key
Generating RSA private key, 2048 bit long modulus
...........................................................+++
.................................................+++
e is 65537 (0x10001)
[root@station40 certs]#
2. Create a certificate signing request (CSR) to hand to the CA. The CSR carries the public key and the requested subject; the challenge password and optional company name can be left empty.
[root@station40 certs]# openssl req -new -key my.key -out my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:DA
Common Name (eg, your name or your server's hostname) []:stations
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Sign the CSR with the CA. openssl ca takes the CA key, CA certificate, database and serial from the [ CA_default ] section edited above. Note that the Subject printed below has no L= entry: the default policy_match section of openssl.cnf lists C, ST and O as "match", OU and emailAddress as "optional" and CN as "supplied", so any other component in the request is silently dropped, and a request whose C, ST or O differ from the CA's own DN is rejected.
[root@station40 certs]# openssl ca -in my.csr -out my.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb 25 16:16:25 2010 GMT
            Not After : Feb 25 16:16:25 2011 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = ZZU
            organizationalUnitName    = DA
            commonName                = stations
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:77:F3:22:20:FD:F3:9D:FE:2B:D4:65:58:E0:19:47:AF:05:BA:6A
            X509v3 Authority Key Identifier:
                keyid:7C:A6:0E:49:DC:87:64:8F:2E:20:DB:25:0A:4A:6B:7D:E1:3F:BA:95
Certificate is to be certified until Feb 25 16:16:25 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@station40 certs]#
4. Simple, right? You can now inspect the issued certificate with the command below. One thing to check in the output is "Signature Algorithm: sha1WithRSAEncryption": that was the default_md in openssl.cnf when this was written, and current clients reject SHA-1 signatures, so set default_md = sha256 in [ CA_default ] (and pass -sha256 to the req commands) before using this setup for anything real.
[root@station40 certs]# openssl x509 -in my.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=HN, L=ZZ, O=ZZU, OU=DA, CN=stations.example.com/[email protected]
        Validity
            Not Before: Feb 25 16:16:25 2010 GMT
            Not After : Feb 25 16:16:25 2011 GMT
        Subject: C=CN, ST=HN, O=ZZU, OU=DA, CN=stations/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:98:a7:17:8f:a1:06:74:18:53:68:92:48:4a:
                    45:7e:7a:ae:7a:ca:0f:8f:29:ca:19:72:fb:aa:a5:
                    94:b9:2d:92:75:6d:a5:42:14:33:3f:ee:a1:81:f3:
                    8a:55:94:fc:31:fd:f0:77:7d:f6:ab:0b:ec:4e:6a:
                    16:ee:63:9a:33:91:7f:eb:ca:40:8c:49:b4:2f:78:
                    a8:db:c2:49:91:d2:5b:85:99:3f:22:7a:4d:99:b9:
                    f6:89:95:5d:46:9c:43:80:76:ee:f2:16:17:69:f7:
                    be:76:a6:4b:65:34:ee:bc:58:56:77:21:85:31:d5:
                    0e:ed:cf:73:c2:f9:0e:a9:cf:0c:ab:67:e1:9d:55:
                    dc:77:ce:5a:94:fa:5b:d2:f9:33:7a:81:eb:61:8f:
                    86:ea:0b:0a:ef:d5:ee:0f:ee:96:22:46:21:98:1f:
                    f1:c2:d3:4b:89:9c:e4:db:90:28:32:ef:86:bf:5d:
                    ab:e4:85:23:1c:93:8e:db:12:8d:39:6a:f0:a0:db:
                    e4:90:82:68:8b:08:f7:df:b2:c9:93:da:69:e9:5a:
                    30:bf:b0:00:b1:b1:1f:9e:70:89:3c:3e:eb:ff:41:
                    b6:9f:e0:a8:1c:68:1d:c2:40:ff:6d:c5:5b:e9:71:
                    89:10:6f:a3:b6:30:e1:81:df:22:c3:ce:36:53:71:
                    a1:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:77:F3:22:20:FD:F3:9D:FE:2B:D4:65:58:E0:19:47:AF:05:BA:6A
            X509v3 Authority Key Identifier:
                keyid:7C:A6:0E:49:DC:87:64:8F:2E:20:DB:25:0A:4A:6B:7D:E1:3F:BA:95
    Signature Algorithm: sha1WithRSAEncryption
        c8:af:63:9c:bd:89:f8:7b:5e:a3:bd:f8:46:fd:f8:3c:d0:bd:
        86:a5:d8:7e:d1:8c:c9:77:66:f9:a2:33:f8:62:45:6a:f6:73:
        e8:a7:fe:1b:9b:ac:de:43:83:e2:d2:92:c7:4c:27:73:75:ed:
        70:ac:6e:9b:ed:1e:51:0d:d2:20:a7:c6:dd:1c:ac:50:f3:c8:
        62:61:a1:25:67:4e:a7:d0:37:e9:a6:48:59:08:51:71:b3:f4:
        84:18:bf:16:8d:f1:bb:8f:5e:c9:f9:4d:72:19:45:8f:8d:5f:
        1c:50:ad:11:40:c9:35:55:b3:22:11:fa:22:9e:ad:9f:93:4e:
        31:60:03:21:0f:39:47:11:7a:34:0c:7d:c5:2f:6f:79:69:47:
        35:e4:ab:2e:f0:d3:9e:41:96:b1:94:f8:e0:57:13:4f:85:7d:
        00:45:fa:14:c9:d8:33:11:a5:1c:16:9d:fc:27:6f:df:1d:6f:
        8a:24:de:23:ac:4d:9d:67:5e:38:76:0e:a5:d7:e0:f7:52:c7:
        31:1a:23:e8:91:84:a8:b2:89:b7:31:5a:fb:3a:76:59:9b:50:
        75:94:c0:fa:33:a2:85:d1:e5:80:4f:c1:67:18:62:5b:47:6a:
        a1:18:be:6e:fe:98:7c:15:ff:c6:26:ba:22:91:99:ae:d0:cd:
        e4:cd:f5:d2
[root@station40 certs]#
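Both procedures above (CA setup, CSR, signing, verification) as one non-interactive script. This is an added example and not the article's own commands: it builds the same /etc/pki/CA-style layout in a scratch directory with its own minimal openssl config instead of editing /etc/pki/tls/openssl.cnf, passes the DNs with -subj instead of answering prompts, and adds the checks the walkthrough leaves out (0600 key files, SHA-256, CA:TRUE on the root, a subjectAltName on the server certificate, openssl verify at the end). It assumes openssl is on PATH; the directory names, the function names (setup_ca_dir, make_ca, issue_cert, verify_chain, demo) and the DN values copied from the tutorial's prompts are choices made for this example.

```shell
#!/bin/sh
# Added example (not the article's commands): the tutorial's two procedures
# run end to end, non-interactively, in a scratch directory.
# Assumptions: openssl is on PATH; paths, function names and DN values
# (taken from the tutorial's prompts) are chosen for this example.
set -eu

# Lay out the directory openssl ca expects (same shape as /etc/pki/CA) and
# write a private config for it, so the system openssl.cnf stays untouched.
setup_ca_dir() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"    # empty certificate database
    echo 01 > "$ca/serial" # next serial: hex, even number of digits
    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $ca
certs         = \$dir/certs
crl_dir       = \$dir/crl
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_days  = 365
default_md    = sha256
policy        = policy_match

# Same rules as the stock policy_match: C, ST, O must equal the CA's DN;
# anything not listed here (e.g. L) is dropped from the issued subject.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# CA key (created 0600 via umask) and the self-signed CA certificate.
make_ca() {
    ca="$1"; ca_subj="$2"
    setup_ca_dir "$ca"
    ( umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -sha256 -days 2000 -config "$ca/ca.cnf" \
        -extensions v3_ca -key "$ca/private/cakey.pem" \
        -subj "$ca_subj" -out "$ca/cacert.pem"
}

# Server key + CSR, then sign it with the CA. The function's status is that
# of openssl ca, so a request whose C/ST/O differ from the CA's DN fails here.
issue_cert() {
    ca="$1"; out="$2"; subj="$3"; san_host="$4"
    mkdir -p "$out"
    ( umask 077; openssl genrsa -out "$out/my.key" 2048 2>/dev/null )
    openssl req -new -sha256 -config "$ca/ca.cnf" -key "$out/my.key" \
        -subj "$subj" -out "$out/my.csr"
    # End-entity extensions; the SAN is what TLS clients actually match on.
    cat > "$out/leaf.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$san_host
EOF
    openssl ca -batch -notext -config "$ca/ca.cnf" -extfile "$out/leaf.ext" \
        -in "$out/my.csr" -out "$out/my.crt"
}

# Check that the issued certificate chains to the CA (prints "my.crt: OK").
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$2/my.crt"
}

# Whole walkthrough: CA in $root/CA, server certificate in $root/srv.
demo() {
    root="${1:-}"; [ -n "$root" ] || root=$(mktemp -d)
    make_ca "$root/CA" "/C=CN/ST=HN/L=ZZ/O=ZZU/OU=DA/CN=stations.example.com"
    issue_cert "$root/CA" "$root/srv" \
        "/C=CN/ST=HN/L=ZZ/O=ZZU/OU=DA/CN=stations" stations.example.com
    verify_chain "$root/CA" "$root/srv"
    openssl x509 -in "$root/srv/my.crt" -noout -subject -issuer -serial
}

# Run as a script: sh mkpki.sh [dir]
if command -v openssl >/dev/null 2>&1; then demo "${1:-}"; fi
```

After a run, $root/CA/serial reads 02 and index.txt has a "V" line for the new certificate, exactly as on the real /etc/pki/CA; a second issue_cert call with O=Other in the subject is refused by openssl ca under policy_match and leaves both files untouched.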