RHS333: Setting Up an Enterprise CA Certificate Center

Test environment: RHEL 5.4

CA server: station1

Plan for configuring the CA:

1. Install the openssl package

2. Configure the /etc/pki/tls/openssl.cnf file

3. Generate the CA's private key

4. Use the CA's private key to generate the CA's public key (the self-signed CA certificate)

Blue text: options that need to be changed;    black text: directories that must be created on the server

Red text: comments

2. Configure the /etc/pki/tls/openssl.cnf file

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept; where the CA's files live
certs           = $dir/certs            # Where the issued certs are kept; newly issued certificates
crl_dir         = $dir/crl              # Where the issued crl are kept; revoked certificates
database        = $dir/index.txt        # database index file; shows which certificates were issued and revoked
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs; default location for new certificates

certificate     = $dir/my-ca.crt        # The CA certificate; the CA's public key
serial          = $dir/serial           # The current serial number; serial number for issued certificates
crlnumber       = $dir/crlnumber        # the current crl number; serial number for revoked certificates
                                        # must be commented out to leave a V1 CRL
crl             = $dir/my-ca.crl        # The current CRL; list of revoked certificates
private_key     = $dir/private/my-ca.key # The private key; the CA's private key, guard it carefully
RANDFILE        = $dir/private/.rand    # private random number file

# Certificate lifetime and related policy settings

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering

policy          = policy_match

# For the CA policy
[ policy_match ]           # CA policy matching rules: match = the request's field must equal the CA's,
                           # optional = the field may be absent, supplied = the field must be present in the request
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = GuangDong

localityName                    = Locality Name (eg, city)
localityName_default            = ShenZhen

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Ryoyo Ltd

—————————————————————————————————————————–

3. Generate the CA's private key

[root@station1 CA]# (umask 077;openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
.........................................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:  redhat
Verifying - Enter pass phrase for private/my-ca.key:  redhat

4. Generate the CA's public key (the self-signed CA certificate) from the CA's private key

[root@station1 CA]# openssl req -new -x509 -key private/my-ca.key > my-ca.crt
Enter pass phrase for private/my-ca.key: redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                               ====> the defaults predefined in openssl.cnf above
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [ShenZhen]:
Organization Name (eg, company) [Ryoyo Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:staion1
Email Address []:
[root@station1 CA]# ls
certs  crl  crlnumber  index.txt  my-ca.crt  newcerts  private  serial
[root@station1 CA]#

———————————————————————————————————

With the steps above completed, the CA is set up!
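The whole procedure (steps 2 to 4) as one script, added here as an example and not part of the original post: it creates the directory layout and bookkeeping files that the [ CA_default ] section above names, generates the encrypted key and self-signed certificate with the openssl.cnf defaults made explicit, and then verifies the result. The CA root path, the passphrase file, and the -aes256/-sha256/-days choices are assumptions of this example, not the post's settings.

```shell
#!/bin/sh
# Added helper, not from the post: builds the CA layout that the [ CA_default ]
# section above expects, then creates the CA key and self-signed certificate.
# Assumptions: the CA root path and a passphrase file are passed in, and the
# key cipher, digest and validity (-aes256, -sha256, -days) are chosen here.
set -eu

# Directories and bookkeeping files named in openssl.cnf. Safe to re-run on a
# live CA: index.txt, serial and crlnumber are created only when absent.
init_ca_dir() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"                              # the CA key lives here
    [ -e "$ca/index.txt" ] || : > "$ca/index.txt"        # empty issuance database
    [ -s "$ca/serial" ]    || echo 01 > "$ca/serial"     # next certificate serial
    [ -s "$ca/crlnumber" ] || echo 01 > "$ca/crlnumber"  # next CRL number
}

# Encrypted CA key plus self-signed certificate. `openssl req -x509` does not
# read default_days from [ CA_default ] (that applies to `openssl ca`) and
# issues a 30-day certificate unless -days is given, so it is passed here.
make_ca() {
    ca="$1"; passfile="$2"; days="${3:-3650}"
    (umask 077; openssl genrsa -aes256 -passout "file:$passfile" \
        -out "$ca/private/my-ca.key" 2048 >/dev/null 2>&1)
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$ca/private/my-ca.key" -passin "file:$passfile" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Ryoyo Ltd/CN=station1" \
        -out "$ca/my-ca.crt"
}

# Print the certificate's subject DN without the "subject=" prefix.
ca_subject() {
    openssl x509 -in "$1/my-ca.crt" -noout -subject | sed 's/^[a-z]*=//'
}

# Post-build checks: the key file is encrypted, the certificate is self-signed
# (issuer equals subject) and private/ is not group- or world-accessible.
check_ca() {
    ca="$1"
    grep -q ENCRYPTED "$ca/private/my-ca.key" || return 1
    issuer=$(openssl x509 -in "$ca/my-ca.crt" -noout -issuer | sed 's/^[a-z]*=//')
    [ "$issuer" = "$(ca_subject "$ca")" ] || return 1
    ls -ld "$ca/private" | grep -q '^drwx------' || return 1
}
```

Run it as `init_ca_dir /etc/pki/CA; make_ca /etc/pki/CA /root/ca-pass.txt 3650; check_ca /etc/pki/CA` on the CA host (paths are placeholders); check_ca returns non-zero if any of the three conditions fails.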

This article is from the blog "潜入技术的海洋"; please keep this attribution when reposting: http://myhat.blog.51cto.com/391263/587965
