CA server: station1
Plan for setting up the CA:
1. Install the openssl package
2. Configure the /etc/pki/tls/openssl.cnf file
3. Generate the CA's private key
4. Generate the CA's certificate (public key) from the CA's private key
Blue text: options that need to be changed; black text: directories that must be created on the server
Red text: comments
Configuring the /etc/pki/tls/openssl.cnf file
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept; directory holding all CA files
certs = $dir/certs # Where the issued certs are kept; newly issued certificates
crl_dir = $dir/crl # Where the issued crl are kept; revoked certificates
database = $dir/index.txt # database index file; the index file records which certificates have been issued and revoked
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs; default location for new certificates
certificate = $dir/my-ca.crt # The CA certificate; the CA's public key (certificate)
serial = $dir/serial # The current serial number; serial number of the next issued certificate
crlnumber = $dir/crlnumber # the current crl number; serial number of the next CRL
# must be commented out to leave a V1 CRL
crl = $dir/my-ca.crl # The current CRL; list of revoked certificates
private_key = $dir/private/my-ca.key # The private key; the CA's private key, guard it carefully
RANDFILE = $dir/private/.rand # private random number file
# Certificate lifetime and related policy settings
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
# The CA's policy matching rules: match = must match, optional = does not matter, supplied = must not match
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = GuangDong
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Ryoyo Ltd
-----------------------------------------------------------------
3. Generate the CA's private key
[root@station1 CA]# (umask 077;openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
........................................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key: redhat
Verifying - Enter pass phrase for private/my-ca.key: redhat
[root@station1 CA]# openssl req -new -x509 -key private/my-ca.key > my-ca.crt
Enter pass phrase for private/my-ca.key: redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: ====> the defaults predefined in openssl.cnf above
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [ShenZhen]:
Organization Name (eg, company) [Ryoyo Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:station1
Email Address []:
[root@station1 CA]# ls
certs crl crlnumber index.txt my-ca.crt newcerts private serial
[root@station1 CA]#
-----------------------------------------------------------------
With the steps above completed, the CA is set up!
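The session above assumes that the directories and bookkeeping files named in [ CA_default ] already exist (the ls output shows index.txt, serial and crlnumber in place), and it accepts whatever validity "openssl req -x509" picks when no -days is given, which is 30 days. The script below is an added example, not part of the original post: it creates that layout, checks it, and runs the same two openssl commands with the DN passed on the command line. The values of C, ST and O equal the defaults from [ req_distinguished_name ], since policy_match requires those fields of every request to match the CA certificate; CN is filled in because commonName is marked supplied, which in OpenSSL means the request must carry the field. The CA_ROOT path, the CA_SETUP_RUN guard, the 3650-day lifetime and the use of sha256 instead of the config's sha1 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: prepare the directory layout
# that [ CA_default ] expects under "dir", then create the CA key and the
# self-signed CA certificate. CA_ROOT, CA_SETUP_RUN, the 3650-day lifetime and
# sha256 are assumptions of this example.
set -eu

# ca_prepare DIR
#   Create certs/, crl/, newcerts/, private/ plus the empty index.txt database
#   and the serial/crlnumber counters; "openssl ca" will not run without them.
ca_prepare() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"                          # CA private key lives here: owner only
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"   # database: one line per issued cert
    [ -f "$dir/serial" ] || echo 01 > "$dir/serial"   # serial number of the next certificate
    [ -f "$dir/crlnumber" ] || echo 01 > "$dir/crlnumber"  # number of the next CRL
}

# ca_check_layout DIR
#   Return 0 when every path named in [ CA_default ] exists, otherwise list the
#   missing entries on stderr and return 1. Run it before the first "openssl ca".
ca_check_layout() {
    dir=$1
    rc=0
    for d in certs crl newcerts private; do
        [ -d "$dir/$d" ] || { echo "missing directory: $dir/$d" >&2; rc=1; }
    done
    for f in index.txt serial crlnumber; do
        [ -f "$dir/$f" ] || { echo "missing file: $dir/$f" >&2; rc=1; }
    done
    return $rc
}

# ca_create_root DIR DAYS
#   The two commands from the session above. The DN is passed with -subj so the
#   run needs no interactive answers; C/ST/O match [ req_distinguished_name ],
#   as policy_match requires. -days is explicit because "openssl req -x509"
#   otherwise issues a certificate that expires after 30 days.
ca_create_root() {
    dir=$1
    days=$2
    (umask 077; openssl genrsa -des3 -out "$dir/private/my-ca.key" 2048)
    openssl req -new -x509 -sha256 -days "$days" \
        -key "$dir/private/my-ca.key" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Ryoyo Ltd/CN=station1" \
        -out "$dir/my-ca.crt"
    # Confirm what was issued: subject and validity period of the CA certificate.
    openssl x509 -in "$dir/my-ca.crt" -noout -subject -dates
}

# Only act when asked (CA_SETUP_RUN=1), so the file can also be sourced for its functions.
if [ "${CA_SETUP_RUN:-0}" = 1 ]; then
    CA_ROOT=${CA_ROOT:-/etc/pki/CA}
    ca_prepare "$CA_ROOT"
    ca_check_layout "$CA_ROOT"
    ca_create_root "$CA_ROOT" 3650
fi
```

Run it as root with CA_SETUP_RUN=1 sh ca-setup.sh; genrsa still prompts for the key pass phrase, which is the one secret that should never be placed on the command line. ca_check_layout is the part worth keeping around: a missing serial or index.txt is the usual reason a later "openssl ca" signing run fails.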