Certificates
1. CA
Creating a self-signed CA certificate
cd /etc/pki/CA/private
Generate the CA private key (every certificate the CA issues is signed with this key, so it must stay readable by root only; genrsa honours the current umask, so run it under umask 077 or chmod 600 the file afterwards):
[root@station116 private]# openssl genrsa 2048 > ca.key
Generating RSA private key, 2048 bit long modulus
...............................+++
.......+++
e is 65537 (0x10001)
[root@station116 private]# ls
ca.key
Change to the CA directory:
cd /etc/pki/CA
Generate the self-signed CA certificate (-x509 makes req output a certificate signed with ca.key itself instead of a request; -days 1000 sets how long it is valid):
[root@station116 CA]# openssl req -new -x509 -key ./private/ca.key -out ca.pem -days 1000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:statio.example.com
[root@station116 CA]#
[root@station116 CA]# ls
ca.pem private
Edit the OpenSSL configuration:
vim /etc/pki/tls/openssl.cnf
and set the dir line in the [ CA_default ] section to the CA directory created above, so that the section begins as follows (the other paths are derived from $dir):
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
In the CA directory, create the files that openssl ca expects: the directory for newly issued certificates, the index database and the serial counter:
mkdir ./newcerts
touch ./{serial,index.txt}
echo "01" > serial
The serial file holds, in hex, the serial number of the next certificate the CA issues and is used verbatim; start it at 01 rather than 00, since RFC 5280 requires certificate serial numbers to be positive integers.
2. Issuing certificates to users
1) Generating a certificate with a single make command:
The make command only works from the /etc/pki/tls/certs/ directory, where the Makefile that defines these targets lives. Note that this target does not involve the CA set up above: it generates a fresh 1024-bit key and a self-signed certificate (-x509, serial 0) and concatenates both into my.pem. That is enough for a test server, but no client will trust it unless my.pem itself is installed as a trusted certificate.
[root@station116 certs]# make my.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > my.pem ; \
echo "" >> my.pem ; \
cat $PEM2 >> my.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
.............++++++
.................................................................................................................++++++
writing new private key to '/tmp/openssl.O11114'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
2) Generating a certificate step by step:
1. Generate the key (the make target encrypts it with 3DES and asks for a passphrase):
cd /etc/pki/tls/certs
[root@station116 certs]# make my.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > my.key
Generating RSA private key, 1024 bit long modulus
...................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@station116 certs]#
Or, for an unencrypted key (no passphrase prompt, which a daemon needs in order to start unattended; protect the file with permissions instead):
[root@station116 certs]# openssl genrsa 1024 > my.key
Generating RSA private key, 1024 bit long modulus
........++++++
...........................................................++++++
e is 65537 (0x10001)
[root@station116 certs]#
Extract the public key (optional; the CSR and the certificate already carry it):
[root@station116 certs]# openssl rsa -in my.key -pubout -out my.pubkey
writing RSA key
2. Create the certificate signing request (CSR), which binds the subject name to the public key and is signed with my.key:
[root@station116 certs]# make my.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key my.key -out my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhuying
An optional company name []:zhuying
[root@station116 certs]#
Or, equivalently, without the make target (the challenge password and optional company name are legacy request attributes and can be left blank):
[root@station116 certs]# openssl req -new -key ./my.key -out ./my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@station116 certs]#
Inspect the request before handing it to the CA. Check the subject and key size here: the 1024-bit RSA key and SHA-1 signature that these Makefile defaults produce are both considered too weak today, so prefer rsa:2048 and -sha256:
[root@station116 certs]# openssl req -noout -in my.csr -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ee:6e:1d:1e:97:9b:de:f8:d9:a4:43:b0:d3:4a:
4b:fd:9a:8a:5d:5f:eb:4d:79:35:43:f7:d4:a9:aa:
e6:52:cd:5a:a0:98:d1:19:ec:df:bb:c3:5a:4f:c7:
83:69:6b:e0:ff:60:a4:14:5f:ce:47:c8:37:33:ad:
f4:ab:3a:be:b8:93:19:cf:b4:55:2e:26:ba:28:d7:
09:a9:6d:cd:38:36:8d:7d:50:c9:06:5f:4b:45:8c:
0f:c5:b5:45:0d:53:4e:f6:63:7b:5c:35:70:3d:38:
66:fd:93:c1:3b:90:f2:dc:ee:48:b1:11:cc:92:f2:
4c:92:0c:aa:3e:28:04:14:a7
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
7d:b9:79:e7:f7:f7:24:bc:e4:e6:57:b8:84:f1:e2:92:58:19:
b5:fd:e9:1e:86:64:57:5f:de:ab:fd:b8:d5:0e:74:1e:b8:75:
0f:15:b8:ae:89:4a:ac:3b:e8:55:61:6f:dd:5e:84:14:11:c4:
86:01:b8:bb:14:5b:4c:95:b6:1e:67:f2:19:8c:ab:d0:43:f6:
b2:84:09:d7:36:29:a6:29:a7:0f:bd:6f:6a:68:f7:81:31:07:
a8:71:df:e0:67:e6:b6:84:ee:10:53:bb:fc:5b:0b:19:b9:1e:
73:62:9e:c4:6d:b3:97:d3:fd:12:99:b7:2a:1a:f4:a0:e3:3c:
92:8a
[root@station116 certs]#
3. Generate the certificate:
Note that this make target neither reads my.key nor signs my.csr: it generates yet another 1024-bit key and a self-signed certificate with serial 0 and writes both into my.pem, exactly as in 1) above. The step that actually has the CA from section 1 issue a certificate for the request, signing my.csr with ca.key and recording it in index.txt and serial, is the openssl ca subcommand, which reads the [ CA_default ] section edited above.
[root@station116 certs]# make my.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > my.pem ; \
echo "" >> my.pem ; \
cat $PEM2 >> my.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
..++++++
..............++++++
writing new private key to '/tmp/openssl.r11852'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HA
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:SI
Common Name (eg, your name or your server's hostname) []:station.example.com
[root@station116 certs]#
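The two procedures above, the CA setup from section 1 and the key, CSR and issuance from section 2, combined into one runnable script that includes the signing step the make targets leave out. This is an added example, not part of the original notes or of the RHEL Makefile: it works in a temporary directory instead of /etc/pki/CA, assumes the openssl command line tool (1.1 or later, with its stock openssl.cnf supplying the req defaults), and the subjects, the config file name openssl-ca.cnf and the hostname station.example.com are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): a throwaway private CA that
# mirrors the /etc/pki/CA layout, plus one server certificate issued from a
# CSR with `openssl ca`. Paths, subjects and the hostname are assumed.
set -eu

# Write the [ CA_default ] configuration that `openssl ca` reads for the CA in $1.
write_ca_config() {
    cat > "$1/openssl-ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/ca.key
certificate     = \$dir/ca.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
unique_subject  = no

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOF
}

# Create the CA directory tree, database files, key and self-signed certificate.
build_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"          # RFC 5280: serials must be positive, so not 00
    write_ca_config "$dir"
    # -x509 makes req emit a self-signed certificate; -nodes leaves the key
    # unencrypted so this runs unattended (a real CA key should use -aes256).
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/private/ca.key" -out "$dir/ca.pem" -days 1000 \
        -subj "/C=CN/ST=HA/L=ZZ/O=ZZU/OU=SI/CN=Example Lab Root CA" 2>/dev/null)
    chmod 644 "$dir/ca.pem"          # the certificate is public, the key is not
}

# Issue a TLS server certificate for host $2 from the CA in $1.
issue_cert() {
    dir=$1 host=$2
    # 1. The requester's key and CSR (on a real deployment, made on the server).
    (umask 077 && openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=CN/O=ZZU/CN=$host"
    # 2. The CA, not the requester, decides the extensions: an end-entity
    #    certificate for TLS servers, with the hostname in subjectAltName.
    cat > "$dir/$host.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    # 3. Verify the CSR's own signature, sign it with ca.key, append a "V"
    #    line to index.txt, store a copy in newcerts/ and bump serial.
    openssl ca -batch -notext -config "$dir/openssl-ca.cnf" \
        -in "$dir/$host.csr" -out "$dir/$host.crt" -days 365 -md sha256 \
        -extfile "$dir/$host.ext" -extensions server_cert
}

# Check that the issued certificate chains to ca.pem and is valid for hostname $2.
verify_cert() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/$2.crt" >/dev/null
}

# The next serial number the CA will hand out.
next_serial() {
    cat "$1/serial"
}

main() {
    dir=$(mktemp -d)
    build_ca "$dir"
    issue_cert "$dir" station.example.com
    verify_cert "$dir" station.example.com
    echo "issued $dir/station.example.com.crt; next serial $(next_serial "$dir")"
}

main
```

Run it with sh and it prints the path of the issued certificate and the updated serial. The verify step checks both the chain to ca.pem and that the name is present in subjectAltName, which is what TLS clients match against (a CommonName alone is no longer accepted by browsers). Because the key usage, CA:FALSE and the SAN come from the CA's own extfile rather than from the request, a requester cannot smuggle CA:TRUE or extra names into its certificate through the CSR.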