1.实战案例:在CentOS 8 / Rocky Linux 8上实现私有CA和证书申请(下文示例在 Rocky Linux 8 上操作,提示符为 rocky8;CentOS 8 使用同样的 /etc/pki 目录布局和 /etc/pki/tls/openssl.cnf,步骤相同)
1.1 创建CA相关目录和文件
[root@rocky8 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@rocky8 ~]# tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@rocky8 ~]# touch /etc/pki/CA/index.txt
[root@rocky8 ~]# echo 0F > /etc/pki/CA/serial
index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示
[root@rocky8 app]# openssl ca -in test.csr -out /etc/pki/CA/certs/test.crt -days 100 #颁发ca申请证书
Using configuration from /etc/pki/tls/openssl.cnf
140541517784896:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
140541517784896:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
#提示没有这个文件,/etc/pki/CA/index.txt
[root@rocky8 app]# openssl ca -in test.csr -out /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140526988703552:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/serial','r')
140526988703552:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
#提示没有/etc/pki/CA/serial,证书编号文件
1.2 创建CA的私钥
注意:下面的 genrsa 没有加 -aes256 等加密选项,生成的 cakey.pem 是明文(未加密)私钥。任何能读取该文件的人都可以冒充这个 CA 签发任意证书,所以必须严格限制它的权限(这里用 umask 066 保证文件为 0600,只有 root 可读);生产环境建议为 CA 私钥设置口令,或把 CA 私钥放在离线机器/HSM 中。
[root@rocky8 ~]# cd /etc/pki/CA/
[root@rocky8 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......+++++
............+++++
e is 65537 (0x010001)
[root@rocky8 CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@rocky8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Nov 16 21:43 cakey.pem
[root@rocky8 CA]# cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
1.3 给CA颁发自签名证书
[root@rocky8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:raymonds
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.raymonds.cc
Email Address []:88563128@qq.com
[root@rocky8 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@rocky8 CA]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@rocky8 CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7f:ec:0d:3c:ae:d1:6f:3b:f4:a9:b9:86:1b:53:fb:44:46:50:b6:d1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = cn, ST = shaanxi, L = xi'an, O = raymonds, OU = it, CN = ca.raymonds.cc, emailAddress = 88563128@qq.com
Validity
Not Before: Nov 16 13:46:00 2021 GMT
Not After : Nov 14 13:46:00 2031 GMT
Subject: C = cn, ST = shaanxi, L = xi'an, O = raymonds, OU = it, CN = ca.raymonds.cc, emailAddress = 88563128@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:db:d9:1c:2f:b9:c9:b5:64:9e:85:d3:58:4b:2a:
87:68:3a:6c:f5:2e:0d:98:db:31:59:c9:39:c5:d0:
8c:fa:95:62:fa:7b:1a:3c:f3:ed:78:54:22:aa:ea:
c9:1b:39:ea:eb:92:3c:38:32:03:23:38:d0:9e:2a:
20:68:a7:69:85:cf:5f:e4:c7:6e:3e:9a:c2:11:90:
c9:82:8a:d4:99:e9:03:b4:75:84:7e:e6:5a:2d:ff:
c9:ff:73:8e:4f:4d:f3:2b:0d:de:a4:56:1e:4a:3d:
70:76:a2:f0:cf:f3:83:d7:30:95:1b:10:6c:63:e4:
08:b6:22:df:c5:a2:3b:eb:79:08:22:c6:cb:ec:5f:
f1:e3:42:b3:f3:8b:9d:e6:65:6f:74:70:45:55:f1:
3a:e1:4a:ad:db:8f:c7:cf:53:3b:27:1a:f3:f4:f4:
87:a8:87:63:03:d9:d6:13:85:05:e8:1b:43:d5:04:
52:fb:8e:f4:3c:ca:fb:d4:b7:17:3d:e5:9d:8a:5d:
d5:be:d6:f0:01:ae:84:be:a4:36:b3:22:22:8e:df:
35:8f:ae:7e:69:3a:9b:c2:9a:a6:ff:41:6f:7a:15:
ca:b7:74:ed:6c:d3:ff:ef:84:1b:02:5e:69:75:ae:
a1:59:11:85:73:23:3d:2f:31:d3:40:b0:87:d4:68:
9e:a3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
16:93:BD:8F:7B:44:02:AF:95:A8:F2:E0:BF:D8:1E:78:51:28:EA:49
X509v3 Authority Key Identifier:
keyid:16:93:BD:8F:7B:44:02:AF:95:A8:F2:E0:BF:D8:1E:78:51:28:EA:49
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
ab:d2:cb:22:41:bf:be:6d:db:2c:8c:c7:3e:ab:1f:c3:4a:b4:
2a:8c:78:53:a7:fc:cc:5a:74:29:f6:88:26:97:43:5f:31:18:
45:8c:56:4c:75:34:6e:2a:f4:f8:61:31:cd:ba:e0:c4:55:9b:
be:51:25:20:01:fa:f1:8e:8d:dd:ce:98:fa:47:3a:5f:06:4f:
77:95:83:53:18:83:09:80:cf:31:31:3c:06:4e:28:18:23:41:
43:54:a7:9b:84:87:18:77:a6:df:36:f6:6d:a1:8d:da:dc:36:
68:53:c0:b1:8b:8e:12:fe:47:83:95:95:e4:5d:4f:06:0e:7a:
5b:f7:09:67:9d:53:f8:40:3b:71:f5:06:21:a5:59:c9:65:02:
76:2c:06:2c:df:2c:98:2a:6a:82:0e:e5:b0:33:8e:60:40:b2:
0d:ea:b7:a5:32:e9:83:51:6f:8c:2c:c7:f1:41:fd:ad:14:77:
94:06:b9:b5:ab:6f:00:8a:3f:5b:07:6b:b0:b0:d1:51:6f:8f:
46:e4:7d:0c:17:4f:ed:c5:01:d6:70:87:75:5e:5c:1d:33:54:
a9:47:eb:ae:2f:18:f8:54:c3:6d:7e:83:ef:47:e3:86:f9:46:
9f:88:b2:d4:a3:18:6c:d5:c9:c9:2b:f8:9a:fb:17:be:23:6b:
03:07:da:35
[root@rocky8 CA]# sz /etc/pki/CA/cacert.pem
#将文件cacert.pem传到windows上,修改文件名为cacert.pem.crt,双击可以看到下面显示
1.4 用户生成私钥和证书申请
[root@rocky8 CA]# mkdir /data/app1
[root@rocky8 CA]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...................+++++
...................................+++++
e is 65537 (0x010001)
[root@rocky8 CA]# cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
[root@rocky8 CA]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:raymonds
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.raymonds.cc
Email Address []:root@raymonds.cc
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@rocky8 CA]# ll /data/app1/
total 8
-rw-r--r-- 1 root root 1054 Nov 16 21:54 app1.csr
-rw------- 1 root root 1675 Nov 16 21:51 app1.key
默认情况下(/etc/pki/tls/openssl.cnf 中 [ CA_default ] 的 policy = policy_match)申请文件里有三项内容必须和 CA 证书一致:国家(C)、省份(ST)、组织(O);如果不同,签发时会出现下面的提示
[root@rocky8 app]# openssl ca -in test2.csr -out /etc/pki/CA/certs/test2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The stateOrProvinceName field is different between
CA certificate (shaanxi) and the request (beijing) #提示省份不同,颁发不了证书
1.5 CA颁发证书
[root@rocky8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Nov 16 13:57:24 2021 GMT
Not After : Aug 12 13:57:24 2024 GMT
Subject:
countryName = cn
stateOrProvinceName = shaanxi
organizationName = raymonds
organizationalUnitName = it
commonName = app1.raymonds.cc
emailAddress = root@raymonds.cc
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5B:61:80:FE:B9:26:47:A0:0C:F9:2C:88:D6:AD:26:FF:F8:20:FF:7E
X509v3 Authority Key Identifier:
keyid:16:93:BD:8F:7B:44:02:AF:95:A8:F2:E0:BF:D8:1E:78:51:28:EA:49
Certificate is to be certified until Aug 12 13:57:24 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rocky8 CA]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
1.6 查看证书
[root@rocky8 CA]# cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, ST=shaanxi, L=xi'an, O=raymonds, OU=it, CN=ca.raymonds.cc/emailAddress=88563128@qq.com
Validity
Not Before: Nov 16 13:57:24 2021 GMT
Not After : Aug 12 13:57:24 2024 GMT
Subject: C=cn, ST=shaanxi, O=raymonds, OU=it, CN=app1.raymonds.cc/emailAddress=root@raymonds.cc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cc:88:31:ce:14:ed:d3:d8:69:c7:e2:90:03:53:
3c:69:ca:2a:1a:d9:ad:fb:a7:bf:24:ff:0b:4c:13:
e7:2f:5e:55:1f:3b:6c:15:07:14:74:12:9d:53:c3:
f7:06:ae:13:54:5b:e8:a6:b2:8f:c6:0c:15:cd:d7:
f3:d0:05:c8:42:95:2c:47:b7:e9:ae:75:47:79:fa:
4b:02:f9:c5:93:3b:0f:67:d0:83:72:b0:ba:93:21:
3a:53:e6:67:63:dc:a3:32:cb:e3:70:35:d0:7e:8e:
cc:35:1b:e1:2f:9c:22:b2:de:57:f5:d9:73:7c:a4:
bc:b3:3c:94:92:5b:06:d8:7d:5b:c1:47:fa:e7:51:
0e:2a:0f:51:15:ba:9c:3b:71:bc:e1:51:0a:bb:ab:
db:47:a4:8c:78:54:3e:a1:6a:95:90:01:76:a1:52:
cf:ce:97:56:db:48:08:8b:3b:e6:17:a9:57:3c:6e:
6c:fc:22:f3:88:a5:4c:dd:61:84:53:a5:b8:ee:c4:
85:b2:07:54:03:a3:90:b9:97:18:30:74:5d:49:04:
b3:58:80:7c:4e:0a:fe:22:63:04:8b:8b:af:0e:6c:
9f:20:40:9f:dd:10:31:bf:36:b5:8c:6d:c0:2b:d4:
fa:a7:a6:d5:b4:19:af:97:ca:bc:6d:9b:cf:8d:f4:
e3:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5B:61:80:FE:B9:26:47:A0:0C:F9:2C:88:D6:AD:26:FF:F8:20:FF:7E
X509v3 Authority Key Identifier:
keyid:16:93:BD:8F:7B:44:02:AF:95:A8:F2:E0:BF:D8:1E:78:51:28:EA:49
Signature Algorithm: sha256WithRSAEncryption
93:6f:21:b2:1f:72:3f:3b:85:ee:e9:47:56:2a:cf:74:fb:e3:
d7:b8:7f:d6:55:35:29:f3:14:b2:3d:68:27:01:fb:41:df:3b:
dd:d0:b2:44:6f:66:f3:35:5f:a1:b9:b8:d3:40:6f:e7:63:e5:
60:80:0d:16:c7:72:55:80:e4:5e:d9:d7:b3:93:e1:21:c1:81:
6f:22:cd:2f:2a:ff:82:8e:75:5d:8e:9d:09:c4:a6:de:f4:0b:
9d:01:7a:42:a0:b2:05:6b:ce:7e:ba:ed:ea:fa:90:33:f6:e2:
d8:26:32:69:35:57:21:12:0f:59:f9:a6:b8:45:4f:16:0a:4e:
7d:ac:db:2f:15:83:71:39:45:3c:6b:84:64:ae:60:40:a5:a1:
2a:58:6d:ec:f0:8e:48:9f:30:73:aa:03:9e:c6:f9:1b:b5:a1:
f5:45:23:e1:fb:61:30:26:a3:51:b4:c3:69:a8:ab:18:e9:a5:
d1:79:3c:de:c5:af:35:c6:cd:76:68:d1:7a:69:41:15:38:b4:
06:f4:32:3a:27:ef:a9:5a:d9:47:89:ce:d5:78:e4:80:fc:dd:
fb:13:13:94:b5:a6:30:d9:be:20:1d:c2:98:9a:22:1e:b6:dc:
ce:8a:7e:43:59:4d:24:b2:8e:1e:8c:34:b1:ce:47:53:4f:59:
de:f7:14:75
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@rocky8 CA]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = cn, ST = shaanxi, L = xi'an, O = raymonds, OU = it, CN = ca.raymonds.cc, emailAddress = 88563128@qq.com
Validity
Not Before: Nov 16 13:57:24 2021 GMT
Not After : Aug 12 13:57:24 2024 GMT
Subject: C = cn, ST = shaanxi, O = raymonds, OU = it, CN = app1.raymonds.cc, emailAddress = root@raymonds.cc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cc:88:31:ce:14:ed:d3:d8:69:c7:e2:90:03:53:
3c:69:ca:2a:1a:d9:ad:fb:a7:bf:24:ff:0b:4c:13:
e7:2f:5e:55:1f:3b:6c:15:07:14:74:12:9d:53:c3:
f7:06:ae:13:54:5b:e8:a6:b2:8f:c6:0c:15:cd:d7:
f3:d0:05:c8:42:95:2c:47:b7:e9:ae:75:47:79:fa:
4b:02:f9:c5:93:3b:0f:67:d0:83:72:b0:ba:93:21:
3a:53:e6:67:63:dc:a3:32:cb:e3:70:35:d0:7e:8e:
cc:35:1b:e1:2f:9c:22:b2:de:57:f5:d9:73:7c:a4:
bc:b3:3c:94:92:5b:06:d8:7d:5b:c1:47:fa:e7:51:
0e:2a:0f:51:15:ba:9c:3b:71:bc:e1:51:0a:bb:ab:
db:47:a4:8c:78:54:3e:a1:6a:95:90:01:76:a1:52:
cf:ce:97:56:db:48:08:8b:3b:e6:17:a9:57:3c:6e:
6c:fc:22:f3:88:a5:4c:dd:61:84:53:a5:b8:ee:c4:
85:b2:07:54:03:a3:90:b9:97:18:30:74:5d:49:04:
b3:58:80:7c:4e:0a:fe:22:63:04:8b:8b:af:0e:6c:
9f:20:40:9f:dd:10:31:bf:36:b5:8c:6d:c0:2b:d4:
fa:a7:a6:d5:b4:19:af:97:ca:bc:6d:9b:cf:8d:f4:
e3:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5B:61:80:FE:B9:26:47:A0:0C:F9:2C:88:D6:AD:26:FF:F8:20:FF:7E
X509v3 Authority Key Identifier:
keyid:16:93:BD:8F:7B:44:02:AF:95:A8:F2:E0:BF:D8:1E:78:51:28:EA:49
Signature Algorithm: sha256WithRSAEncryption
93:6f:21:b2:1f:72:3f:3b:85:ee:e9:47:56:2a:cf:74:fb:e3:
d7:b8:7f:d6:55:35:29:f3:14:b2:3d:68:27:01:fb:41:df:3b:
dd:d0:b2:44:6f:66:f3:35:5f:a1:b9:b8:d3:40:6f:e7:63:e5:
60:80:0d:16:c7:72:55:80:e4:5e:d9:d7:b3:93:e1:21:c1:81:
6f:22:cd:2f:2a:ff:82:8e:75:5d:8e:9d:09:c4:a6:de:f4:0b:
9d:01:7a:42:a0:b2:05:6b:ce:7e:ba:ed:ea:fa:90:33:f6:e2:
d8:26:32:69:35:57:21:12:0f:59:f9:a6:b8:45:4f:16:0a:4e:
7d:ac:db:2f:15:83:71:39:45:3c:6b:84:64:ae:60:40:a5:a1:
2a:58:6d:ec:f0:8e:48:9f:30:73:aa:03:9e:c6:f9:1b:b5:a1:
f5:45:23:e1:fb:61:30:26:a3:51:b4:c3:69:a8:ab:18:e9:a5:
d1:79:3c:de:c5:af:35:c6:cd:76:68:d1:7a:69:41:15:38:b4:
06:f4:32:3a:27:ef:a9:5a:d9:47:89:ce:d5:78:e4:80:fc:dd:
fb:13:13:94:b5:a6:30:d9:be:20:1d:c2:98:9a:22:1e:b6:dc:
ce:8a:7e:43:59:4d:24:b2:8e:1e:8c:34:b1:ce:47:53:4f:59:
de:f7:14:75
[root@rocky8 CA]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = cn, ST = shaanxi, L = xi'an, O = raymonds, OU = it, CN = ca.raymonds.cc, emailAddress = 88563128@qq.com
[root@rocky8 CA]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = cn, ST = shaanxi, O = raymonds, OU = it, CN = app1.raymonds.cc, emailAddress = root@raymonds.cc
[root@rocky8 CA]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Nov 16 13:57:24 2021 GMT
notAfter=Aug 12 13:57:24 2024 GMT
[root@rocky8 CA]# openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F
#验证指定编号对应证书的有效性
[root@rocky8 CA]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@rocky8 CA]# cat /etc/pki/CA/index.txt
V 240812135724Z 0F unknown /C=cn/ST=shaanxi/O=raymonds/OU=it/CN=app1.raymonds.cc/emailAddress=root@raymonds.cc
[root@rocky8 CA]# cat /etc/pki/CA/index.txt.old
[root@rocky8 CA]# cat /etc/pki/CA/serial
10
[root@rocky8 CA]# cat /etc/pki/CA/serial.old
0F
[root@rocky8 CA]# sz /etc/pki/CA/certs/app1.crt
1.7 将证书相关文件发送到用户端使用
[root@rocky8 CA]# cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@rocky8 CA]# tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
1.8 证书的信任
由私有 CA 签发的证书默认在 Windows 上是不被信任的,需要把 CA 证书 cacert.pem 导入“受信任的根证书颁发机构”后,该 CA 签发的证书才会被信任,可以通过下面的操作实现。注意:导入后,这个 CA 签发的任何证书(包括任意域名)都会被这台机器信任,因此只在受控的测试/内网环境这样做,并务必保护好 CA 私钥。
打开internet属性
1.9 证书的吊销
[root@rocky8 CA]# openssl ca -revoke /etc/pki/CA/newcerts/0F.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 0F.
Data Base Updated
[root@rocky8 CA]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Revoked (R)
[root@rocky8 CA]# cat /etc/pki/CA/index.txt
R 240812135724Z 211116144914Z 0F unknown /C=cn/ST=shaanxi/O=raymonds/OU=it/CN=app1.raymonds.cc/emailAddress=root@raymonds.cc
1.10 生成证书吊销列表文件
[root@rocky8 CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
139662603671360:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
139662603671360:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
[root@rocky8 CA]# echo 01 >/etc/pki/CA/crlnumber
[root@rocky8 CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@rocky8 CA]# cat /etc/pki/CA/crlnumber
02
[root@rocky8 CA]# cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----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-----END X509 CRL-----
[root@rocky8 CA]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = cn, ST = shaanxi, L = xi'an, O = raymonds, OU = it, CN = ca.raymonds.cc, emailAddress = 88563128@qq.com
Last Update: Nov 16 14:50:46 2021 GMT
Next Update: Dec 16 14:50:46 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 0F
Revocation Date: Nov 16 14:49:14 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
84:66:39:62:83:6a:3d:1f:af:f1:64:2a:d2:d0:ce:6a:c9:9a:
ab:b0:3a:0b:58:3c:55:db:5b:98:d8:29:28:1a:21:be:1e:4e:
78:c6:46:ef:80:42:cc:73:cd:a5:67:fb:97:5c:99:d4:8d:7d:
24:e4:35:62:bf:26:cb:21:95:0b:33:03:5f:68:b6:7b:e5:da:
68:80:5d:c7:89:91:e8:57:37:e8:d8:5b:5f:e6:b4:a1:d6:8e:
bb:f7:04:61:b4:41:9c:23:56:69:bf:38:b0:da:8f:ec:7e:cf:
b1:7e:70:a6:12:5f:d5:e7:23:05:17:f0:44:dd:c2:75:8a:fb:
e5:93:7f:a8:17:e8:9d:61:93:5a:30:08:0c:34:2d:46:15:61:
ab:27:53:cb:a7:78:9e:aa:f6:d8:ac:b0:fc:9d:0b:f5:8e:36:
c3:58:11:16:73:53:c8:1a:79:c5:0b:9c:bb:bf:52:f5:4d:67:
b6:6e:69:23:0c:1f:dc:b0:04:a8:b4:36:ee:97:d9:93:0a:66:
af:34:dc:33:c3:94:49:31:81:eb:02:24:3a:5c:6f:00:a5:ad:
31:07:4f:f8:ae:c3:bb:1b:ef:ab:cc:d3:17:c0:5d:1b:3f:b5:
84:6e:30:ba:44:80:be:40:63:9e:77:49:80:3f:77:d3:c7:87:
4b:a3:b5:73
[root@rocky8 CA]# sz /etc/pki/CA/crl.pem
#将此文件crl.pem传到windows上并改后缀为crl.pem.crl,双击可以查看以下显示
#注意:上面 CRL 的 Next Update 是 Last Update 之后 30 天(由 openssl.cnf 中 default_crl_days 决定)。每次吊销证书后都要重新执行 openssl ca -gencrl 并把新的 crl.pem 分发给客户端;即使没有新的吊销,也必须在 Next Update 之前重新生成,否则检查 CRL 的客户端会认为该 CRL 已过期
2.一键自动颁发证书脚本(注意:以下脚本用 openssl x509 -req 直接签发,不维护第 1 节中的 index.txt/serial 数据库,因此签出的证书无法用 openssl ca -revoke / -gencrl 吊销;适合测试环境快速出证)
范例:
[root@rocky8 ~]# vim certificate.sh
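#!/bin/bash
#
#**********************************************************************************************
#Author: Raymond
#QQ: 88563128
#Date: 2021-11-16
#FileName: certificate.sh
#URL: raymond.blog.csdn.net
#Description: One-shot private CA + CA-signed server certificate (test/lab use)
#Copyright (C): 2021 All rights reserved
#*********************************************************************************************
# Writes into the current directory:
#   ca.key / ca.crt                 self-signed CA (key is unencrypted: -nodes)
#   ${FILE}.key / .csr / .crt       server key, request and CA-signed certificate
# Keys are created under umask 077, so they are 0600 from the moment they
# exist (the original only chmod'ed them after the fact).
set -euo pipefail
umask 077

CA_SUBJECT="/O=raymonds/CN=ca.raymonds.cc"
CA_EXPIRE=3650
SUBJECT="/C=CN/ST=Shaanxi/L=xi'an/O=raymonds/CN=*.raymonds.cc"
SERIAL=01
EXPIRE=365
FILE=httpd
# subjectAltName for the server cert, derived from the CN: modern TLS clients
# ignore the CN and only match the hostname against the SAN.
SAN="DNS:${SUBJECT##*CN=}"

# 1. Self-signed CA key + certificate.
openssl req -x509 -newkey rsa:2048 -subj "${CA_SUBJECT}" -keyout ca.key -nodes \
  -days "${CA_EXPIRE}" -out ca.crt

# 2. Server key + certificate signing request.
openssl req -newkey rsa:2048 -nodes -keyout "${FILE}.key" -subj "${SUBJECT}" \
  -out "${FILE}.csr"

# 3. Sign the CSR with the CA. `x509 -req` does not copy extensions from the
#    CSR, so the end-entity extensions (CA:FALSE, SAN) are passed via -extfile.
openssl x509 -req -in "${FILE}.csr" -CA ca.crt -CAkey ca.key -set_serial "${SERIAL}" \
  -days "${EXPIRE}" -out "${FILE}.crt" \
  -extfile <(printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "${SAN}")

# Already 0600 thanks to umask 077; kept as an explicit, visible guarantee.
chmod 600 "${FILE}.key" ca.key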
[root@rocky8 data]# bash certificate.sh
Generating a RSA private key
...................................................................+++++
........................................................................................+++++
writing new private key to 'ca.key'
-----
Generating a RSA private key
..............+++++
........+++++
writing new private key to 'httpd.key'
-----
Signature ok
subject=C = CN, ST = Shaanxi, L = xi'an, O = raymonds, CN = *.raymonds.cc
Getting CA Private Key
[root@rocky8 data]# ls
ca.crt ca.key certificate.sh httpd.crt httpd.csr httpd.key
[root@rocky8 data]# vim certificate2.sh
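#!/bin/bash
#
#**********************************************************************************************
#Author: Raymond
#QQ: 88563128
#Date: 2021-11-19
#FileName: certificate2.sh
#URL: raymond.blog.csdn.net
#Description: Batch generator: one self-signed CA plus N CA-signed server certificates
#Copyright (C): 2021 All rights reserved
#*********************************************************************************************
# Entry 0 of CERT_INFO is the CA; every further entry is a server certificate
# signed by it. All files are written under $DIR. Keys are unencrypted (-nodes)
# and are created under umask 077, so they are 0600 from creation onward.
set -euo pipefail
umask 077

# Certificate output directory
DIR=/data
# Per-certificate parameters, keyed by name + numeric index (0 = CA).
# (Inside the parentheses newlines separate elements, so no backslashes needed.)
declare -A CERT_INFO
CERT_INFO=(
  [subject0]="/O=raymond/CN=ca.raymonds.cc"
  [keyfile0]="cakey.pem"
  [crtfile0]="cacert.pem"
  [key0]=2048
  [expire0]=3650
  # NOTE(review): RFC 5280 requires a positive serial; 0 is kept from the
  # original but some strict validators may reject it.
  [serial0]=0
  [subject1]="/C=CN/ST=shaanxi/L=xi'an/O=it/CN=master.raymonds.cc"
  [keyfile1]="master.key"
  [crtfile1]="master.crt"
  [key1]=2048
  [expire1]=365
  [serial1]=1
  [csrfile1]="master.csr"
  [subject2]="/C=CN/ST=shaanxi/L=xi'an/O=sales/CN=slave.raymonds.cc"
  [keyfile2]="slave.key"
  [crtfile2]="slave.crt"
  [key2]=2048
  [expire2]=365
  [serial2]=2
  [csrfile2]="slave.csr"
)

# Print one bold-green banner line (same bytes as the original echo -e form).
banner() { printf '\033[1;32m%s\033[0m\n' "$*"; }

# Number of certificates = number of subjectN keys (no grep|wc needed).
N=0
for k in "${!CERT_INFO[@]}"; do
  [[ $k == subject* ]] && N=$((N + 1))
done

# Everything below writes relative paths, so a failed cd must be fatal rather
# than silently spraying keys into the caller's working directory.
cd "$DIR" || { printf 'cannot cd to %s\n' "$DIR" >&2; exit 1; }

for ((i = 0; i < N; i++)); do
  subject=${CERT_INFO[subject${i}]}
  if ((i == 0)); then
    # Self-signed CA certificate.
    openssl req -x509 -newkey "rsa:${CERT_INFO[key${i}]}" -subj "$subject" \
      -set_serial "${CERT_INFO[serial${i}]}" -keyout "${CERT_INFO[keyfile${i}]}" -nodes \
      -days "${CERT_INFO[expire${i}]}" -out "${CERT_INFO[crtfile${i}]}" 2>/dev/null
  else
    # Server key + CSR, then sign with the CA. `x509 -req` copies no
    # extensions from the CSR, so CA:FALSE and a SAN (clients match the
    # hostname against the SAN, not the CN) are supplied via -extfile.
    openssl req -newkey "rsa:${CERT_INFO[key${i}]}" -nodes -subj "$subject" \
      -keyout "${CERT_INFO[keyfile${i}]}" -out "${CERT_INFO[csrfile${i}]}" 2>/dev/null
    openssl x509 -req -in "${CERT_INFO[csrfile${i}]}" -CA "${CERT_INFO[crtfile0]}" \
      -CAkey "${CERT_INFO[keyfile0]}" -set_serial "${CERT_INFO[serial${i}]}" \
      -days "${CERT_INFO[expire${i}]}" -out "${CERT_INFO[crtfile${i}]}" \
      -extfile <(printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "${subject##*CN=}") \
      2>/dev/null
  fi
  banner "**************************************生成证书信息**************************************"
  openssl x509 -in "${CERT_INFO[crtfile${i}]}" -noout -subject -dates -serial
  echo
done

# Keys are already 0600 via umask 077; the chmod makes the guarantee explicit.
chmod 600 ./*.key
echo "证书生成完成"
banner "**************************************生成证书文件如下**************************************"
echo "证书存放目录: $DIR"
files=("$DIR"/*)
echo "证书文件列表: ${files[*]##*/}"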
[root@rocky8 ~]# bash certificate2.sh
**************************************生成证书信息**************************************
subject=O = raymond, CN = ca.raymonds.cc
notBefore=Nov 19 16:37:23 2021 GMT
notAfter=Nov 17 16:37:23 2031 GMT
serial=00
**************************************生成证书信息**************************************
subject=C = CN, ST = shaanxi, L = xi'an, O = it, CN = master.raymonds.cc
notBefore=Nov 19 16:37:24 2021 GMT
notAfter=Nov 19 16:37:24 2022 GMT
serial=01
**************************************生成证书信息**************************************
subject=C = CN, ST = shaanxi, L = xi'an, O = sales, CN = slave.raymonds.cc
notBefore=Nov 19 16:37:24 2021 GMT
notAfter=Nov 19 16:37:24 2022 GMT
serial=02
证书生成完成
**************************************生成证书文件如下**************************************
证书存放目录: /data
证书文件列表: cacert.pem cakey.pem master.crt master.csr master.key slave.crt slave.csr slave.key
[root@rocky8 ~]# ls /data
cacert.pem cakey.pem master.crt master.csr master.key slave.crt slave.csr slave.key