Centos7创建私有CA并签发证书

发布于 2018-06-04  350 次阅读


CA

#cd /etc/pki/CA
#touch index.txt serial
#echo 01 > serial
#(umask 077; openssl genrsa -out private/cakey.pem 2048)
#vim /etc/pki/tls/openssl.cnf

#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shandong]:
Locality Name (eg, city) [Qingdao]:
Organization Name (eg, company) [LIMEXC]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.720.com
Email Address []:admin@720.com

WEB

#(umask 077; openssl genrsa 1024 > httpd.key)
#openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [Shandong]:Shandong
Locality Name (eg, city) [Qingdao]:Qingdao
Organization Name (eg, company) [LIMEXC]:LIMEXC
Organizational Unit Name (eg, section) [Tech]:Tech
Common Name (eg, your name or your server's hostname) []:www.720.com
Email Address []:xian@720.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

#scp httpd.csr 172.16.0.134:/tmp/ 将证书发送至CA

CA

#openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 22:12:13 2018 GMT
Not After : Jan 25 22:12:13 2028 GMT
Subject:
countryName = CN
stateOrProvinceName = Shandong
organizationName = LIMEXC
organizationalUnitName = Tech
commonName = www.720.com
emailAddress = xian@720.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2C:D3:94:C0:AD:01:63:3F:4C:34:DB:4F:3C:8F:4C:46:7F:CE:1B:15
X509v3 Authority Key Identifier:
keyid:9E:1E:CE:67:EE:78:09:B3:E1:B4:E3:71:70:82:D7:01:80:51:04:55
Certificate is to be certified until Jan 25 22:12:13 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

#scp httpd.crt 172.16.0.132:/etc/httpd/ssl/ 将证书发送回WEB

WEB

#vim ssl.conf
在web端配置证书,测试。

将cacert.pem拷贝到客户端,修改后缀为crt。将证书导入。


我们都要做生活的高手。