Building a CA and issuing certificates with CentOS + OpenSSL
1. Install the CentOS system, as shown in the figure below:
2. Use OpenSSL to create the CA and issue certificates. Log in to the CentOS system as root:
[root@localhost ~]# mkdir certs
[root@localhost ~]# cd certs
[root@localhost certs]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
....................................................................................................................................................+++
.+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:opzoon
Organizational Unit Name (eg, section) []:opzoon
Common Name (eg, your name or your server's hostname) []:
Email Address []:tac@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:opzoon
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ec:01:11:fd:2f:3f:25:c1
        Validity
            Not Before: Feb  1 21:21:43 2012 GMT
            Not After : Jan 31 21:21:43 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = opzoon
            organizationalUnitName    = opzoon
            commonName                =
            emailAddress              = tac@
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan 31 21:21:43 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost certs]#
[root@localhost certs]# cd /etc/pki/CA/
[root@localhost CA]# openssl x509 -in cacert.pem -days 3650 -out cacert.pem -signkey ./private/cakey.pem
Getting Private key
Enter pass phrase for ./private/cakey.pem:
[root@localhost CA]#
[root@localhost CA]# cd /root/certs/
[root@localhost certs]# /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
....................................................+++
.............+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:fujian
Locality Name (eg, city) [Default City]:fuzhou
Organization Name (eg, company) [Default Company Ltd]:opzoon
Organizational Unit Name (eg, section) []:opzoon
Common Name (eg, your name or your server's hostname) []:
Email Address []:fujian@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:fuzhou
An optional company name []:opzoon
Request is in newreq.pem, private key is in newkey.pem
[root@localhost certs]#
[root@localhost certs]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ec:01:11:fd:2f:3f:25:c2
        Validity
            Not Before: Feb  1 21:45:55 2012 GMT
            Not After : Jan 31 21:45:55 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = fujian
            localityName              = fuzhou
            organizationName          = opzoon
            organizationalUnitName    = opzoon
            commonName                =
            emailAddress              = fujian@
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                32:5A:E6:00:EC:A5:88:C5:AB:73:17:77:F1:D3:08:A8:FE:2D:B3:EE
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

Certificate is to be certified until Jan 31 21:45:55 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ec:01:11:fd:2f:3f:25:c2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=opzoon, OU=opzoon, CN=
        Validity
            Not Before: Feb  1 21:45:55 2012 GMT
            Not After : Jan 31 21:45:55 2013 GMT
        Subject: C=CN, ST=fujian, L=fuzhou, O=opzoon, OU=opzoon, CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:29:e0:c8:fe:a7:fa:44:b0:1a:2b:72:f5:66:
                    1c:48:da:e8:7c:33:28:b0:7d:20:df:b5:24:1e:99:
                    51:78:aa:6e:87:cd:0d:e0:6e:ea:cd:52:30:1f:87:
                    67:98:1a:8a:37:f4:16:ad:22:60:05:18:5e:16:21:
                    b1:48:31:29:7b:6d:ae:58:a1:5c:07:04:37:72:7b:
                    41:37:89:63:ec:af:35:9a:06:47:3f:2c:c6:53:db:
                    68:22:63:ad:85:a0:21:cc:0b:f3:05:a5:1d:26:07:
                    c5:ec:1a:e3:06:88:18:52:e7:65:4a:1a:9d:c1:1e:
                    cb:f6:db:f5:3f:0f:37:01:8f:8c:05:c7:bf:8f:eb:
                    d2:32:71:ae:70:10:d7:ef:52:86:37:d2:6d:a9:05:
                    24:91:c1:b5:57:38:0e:83:8d:90:fb:16:9f:2c:a6:
                    bc:d1:2e:ef:3e:f7:50:b3:54:cf:d9:98:ef:a2:12:
                    ad:ba:c8:4e:ce:b6:ce:91:2d:8a:63:cd:e3:6e:8d:
                    f0:72:b1:67:90:36:f1:e9:06:9f:45:73:08:2a:4a:
                    4d:a3:66:c5:00:59:fd:81:2e:57:da:8c:8d:c9:22:
                    b1:f3:8d:77:0b:a2:e8:8f:54:2d:bc:8f:58:b3:3c:
                    2d:4b:1a:10:fa:3e:43:8b:20:3f:e0:24:fc:23:c0:
                    2d:5d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                32:5A:E6:00:EC:A5:88:C5:AB:73:17:77:F1:D3:08:A8:FE:2D:B3:EE
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

    Signature Algorithm: sha1WithRSAEncryption
         a0:e3:bf:1e:3b:88:e0:86:15:ed:7b:17:80:88:c9:2f:c2:ce:
         ba:f4:c9:96:81:07:9e:42:51:ed:a8:47:0b:3a:c5:01:6b:1d:
         2d:dc:6d:8a:8a:57:bc:c9:7a:a7:02:e3:35:eb:79:f4:f7:6f:
         6b:fd:11:49:d8:4d:10:d8:bc:7c:31:7a:7d:0f:c9:92:2e:d6:
         01:90:11:2b:96:f3:11:d9:ad:af:97:a5:53:c9:f2:cd:58:9b:
         65:cd:52:d8:80:88:dc:c5:c3:5a:09:c5:87:46:81:57:e0:af:
         fe:16:9a:1c:50:a6:b3:ef:2a:ef:ab:ff:ec:a9:b3:42:e6:ec:
         c6:a5:70:43:bc:56:27:aa:e9:76:5b:02:84:2b:ea:96:e4:92:
         4f:4e:90:cb:94:05:d8:d2:ca:b3:2d:91:4f:ee:a1:a3:4a:70:
         91:cf:e4:1f:45:72:39:ca:f1:25:80:1a:4c:8a:ce:ec:bc:dd:
         61:57:75:ff:06:84:16:5f:f1:03:9a:9e:56:14:18:a8:95:14:
         2b:53:83:65:55:93:7c:59:0e:53:e0:c7:bd:99:2c:36:b7:57:
         f3:53:c8:e2:86:80:30:6f:31:5d:66:cf:19:91:68:9d:50:5c:
         20:dc:8b:e6:61:9d:0c:56:a9:c7:3f:6f:13:26:06:0e:b9:51:
         d0:26:a4:ee
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@localhost certs]# ls
newcert.pem  newkey.pem  newreq.pem
At this point the CA has been created and the certificate issued: newcert.pem is the certificate file, newkey.pem is the certificate's private key file, and cacert.pem under /etc/pki/CA/ is the CA certificate.
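The procedure above is driven entirely by interactive prompts of the CA wrapper script, and it never checks its own result. The script below is an added example, not part of the original document: it reproduces the same flow (create the root CA, give it the 3650-day lifetime the tutorial obtains by re-signing cacert.pem, generate a request, sign it) with plain openssl commands so it runs unattended, and then performs the checks a practitioner would want: that newcert.pem verifies against cacert.pem, that the root is CA:TRUE and the leaf CA:FALSE, that the leaf's Authority Key Identifier equals the root's Subject Key Identifier (the two 20-byte values printed in the transcript), and that the root really is valid for 3650 days. It signs with SHA-256 rather than the sha1WithRSAEncryption shown in the transcript, writes the keys without a pass phrase, and uses a temporary working directory, a CN of server.example.test with a matching subjectAltName, and its own extension sections; all of those are assumptions for this example, not the tutorial's values.

```shell
#!/bin/sh
# Added example (not from the original tutorial): non-interactive equivalent of
# CA -newca / CA -newreq / CA -sign, followed by checks the tutorial omits.
# Subject values, the hostname server.example.test, the extension sections and
# the temporary directory are assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Config files replace the DN prompts of CA -newca / CA -newreq and the
# extension sections the CA script takes from openssl.cnf.
write_configs() {
    cat > "$WORK/ca_req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C  = CN
ST = beijing
L  = beijing
O  = opzoon
OU = opzoon
CN = opzoon test root CA
EOF
    cat > "$WORK/server_req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C  = CN
ST = fujian
L  = fuzhou
O  = opzoon
OU = opzoon
CN = server.example.test
EOF
    cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
# what CA -newca produced: CA:TRUE plus SKI/AKI; keyUsage restricts the key to signing
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
[ v3_server ]
# what CA -sign produced: CA:FALSE plus SKI/AKI; SAN added so clients can match the hostname
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:server.example.test
EOF
}

# CA -newca plus the tutorial's "openssl x509 -days 3650 -signkey" re-signing,
# collapsed into issuing the root for 3650 days in the first place.
make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/cakey.pem" -config "$WORK/ca_req.cnf" -out "$WORK/careq.pem"
    openssl x509 -req -in "$WORK/careq.pem" -signkey "$WORK/cakey.pem" -sha256 -days 3650 \
        -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/cacert.pem" 2>/dev/null
}

# CA -newreq (newkey.pem, newreq.pem) and CA -sign (newcert.pem, 365 days).
make_server_cert() {
    openssl genrsa -out "$WORK/newkey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/newkey.pem" -config "$WORK/server_req.cnf" -out "$WORK/newreq.pem"
    openssl x509 -req -in "$WORK/newreq.pem" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -sha256 -days 365 -extfile "$WORK/ext.cnf" -extensions v3_server \
        -out "$WORK/newcert.pem" 2>/dev/null
}

# Checks: chain builds, CA flags are right, leaf AKI == root SKI, root lifetime took effect.
verify_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null; }
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
ski_of() { openssl x509 -in "$1" -noout -text | awk '/Subject Key Identifier/ {getline; gsub(/ /, ""); print; exit}'; }
# OpenSSL 1.x prints the AKI with a "keyid:" prefix, 3.x without; strip it either way.
aki_of() { openssl x509 -in "$1" -noout -text | awk '/Authority Key Identifier/ {getline; gsub(/ /, ""); sub(/^keyid:/, ""); print; exit}'; }
# -checkend succeeds only if the cert is still valid that many seconds from now.
ca_still_valid_after_nine_years() { openssl x509 -in "$WORK/cacert.pem" -noout -checkend $((9 * 365 * 86400)) >/dev/null; }

build_all() { write_configs && make_ca && make_server_cert; }

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    build_all
    verify_chain && echo "newcert.pem verifies against cacert.pem"
    is_ca "$WORK/cacert.pem" && echo "root is CA:TRUE"
    is_ca "$WORK/newcert.pem" || echo "leaf is CA:FALSE"
    [ "$(ski_of "$WORK/cacert.pem")" = "$(aki_of "$WORK/newcert.pem")" ] && echo "leaf AKI matches root SKI"
    ca_still_valid_after_nine_years && echo "root lifetime of 3650 days confirmed"
    echo "files in $WORK"
fi
```

The checks are the part worth keeping even if you stay with the interactive CA script: `openssl verify -CAfile cacert.pem newcert.pem` is the one-line test that the signing step actually produced a certificate that chains to the CA, and comparing the leaf's Authority Key Identifier with the CA's Subject Key Identifier is how to confirm which CA key signed it when several roots exist.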