Building a CA and issuing certificates with CentOS + openssl.docx

Uploaded by: b****3  Document ID: 27128618  Upload date: 2023-06-27  Format: DOCX  Pages: 16  Size: 1.20 MB
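Building a CA and issuing certificates with CentOS + openssl

1. Install the CentOS system, as shown in the figure below:

2. Use openssl to create the CA and issue a certificate. Log in to the CentOS system as the root user.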

[root@localhost ~]# mkdir certs
[root@localhost ~]# cd certs
[root@localhost certs]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
....................................................................................................................................................+++
.+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:opzoon
Organizational Unit Name (eg, section) []:opzoon
Common Name (eg, your name or your server's hostname) []:
Email Address []:tac@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:opzoon
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ec:01:11:fd:2f:3f:25:c1
        Validity
            Not Before: Feb  1 21:21:43 2012 GMT
            Not After : Jan 31 21:21:43 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = opzoon
            organizationalUnitName    = opzoon
            commonName                =
            emailAddress              = tac@
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan 31 21:21:43 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost certs]#

[root@localhost certs]# cd /etc/pki/CA/
[root@localhost CA]# openssl x509 -in cacert.pem -days 3650 -out cacert.pem -signkey ./private/cakey.pem
Getting Private key
Enter pass phrase for ./private/cakey.pem:
[root@localhost CA]#
[root@localhost CA]# cd /root/certs/

[root@localhost certs]# /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
....................................................+++
.............+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:fujian
Locality Name (eg, city) [Default City]:fuzhou
Organization Name (eg, company) [Default Company Ltd]:opzoon
Organizational Unit Name (eg, section) []:opzoon
Common Name (eg, your name or your server's hostname) []:
Email Address []:fujian@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:fuzhou
An optional company name []:opzoon
Request is in newreq.pem, private key is in newkey.pem
[root@localhost certs]#

[root@localhost certs]# /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ec:01:11:fd:2f:3f:25:c2
        Validity
            Not Before: Feb  1 21:45:55 2012 GMT
            Not After : Jan 31 21:45:55 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = fujian
            localityName              = fuzhou
            organizationName          = opzoon
            organizationalUnitName    = opzoon
            commonName                =
            emailAddress              = fujian@
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                32:5A:E6:00:EC:A5:88:C5:AB:73:17:77:F1:D3:08:A8:FE:2D:B3:EE
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

Certificate is to be certified until Jan 31 21:45:55 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ec:01:11:fd:2f:3f:25:c2
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=opzoon, OU=opzoon, CN=
        Validity
            Not Before: Feb  1 21:45:55 2012 GMT
            Not After : Jan 31 21:45:55 2013 GMT
        Subject: C=CN, ST=fujian, L=fuzhou, O=opzoon, OU=opzoon, CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)


                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                32:5A:E6:00:EC:A5:88:C5:AB:73:17:77:F1:D3:08:A8:FE:2D:B3:EE
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

    Signature Algorithm: sha1WithRSAEncryption


Signed certificate is in newcert.pem
[root@localhost certs]# ls
newcert.pem  newkey.pem  newreq.pem

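This completes the creation of the CA and the issuing of the certificate. newcert.pem is the certificate file, newkey.pem is the certificate's private key file, and cacert.pem in the /etc/pki/CA/ directory is the CA certificate.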
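
A post-issuance check for the three files this procedure produces, as an added example that is not part of the original document: it confirms that the certificate chains to the CA, that the key belongs to the certificate, that the signature digest is not SHA-1 or MD5 (the output above shows sha1WithRSAEncryption), and that the end-entity certificate is not marked as a CA. The function names check_issued and make_demo_pki are hypothetical, and the demo CA, leaf and subject names are constructed sample input signed with SHA-256.

```shell
#!/bin/sh
# Added example (not from the original document): checks on the issued files.
# Usage with the files from the walkthrough:
#   check_issued /etc/pki/CA/cacert.pem newcert.pem newkey.pem
# Assumption: the key is readable without a pass phrase; for an encrypted
# key add -passin to the pkey call.
check_issued() {
    ca=$1; cert=$2; key=$3
    # 1. The certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL chain"; return 1; }
    # 2. The private key must match the public key in the certificate.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL key-mismatch"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    # 3. Flag SHA-1/MD5 signatures such as sha1WithRSAEncryption.
    if echo "$text" | grep -Eqi 'Signature Algorithm: *(sha1|md5)'; then
        echo "FAIL weak-digest"; return 1
    fi
    # 4. An end-entity certificate must not carry CA:TRUE.
    if echo "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL leaf-is-ca"; return 1
    fi
    echo "OK"
}

# Constructed sample input: a throwaway CA, one leaf and an unrelated key in $1.
make_demo_pki() {
    ( set -e; cd "$1"
      printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=demo' \
          '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
          '[v3_leaf]' 'basicConstraints=CA:FALSE' > demo.cnf
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config demo.cnf \
          -extensions v3_ca -subj '/CN=Demo CA' -keyout ca.key -out ca.pem
      openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
          -subj '/CN=leaf.example.test' -keyout leaf.key -out leaf.csr
      openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -sha256 -days 30 -extfile demo.cnf -extensions v3_leaf -out leaf.pem
      openssl genrsa -out other.key 2048
    ) >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo" && check_issued "$demo/ca.pem" "$demo/leaf.pem" "$demo/leaf.key"
rm -rf "$demo"
```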
