Creating a private CA

1. Create the files the CA needs
Create the certificate index database file
touch /etc/pki/CA/index.txt
Specify the serial number of the first certificate to be issued
echo 01 > /etc/pki/CA/serial
Create these two files before issuing any certificate; if they are missing, openssl will complain about them at signing time.
2. Generate the CA private key
As a certificate authority, the CA needs a private key of its own.
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
3. Generate the CA's self-signed certificate
Where does the CA's own certificate come from? Normally it is issued by the CA's parent CA,
but on our LAN this CA is the first (root) CA, and the first CA issues its certificate to itself.
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

Generate a self-signed certificate from the private key

Options:

-new: generate a new certificate signing request
-x509: used only by a CA to produce a self-signed certificate in X.509 format
-key: the private key file used to generate the request
-days n: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate



1. Create the required directories

CentOS 7 already ships with these directories

On CentOS 8 they have to be created by hand

[root@VM-16-11-centos ~]# ls /etc/pki/CA
ls: cannot access '/etc/pki/CA': No such file or directory
[root@VM-16-11-centos ~]#
[root@VM-16-11-centos ~]# mkdir /etc/pki/CA/certs crl newcerts private
mkdir: cannot create directory ‘/etc/pki/CA/certs’: No such file or directory
[root@VM-16-11-centos ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: cannot create directory ‘/etc/pki/CA/certs’: No such file or directory
mkdir: cannot create directory ‘/etc/pki/CA/crl’: No such file or directory
mkdir: cannot create directory ‘/etc/pki/CA/newcerts’: No such file or directory
mkdir: cannot create directory ‘/etc/pki/CA/private’: No such file or directory
[root@VM-16-11-centos ~]# ls /etc/pki/CA
ls: cannot access '/etc/pki/CA': No such file or directory
[root@VM-16-11-centos ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private} -p
[root@VM-16-11-centos ~]# ls /etc/pki/CA
certs crl newcerts private
[root@VM-16-11-centos ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@VM-16-11-centos ~]#
2. Generate the private key file
[root@VM-16-11-centos ~]# cd /etc/pki/CA
[root@VM-16-11-centos CA]# ls
certs crl newcerts private
[root@VM-16-11-centos CA]# tree
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@VM-16-11-centos CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
........................................................+++++
e is 65537 (0x010001)
[root@VM-16-11-centos CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 1 file
[root@VM-16-11-centos CA]#

[root@VM-16-11-centos CA]# ll private/
total 4
-rw------- 1 root root 1675 Jan 17 13:47 cakey.pem

Set the CA certificate's validity period on the long side so that it does not expire.

3. Generate the self-signed certificate

[root@VM-16-11-centos CA]# openssl req -new -x509  -key  /etc/pki/CA/private/cakey.pem  -days  3650  -out  /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu,org
Email Address []:admin@magedu.org
[root@VM-16-11-centos CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files
[root@VM-16-11-centos CA]# cat cacert.pem
[root@VM-16-11-centos CA]#
[root@VM-16-11-centos CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
44:92:d3:db:86:f3:70:6b:57:57:6a:41:9c:ff:dc:dd:27:ae:f6:06
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = "ca.magedu,org", emailAddress = admin@magedu.org
Validity
Not Before: Jan 17 05:55:38 2022 GMT
Not After : Jan 15 05:55:38 2032 GMT
Subject: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = "ca.magedu,org", emailAddress = admin@magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c8:f0:7c:84:a8:e8:83:cf:78:24:73:94:c2:75:
05:ed:d9:07:28:f8:c9:f5:47:8d:d2:e0:57:a2:30:
98:2d:a7:38:13:3c:25:1e:ce:9e:eb:b4:19:f6:72:
72:f2:81:69:4c:bb:10:d8:29:d3:de:8d:59:3b:04:
e6:e5:35:8e:cd:61:f6:cc:b0:ff:8d:79:49:8f:e1:
34:53:b4:d3:05:f6:de:49:c8:c4:d9:08:a3:a9:1c:
9b:eb:2e:0c:e2:93:8e:43:21:0a:a2:25:74:60:55:
e7:d4:fb:11:3f:07:8a:51:14:56:6f:ed:b0:4e:86:
ba:c2:57:24:69:7f:d8:8d:57:b3:88:35:63:6a:79:
b9:25:ac:bf:40:e6:62:98:7b:43:cd:e5:f2:58:c5:
4f:16:ae:1d:80:c6:8b:30:4c:ff:b9:f4:0d:89:19:
1b:06:fb:f1:57:d4:2e:fb:56:dc:8a:28:5d:70:b7:
96:53:b0:82:46:ac:5e:72:ec:ce:5d:5d:e8:6a:bd:
a5:56:a9:3b:c8:e6:5c:5f:c4:39:63:d8:f6:e3:7c:
04:62:4d:fc:47:93:ac:2d:16:13:e7:dd:97:14:20:
84:b0:3a:87:9e:0a:07:be:b5:c1:18:1c:62:c6:3e:
e3:00:f2:46:2b:ab:31:6a:50:e1:2a:ab:aa:c8:fe:
4f:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B2:DD:CF:DB:5A:2D:8A:A1:D6:40:DA:D5:1E:D0:AF:1B:D4:7A:93:A2
X509v3 Authority Key Identifier:
keyid:B2:DD:CF:DB:5A:2D:8A:A1:D6:40:DA:D5:1E:D0:AF:1B:D4:7A:93:A2

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
bb:28:0b:7b:f1:c2:a0:8c:6a:1c:1b:b6:59:a1:ad:2e:d8:19:
79:4a:26:84:0b:ec:1c:eb:91:81:66:f3:0a:09:89:9d:0e:95:
57:5f:fb:4e:fd:9f:c6:3d:a8:ff:26:bb:f9:6d:3b:34:0c:31:
60:af:33:f9:1a:10:f9:f8:f1:e1:43:09:5c:15:86:42:ee:4b:
a9:70:44:5e:7b:50:b3:4d:d1:e0:49:c9:d6:4b:c0:77:87:7e:
35:69:01:d8:fb:e1:3b:ed:4e:7d:1d:ab:75:6e:cc:dc:ea:63:
66:9f:77:4d:46:cb:3e:5b:eb:7e:19:93:10:48:9b:d0:5c:87:
4e:f7:b7:49:c7:09:a6:fc:97:dd:84:a4:62:d7:2e:d6:33:c6:
64:fc:c2:72:b5:18:7b:0c:2b:32:6d:0d:41:5f:1f:97:d2:02:
6f:98:e2:8a:87:e0:75:15:2f:12:e9:72:3b:d5:66:6b:4e:7d:
19:53:7e:15:19:24:55:07:c9:31:89:db:54:93:f5:15:55:9e:
3d:7e:e3:b7:79:ab:e3:48:58:47:56:63:2d:e2:30:c9:ac:b4:
cf:2c:9c:7a:69:8e:e3:45:cf:10:19:ef:25:c1:48:8c:db:62:
67:0a:72:ac:30:61:fa:09:b4:d3:39:d0:e2:fe:57:70:db:a9:
56:fe:96:c0
[root@VM-16-11-centos CA]#

Because the certificate is self-signed, issuer and subject are identical: the CA issued it to itself.

[root@VM-16-11-centos CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Jan 17 05:55:38 2022 GMT
notAfter=Jan 15 05:55:38 2032 GMT
[root@VM-16-11-centos CA]# openssl x509 -in cacert.pem -noout -subject
subject=C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = "ca.magedu,org", emailAddress = admin@magedu.org
[root@VM-16-11-centos CA]#


The root CA is now set up.

Just now we issued the certificate interactively.

We can improve this into a non-interactive form.

If you only have a single service, you can simply issue it a certificate directly.

If your company runs many services, you can set up a CA certificate service.


[root@VM-16-11-centos CA]# openssl req  -utf8 -newkey rsa:1024  -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
...........................+++++
................+++++
writing new private key to 'app.key'
-----
[root@VM-16-11-centos CA]# tree
.
├── app.crt
├── app.key
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 4 files
[root@VM-16-11-centos CA]#


This generates a certificate file (app.crt) and a private key file (app.key).

[root@VM-16-11-centos CA]# mv app* /data
[root@VM-16-11-centos CA]# cd /data/
[root@VM-16-11-centos data]# ls
app.crt app.key at2.log at.log
[root@VM-16-11-centos data]# ll
total 8
-rw-r--r-- 1 root root 774 Jan 17 14:07 app.crt
-rw------- 1 root root 916 Jan 17 14:07 app.key
-rw-r--r-- 1 root root 0 Jan 9 18:40 at2.log
-rw-r--r-- 1 root root 0 Jan 9 18:31 at.log
[root@VM-16-11-centos data]#


[root@VM-16-11-centos data]# openssl x509 -in app.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
57:d0:eb:b6:9b:71:e9:5e:a3:63:cc:e7:c8:b0:d9:82:15:9e:2d:09
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = www.magedu.org
Validity
Not Before: Jan 17 06:07:50 2022 GMT
Not After : Feb 16 06:07:50 2022 GMT
Subject: CN = www.magedu.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (1024 bit)
Modulus:
00:b2:61:37:9a:7c:c0:00:3d:fe:1b:8d:31:a3:43:
98:17:d0:79:6f:e2:25:51:9c:db:2f:45:a3:93:a7:
1e:6b:0b:ac:5b:22:ed:f8:dd:e0:b3:e8:4e:06:f6:
68:a1:bd:21:ee:7d:a0:b1:1e:c4:de:55:5a:0a:da:
41:59:96:76:27:99:fc:a0:6e:47:44:15:f3:3f:58:
13:8f:bd:c3:ed:1d:a4:e8:1a:8d:93:e8:23:3a:af:
c8:72:da:43:ec:69:9d:de:61:c5:06:7c:09:11:4a:
3e:32:0c:c0:e6:98:b3:f6:6b:d9:68:10:ce:3b:c0:
4e:3d:9f:10:c0:b2:06:25:df
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
43:CB:50:4E:F4:4E:0C:F5:7C:3A:D1:7F:6C:B7:D8:BE:61:62:7E:1F
X509v3 Authority Key Identifier:
keyid:43:CB:50:4E:F4:4E:0C:F5:7C:3A:D1:7F:6C:B7:D8:BE:61:62:7E:1F

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
49:ef:37:f5:90:64:26:81:3b:41:7e:8b:16:fe:a4:80:c9:bf:
7c:37:d8:96:ac:d1:95:65:7f:b2:a3:cd:e2:eb:cd:7c:db:13:
ab:f1:74:f3:d5:e2:bd:89:ed:b0:76:b2:29:51:04:45:27:93:
d7:dc:b0:dc:35:ae:70:76:4b:eb:4d:bd:d9:70:25:44:bd:b8:
8f:7d:d4:82:71:3e:02:f8:e7:85:f7:a3:c0:35:58:8c:9b:5f:
05:d7:66:d3:17:21:9b:3f:8d:7b:f3:9e:e9:91:7d:c1:cb:6b:
d6:68:fc:54:20:ac:b9:72:9d:36:82:ce:50:1f:20:5a:0c:de:
13:96
[root@VM-16-11-centos data]#

On CentOS 7 there is another, quicker way; CentOS 8 does not support it:


At this point we have a self-signed certificate and have used it to set up a CA.

Generating a certificate for a user

[root@VM-16-11-centos /]# cd data/
[root@VM-16-11-centos data]# ls
[root@VM-16-11-centos data]# mkdir app1
[root@VM-16-11-centos data]# ls
app1
[root@VM-16-11-centos data]# cd app1/
[root@VM-16-11-centos app1]# ls
[root@VM-16-11-centos app1]# pwd
/data/app1
[root@VM-16-11-centos app1]#

Generate a private key for the app1 application.

[root@VM-16-11-centos app1]# (umask 066; openssl genrsa -out  /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
................................+++++
e is 65537 (0x010001)
[root@VM-16-11-centos app1]# ls
app1.key
[root@VM-16-11-centos app1]#

The private key file has been generated. Now we use it to create a certificate signing request (CSR).

The country, province and organization are required to match those of the root certificate.

[root@VM-16-11-centos app1]# openssl req -new -key /data/app1/app1.key  -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:sale
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:sale@magedu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@VM-16-11-centos app1]#

We leave the request's extra attributes blank.

[root@VM-16-11-centos app1]# ls
app1.csr app1.key
[root@VM-16-11-centos app1]#

The certificate signing request file has now been generated.

Next, issue the certificate:

There are requirements on where the certificate files are placed.


[root@VM-16-11-centos app1]# touch /etc/pki/CA/index.txt
[root@VM-16-11-centos app1]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
└── private
    └── cakey.pem

4 directories, 3 files
[root@VM-16-11-centos app1]#



[root@VM-16-11-centos app1]# echo 0F > /etc/pki/CA/serial
[root@VM-16-11-centos app1]# cat /etc/pki/CA/serial
0F
[root@VM-16-11-centos app1]#
[root@VM-16-11-centos app1]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Jan 17 06:56:42 2022 GMT
Not After : Oct 13 06:56:42 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = magedu
organizationalUnitName = sale
commonName = www.magedu.org
emailAddress = sale@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
88:55:FD:77:41:3D:E3:F0:32:1D:38:04:9B:88:20:31:04:EB:9C:EA
X509v3 Authority Key Identifier:
keyid:B2:DD:CF:DB:5A:2D:8A:A1:D6:40:DA:D5:1E:D0:AF:1B:D4:7A:93:A2

Certificate is to be certified until Oct 13 06:56:42 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@VM-16-11-centos app1]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@VM-16-11-centos app1]#


0F.pem under newcerts is an automatic copy: it is a backup of app1.crt under certs.

[root@VM-16-11-centos app1]# cat /etc/pki/CA/index.txt
V 241013065642Z 0F unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
[root@VM-16-11-centos app1]#
[root@VM-16-11-centos app1]# cat /etc/pki/CA/serial
10

serial records the serial number of the next certificate to be issued.

At this point, issuing the certificate is complete.

[root@VM-16-11-centos app1]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@VM-16-11-centos app1]#

[root@VM-16-11-centos app1]# openssl ca -status 10
Using configuration from /etc/pki/tls/openssl.cnf
Serial 10 not present in db.
Error verifying serial 10!
[root@VM-16-11-centos app1]#

Verifying that the certificate is valid

Now copy the certificate over to Windows and take a look at it.


The certificate chain of this certificate cannot be displayed because its issuing CA certificate has not been installed on Windows.



To see the certificate chain, import the self-signed CA's certificate into the Windows certificate store:



Trust it.

Another method: right-click the certificate file and install it



Another method: or double-click it and then install the certificate



Now let's look at the user's certificate again:


The certificate is now fine.

At this point our certificate is done.

Once the certificate has been generated, the certificate signing request file is no longer needed.

The certificate's private key is here:

[root@VM-16-11-centos app1]# pwd
/data/app1
[root@VM-16-11-centos app1]# ls
app1.csr app1.key
[root@VM-16-11-centos app1]#

The certificate is in /etc/pki/CA/certs (app1.crt).


Later you package the CA certificate file cacert.pem,

the user's certificate file app1.crt

and the user's private key file app1.key

and hand them to the user or the service, which can then use them.

We will cover using them with the various services later.


Later you can turn this into a script that generates certificates.


Certificate revocation:

When a user breaks the rules or leaves the company, their certificate has to be revoked.


Certificate management

If you generate a certificate file several times from the same certificate signing request, openssl will in fact warn you.

[root@VM-16-11-centos app1]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
The matching entry has the following details
Type :Valid
Expires on :241013065642Z
Serial Number :0F
File name :unknown
Subject Name :/C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
[root@VM-16-11-centos app1]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@VM-16-11-centos app1]#

The user information from the certificate signing request has already been recorded in index.txt.

Using the same certificate signing request again therefore produces an error.


Can this be worked around? Yes.

Edit the /etc/pki/CA/index.txt.attr file


and change unique_subject = yes to unique_subject = no.

Then it works.


Sometimes the province or the company differs, and that produces an error.



How do we avoid the error?

Change the certificate issuing policy to policy_anything


Alternatively, change match to optional in policy_match.


Then certificates can be issued across provinces and across countries.


It is then no longer a private CA but a public one, which every region and every company can use.
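The policy_match rules mentioned above (country, province and organization must match the root certificate) and the policy_anything alternative, applied to the page's own subjects as an added example that is not code from the original post. POLICY_MATCH and POLICY_ANYTHING are the stock sections of /etc/pki/tls/openssl.cnf; the request from another province is constructed.

```python
"""Constructed example (not the page's code): apply an 'openssl ca' policy section to a CSR
subject the way openssl does, to show why a differing province or company is rejected."""
from __future__ import annotations

# Default policy sections of /etc/pki/tls/openssl.cnf, which 'openssl ca' used on the page.
POLICY_MATCH = {"countryName": "match", "stateOrProvinceName": "match", "organizationName": "match",
                "organizationalUnitName": "optional", "commonName": "supplied", "emailAddress": "optional"}
POLICY_ANYTHING = {"countryName": "optional", "stateOrProvinceName": "optional", "localityName": "optional",
                   "organizationName": "optional", "organizationalUnitName": "optional",
                   "commonName": "supplied", "emailAddress": "optional"}

# Short attribute names as openssl prints them in a "/C=.../ST=..." subject string.
SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L", "organizationName": "O",
         "organizationalUnitName": "OU", "commonName": "CN", "emailAddress": "emailAddress"}
LONG = {v: k for k, v in SHORT.items()}

def parse_dn(dn: str) -> dict[str, str]:
    """'/C=CN/ST=henan/O=magedu' -> {'countryName': 'CN', ...}; values must not contain '/'."""
    return {LONG[k]: v for k, v in (part.split("=", 1) for part in dn.strip("/").split("/"))}

def apply_policy(policy: dict[str, str], ca_subject: str, req_subject: str) -> str:
    """Return the subject 'openssl ca' would issue, or raise ValueError where openssl rejects.
    match:    the request value must equal the CA certificate's value
    supplied: the request must contain the field;  optional: the field may be present
    Attributes not named in the policy are dropped (the page's L=luoyang vanishes this way)."""
    ca, req = parse_dn(ca_subject), parse_dn(req_subject)
    issued = {}
    for field, rule in policy.items():
        if field not in req:
            if rule != "optional":  # wording below follows openssl's own error messages
                raise ValueError(f"The {field} field needed to be supplied and was missing")
            continue
        if rule == "match" and req[field] != ca.get(field):
            raise ValueError(f"The {field} field is different between CA certificate "
                             f"({ca.get(field)}) and the request ({req[field]})")
        issued[field] = req[field]
    return "/" + "/".join(f"{SHORT[f]}={v}" for f, v in issued.items())

# Subjects taken from the page's session, plus a constructed request from another province.
CA_SUBJECT = "/C=CN/ST=henan/L=zhengzhou/O=magedu/OU=it/CN=ca.magedu.org/emailAddress=admin@magedu.org"
APP1_REQUEST = "/C=CN/ST=henan/L=luoyang/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org"
OTHER_PROVINCE = "/C=CN/ST=beijing/O=magedu/CN=www.magedu.org"
```

With POLICY_MATCH the app1 request yields exactly the subject recorded in index.txt above (no L=luoyang), and the beijing request is rejected; with POLICY_ANYTHING both are accepted.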


The files ending in .old are the previous versions of those records.

Revoking a certificate:


The status has changed to revoked.


Now that it is revoked, how does anyone else know?

You need to put the revoked certificate into a certificate revocation list (CRL) file.

Publish the CRL file somewhere public on the network so that everyone can fetch it.

CRL distribution point



Generate the certificate revocation list.

The CRL is actually built from index.txt: openssl looks there for the certificates marked revoked, extracts that information and writes it out as a CRL file.
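The index.txt database is what both the status check above (openssl ca -status) and the CRL generation read. As an added example that is not code from the original post, this parser reproduces that lookup on a constructed index.txt: the page's 0F entry plus one revoked and one expired entry. The column layout (tab-separated status, expiry, revocation date, serial, file name, subject) is OpenSSL's real format; the sample entries are constructed.

```python
"""Constructed example (not the page's code): parse the 'openssl ca' database index.txt
the way 'openssl ca -status' and 'openssl ca -gencrl' read it, without calling openssl."""
from __future__ import annotations
from collections import namedtuple
from datetime import datetime, timezone

# One tab-separated index.txt line: status, expiry, revocation, serial, file name, subject DN.
# Status letters: V = valid, R = revoked, E = expired (written by 'openssl ca -updatedb').
IndexEntry = namedtuple("IndexEntry", "status expires revoked reason serial subject")

def parse_time(stamp: str) -> datetime:
    # index.txt stores UTCTime 'YYMMDDHHMMSSZ', e.g. 241013065642Z = 2024-10-13 06:56:42 UTC.
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> list[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, rev, serial, _fname, subject = line.split("\t")
        rev_time = reason = None
        if rev:  # revocation column is 'YYMMDDHHMMSSZ' or 'YYMMDDHHMMSSZ,reason'
            stamp, _, reason = rev.partition(",")
            rev_time, reason = parse_time(stamp), (reason or None)
        entries.append(IndexEntry(status, parse_time(exp), rev_time, reason, serial.upper(), subject))
    return entries

def cert_status(entries: list[IndexEntry], serial: str, now: datetime | None = None) -> str:
    """Like 'openssl ca -status SERIAL', but also flags V entries whose expiry date has passed."""
    now = now or datetime.now(timezone.utc)
    for e in entries:
        if e.serial == serial.upper():
            if e.status == "V" and e.expires < now:
                return "Expired (E)"  # the file still says V until 'openssl ca -updatedb' rewrites it
            return {"V": "Valid (V)", "R": "Revoked (R)", "E": "Expired (E)"}[e.status]
    return f"Serial {serial} not present in db."

def crl_entries(entries: list[IndexEntry]) -> list[tuple[str, datetime]]:
    """(serial, revocation date) pairs that 'openssl ca -gencrl' would put into the CRL."""
    return [(e.serial, e.revoked) for e in entries if e.status == "R"]

# Constructed sample database: the page's 0F entry plus a revoked and an expired certificate.
SAMPLE_INDEX = (
    "V\t241013065642Z\t\t0F\tunknown\t/C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org\n"
    "R\t251013065642Z\t220301120000Z,keyCompromise\t10\tunknown\t/C=CN/O=magedu/CN=app2.magedu.org\n"
    "V\t220101000000Z\t\t11\tunknown\t/C=CN/O=magedu/CN=old.magedu.org\n"
)
```

cert_status(parse_index(SAMPLE_INDEX), "0F") answers like the -status command above, and crl_entries lists what the CRL would carry; point parse_index at the contents of /etc/pki/CA/index.txt to run it against a real database.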



Later on, we will issue certificates with a script.



In future you only need to change the subject and the validity period, run the script, and you're done.


One CA certificate issuing certificates to multiple users
