Configuration file:

[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
# Edit line 42: dir = /csk-rootca
# Edit lines 84 to 90: change "match" and "supplied" to "optional"
# Last-line-mode substitution: :85,88s/match/optional
# Copy line 98 to line 87 (yy to yank, p to paste)

Create the files the CA needs:

[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir private newcerts
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 > serial
[root@appsrv csk-rootca]#

Generate the CA key:

[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus
............................................................................................................................+++
......+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]#

Generate the root certificate:

[root@appsrv csk-rootca]# openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#

Generate the web server key:

[root@appsrv CA]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)
[root@appsrv CA]#

Generate the web certificate:

[root@appsrv CA]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.www.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv CA]#

Sign the web certificate with the root certificate:

[root@appsrv CA]# openssl ca -keyfile private/cakey.pem -cert csk-ca.pem -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 14 09:38:23 2022 GMT
            Not After : Apr 14 09:38:23 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            localityName              = BeiJing
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = *.chinaskills.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                41:5E:AE:2B:9F:5B:5D:8E:FF:8F:BC:93:3E:0D:50:C9:63:E5:AC:EE
            X509v3 Authority Key Identifier:
                keyid:03:AD:1B:0E:37:5D:70:71:0A:61:01:8A:E2:9B:FB:7D:48:8B:E4:8A

Certificate is to be certified until Apr 14 09:38:23 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
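The whole procedure above, as an added example that is not part of the original page: it runs non-interactively in a throwaway directory and puts the two openssl.cnf edits (dir pointing at the CA tree, policy entries set to optional) into a private config passed with -config, so the system /etc/pki/tls/openssl.cnf is not touched. It assumes openssl is on PATH; the DN values, the subjectAltName and the final chain check are additions for this demo.

```shell
#!/bin/sh
# Added example: the page's CA workflow run non-interactively with its own openssl.cnf (needs openssl).
set -eu
build_ca_and_sign() {
    work="$(mktemp -d)"; cd "$work"
    mkdir -p csk-rootca/private csk-rootca/newcerts; touch csk-rootca/index.txt; echo 01 > csk-rootca/serial
    # The page's two openssl.cnf edits as a standalone config: 'dir' = the CA tree, and a signing
    # policy of 'optional' instead of 'match', so the web cert's DN need not mirror the CA's DN.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = csk-rootca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/csk-ca.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_optional
x509_extensions = server_ext
[ policy_optional ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.chinaskills.cn
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
    dn="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments"   # constructed demo DN
    openssl genrsa -out csk-rootca/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -config ca.cnf -key csk-rootca/private/cakey.pem -days 365 \
        -subj "$dn/CN=CSK Global Root CA" -out csk-rootca/csk-ca.pem
    openssl genrsa -out httpd.key 2048 2>/dev/null
    openssl req -new -config ca.cnf -key httpd.key -subj "$dn/CN=*.chinaskills.cn" -out httpd.csr
    openssl ca -batch -notext -days 365 -config ca.cnf -in httpd.csr -out httpd.crt 2>/dev/null
    openssl verify -CAfile csk-rootca/csk-ca.pem httpd.crt >/dev/null   # leaf chains to the root
    ! openssl verify httpd.crt >/dev/null 2>&1                           # and not without it
    openssl x509 -in httpd.crt -noout -subject | sed 's/.*CN *= *//'    # prints the issued CN
}
```

Call build_ca_and_sign to run it; the signed certificate, its key and the CA tree are left in the temporary directory for inspection.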