CA server side
-
Install the CA / OpenSSL package (installed by default on Linux):
rpm -qf `which openssl`
yum -y install openssl-1.0.2k-8.el7.x86_64
-
Edit the configuration file
vim /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
default_days = 365
basicConstraints=CA:TRUE
-
Generate the CA's public certificate and private key
/etc/pki/tls/misc/CA
-newcert        new certificate
-newreq         new certificate request
-newreq-nodes   new certificate request, private key left unencrypted
-newca          new CA certificate
-sign           sign a request
-verify         verify a certificate
/etc/pki/tls/misc/CA -newca
Enter PEM pass phrase:123456
Verifying - Enter PEM pass phrase:123456
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:yxhj
Organizational Unit Name (eg, section) []:yxhj
Common Name (eg, your name or your server's hostname) []:damowang.cn
Email Address []:454263577@qq.com
A challenge password []:(press Enter)
An optional company name []:(press Enter)
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:123456
Files produced
/etc/pki/CA/cacert.pem          # CA root certificate (public)
/etc/pki/CA/private/cakey.pem   # private key matching the CA certificate
/etc/pki/CA/crl/                # directory for revoked-certificate lists
/etc/pki/CA/newcerts/           # copies of every certificate the CA has signed (issued)
/etc/pki/CA/private/            # directory holding the CA's private key
Client side
-
Generate a private key (no public key/certificate exists yet):
openssl genrsa -des3 -out ./server.key
Enter pass phrase for ./server.key:qwerty
Verifying - Enter pass phrase for ./server.key:qwerty
-
Generate a certificate signing request (CSR) from the private key (no -x509 here: that option would produce a self-signed certificate instead of a request)
openssl req -new -key ./server.key -out ./server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:qwerty
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:yxhj
Organizational Unit Name (eg, section) []:yxhj
Common Name (eg, your name or your server's hostname) []:www.cxk.com
Email Address []:454263577@qq.com
A challenge password []:(press Enter)
An optional company name []:(press Enter)
-
Send the certificate request file to the CA server
scp ./server.csr 192.168.1.63:/tmp/
-
(on the CA server) the CA signs the request:
openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in ./server.csr -out ./server.crt -days <days>
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456
Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
-
(on the CA server) the CA issues the signed certificate back to the client
scp /server.crt 192.168.1.64:/
Revoking a certificate
-
(on the client) read the serial number (and subject) of the certificate to be revoked
openssl x509 -in ./test.crt -noout -serial -subject
-
(on the CA server) compare the serial and subject submitted by the client with the entries in index.txt; if they match, revoke the certificate
openssl ca -revoke /etc/pki/CA/newcerts/01.pem
-
(on the CA server) the CA regenerates the certificate revocation list (CRL) and inspects it
openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
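The whole life cycle above (CA setup, client CSR, CA signing, revocation, CRL) run end to end without prompts, as an added example that is not part of the original notes. It assumes openssl is on PATH, writes its own CA layout and openssl.cnf into a temporary directory, and keeps the keys unencrypted where the notes use -des3 pass phrases; the final verify with -crl_check shows the revoked certificate being rejected.

```shell
# Added example, not the original notes' commands: full CA life cycle in a temp dir.
# Assumes openssl on PATH; keys unencrypted (the notes use -des3 pass phrases).
ca_demo() {
  work=$(mktemp -d) || return 1; dir="$work/CA"; cnf="$work/openssl.cnf"
  # Directory layout and bookkeeping files that openssl.cnf refers to.
  mkdir -p "$dir/newcerts" "$dir/crl" "$dir/private"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  cat > "$cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # CA side: root key plus self-signed CA certificate (what "CA -newca" does).
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null || return 1
  openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 365 -key "$dir/private/cakey.pem" \
    -subj "/CN=Demo Root CA" -out "$dir/cacert.pem" 2>/dev/null || return 1
  # Client side: server key and a request (no -x509, which would self-sign instead).
  openssl genrsa -out "$work/server.key" 2048 2>/dev/null || return 1
  openssl req -new -config "$cnf" -key "$work/server.key" -subj "/CN=www.example.com" \
    -out "$work/server.csr" 2>/dev/null || return 1
  # CA side: sign the request and check that the result chains to the CA.
  openssl ca -batch -notext -config "$cnf" -in "$work/server.csr" -out "$work/server.crt" >/dev/null 2>&1 || return 1
  before=$(openssl verify -CAfile "$dir/cacert.pem" "$work/server.crt" >/dev/null 2>&1 && echo valid || echo invalid)
  # CA side: revoke it and publish a CRL; a verifier that checks the CRL now rejects it.
  openssl ca -config "$cnf" -revoke "$work/server.crt" >/dev/null 2>&1 || return 1
  openssl ca -config "$cnf" -gencrl -out "$dir/crl/crl.pem" >/dev/null 2>&1 || return 1
  after=$(openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl/crl.pem" \
    "$work/server.crt" >/dev/null 2>&1 && echo valid || echo revoked)
  rm -rf "$work"; echo "$before $after"   # prints "valid revoked"
}
```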