I. INTRODUCTION
OpenSSL is an open-source cryptographic toolkit. In a Linux environment it can be used to build a CA that issues certificates, which makes it a practical choice for an enterprise's internal PKI. The following shows how to build a CA on Linux with OpenSSL and use it to manage certificates.
II. Construction
1. First, let's take a look at the CA directory structure.
[root@vpn ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
2. Switch to the /etc/pki/CA/ directory and use the openssl command to generate a private key for the CA itself. The umask of 077 ensures the key file is readable only by root.
[root@vpn ~]# cd /etc/pki/CA/
[root@vpn CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................
.........................................................++
e is 65537 (0x10001)
To view the public key corresponding to the private key, run the following command:
# openssl rsa -in private/cakey.pem -pubout -text -noout
3. The CA needs a self-signed certificate, so we use the openssl command to generate one from the CA's private key.
[root@vpn CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
Fill in the fields the command prompts for (country, organization, common name and so on) according to your actual situation.
4. Create the database files the CA needs and set the starting serial number. Run these commands in the CA directory.
# touch index.txt serial crlnumber
# echo 01 > serial
Now, our self-built CA has been set up. Next, we will issue certificates for other applications.
III. Signing a certificate request
1. When we apply for a certificate as a client, we first create our own private key.
# (umask 077; openssl genrsa -out client.key 1024)
2. To apply for a certificate, the client must create a certificate signing request from its key and pass it to the CA.
# openssl req -new -key client.key -out client.csr
CSR: Certificate Signing Request (the certificate issuance application)
At the end of the prompts you may enter a password to protect the certificate request; I leave it blank here.
3. On the CA side, issue a certificate for the client with the openssl ca command.
# openssl ca -in client.csr -out client.crt -days 365
The command displays the certificate details and asks you to confirm signing and committing; once confirmed, the certificate is issued.
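The whole procedure from sections II and III, as an added example that is not from the original article: it rebuilds the CA layout in a scratch directory (so it never touches /etc/pki/CA), supplies its own minimal openssl.cnf instead of relying on the system-wide one, uses 2048-bit keys throughout, and ends with the `openssl verify` check the article omits. The CA name "Demo Root CA" and the function names are assumptions for this example.

```shell
set -eu
# Minimal openssl.cnf so `openssl ca` does not depend on the system config
# (the article relies on the defaults in /etc/pki/tls/openssl.cnf).
write_ca_config() {           # $1 = CA directory
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
dir           = $1
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}
# Steps II.1-4: directory tree, CA key, self-signed CA cert, database files.
build_ca() {                  # $1 = CA directory
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  write_ca_config "$1"
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$1/private/cakey.pem" -out "$1/cacert.pem" \
    -days 3655 -config "$1/openssl.cnf" -subj "/CN=Demo Root CA"
  touch "$1/index.txt" "$1/crlnumber"; echo 01 > "$1/serial"
}
# Steps III.1-3: client key, CSR, signing by the CA (-batch skips the prompts).
issue_client_cert() {         # $1 = CA directory, $2 = client name
  (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
    -config "$1/openssl.cnf" -subj "/CN=$2"
  openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" \
    -out "$1/$2.crt" -days 365 2>/dev/null
}
# The check the article leaves out: does the issued cert chain to our CA?
verify_client_cert() {        # $1 = CA directory, $2 = client name
  openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}
```

After `issue_client_cert`, the CA's copy of the certificate is in newcerts/01.pem and index.txt gains a line starting with `V` (valid), which is what later revocation and CRL generation work from.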