To create a private CA:
OpenSSL configuration file: /etc/pki/tls/openssl.cnf (the CA directory it points to is /etc/pki/CA)
(1) Create the required files
# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial
(index.txt is the CA's database of issued certificates; serial must contain the first serial number to use, so it cannot be left empty.)
(2) CA self-signed certificate
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request;
-x509: output a self-signed certificate instead of a request (used only for the CA's own certificate);
-key: the private key file used to generate the request;
-days N: validity period of the certificate in days;
-out /path/to/somecertfile: the path to save the certificate to;
(3) Issuing certificates
(a) On the host that will use the certificate, generate a private key and a certificate signing request (the validity period is set later by the CA when it signs);
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
(b) Transfer the request file to the CA;
(c) The CA signs the certificate and sends the certificate back to the requestor;
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
To view the information in a certificate (print everything, or only the subject or the serial):
# openssl x509 -in /path/to/cert_file -noout -text
# openssl x509 -in /path/to/cert_file -noout -subject
# openssl x509 -in /path/to/cert_file -noout -serial
(4) Revocation of certificates
(a) The client obtains the serial number and subject of the certificate to be revoked:
# openssl x509 -in /path/to/cert_file -noout -serial -subject
(b) CA
Using the serial and subject submitted by the client, the CA checks that they match the entry recorded for that certificate in index.txt;
To revoke a certificate:
# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
(SERIAL is the certificate's serial number; newcerts/ holds the CA's own copy of every certificate it has issued, named after the serial.)
(c) Create the CRL number file (only needed the first time a certificate is revoked; it must contain a starting number)
# echo 01 > /etc/pki/CA/crlnumber
(d) Updating the certificate revocation List
# openssl ca -gencrl -out thisca.crl
To view the CRL file:
# openssl crl -in /path/to/crl_file.crl -noout -text
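The whole procedure above run end to end, as an added example that is not from the original post: it works in a scratch directory with its own minimal openssl.cnf, so nothing under /etc/pki/CA is touched, and the names "Demo Private CA" and "httpd.example.test" are made up. It also adds the check the article does not show: validating the issued certificate against the CA with CRL checking, which must fail once the certificate has been revoked.

```shell
set -e
ca_demo() {
    CADIR=$(mktemp -d)
    mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts"
    # (1) CA database, serial and CRL number; the number files must hold a value
    touch "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    # Minimal config: [ca] for signing/revoking, [req] so -subj works without prompts
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    OPENSSL_CONF="$CADIR/openssl.cnf"; export OPENSSL_CONF
    # (2) CA private key (mode 0600 via umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048)
    openssl req -new -x509 -key "$CADIR/private/cakey.pem" -days 7300 \
        -subj "/CN=Demo Private CA" -extensions v3_ca -out "$CADIR/cacert.pem"
    # (3) server key + CSR, then the CA signs it (-batch skips the y/n prompts)
    (umask 077; openssl genrsa -out "$CADIR/httpd.key" 2048)
    openssl req -new -key "$CADIR/httpd.key" -subj "/CN=httpd.example.test" -out "$CADIR/httpd.csr"
    openssl ca -batch -in "$CADIR/httpd.csr" -out "$CADIR/certs/httpd.crt" -days 365
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/httpd.crt"   # valid so far
    # (4) revoke via the CA's copy newcerts/<serial>.pem (first serial is 01), refresh CRL
    openssl ca -revoke "$CADIR/newcerts/01.pem"
    openssl ca -gencrl -out "$CADIR/thisca.crl"
    openssl verify -CAfile "$CADIR/cacert.pem" -crl_check -CRLfile "$CADIR/thisca.crl" \
        "$CADIR/certs/httpd.crt" && return 1   # must now fail: certificate is revoked
    grep -q '^R' "$CADIR/index.txt"   # index.txt marks the entry as R(evoked)
}
```

Run it with `ca_demo`; a zero exit status means the certificate verified before revocation and was rejected by CRL checking after it.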
This article is from the "86962983" blog; please keep this source: http://wangzenghui.blog.51cto.com/9702487/1695441