Create a private CA

Source: Internet
Author: User
Tags: openssl x509

To create a private CA:

OpenSSL configuration file: /etc/pki/tls/openssl.cnf (its default CA directory is /etc/pki/CA)


(1) Create the required files (the database and the serial counter, in the CA directory)

# touch /etc/pki/CA/index.txt

# echo 01 > /etc/pki/CA/serial

(2) CA self-signed certificate

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request;

-x509: output a self-signed certificate instead of a request (used only for the CA's own certificate);

-key: the private key file used to generate the request;

-days N: validity period of the certificate, in days;

-out /path/to/somecertfile: the path where the certificate is saved;


(3) Issuing certificates

(a) Generate a certificate request from the host using the certificate;

# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

(b) Transfer the request file to the CA;

(c) The CA signs the certificate and sends the certificate back to the requestor;

# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365


To view the information in the certificate:

openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial


(4) Revocation of certificates

(a) The client obtains the serial of the certificate to be revoked

# openssl x509 -in /path/from/cert_file -noout -serial -subject


(b) CA

Using the serial and subject submitted by the client, the CA checks that they match the corresponding entry in the index.txt database before revoking anything;


To revoke a certificate:

# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem (SERIAL is the serial number obtained in step (a); the CA keeps a copy of every issued certificate under newcerts/ named by its serial)


(c) Generate the CRL number file (only needed the first time a certificate is revoked)

# echo 01 > /etc/pki/CA/crlnumber


(d) Update the certificate revocation list (CRL)

# openssl ca -gencrl -out thisca.crl


To view the CRL file:

# openssl crl -in /path/from/crl_file.crl -noout -text
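The whole procedure above (steps (1) to (4)) as a self-contained lab script, added here as an example and not part of the original post: it builds a throwaway CA in a temporary directory with its own minimal openssl.cnf (an assumed layout that mirrors the /etc/pki/CA defaults), issues a certificate, revokes it, publishes the CRL, and adds the two checks a practitioner wants: the certificate's status in index.txt and an `openssl verify -crl_check` against the published CRL. It assumes an openssl binary on PATH.

```shell
# Added example, not the blog post's own script: a throwaway CA in a temp dir with
# its own minimal openssl.cnf (assumed layout mirroring the /etc/pki/CA defaults).
set -eu
CADIR="$(mktemp -d)"
CNF="$CADIR/openssl.cnf"

setup_ca() {  # steps (1) and (2): database files, CA private key, self-signed CA cert
    mkdir -p "$CADIR/certs" "$CADIR/newcerts" "$CADIR/private"
    touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = $CADIR/index.txt
new_certs_dir = $CADIR/newcerts
certificate = $CADIR/cacert.pem
private_key = $CADIR/private/cakey.pem
serial = $CADIR/serial
crlnumber = $CADIR/crlnumber
default_md = sha256
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$CADIR/private/cakey.pem" -days 7300 -config "$CNF" -subj "/CN=Lab Root CA" -out "$CADIR/cacert.pem" >/dev/null 2>&1
}
issue_cert() {  # step (3): $1 = CN of the requesting host; prints the signed cert path
    openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$CADIR/$1.key" -config "$CNF" -subj "/CN=$1" -out "$CADIR/$1.csr" >/dev/null 2>&1
    openssl ca -batch -config "$CNF" -in "$CADIR/$1.csr" -out "$CADIR/certs/$1.crt" -days 365 >/dev/null 2>&1
    echo "$CADIR/certs/$1.crt"
}
revoke_and_gencrl() {  # step (4): $1 = path of the certificate to revoke; then publish the CRL
    openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -crldays 30 -out "$CADIR/thisca.crl" >/dev/null 2>&1
}
cert_status() {  # prints V (valid) or R (revoked): the cert's serial matched against index.txt
    awk -F'\t' -v s="$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)" '$4 == s { print $1 }' "$CADIR/index.txt"
}
verify_with_crl() {  # exit 0 only if $1 chains to the CA and is not listed in the CRL
    openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/thisca.crl" "$1" >/dev/null 2>&1
}
```

Run the functions in order (setup_ca, issue_cert, revoke_and_gencrl) and the status flips from V to R in index.txt while verify_with_crl starts failing with "certificate revoked".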


This article is from the "86962983" blog, please be sure to keep this source http://wangzenghui.blog.51cto.com/9702487/1695441
