To establish a private CA:
Generate a self-signed certificate on the server that is configured as the CA, and provide the directories and files the CA requires;
Steps:
(1) Generate the private key;
]# (umask 077; openssl genrsa -out /etc/pki/ca/private/cakey.pem 4096)
Note: the file name must match the private key file name set in the OpenSSL configuration file;
]# ll /etc/pki/ca/private/: check the file permissions to ensure that the key is mode 600;
(2) Generate self-signed certificate;
]# openssl req -new -x509 -key /etc/pki/ca/private/cakey.pem -out /etc/pki/ca/cacert.pem -days 3655
-new: generate a new certificate signing request;
-x509: output a self-signed certificate instead of a request; this is what creates a private CA;
-key: path of the private key used to generate the request;
-out: output file path; for a request this is the .csr file, and with -x509 it is the signed certificate itself;
-days: validity period of the certificate, in days;
Enter the requested information at each prompt;
Prompt input: Country Name (2 letter code) [XX]:CN
Prompt input: State or province name (full name) []:beijing
Prompt input: Locality Name (eg, city) [Default city]:beijing
Prompt input: Organization Name (eg, company) [Default company ltd]:mageedu
Prompt input: Organizational Unit Name (eg, section) []:ops
Prompt input: Common Name (eg, your name or your server's hostname) []:ca.magedu.com
For a personal certificate this is the person's name; for a server certificate it is the server's hostname;
Prompt input: Email Address []:[email protected]
]# ls /etc/pki/ca/
Check whether the three directories certs, crl and newcerts already exist; if they do not, create them yourself in the next step;
(3) Provide the required directories and documents for the CA;
]# mkdir -pv /etc/pki/ca/{certs,crl,newcerts}
]# touch /etc/pki/ca/{serial,index.txt}
]# echo 01 > /etc/pki/ca/serial
Note: serial must contain the (hexadecimal) serial number of the next certificate to be issued; openssl ca fails if the file is empty;
To operate on a server that uses certificates:
1. Create a directory to hold the host's private key;
2. Generate the private key;
3. Generate a Certificate signing request
4. Send the .csr request file to the CA host by a reliable means;
Steps (taking httpd as an example):
(1) Generate the private key for the host that will use the certificate;
]# mkdir /etc/httpd/ssl
]# cd /etc/httpd/ssl
]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
(2) Generate the certificate signing request;
]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Note: -days has no effect on a request; the validity period is set by the CA when it signs;
Enter the requested information at each prompt;
Prompt input: Country Name (2 letter code) [XX]:CN
Prompt input: State or province name (full name) []:beijing
Prompt input: Locality Name (eg, city) [Default city]:beijing
Prompt input: Organization Name (eg, company) [Default company ltd]:mageedu
Prompt input: Organizational Unit Name (eg, section) []:ops
Prompt input: Common Name (eg, your name or your server's hostname) []:www.magedu.com
This must be the hostname that clients will use to access the server;
Prompt input: Email Address []:[email protected]
Prompt input: A challenge password []: can be left empty
Prompt input: An optional company name []: can be left empty
(3) Send the request to the CA host by a reliable means;
]# ls: the httpd.csr file has been generated; send it to the CA host by a reliable means;
In real deployments, the CA's staff come on site to collect the request file;
In the lab environment, the scp command can be used to copy the file between the two hosts.
]# scp httpd.csr root@172.18.250.131:/tmp/
This copies the local httpd.csr file to the /tmp/ directory of the remote host 172.18.250.131, logging in as that host's root user.
Enter yes to confirm the connection, then enter the remote host's root password to complete the copy;
The httpd.csr file is now on the CA host;
(4) Sign the certificate on the CA host;
]# openssl ca -in /tmp/httpd.csr -out /etc/pki/ca/certs/httpd.crt -days 365
Prompt: Sign the certificate? [y/n]:y
Prompt: 1 out of 1 certificate requests certified, commit? [y/n]y
Send the signed certificate httpd.crt to the server host:
In the lab environment, httpd.crt can likewise be copied directly between the two hosts with scp;
]# scp certs/httpd.crt root@<server-host>:/etc/httpd/ssl/
(replace <server-host> with the address of the host running httpd)
Enter yes to confirm the connection, then enter the remote host's root password to complete the copy;
At this point the httpd.csr on the server host is no longer needed and can be deleted;
The httpd.csr on the CA host is also no longer needed and can be deleted;
This completes the creation of the private CA and the issuing of a certificate;
The certificate can be inspected on the server host or on the client host (anywhere a copy of the certificate exists):
]# openssl x509 -in /etc/pki/ca/certs/httpd.crt -noout -serial -subject
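The whole procedure above, CA setup, server CSR, signing and a final chain check, as an added example that is not part of the original tutorial: it runs in a scratch directory with its own minimal openssl.cnf so nothing under /etc/pki is touched, and uses -subj and -batch in place of the interactive prompts. The subject names mirror the tutorial's values; the directory layout and the config contents are assumptions.

```shell
# Added example (not from the page): the page's private-CA procedure in a
# scratch directory with its own openssl.cnf; paths and config are assumptions.
set -eu

build_private_ca() {
  root="$1"; ca="$root/ca"; srv="$root/httpd-ssl"; cnf="$root/openssl.cnf"
  # (3) directories and files the CA needs; serial must hold a hex number
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" "$srv"
  echo 01 > "$ca/serial"; : > "$ca/index.txt"
  cat > "$cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
  # (1) CA private key; the umask 077 subshell leaves it mode 600
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  # (2) self-signed CA certificate (-x509), 3655 days as on the page
  openssl req -new -x509 -config "$cnf" -key "$ca/private/cakey.pem" \
    -out "$ca/cacert.pem" -days 3655 -subj "/C=CN/O=mageedu/OU=ops/CN=ca.magedu.com"
  # server side: key and CSR; the CN is the name clients will connect to
  (umask 077; openssl genrsa -out "$srv/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$cnf" -key "$srv/httpd.key" -out "$srv/httpd.csr" \
    -subj "/C=CN/O=mageedu/OU=ops/CN=www.magedu.com"
  # (4) CA signs the request; -batch answers the two y/n prompts
  openssl ca -batch -config "$cnf" -in "$srv/httpd.csr" \
    -out "$ca/certs/httpd.crt" -days 365 2>/dev/null
  # confirm the issued certificate chains to the CA, as a client would
  openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/httpd.crt"
}
```

After a successful run, ca/serial reads 02 and ca/index.txt holds one entry for www.magedu.com, which is how the CA keeps track of what it has issued.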