Create a private CA and apply for a certificate using openssl in linux

Source: Internet
Author: User
Tags: modulus, openssl


Lab environment:

Virtual machine: VMware® Workstation 12 Pro
Host A: IP address 10.1.20.55/16. Creates the CA and provides the CA service to other hosts.
Host B: httpd server, IP address 10.1.249.115/16
1. View the openssl configuration file /etc/pki/tls/openssl.cnf

[root@localhost ~]# cat /etc/pki/tls/openssl.cnf    (only the ca part of the configuration file is shown)

......

[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

......
2. Create the files the configuration file expects

[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial
[root@localhost ~]# ls /etc/pki/CA/
certs  crl  index.txt  newcerts  private  serial
Note: the file names must match the ones given in the configuration file (database = $dir/index.txt and serial = $dir/serial), because openssl ca reads and updates both of them every time it signs a request.

3. Create the CA on host A and self-sign its certificate

(1) Generate a private key

[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................++
..................++
e is 65537 (0x10001)
The parentheses run the commands in a subshell, so the umask change does not affect the parent shell; umask 077 makes the new key file readable and writable only by its owner (mode 0600), which keeps other users from reading or modifying the generated private key. An encryption option such as -des3 can be given before the key length (openssl genrsa -des3 -out ... 2048) to protect the key with a passphrase; in this example the key is stored unencrypted.

(2) Generate the self-signed CA certificate

[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:linuxca.org
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:linuxCA
Email Address []:admin@linuxca.org

-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request (this is how the CA's own certificate is made)
-key: the private key file used to sign the request
-days: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: where to write the certificate; for the CA this must be /etc/pki/CA/cacert.pem, the path named by certificate = $dir/cacert.pem in openssl.cnf

[root@localhost ~]# ls /etc/pki/CA/
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost ~]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJAJrY1Gr0+l+fMA0GCSqGSIb3DQEBCwUAMIGJMQswCQYD
VQQGEwJjbjEQMA4GA1UECAwHYmVpamluZzEQMA4GA1UEBwwHaGFpZGlhbjEUMBIG
A1UECgwLbGludXhjYS5vcmcxDDAKBgNVBAsMA29wczEQMA4GA1UEAwwHbGludXhD
QTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AbGludXhjYS5vcmcwHhcNMTYwOTIzMDEw
NTE5WhcNMzYwOTE4MDEwNTE5WjCBiTELMAkGA1UEBhMCY24xEDAOBgNVBAgMB2Jl
......
-----END CERTIFICATE-----
4. Generate a certificate request on the host that needs the certificate (host B)

(1) Generate a private key for the httpd server

[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...++
................++
e is 65537 (0x10001)

(2) Generate the certificate signing request

[root@localhost ~]# oepnssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
-bash: oepnssl: command not found
[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:linuxca.org
Organizational Unit Name (eg, section) []:cwb
Common Name (eg, your name or your server's hostname) []:lovelinux
Email Address []:lovelinux@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:            (left empty: no challenge password is set on the request here)
An optional company name []:
Note: the Country Name, State or Province Name and Organization Name must be identical to the CA's. The CA's policy_match section marks countryName, stateOrProvinceName and organizationName as "match", so openssl ca rejects a request whose values differ from the subject of the CA certificate.

(3) Transfer the certificate request file to the CA

[root@localhost ~]# ls /etc/httpd/ssl/
httpd.csr  httpd.key
[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr 10.1.252.55:/testdir/
root@10.1.252.55's password:
httpd.csr                                    100% 1054     1.0KB/s
5. Sign the certificate on host A and issue it to the requester

(1) Sign the certificate

[root@localhost testdir]# openssl ca -in /testdir/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 23 01:31:29 2016 GMT
            Not After : Sep 23 01:31:29 2017 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = beijing
            organizationName          = linuxca.org
            organizationalUnitName    = cwb
            commonName                = lovelinux
            emailAddress              = lovelinux@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:73:48:EE:41:62:D5:61:30:16:09:8D:9B:04:BD:5B:B3:5F:FD:1D
            X509v3 Authority Key Identifier:
                keyid:1F:16:80:FF:36:CA:A4:33:A2:77:DF:ED:AF:DD:D6:CB:AE:88:5B

Certificate is to be certified until Sep 23 01:31:29 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(2) Issue the certificate

[root@localhost testdir]# ls /etc/pki/CA/certs/
httpd.crt
[root@localhost testdir]# scp /etc/pki/CA/certs/httpd.crt 10.1.249.115:/etc/httpd/ssl
root@10.1.249.115's password:
httpd.crt                                    100% 4613     4.5KB/s
At this point the CA has been created and the certificate has been applied for and issued, which completes the lab.
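The five steps above, rebuilt as one script that can be rerun end to end. This is an added example, not code from the original page: it creates the CA in a scratch directory ($LAB, an assumption) with a minimal openssl.cnf carrying the same [ ca ], policy_match and usr_cert settings the page shows, passes the lab's subject names with -subj instead of typing them at the prompts, signs the httpd request with openssl ca -batch, and then runs the checks an operator should do before deploying the result: the issued certificate verifies against cacert.pem, the httpd key and certificate share one RSA modulus, and a request whose State or Province differs from the CA's is refused by policy_match. The v3_ca section is also an assumption of this example; it gives the self-signed root the CA:TRUE basic constraint that openssl verify expects (the system openssl.cnf does the same through its [ req ] section).

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA lab in a scratch directory,
# followed by verification checks. $LAB, the config path and the subject strings
# are assumptions of this example; CA and httpd subjects reuse the lab's values.
set -eu

LAB="${LAB:-$(mktemp -d)}"; CA="$LAB/CA"
SUBJ_CA="/C=cn/ST=beijing/L=haidian/O=linuxca.org/OU=ops/CN=linuxCA/emailAddress=admin@linuxca.org"
SUBJ_HTTPD="/C=cn/ST=beijing/L=chaoyang/O=linuxca.org/OU=cwb/CN=lovelinux/emailAddress=lovelinux@163.com"

# Steps 1 and 2: directory layout, index.txt and serial, plus a config naming them.
setup_ca_dirs() {
    rm -rf "$CA"
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    chmod 700 "$CA/private"
    : > "$CA/index.txt"          # database index file (empty at first)
    echo 01 > "$CA/serial"       # serial number of the next certificate
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CA
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}
# Step 3: CA key (umask 077 -> mode 0600) and a self-signed CA certificate.
make_ca() {
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/openssl.cnf" -extensions v3_ca \
        -key "$CA/private/cakey.pem" -days 7300 -subj "$SUBJ_CA" -out "$CA/cacert.pem"
}
# Step 4: the requester's key and CSR ($1 = key file, $2 = csr file, $3 = subject).
make_csr() {
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -new -config "$CA/openssl.cnf" -key "$1" -subj "$3" -out "$2"
}
# Step 5: sign with the CA; -batch answers the two y/n prompts ($1 = csr, $2 = cert).
sign_csr() {
    openssl ca -batch -notext -config "$CA/openssl.cnf" -in "$1" -out "$2" -days 365
}
build_lab() {
    setup_ca_dirs && make_ca
    make_csr "$LAB/httpd.key" "$LAB/httpd.csr" "$SUBJ_HTTPD"
    sign_csr "$LAB/httpd.csr" "$LAB/httpd.crt"
}
# Check 1: the issued certificate chains to cacert.pem.
issued_cert_verifies() {
    openssl verify -CAfile "$CA/cacert.pem" "$LAB/httpd.crt" >/dev/null 2>&1
}
# Check 2: key and certificate belong together only if their RSA moduli are equal.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$LAB/httpd.key" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$LAB/httpd.crt" | openssl md5)
    [ "$k" = "$c" ]
}
# Check 3: policy_match refuses a CSR whose ST= differs from the CA certificate.
mismatched_csr_is_rejected() {
    make_csr "$LAB/bad.key" "$LAB/bad.csr" "/C=cn/ST=shanghai/O=linuxca.org/CN=lovelinux"
    if sign_csr "$LAB/bad.csr" "$LAB/bad.crt" >/dev/null 2>&1; then return 1; fi
}
# Number of valid ("V") entries in the CA database.
issued_count() { grep -c '^V' "$CA/index.txt"; }

main() {
    build_lab
    issued_cert_verifies       && echo "httpd.crt verifies against cacert.pem"
    key_matches_cert           && echo "httpd.key and httpd.crt share one modulus"
    mismatched_csr_is_rejected && echo "CSR with ST=shanghai refused by policy_match"
    echo "issued: $(issued_count), next serial: $(cat "$CA/serial")"
}
main
```

Run it as `LAB=/tmp/calab sh ca-lab.sh` to keep the output directory; after a successful run index.txt holds one V entry and serial reads 02, which is what the page's "Write out database with 1 new entries" step produces. The modulus comparison is the quickest way to confirm that the certificate scp'd back to host B belongs to the key that host generated; the policy check shows why the page insists that Country, State and Organization must equal the CA's.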
