OpenSSL configuration file:/etc/pki/tls/openssl.cnf
Three strategies: matching, support, and optional. Match: The information required to fill in the request must be consistent with the CA setup information; Support: means the application information must be filled in; optional: means dispensable.
Experimental environment: Requires two hosts, I here with Host a (centos6:ip for 172.17.250.83) to create a CA and to other hosts to provide CA services; host B (centos7:ip is 172.17.253.204) is a httpd server used to request certificates.
1. First look at the contents of the configuration file, where the following content must be written when the CA is created:
dir = /etc/pki/ca # Where everything is keptcerts = $dir/certs # where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file. #unique_subject = no # Set to ' No ' to allow creation of # several ctificates with same subject.new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/cacert.pem # the ca certificateserial = $dir/serial # The current serial numbercrlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 crlcrl = $dir/crl.pem # The current CRLprivate_key = $dir/private/cakey.pem # the private key
2. Create the necessary files according to the needs of the configuration files.
[[Email protected] ~] #touch/etc/pki/ca/index.txt #生成证书索引数据库的文件 [[email protected] ~] #echo >/etc/pki/ca/serial #指定 The first serial number that issued the certificate [[email protected] ~] #tree/etc/pki/ca//etc/pki/ca/├──certs├──crl├──index.txt├──newcerts├──private└── Serial4 directories, 2 files
Note: The two files created, including the one created in the next experiment, must be the same as the file name in the configuration file.
3. Create the CA service on Host a (CENTOS6) and self-sign the certificate
(1) Generate private key
[[Email protected] ~]# (umask 066;openssl genrsa-out private/cakey.pem-des3 4096) #-des3 is encrypting files
650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M02/07/43/wKiom1nGH-XC0x6BAAAzS8BSZYI316.png "title=" Picture 1.png "alt=" Wkiom1ngh-xc0x6baaazs8bszyi316.png "/>
Note: The parentheses are used to indicate that the command inside the child shell is in parentheses and does not affect the parent Shell's settings The umask is set to 066 to prevent others from having permission to view and modify the generated private key , and to encrypt the private key before 4096, such as Des3, RSA, and so on, this example uses DES3 encryption .
You can look at some of the text after the encryption:
650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M00/07/43/wKiom1nGIBHx0fTJAAEZlBERHfM508.png "title=" Picture 2.png "alt=" Wkiom1ngibhx0ftjaaezlberhfm508.png "/>
(2) Generate self-signed certificate
[[Email protected] ~] #openssl req-new-x509-key private/cakey.pem-days 3650-out Cacert.pem
Where:-new: Generate a new certificate signing request
-x509: Dedicated to CA generate self-signed certificate
-key: The private key file used to generate the request
-days N: Validity period of the certificate
-out/path/to/somecertfile: Save path to Certificate
650) this.width=650; "src=" Https://s3.51cto.com/wyfs02/M00/A5/F4/wKioL1nGIALTsdqTAACDKwYoFtU103.png "title=" Picture 3.png "alt=" Wkiol1ngialtsdqtaacdkwyoftu103.png "/>
650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M02/07/43/wKiom1nGIEvR4PSkAAAi_-zrTf0764.png "title=" Picture 4.png "alt=" Wkiom1ngievr4pskaaai_-zrtf0764.png "/>
Look at some of the encrypted text for the certificate:
650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M02/07/43/ Wkiom1ngif-sondoaae2rjrgio0964.png "title=" image 5.png "alt=" Wkiom1ngif-sondoaae2rjrgio0964.png "/>
(3) Transfer the Cacert.pem file to Windows, because the . Pem suffix text is not recognized on Windows , so here we'll change the text to . cer For the suffix text, the modified file icon is 650) this.width=650; "Src=" https://s4.51cto.com/wyfs02/M02/A5/F4/ Wkiol1ngifkcpbdyaaabh0vmjss001.png "title=" Picture 6.png "alt=" Wkiol1ngifkcpbdyaaabh0vmjss001.png "/>.
Open the certificate on Windows and look at it.
650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M00/A5/F4/wKioL1nGISmiGB6qAADBioFeU3M056.png "title=" Picture 7.png "alt=" Wkiol1ngismigb6qaadbiofeu3m056.png "/>
4 . In the host that needs to use the certificate B (CENTOS7) To generate a certificate request on
(1) to httpd service Generation private key
[Email protected] ~]# (umask 066;openssl genrsa-out/etc/pki/tls/private/test.key-des3 4096) generating RSA private key, 4096 bit long modulus..........................................................++ ......................................................................................................................... ..... ..... ..... ..... ..... ............... ......... ..... ..... ..... ..... ..... ............. .......... ++e is 65537 ( 0x10001) Enter pass phrase for/etc/pki/tls/private/test.key:verifying-enter pass phrase for/etc/pki/tls/private/ Test.key:
(2) Generate certificate request file
[[Email protected] ~] #openssl req-new-key/etc/pki/tls/private/test.key-days 3650-OUT/ETC/PKI/TLS/TEST.PEM
650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M02/07/43/wKiom1nGIYeBSlejAAeHCoykxRA155.png "title=" Picture 8.png "alt=" Wkiom1ngiyebslejaaehcoykxra155.png "/>
(3) transfer the certificate request file to the CA
[[email protected] ~] #scp /etc/pki/tls/test.pem @ 172.17.250.83:/etc/pki/tls/the authenticity of host ' 172.17.250.83 (172.17.250.83) ' can ' t be established. Rsa key fingerprint is 09:52:06:53:a1:13:99:f3:b9:5c:5f:0a:c4:b6:1c:ed. are you sure you want to continue connecting (yes/no)? yesWarning : permanently added ' 172.17.250.83 ' (RSA) to the list of known hosts. [email protected] ' s password: test.pem 100% 1736 1.7kb/s 00:00
5. in the main Machine A ( Centos6) sign the certificate and issue it to the certificate requester (host B)
(1) Signing certificate
[[email protected] ~] #openssl ca -in /etc/pki/tls/test.pem -out /etc/pki/ca /certs/test.crt -days 3650using configuration from /etc/pki/tls/openssl.cnfenter pass phrase for /etc/pki/CA/private/cakey.pem:Check that the request matches the signaturesignature okcertificate details: Serial Number: 1 (0x1) validity not before: sep 12 23:04:23 2017 gmt not After : Sep 10 23:04:23 2027 GMT Subject: countryName = cn stateOrProvinceName = HeNan organizationName = Linuxca.org organizationalUnitName = dev commonName = linuxca emailaddress = [ email protected] x509v3 extensions: x509v3 basic constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 97:b6:0a:0a:70 :c6:fb:29:bb:b9:4a:26:98:3e:73:8b:20:f4:37:5e X509v3 Authority Key Identifier: keyid:73:e2:de:70:0b:9e:6b:fa:dd:5f:16:d5:0b:38:d2:a5:a0 : 2E:B4:D6 CERTIFICATE IS&Nbsp;to be certified until sep 10 23:04:23 2027 gmt (3650 Days) sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesdata base updated
(2) send the certificate to the host B ( centos7
[[email protected] ca] #scp certs/test.crt @ 172.17.253.204:/etc/pki/ca/the authenticity of host ' 172.17.253.204 (172.17.253.204) ' can ' t be established. rsa key fingerprint is 91:d3:76:ba:60:12:0d:13:9b:93:6a:39:71:18:fe:65.are you sure you want to continue connecting (yes/no)? yeswarning: permanently added ' 172.17.253.204 ' (RSA) to the list of known hosts. [email protected] ' s password: test.crt 100% 7311 7.1kb/s 00:00
650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M02/07/43/wKiom1nGIaLyhQStAAAd_Mk8lMo880.png "title=" Picture 9.png "alt=" Wkiom1ngialyhqstaaad_mk8lmo880.png "/>
(3) on host B(Centos7) to view the information in the certificate,
OpenSSL x509-in/path/from/cert_file
-text|issuer|subject|serial|dates
Opensslca-status Serial View the certificate status for a specified number
[[email protected] CA] #openssl x509-in test.crt-text
At this point, the CA's creation and application, issuance is complete.
How Linux creates private CAs and requests certificates