Using OpenSSL on RHEL 6.3 to generate a CA certificate and issue certificates: a worked example

Source: Internet
Author: User

1. Configure OpenSSL
[root@test1 /]# rpm -qa | grep openssl
openssl-1.0.0-20.el6_2.5.i686
[root@test1 /]# cd /etc/pki/tls
[root@test1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@test1 tls]# vim openssl.cnf
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept (CA center directory)
certs           = $dir/certs            # Where the issued certs are kept (certificate storage directory)
crl_dir         = $dir/crl              # Where the issued crl are kept (directory of revoked certificates)
database        = $dir/index.txt        # database index file. (certificate index file)
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs. (backup directory for certificates signed by the CA)

certificate     = $dir/my-ca.crt        # The CA certificate (CA's public key file name)
serial          = $dir/serial           # The current serial number (serial number of the certificates issued by the CA)
crlnumber       = $dir/crlnumber        # the current crl number (serial number of the revoked certificates)
                                        # must be commented out to leave a V1 CRL
crl             = $dir/my-ca.crl        # The current CRL (Certificate Revocation List)
private_key     = $dir/private/my-ca.key # The private key (CA private key file)
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

default_days    = 365                   # how long to certify for (certificate validity period)
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

[ policy_match ]
# This section holds the certificate policy options. 'match' marks a field whose value in
# a certificate to be signed must be identical to the corresponding field of the CA.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN      # (change the country code to your own)
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Hebei   # (change the state or province name to your own)

localityName                    = Locality Name (eg, city)
localityName_default            = Beijing # (change the locality name to your own)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Tianli Company # (change the organization or company name to your own)
 

[root@test1 tls]# cd ../CA/
[root@test1 CA]# ls
certs  crl  newcerts  private
Note: You need to create these directories if they do not exist.
[root@test1 CA]# touch index.txt
[root@test1 CA]# echo "00" > serial
[root@test1 CA]# ls
certs  crl  index.txt  newcerts  private  serial
 
2. Key creation process
Create the CA private key (the umask 077 subshell makes the key file readable only by root; -des3 encrypts it with a passphrase)
[root@test1 CA]# (umask 077; openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
............................................................++
...++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:
Verifying - Enter pass phrase for private/my-ca.key:

Generate the self-signed CA certificate (which carries the CA's public key) from the private key
[root@test1 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1
Email Address []:
[root@test1 CA]# ls
certs  crl  index.txt  my-ca.crt  newcerts  private  serial
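The whole procedure above, plus the step the title promises but the page never reaches (issuing a certificate with `openssl ca`), as an added example that is not code from the original page. It runs non-interactively: it builds the same layout as /etc/pki/CA (certs, crl, newcerts, private, index.txt, serial), creates the DES3-protected CA key under umask 077, self-signs the CA certificate with the DN typed at the prompts above, signs one server request, and then shows the [policy_match] rule from the configuration section rejecting a request whose countryName differs from the CA's. Everything in it is constructed for the example: the throwaway directory from mktemp, the subject names, the passphrase variable CA_PASS (read by openssl through env: so it never sits on a command line), and a minimal openssl.cnf that mirrors the page's [CA_default] and [policy_match] sections but sets default_md to sha256 instead of the RHEL 6 file's `default`.

```shell
#!/bin/sh
# Added example, not code from the original page: non-interactive version of the CA
# setup above, followed by one `openssl ca` signing and one policy_match rejection.
# Assumptions (all constructed here): a working `openssl` binary, a mktemp CA directory,
# the subject names below, and the passphrase variable CA_PASS read via env:.
set -e

CA_PASS="${CA_PASS:-example-passphrase-change-me}"   # constructed passphrase, never on argv
export CA_PASS

# make_ca DIR : create the CA layout, index/serial files, a minimal openssl.cnf that
# mirrors the page's [CA_default] and [policy_match] sections, the key and the CA cert.
make_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"          # empty certificate database, as `touch index.txt`
    echo "00" > "$dir/serial"      # first serial number, as `echo "00" > serial`
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/my-ca.crt
serial          = \$dir/serial
private_key     = \$dir/private/my-ca.key
x509_extensions = usr_cert
default_days    = 365
default_md      = sha256
policy          = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # umask 077 in a subshell so the key file is created mode 0600, as on the page
    (umask 077; openssl genrsa -des3 -passout env:CA_PASS -out "$dir/private/my-ca.key" 2048 2>/dev/null)
    # self-signed CA certificate; -subj supplies the DN the page types at the prompts
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/my-ca.key" \
        -passin env:CA_PASS -days 365 -out "$dir/my-ca.crt" \
        -subj "/C=CN/ST=Hebei/L=Beijing/O=Tianli Company/CN=test1"
}

# issue_cert DIR SUBJ OUT : make an unencrypted key and CSR for SUBJ, sign it with the CA.
# Returns non-zero when `openssl ca` refuses the request (e.g. a policy_match failure).
issue_cert() {
    dir="$1"; subj="$2"; out="$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$out.key" -subj "$subj" -out "$out.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin env:CA_PASS \
        -in "$out.csr" -out "$out.crt" 2>/dev/null
}

# is_ca_cert FILE : succeeds only if FILE carries basicConstraints CA:TRUE
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# verify_chain DIR CERT : succeeds only if CERT chains to DIR/my-ca.crt
verify_chain() { openssl verify -CAfile "$1/my-ca.crt" "$2" >/dev/null 2>&1; }
# key_mode FILE : octal permission bits of FILE (GNU stat, falling back to BSD stat)
key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# demo : run the whole procedure in a throwaway directory; returns 0 only if every check holds
demo() {
    ca=$(mktemp -d) || return 1
    make_ca "$ca" || return 1
    is_ca_cert "$ca/my-ca.crt" || { echo "my-ca.crt is not a CA certificate" >&2; return 1; }
    [ "$(key_mode "$ca/private/my-ca.key")" = 600 ] || { echo "CA key is not mode 0600" >&2; return 1; }
    issue_cert "$ca" "/C=CN/ST=Hebei/O=Tianli Company/CN=www.example.test" "$ca/server" || return 1
    verify_chain "$ca" "$ca/server.crt" || { echo "server.crt does not verify" >&2; return 1; }
    # same state and organisation, different countryName: policy_match must reject it
    if issue_cert "$ca" "/C=US/ST=Hebei/O=Tianli Company/CN=other.example.test" "$ca/rejected"; then
        echo "policy_match did not reject the C=US request" >&2; return 1
    fi
    echo "CA in $ca: CA:TRUE, key 0600, server.crt issued and verified, C=US request rejected"
    rm -rf "$ca"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run it with `sh make-ca.sh`; it prints one summary line on success and exits non-zero at the first failed check. Two design points worth noting: the key mode check matters because `openssl genrsa` honours the umask, so forgetting the `(umask 077; ...)` subshell leaves the encrypted CA key world-readable; and the rejected second request shows that [policy_match] is enforced by `openssl ca` itself, so a CA operator cannot accidentally sign a request from a different country or organisation under this policy without changing the configuration.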
