1. Initialise the files
### Create the database index file and the certificate serial-number file
```
[root@base CA]# cd /etc/pki/CA
[root@base CA]# touch serial index.txt
```
### Set the initial certificate serial number
```
[root@base CA]# echo "01" > serial
```
2. Generate the CA private key
```
[root@base CA]# cd /etc/pki/CA/
[root@base CA]# openssl genrsa -out private/cakey.pem 2048
```
3. Self-sign the CA certificate
```
[root@base CA]# openssl req -new -x509 -key ./private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                          ### country the certificate belongs to, two-letter abbreviation
State or Province Name (full name) []:Zhejiang                ### state or province the certificate belongs to
Locality Name (eg, city) [Default City]:Hangzhou              ### city the certificate belongs to
Organization Name (eg, company) [Default Company Ltd]:ldap    ### organisation the certificate belongs to
Organizational Unit Name (eg, section) []:IT                  ### department the certificate belongs to
Common Name (eg, your name or your server's hostname) []:ldap ### host name of the certificate; it must be identical to the name clients resolve the certificate owner by, otherwise validation fails
Email Address []:admin@ldap.com                               ### administrator e-mail address
```
4. Inspect the certificate
```
[root@base CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12060678561544518346 (0xa76023406307baca)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=ldap, OU=IT, CN=ldap/emailAddress=admin@ldap.com
        Validity
            Not Before: May 15 07:48:19 2019 GMT
            Not After : May 12 07:48:19 2029 GMT
        Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=ldap, OU=IT, CN=ldap/emailAddress=admin@ldap.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:c2:fa:4c:6a:6b:dd:c5:a9:79:18:32:b9:16:
                    7a:31:f8:00:87:0e:37:2d:aa:5a:42:b8:9b:9e:85:
                    b7:c8:b1:5f:36:ae:34:25:12:96:10:58:c5:09:58:
                    de:bc:5a:29:85:dd:ab:3d:e4:d7:67:19:64:47:e6:
                    0b:98:21:cb:9a:25:10:cf:2b:2c:25:af:d3:2f:62:
                    2e:27:da:59:87:97:df:38:cf:e3:45:7c:43:94:8e:
                    e8:f7:95:48:d7:71:02:4b:01:b3:26:73:2b:9a:16:
                    0c:53:b8:d9:17:ee:a8:6a:e7:36:02:cc:66:e8:9b:
                    b0:20:09:60:93:a2:f8:aa:83:f7:2f:fe:0a:90:d7:
                    81:63:5f:15:fb:97:fd:5f:59:41:e7:91:03:f0:72:
                    54:c8:d0:84:82:25:85:b0:48:97:a6:cb:10:4b:e2:
                    9e:63:a6:13:cc:da:cd:c5:20:c6:54:01:c0:2c:6c:
                    72:b7:6d:b0:f0:21:a3:26:61:67:c8:8f:b2:f4:7d:
                    61:da:da:02:90:50:8e:94:81:38:0b:1d:f7:eb:cb:
                    3e:d5:bd:9e:ca:14:96:8e:29:47:9b:4c:5f:49:0a:
                    74:e0:ae:7d:c4:75:5c:77:e5:0c:47:7b:dc:39:db:
                    23:1e:ef:a1:fb:9a:4c:fe:30:0b:97:4b:41:c0:4d:
                    7e:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3
            X509v3 Authority Key Identifier:
                keyid:44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         31:46:a8:a9:cd:ff:56:d8:de:71:81:ea:9b:23:c0:8f:23:ed:
         07:2b:71:a7:06:ff:49:79:a5:60:e6:a9:1a:8f:77:11:8f:86:
         7a:59:fd:f3:cf:14:7d:31:9d:15:94:41:42:fd:a5:81:f7:89:
         f9:e6:92:56:2b:fc:3d:47:14:a7:44:3a:3a:02:1a:a3:23:11:
         d9:77:51:0e:53:c7:07:e7:b3:a0:24:e7:6f:7f:50:da:eb:1f:
         8c:4a:44:ad:48:22:21:fb:20:87:ac:ed:1f:8f:f5:94:a3:17:
         81:44:bd:35:4a:c4:94:ea:03:2f:a7:3b:5d:f7:2c:5e:46:37:
         9c:ea:d7:c9:24:95:c4:40:d0:09:f7:c9:f4:79:97:04:bb:e8:
         f1:b1:89:a2:11:e6:b6:28:1f:7c:bc:36:10:2d:40:bb:82:ec:
         ef:df:d0:ac:b6:3b:2c:9c:9c:56:21:c1:77:24:21:0e:97:6d:
         de:ab:2e:b7:cb:cd:60:4c:28:1c:70:9e:99:28:93:6c:4c:58:
         ad:3f:0c:fc:4f:ed:80:fd:1c:e0:3e:a7:d3:71:27:e2:cf:0a:
         8e:b1:e2:b1:5b:d8:ac:8e:06:f1:15:4e:53:64:48:31:e7:d7:
         b3:e2:56:c8:6e:fc:1b:6f:86:00:a7:7e:50:cd:10:3a:64:97:
         f8:fc:db:d1
```
5. Have the CA sign a certificate
5.1 The client requests a certificate: generate a private key
```
[root@base CA]# openssl genrsa -out private/ldap.key 2048
```
5.2 Generate the certificate signing request
```
[root@base CA]# openssl req -new -key private/ldap.key -out ldap.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                          ### must match the CA, otherwise signing fails
State or Province Name (full name) []:Zhejiang                ### must match the CA, otherwise signing fails
Locality Name (eg, city) [Default City]:Hangzhou              ### must match the CA, otherwise signing fails
Organization Name (eg, company) [Default Company Ltd]:ldap    ### must match the CA, otherwise signing fails
Organizational Unit Name (eg, section) []:IT                  ### must match the CA, otherwise signing fails
Common Name (eg, your name or your server's hostname) []:www.myldap.com
Email Address []:admin@myldap.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                      ### may be left empty; if a password is entered it must be sent to the CA together with the request
An optional company name []:
```
5.3 The CA signs the certificate from the signing request using the CA certificate
```
[root@base CA]# openssl ca -in ldap.csr -out ldapcert.pem -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 15 07:53:04 2019 GMT
            Not After : May 12 07:53:04 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            organizationName          = ldap
            organizationalUnitName    = IT
            commonName                = www.myldap.com
            emailAddress              = admin@myldap.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2E:B3:0F:CE:3F:79:42:42:96:77:24:E7:A4:DD:19:4F:D3:60:E9:1F
            X509v3 Authority Key Identifier:
                keyid:44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

Certificate is to be certified until May 12 07:53:04 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
6. Directory layout
```
[root@base CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── ldapcert.pem
├── ldap.csr
├── newcerts
│   └── 01.pem
├── private
│   ├── cakey.pem
│   └── ldap.key
├── serial
└── serial.old
```
7. Check the information in the issued certificate
```
[root@base CA]# openssl x509 -in ldapcert.pem -noout -serial -subject
serial=01
subject= /C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com
```
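The whole procedure from step 1 to step 7, as an added example that is not part of the original post: it runs the same openssl commands non-interactively (`-subj`, `-batch`) in a throwaway directory with its own minimal config instead of `/etc/pki/CA` and `/etc/pki/tls/openssl.cnf`, and then performs the checks a reviewer would want after step 7: that the root is flagged CA:TRUE with matching key identifiers, that the issued certificate chains to it and matches the host name, and that a request whose `ST` differs from the CA's is refused. It assumes only the `openssl` CLI (1.1.0 or later) on PATH; every path, function name and DN value is constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's commands: the page's CA procedure run
# non-interactively in a throwaway directory, followed by the checks a reviewer
# would want. Assumes only the openssl CLI (1.1.0 or later) on PATH; every path
# and DN value here is constructed for the example, not the page's /etc/pki/CA.
set -eu

CA_DIR="$(mktemp -d)"
trap 'rm -rf "$CA_DIR"' EXIT
CA_SUBJ="/C=CN/ST=Zhejiang/L=Hangzhou/O=ldap/OU=IT/CN=ldap/emailAddress=admin@ldap.com"

# Step 1: directory layout, empty index, initial serial, and a minimal config that
# stands in for /etc/pki/tls/openssl.cnf. policy_match is what forces C/ST/O in a
# request to equal the CA's; L is not listed, so it is dropped from issued certs.
setup_ca_dir() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
  chmod 700 "$CA_DIR/private"          # the CA key must not be readable by others
  : > "$CA_DIR/index.txt"
  echo "01" > "$CA_DIR/serial"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_DIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ req ]
distinguished_name     = req_dn
[ req_dn ]
commonName             = Common Name
EOF
}

# Steps 2-3: CA key and self-signed CA certificate, 10 years as on the page.
create_ca() {
  openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
    -key "$CA_DIR/private/cakey.pem" -days 3650 -subj "$CA_SUBJ" -out "$CA_DIR/cacert.pem"
}

# Steps 5.1-5.3 for one host: key, CSR, CA signature. $1 = common name,
# $2 = stateOrProvinceName (varied below to show policy_match refusing a request).
issue_cert() {
  name="$1"; state="$2"
  openssl genrsa -out "$CA_DIR/private/$name.key" 2048 2>/dev/null
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/$name.key" \
    -subj "/C=CN/ST=$state/L=Hangzhou/O=ldap/OU=IT/CN=$name/emailAddress=admin@myldap.com" \
    -out "$CA_DIR/$name.csr"
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -days 3650 -notext \
    -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.pem"
}

# Steps 4 and 7 as checks that return 0 on success, so callers can branch on them.
is_ca_cert()   { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
is_leaf_cert() { openssl x509 -noout -text -in "$1" | grep -q 'CA:FALSE'; }
cert_serial()  { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
cert_subject() { openssl x509 -noout -subject -in "$1"; }
# A self-signed root's Authority Key Identifier must equal its own Subject Key Identifier.
root_ids_match() {
  ski=$(openssl x509 -noout -text -in "$1" | awk '/Subject Key Identifier/ {getline; print $1}')
  aki=$(openssl x509 -noout -text -in "$1" | awk '/Authority Key Identifier/ {getline; print $1}' | sed 's/^keyid://')
  [ -n "$ski" ] && [ "$ski" = "$aki" ]
}
# Chain check plus host-name check; $2 is the name a client would connect to.
verify_cert() { openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

setup_ca_dir
create_ca
issue_cert www.myldap.com Zhejiang
echo "serial=$(cert_serial "$CA_DIR/www.myldap.com.pem")"
cert_subject "$CA_DIR/www.myldap.com.pem"
verify_cert "$CA_DIR/www.myldap.com.pem" www.myldap.com
echo "chain and host name verify: ok"
# Failure mode: a request whose ST differs from the CA's is refused by policy_match.
if issue_cert www.other.com Jiangsu; then
  echo "unexpected: mismatched request was signed"; exit 1
else
  echo "policy_match refused the mismatched request, as expected"
fi
```

Two things the script makes visible that the interactive session hides. First, the subject of the issued certificate has no `L=` component (the same as the page's step 7 output) because `policy_match` only lists `C`, `ST`, `O` as `match` and `OU`, `CN`, `emailAddress` as `optional`/`supplied`; attributes absent from the policy are silently dropped, and only `C`, `ST` and `O` actually have to equal the CA's. Second, `openssl verify -verify_hostname` accepts the certificate only because it carries no subjectAltName and OpenSSL falls back to the CN; modern TLS clients ignore the CN entirely, so a certificate meant for real clients needs a `subjectAltName = DNS:www.myldap.com` extension added to the `usr_cert` section before signing.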
-----------------------------------------------END-----------------------------------------
If you run into problems during the setup, leave a comment below.