使用openssl自签发CA证书

2019-05-2720:12:19已关闭评论 112

1.初始化文件

### 建立数据库索引文件和证书编号文件

[root@base CA]# cd /etc/pki/CA                                                    
[root@base CA]# touch serial index.txt

1 2	[root@base CA]# cd /etc/pki/CA [root@base CA]# touch serial index.txt

### 设定证书编号初始值

[root@base CA]# echo "01" &gt; serial

1	[root@base CA]# echo "01" > serial

2.生成CA私钥

[root@base CA]# cd /etc/pki/CA/
[root@base CA]# openssl genrsa -out private/cakey.pem 2048

1 2	[root@base CA]# cd /etc/pki/CA/ [root@base CA]# openssl genrsa -out private/cakey.pem 2048

3.自签CA证书

[root@base CA]# openssl req -new -x509 -key ./private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                           ### 定义证书所属国家，两个字母简写
State or Province Name (full name) []:Zhejiang                                             ### 定义证书所属省份（州）
Locality Name (eg, city) [Default City]:Hangzhou                                          ### 定义证书所属城市
Organization Name (eg, company) [Default Company Ltd]:ldap                  ### 定义证书所属的组织
Organizational Unit Name (eg, section) []:IT                                                  ### 定义证书所属部门
Common Name (eg, your name or your server's hostname) []:ldap             ### 定义证书主机名称，必须与证书所有者能解析到的名字保持一致，否则将无法通过验证。
Email Address []:admin@ldap.com                                                                 ### 定义管理员邮箱

[root@base CA]# openssl req -new -x509 -key ./private/cakey.pem -days 3650 -out cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN ### 定义证书所属国家，两个字母简写

State or Province Name (full name) []:Zhejiang ### 定义证书所属省份（州）

Locality Name (eg, city) [Default City]:Hangzhou ### 定义证书所属城市

Organization Name (eg, company) [Default Company Ltd]:ldap ### 定义证书所属的组织

Organizational Unit Name (eg, section) []:IT ### 定义证书所属部门

Common Name (eg, your name or your server's hostname) []:ldap ### 定义证书主机名称，必须与证书所有者能解析到的名字保持一致，否则将无法通过验证。

Email Address []:admin@ldap.com ### 定义管理员邮箱

4.获取证书信息

[root@base CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12060678561544518346 (0xa76023406307baca)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=ldap, OU=IT, CN=ldap/emailAddress=admin@ldap.com
        Validity
            Not Before: May 15 07:48:19 2019 GMT
            Not After : May 12 07:48:19 2029 GMT
        Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=ldap, OU=IT, CN=ldap/emailAddress=admin@ldap.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:c2:fa:4c:6a:6b:dd:c5:a9:79:18:32:b9:16:
                    7a:31:f8:00:87:0e:37:2d:aa:5a:42:b8:9b:9e:85:
                    b7:c8:b1:5f:36:ae:34:25:12:96:10:58:c5:09:58:
                    de:bc:5a:29:85:dd:ab:3d:e4:d7:67:19:64:47:e6:
                    0b:98:21:cb:9a:25:10:cf:2b:2c:25:af:d3:2f:62:
                    2e:27:da:59:87:97:df:38:cf:e3:45:7c:43:94:8e:
                    e8:f7:95:48:d7:71:02:4b:01:b3:26:73:2b:9a:16:
                    0c:53:b8:d9:17:ee:a8:6a:e7:36:02:cc:66:e8:9b:
                    b0:20:09:60:93:a2:f8:aa:83:f7:2f:fe:0a:90:d7:
                    81:63:5f:15:fb:97:fd:5f:59:41:e7:91:03:f0:72:
                    54:c8:d0:84:82:25:85:b0:48:97:a6:cb:10:4b:e2:
                    9e:63:a6:13:cc:da:cd:c5:20:c6:54:01:c0:2c:6c:
                    72:b7:6d:b0:f0:21:a3:26:61:67:c8:8f:b2:f4:7d:
                    61:da:da:02:90:50:8e:94:81:38:0b:1d:f7:eb:cb:
                    3e:d5:bd:9e:ca:14:96:8e:29:47:9b:4c:5f:49:0a:
                    74:e0:ae:7d:c4:75:5c:77:e5:0c:47:7b:dc:39:db:
                    23:1e:ef:a1:fb:9a:4c:fe:30:0b:97:4b:41:c0:4d:
                    7e:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3
            X509v3 Authority Key Identifier:
                keyid:44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         31:46:a8:a9:cd:ff:56:d8:de:71:81:ea:9b:23:c0:8f:23:ed:
         07:2b:71:a7:06:ff:49:79:a5:60:e6:a9:1a:8f:77:11:8f:86:
         7a:59:fd:f3:cf:14:7d:31:9d:15:94:41:42:fd:a5:81:f7:89:
         f9:e6:92:56:2b:fc:3d:47:14:a7:44:3a:3a:02:1a:a3:23:11:
         d9:77:51:0e:53:c7:07:e7:b3:a0:24:e7:6f:7f:50:da:eb:1f:
         8c:4a:44:ad:48:22:21:fb:20:87:ac:ed:1f:8f:f5:94:a3:17:
         81:44:bd:35:4a:c4:94:ea:03:2f:a7:3b:5d:f7:2c:5e:46:37:
         9c:ea:d7:c9:24:95:c4:40:d0:09:f7:c9:f4:79:97:04:bb:e8:
         f1:b1:89:a2:11:e6:b6:28:1f:7c:bc:36:10:2d:40:bb:82:ec:
         ef:df:d0:ac:b6:3b:2c:9c:9c:56:21:c1:77:24:21:0e:97:6d:
         de:ab:2e:b7:cb:cd:60:4c:28:1c:70:9e:99:28:93:6c:4c:58:
         ad:3f:0c:fc:4f:ed:80:fd:1c:e0:3e:a7:d3:71:27:e2:cf:0a:
         8e:b1:e2:b1:5b:d8:ac:8e:06:f1:15:4e:53:64:48:31:e7:d7:
         b3:e2:56:c8:6e:fc:1b:6f:86:00:a7:7e:50:cd:10:3a:64:97:
         f8:fc:db:d1

[root@base CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 12060678561544518346 (0xa76023406307baca)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=ldap, OU=IT, CN=ldap/emailAddress=admin@ldap.com

Validity

Not Before: May 15 07:48:19 2019 GMT

Not After : May 12 07:48:19 2029 GMT

Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=ldap, OU=IT, CN=ldap/emailAddress=admin@ldap.com

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:98:c2:fa:4c:6a:6b:dd:c5:a9:79:18:32:b9:16:

7a:31:f8:00:87:0e:37:2d:aa:5a:42:b8:9b:9e:85:

b7:c8:b1:5f:36:ae:34:25:12:96:10:58:c5:09:58:

de:bc:5a:29:85:dd:ab:3d:e4:d7:67:19:64:47:e6:

0b:98:21:cb:9a:25:10:cf:2b:2c:25:af:d3:2f:62:

2e:27:da:59:87:97:df:38:cf:e3:45:7c:43:94:8e:

e8:f7:95:48:d7:71:02:4b:01:b3:26:73:2b:9a:16:

0c:53:b8:d9:17:ee:a8:6a:e7:36:02:cc:66:e8:9b:

b0:20:09:60:93:a2:f8:aa:83:f7:2f:fe:0a:90:d7:

81:63:5f:15:fb:97:fd:5f:59:41:e7:91:03:f0:72:

54:c8:d0:84:82:25:85:b0:48:97:a6:cb:10:4b:e2:

9e:63:a6:13:cc:da:cd:c5:20:c6:54:01:c0:2c:6c:

72:b7:6d:b0:f0:21:a3:26:61:67:c8:8f:b2:f4:7d:

61:da:da:02:90:50:8e:94:81:38:0b:1d:f7:eb:cb:

3e:d5:bd:9e:ca:14:96:8e:29:47:9b:4c:5f:49:0a:

74:e0:ae:7d:c4:75:5c:77:e5:0c:47:7b:dc:39:db:

23:1e:ef:a1:fb:9a:4c:fe:30:0b:97:4b:41:c0:4d:

7e:af

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Subject Key Identifier:

44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

X509v3 Authority Key Identifier:

keyid:44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

X509v3 Basic Constraints:

CA:TRUE

Signature Algorithm: sha256WithRSAEncryption

31:46:a8:a9:cd:ff:56:d8:de:71:81:ea:9b:23:c0:8f:23:ed:

07:2b:71:a7:06:ff:49:79:a5:60:e6:a9:1a:8f:77:11:8f:86:

7a:59:fd:f3:cf:14:7d:31:9d:15:94:41:42:fd:a5:81:f7:89:

f9:e6:92:56:2b:fc:3d:47:14:a7:44:3a:3a:02:1a:a3:23:11:

d9:77:51:0e:53:c7:07:e7:b3:a0:24:e7:6f:7f:50:da:eb:1f:

8c:4a:44:ad:48:22:21:fb:20:87:ac:ed:1f:8f:f5:94:a3:17:

81:44:bd:35:4a:c4:94:ea:03:2f:a7:3b:5d:f7:2c:5e:46:37:

9c:ea:d7:c9:24:95:c4:40:d0:09:f7:c9:f4:79:97:04:bb:e8:

f1:b1:89:a2:11:e6:b6:28:1f:7c:bc:36:10:2d:40:bb:82:ec:

ef:df:d0:ac:b6:3b:2c:9c:9c:56:21:c1:77:24:21:0e:97:6d:

de:ab:2e:b7:cb:cd:60:4c:28:1c:70:9e:99:28:93:6c:4c:58:

ad:3f:0c:fc:4f:ed:80:fd:1c:e0:3e:a7:d3:71:27:e2:cf:0a:

8e:b1:e2:b1:5b:d8:ac:8e:06:f1:15:4e:53:64:48:31:e7:d7:

b3:e2:56:c8:6e:fc:1b:6f:86:00:a7:7e:50:cd:10:3a:64:97:

f8:fc:db:d1

5.CA签署证书

5.1客户端申请证书,生成私钥

[root@base CA]# openssl genrsa -out private/ldap.key 2048

1	[root@base CA]# openssl genrsa -out private/ldap.key 2048

5.2生成证书签署请求

[root@base CA]# openssl req -new -key private/ldap.key -out ldap.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                                       ###和CA保持一致，否则报错
State or Province Name (full name) []:Zhejiang                                                         ###和CA保持一致，否则报错
Locality Name (eg, city) [Default City]:Hangzhou                                                      ###和CA保持一致，否则报错
Organization Name (eg, company) [Default Company Ltd]:ldap                              ###和CA保持一致，否则报错
Organizational Unit Name (eg, section) []:IT                                                             ###和CA保持一致，否则报错
Common Name (eg, your name or your server's hostname) []:www.myldap.com
Email Address []:admin@myldap.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                                                                            ###可为空，如果填写密码，需要一次发送到CA
An optional company name []:

[root@base CA]# openssl req -new -key private/ldap.key -out ldap.csr -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN ###和CA保持一致，否则报错

State or Province Name (full name) []:Zhejiang ###和CA保持一致，否则报错

Locality Name (eg, city) [Default City]:Hangzhou ###和CA保持一致，否则报错

Organization Name (eg, company) [Default Company Ltd]:ldap ###和CA保持一致，否则报错

Organizational Unit Name (eg, section) []:IT ###和CA保持一致，否则报错

Common Name (eg, your name or your server's hostname) []:www.myldap.com

Email Address []:admin@myldap.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ###可为空，如果填写密码，需要一次发送到CA

An optional company name []:

5.3CA通过ca证书使用签署请求进行签署证书

[root@base CA]# openssl ca -in ldap.csr -out ldapcert.pem -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 15 07:53:04 2019 GMT
            Not After : May 12 07:53:04 2029 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            organizationName          = ldap
            organizationalUnitName    = IT
            commonName                = www.myldap.com
            emailAddress              = admin@myldap.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2E:B3:0F:CE:3F:79:42:42:96:77:24:E7:A4:DD:19:4F:D3:60:E9:1F
            X509v3 Authority Key Identifier:
                keyid:44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

Certificate is to be certified until May 12 07:53:04 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@base CA]# openssl ca -in ldap.csr -out ldapcert.pem -days 3650

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: May 15 07:53:04 2019 GMT

Not After : May 12 07:53:04 2029 GMT

Subject:

countryName = CN

stateOrProvinceName = Zhejiang

organizationName = ldap

organizationalUnitName = IT

commonName = www.myldap.com

emailAddress = admin@myldap.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

2E:B3:0F:CE:3F:79:42:42:96:77:24:E7:A4:DD:19:4F:D3:60:E9:1F

X509v3 Authority Key Identifier:

keyid:44:32:05:B2:19:AA:09:CE:80:A2:45:FD:E8:3C:15:4D:24:9F:31:D3

Certificate is to be certified until May 12 07:53:04 2029 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

6.目录结构

[root@base CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── ldapcert.pem
├── ldap.csr
├── newcerts
│   └── 01.pem
├── private
│   ├── cakey.pem
│   └── ldap.key
├── serial
└── serial.old

[root@base CA]# tree

├── cacert.pem

├── certs

├── crl

├── index.txt

├── index.txt.attr

├── index.txt.old

├── ldapcert.pem

├── ldap.csr

├── newcerts

│ └── 01.pem

├── private

│ ├── cakey.pem

│ └── ldap.key

├── serial

└── serial.old

7.验证生成证书的信息

[root@base CA]# openssl x509 -in ldapcert.pem -noout -serial -subject
serial=01
subject= /C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com

[root@base CA]# openssl x509 -in ldapcert.pem -noout -serial -subject

serial=01

subject= /C=CN/ST=Zhejiang/O=ldap/OU=IT/CN=www.myldap.com/emailAddress=admin@myldap.com

-----------------------------------------------END-----------------------------------------

配置过程中有问题可在下方留言哦

登录 找回密码

登录找回密码