Creating a CA with openssl, requesting a certificate, and issuing a certificate to a web service

I. Creating a private CA

1) Look at the openssl configuration file: /etc/pki/tls/openssl.cnf

2) Create the files the CA needs

touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

3) Generate the private key the CA will use for its self-signed certificate

cd /etc/pki/CA

(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

4) Generate the self-signed certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request

-x509: CA-only option; output a self-signed certificate instead of a request

-key: the private key file used to generate the request

-days n: validity period of the certificate, in days

-out /path/to/somecertfile: where the certificate is saved

Demonstration:


[[email protected] ~]# ls /etc/pki/CA/
certs  crl  newcerts  private
[[email protected] ~]# touch /etc/pki/CA/index.txt
[[email protected] ~]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
[[email protected] ~]# echo 01 > /etc/pki/CA/serial
[[email protected] ~]# ll /etc/pki/CA/
total 20
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
-rw-r--r--. 1 root root    3 Sep 23 07:09 serial
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# ls
certs  crl  index.txt  newcerts  private  serial
[[email protected] CA]# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-bash: nmask: command not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[[email protected] CA]# cd private/
[[email protected] private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
(private key material omitted)
-----END RSA PRIVATE KEY-----
[[email protected] private]# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[[email protected] private]# openssl req -new -x509 -key cakey.pem  -days 7300 -out ../ca
cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:centos6.localdomain
Email Address []:[email protected]
[[email protected] private]# cd ../
[[email protected] CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJANEOQWU3qHpeMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHYmVpamluZzELMAkGA1UEBwwCYmoxETAPBgNVBAoM
CGNoZW4uY29tMRAwDgYDVQQLDAdhbHJlbl8xMRwwGgYDVQQDDBNjZW50b3M2Lmxv
Y2FsZG9tYWluMRwwGgYJKoZIhvcNAQkBFg1hbHJlbkAxNjMuY29tMB4XDTE2MDky
MjIzMTc1MFoXDTM2MDkxNzIzMTc1MFowgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQI
DAdiZWlqaW5nMQswCQYDVQQHDAJiajERMA8GA1UECgwIY2hlbi5jb20xEDAOBgNV
BAsMB2FscmVuXzExHDAaBgNVBAMME2NlbnRvczYubG9jYWxkb21haW4xHDAaBgkq
hkiG9w0BCQEWDWFscmVuQDE2My5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDK84xSt5EAM5E30XRuTTx3if/EBIQtKEnNbpXYrnuZr+WYHt48Gs5a
sYJaFlH20Xz4TCT84J5Au6QAcuB4uW17tq7u5d/pGMXCL9dd6YrMRQMRw6X4IpNT
vCKjuJ/zqvNfzE4+Y/b6Xiki2qoAqnsrH1M64CFPuBxAoqvmJTqVO9L8Ql/EEu3C
hNEghR1jEsjtcVl7subm46JgMciEXvRNALezT/WWcYSxaYBn644IXLpspyS/qivA
O7ZR+OFKqSIgkEVK9lAmqHqzeS3l034zICQbXAnp1olLzsUq6C4sj4hLEglnu1dc
JCpkWV7ki7Uu7BEMCiJ5Z/A7zrxYj4eZAgMBAAGjUDBOMB0GA1UdDgQWBBQmophw
H4o7o6EFDot5NMVm+rmm2TAfBgNVHSMEGDAWgBQmophwH4o7o6EFDot5NMVm+rmm
2TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBkZgymfLYgWOK4RPv+
Vzs2eW+AaYNcNBcot/Ju6rByEZ/Sa4nWxNBVge/0ffSDUsmkSlUdS8oYUbLQU5Kq
pqDaQ0jbwqoMkR+YEau0Q8R+N9WtTOWew3xprRu9BvY9jTjBG5pyFp4pqOEcOTm3
YQyzv8C+0KUS2HDi13nBRet6PjYnt7zgiI2qjAuWaz70ntwFduvNDC7biX18CyJe
ydLnQDGot2dXWqGo/p4eDtIPxpsaH8UCz4SHDKnKZvVOg2r85Wv4F8If0puGGl7m
qhe40zy/s+F1V0lWeJ3nbk2vBSETdoZViUWuRz6acy0at6znlgcMLnwjum8jcp8K
IOnK
-----END CERTIFICATE-----
[[email protected] CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/[email protected]
        Validity
            Not Before: Sep 22 23:17:50 2016 GMT
            Not After : Sep 17 23:17:50 2036 GMT
        Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:f3:8c:52:b7:91:00:33:91:37:d1:74:6e:4d:
                    3c:77:89:ff:c4:04:84:2d:28:49:cd:6e:95:d8:ae:
                    7b:99:af:e5:98:1e:de:3c:1a:ce:5a:b1:82:5a:16:
                    51:f6:d1:7c:f8:4c:24:fc:e0:9e:40:bb:a4:00:72:
                    e0:78:b9:6d:7b:b6:ae:ee:e5:df:e9:18:c5:c2:2f:
                    d7:5d:e9:8a:cc:45:03:11:c3:a5:f8:22:93:53:bc:
                    22:a3:b8:9f:f3:aa:f3:5f:cc:4e:3e:63:f6:fa:5e:
                    29:22:da:aa:00:aa:7b:2b:1f:53:3a:e0:21:4f:b8:
                    1c:40:a2:ab:e6:25:3a:95:3b:d2:fc:42:5f:c4:12:
                    ed:c2:84:d1:20:85:1d:63:12:c8:ed:71:59:7b:b2:
                    e6:e6:e3:a2:60:31:c8:84:5e:f4:4d:00:b7:b3:4f:
                    f5:96:71:84:b1:69:80:67:eb:8e:08:5c:ba:6c:a7:
                    24:bf:aa:2b:c0:3b:b6:51:f8:e1:4a:a9:22:20:90:
                    45:4a:f6:50:26:a8:7a:b3:79:2d:e5:d3:7e:33:20:
                    24:1b:5c:09:e9:d6:89:4b:ce:c5:2a:e8:2e:2c:8f:
                    88:4b:12:09:67:bb:57:5c:24:2a:64:59:5e:e4:8b:
                    b5:2e:ec:11:0c:0a:22:79:67:f0:3b:ce:bc:58:8f:
                    87:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         64:66:0c:a6:7c:b6:20:58:e2:b8:44:fb:fe:57:3b:36:79:6f:
         80:69:83:5c:34:17:28:b7:f2:6e:ea:b0:72:11:9f:d2:6b:89:
         d6:c4:d0:55:81:ef:f4:7d:f4:83:52:c9:a4:4a:55:1d:4b:ca:
         18:51:b2:d0:53:92:aa:a6:a0:da:43:48:db:c2:aa:0c:91:1f:
         98:11:ab:b4:43:c4:7e:37:d5:ad:4c:e5:9e:c3:7c:69:ad:1b:
         bd:06:f6:3d:8d:38:c1:1b:9a:72:16:9e:29:a8:e1:1c:39:39:
         b7:61:0c:b3:bf:c0:be:d0:a5:12:d8:70:e2:d7:79:c1:45:eb:
         7a:3e:36:27:b7:bc:e0:88:8d:aa:8c:0b:96:6b:3e:f4:9e:dc:
         05:76:eb:cd:0c:2e:db:89:7d:7c:0b:22:5e:c9:d2:e7:40:31:
         a8:b7:67:57:5a:a1:a8:fe:9e:1e:0e:d2:0f:c6:9b:1a:1f:c5:
         02:cf:84:87:0c:a9:ca:66:f5:4e:83:6a:fc:e5:6b:f8:17:c2:
         1f:d2:9b:86:1a:5e:e6:aa:17:b8:d3:3c:bf:b3:e1:75:57:49:
         56:78:9d:e7:6e:4d:af:05:21:13:76:86:55:89:45:ae:47:3e:
         9a:73:2d:1a:b7:ac:e7:96:07:0c:2e:7c:23:ba:6f:23:72:9f:
         0a:20:e9:ca
[[email protected] CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT

II. Issuing and revoking certificates

1) Issuing a certificate: the certificate request is generated on the host that needs the certificate. First generate a private key for the web server (in this exercise, on a second host)

(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

2) Generate the certificate signing request

openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr

3) Send the request file to the CA; the CA signs the certificate and issues it to the requester. Note: by default the country, state/province and organization in the request must match the CA's

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

4) View the information in a certificate

openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial|-dates

5) Revoking a certificate: on the client, get the serial of the certificate to be revoked

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

6) On the CA, compare the serial and subject submitted by the client with the entry in index.txt; if they match, revoke the certificate

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

7) Generate the CRL number file (only needed the first time a certificate is revoked)

echo 01 > /etc/pki/CA/crlnumber

8) Update the certificate revocation list, then view the CRL file

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
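The two parts above (Part I, building the CA; Part II, issuing, checking and revoking a certificate) run end to end in the following script. It is an added example, not code from the original post: it works in a scratch directory rather than /etc/pki/CA, carries its own minimal openssl.cnf (the CA_default and policy_match sections of the stock file, with sha256 in place of the sha1 the page's output shows), uses constructed DN values, and needs only the openssl command line tool. It also adds the step the page leaves out, the relying party's view: `openssl verify` against the CA certificate and the CRL, which is what turns a line in index.txt into a rejected connection.

```shell
#!/bin/sh
# Added example (not from the original post): the page's CA procedure in a scratch
# directory. Paths, the openssl.cnf below and all DN values are constructed for the demo.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # assumption: scratch CA root standing in for /etc/pki/CA
CFG="$CA_DIR/openssl.cnf"

# Part I: directory layout, index.txt/serial, CA key and self-signed certificate.
ca_setup() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    touch "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"       # page step 7, done up front so -gencrl works at once
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -days 7300 -config "$CFG" \
        -extensions v3_ca -out "$CA_DIR/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain"
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null   # empty CRL
}
# Part II, steps 1-3: server key and CSR (on the page made on a second host and copied
# over), then signed by the CA. C, ST and O must match the CA or policy_match rejects it.
issue_cert() {
    cn="$1"
    (umask 066; openssl genrsa -out "$CA_DIR/$cn.key" 2048 2>/dev/null)
    openssl req -new -key "$CA_DIR/$cn.key" -config "$CFG" -out "$CA_DIR/$cn.csr" \
        -subj "/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=$cn"
    openssl ca -batch -config "$CFG" -in "$CA_DIR/$cn.csr" -out "$CA_DIR/certs/$cn.crt" \
        -days 365 >/dev/null 2>&1
    echo "$CA_DIR/certs/$cn.crt"
}
# Steps 4-6: read the serial from the certificate and look it up in index.txt
# (tab separated: status, expiry, revocation date, serial, file name, subject).
index_status() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    awk -F "$(printf '\t')" -v s="$serial" '$4 == s { print $1 }' "$CA_DIR/index.txt"
}
# Steps 6 and 8: revoke, then regenerate the CRL; clients see nothing until they fetch it.
revoke_cert() {
    openssl ca -batch -config "$CFG" -revoke "$1" >/dev/null 2>&1
    openssl ca -config "$CFG" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}
# What a relying party checks: chain to cacert.pem plus the CRL. Prints valid/revoked/invalid.
cert_status() {
    out=$(openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" \
              -CRLfile "$CA_DIR/crl/ca.crl" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo invalid ;;
    esac
}
main() {
    ca_setup
    crt=$(issue_cert www.alren.com)
    echo "issued  $crt: index=$(index_status "$crt") verify=$(cert_status "$crt")"
    revoke_cert "$crt"
    echo "revoked $crt: index=$(index_status "$crt") verify=$(cert_status "$crt")"
}
main
```

Run it as `sh ca-demo.sh`; set `CA_DIR` to reuse a directory between runs. The first echo shows `index=V verify=valid`, the second `index=R verify=revoked`: revocation only changes index.txt and the CRL, the certificate file itself is untouched, which is why the client-side check must consult the CRL (or OCSP) rather than the certificate alone.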

Demonstration:


[[email protected] ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[[email protected] ~]# cd /etc/pki/tls/private/
[[email protected] private]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
(private key material omitted)
-----END RSA PRIVATE KEY-----
[[email protected] private]# openssl req -new -key /etc/pki/tls/private/httpd.key  -days 365 -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] private]# ls
httpd.csr  httpd.key
[[email protected] private]# scp httpd.csr 10.1.249.94:
[[email protected] CA]# cp /root/httpd.csr  .
[[email protected] CA]# ls
cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial
[[email protected] CA]# openssl ca -in httpd.csr  -out  certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = chen.com
            organizationalUnitName    = alren_1
            commonName                = www.alren.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# ls
cacert.pem  crl        index.txt       index.txt.old  private  serial.old
certs       httpd.csr  index.txt.attr  newcerts       serial
[[email protected] CA]# cat index.txt.attr
unique_subject = yes
[[email protected] CA]# cat index.txt
V	170922234302Z		01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/[email protected]
[[email protected] CA]# cat serial
02
[[email protected] CA]# cd certs/
[[email protected] certs]# ls
httpd.crt
[[email protected] certs]# openssl x509 -in httpd.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/[email protected]
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:
                    5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:
                    77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:
                    77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:
                    12:fd:19:e8:40:0d:ed:f6:ec:bc:df:e3:e6:2f:b8:
                    a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:
                    a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:
                    4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:
                    f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:
                    18:df:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:
                    8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:
                    64:0e:c1:bc:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:
                    4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:
                    01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:
                    17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:dc:
                    5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:
                    2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:
                    84:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

    Signature Algorithm: sha1WithRSAEncryption
         5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:dc:
         85:94:bc:d0:ae:82:db:c0:cd:bb:0c:7c:7d:6e:97:41:35:94:
         71:d9:bc:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:
         ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:
         df:33:45:8c:15:2a:a0:be:03:dc:4e:9c:91:ef:a1:99:a8:6d:
         f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:
         48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:
         97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:
         fe:75:8a:3d:75:1c:df:94:36:01:32:43:4e:9c:49:f4:4c:f2:
         d9:85:9d:45:89:7f:6d:47:a9:48:48:bc:b3:8b:ed:06:34:f5:
         30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:
         ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:
         ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:
         0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:
         68:80:5a:4f
[[email protected] certs]#
[[email protected] certs]#
[[email protected] certs]# openssl ca  -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[[email protected] certs]# cd ../
[[email protected] CA]# ls
cacert.pem  crl        index.txt       index.txt.attr.old  newcerts  serial
certs       httpd.csr  index.txt.attr  index.txt.old       private   serial.old
[[email protected] CA]# cat index.txt
R	170922234302Z	160922234706Z	01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/[email protected]
[[email protected] CA]# echo 01 > crlnumber
[[email protected] CA]# openssl ca -gencrl -out crl
crl/       crlnumber
[[email protected] CA]# openssl ca -gencrl -out crl/ca.rcl
Using configuration from /etc/pki/tls/openssl.cnf
[[email protected] CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
(CRL body omitted)
-----END X509 CRL-----
[[email protected] CA]# openssl crl -in crl/ca.rcl  -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/[email protected]
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         03:a3:a3:c1:19:bc:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:df:8f:
         63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:
         6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:
         58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:
         4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:
         27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:
         f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:
         55:11:22:a6:af:83:17:8d:c0:f4:17:cd:10:f0:37:34:86:92:
         95:2a:de:f5:26:20:f0:26:dd:16:b8:72:3a:5c:fc:fd:d2:d6:
         bc:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:
         00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:
         a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:
         f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:
         0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:
         92:c7:18:19
[[email protected] CA]#


A small tip for copying files between hosts:

If ssh refuses to log in with the message "remote host identification has changed!", clear the ~/.ssh/known_hosts file and reconnect: the system has detected that the host's RSA key changed. The warning exists because a changed host key can also mean a man-in-the-middle, as the message itself spells out, so confirm the new fingerprint with the remote host's administrator before removing the entry.


[[email protected] ~]# ssh  10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.

[[email protected] .ssh]#
[[email protected] .ssh]# ssh [email protected]
The authenticity of host '10.1.249.93 (10.1.249.93)' can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.229.93' (RSA) to the list of known hosts.
[email protected]'s password:


This article is from the "小耳朵" blog; please keep this attribution: http://purify.blog.51cto.com/10572011/1856060

Date: 09-23
