Building Your Own CA and Revoking Certificates

运维开发网 https://www.qedev.com 2020-09-05 13:04 Source: 51CTO Author: 菜机运维

#######################################################################

Build your own CA ===========> centos7 ==========> DIR: /etc/pki/CA

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:WUHAN

Locality Name (eg, city) [Default City]:JIANGXIA

Organization Name (eg, company) [Default Company Ltd]:CA.jack.com

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:JACK WANG

Email Address []:[email protected]

openssl configuration file: /etc/pki/tls/openssl.cnf (holds the settings for certificates and the revocation list)

touch index.txt (creates the index database, i.e. the record of issued certificates)

echo 01 > serial (sets the initial certificate serial number)

(umask 066;openssl genrsa -out private/cakey.pem 2048) generate the CA private key

openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem

# generate the self-signed CA certificate with the CA private key

openssl x509 -in cacert.pem -noout -text (view the CA certificate details; it can also be copied to Windows and viewed there after renaming the extension to .crt)

# receive the applicant's private key

openssl req -new -key /root/.ssh/wh5003.com.key -out wh5003.com.csr (generate the certificate request with the applicant's private key)

openssl ca -in wh5003.com.csr -out certs/wh5003.com.crt -days 710 (issue the applicant a certificate valid for 710 days)

openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (view the details of the issued certificate)

openssl ca -status 01 (check the status of serial number 01)

#######################################################################

Certificate request ============> centos6 ==========> DIR: /data/certs

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:WUHAN

Locality Name (eg, city) [Default City]:WUCHANG

Organization Name (eg, company) [Default Company Ltd]:CA.jack.com

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:JACK LIN

Email Address []:[email protected]

(umask 066;openssl genrsa -out wh5003.com.key 2048) the applicant generates its private key

scp wh5003.com.key jack7:/root/.ssh/ send it to the CA

#######################################################################

Install the CA certificate and the applicant's certificate on Windows to view the result.

#######################################################################

Certificate revocation ==========> centos7 (CA) =======> DIR: /etc/pki/CA

openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (look up the serial number of the certificate to be revoked)

openssl ca -revoke newcerts/01.pem (revoke the certificate and confirm the revocation details)

echo 01 > crlnumber (sets the initial CRL number)

openssl ca -gencrl -out crl.pem (generate the certificate revocation list)

openssl ca -status 01 (check the status of the revoked serial number)

cat index.txt (view the index database)

sz crl.pem (can also be viewed on Windows after renaming the extension to .crl)

######################################################################
[20:43:[email protected] CA]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   └── wh5003.com.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
├── serial.old
└── wh5003.com.csr
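As an added, self-contained example (not code from the original post), the script below runs the same sequence in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/tls/openssl.cnf, then checks the issued certificate against the CRL with openssl verify -crl_check before and after the revocation. It departs from the post in two assumed ways: the applicant keeps its private key and hands the CA only the CSR, and the subjects are shortened to a CN; the function names and the "ok revoked" status line are this example's own.

```shell
# Added example, not from the original post: the whole lifecycle above (CA set-up, signing,
# CRL, revocation) in a throw-away directory with its own minimal openssl.cnf. Names are the post's.
set -eu
setup_ca() {  # $1 = CA dir; recreates the layout the post shows under /etc/pki/CA
  mkdir -p "$1/private" "$1/certs" "$1/newcerts" "$1/crl"
  touch "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$1/private/cakey.pem" -days 3650 -config "$1/openssl.cnf" \
    -subj "/CN=JACK WANG" -out "$1/cacert.pem"
}
crl_status() {  # $1 = CA dir, $2 = cert; echoes ok, revoked, or failed: <reason>
  out=$(openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$1/crl.pem" "$2" 2>&1) \
    && { echo ok; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo "failed: $out" ;; esac
}
ca_demo() {  # runs the whole lifecycle; echoes "<status before revoke> <status after>"
  w=$(mktemp -d); ca="$w/CA"; cnf="$ca/openssl.cnf"; crt="$ca/certs/wh5003.com.crt"
  setup_ca "$ca"
  # Applicant side: the private key stays here; only the CSR is handed to the CA.
  (umask 066; openssl genrsa -out "$w/wh5003.com.key" 2048 2>/dev/null)
  openssl req -new -key "$w/wh5003.com.key" -config "$cnf" -subj "/CN=wh5003.com" -out "$w/wh5003.com.csr"
  # CA side: issue the certificate, then publish a CRL (still empty at this point).
  openssl ca -batch -config "$cnf" -in "$w/wh5003.com.csr" -out "$crt" -days 710 2>/dev/null
  openssl ca -config "$cnf" -gencrl -crldays 30 -out "$ca/crl.pem" 2>/dev/null
  before=$(crl_status "$ca" "$crt")
  # Revoke serial 01 and republish the CRL; a CRL-checking client now rejects the cert.
  openssl ca -config "$cnf" -revoke "$ca/newcerts/01.pem" 2>/dev/null
  openssl ca -config "$cnf" -gencrl -crldays 30 -out "$ca/crl.pem" 2>/dev/null
  after=$(crl_status "$ca" "$crt")
  rm -rf "$w"; echo "$before $after"
}
```

Calling ca_demo on a host with openssl on PATH prints the line "ok revoked": the certificate passes the CRL check right after issuance and fails it once the revocation has been published.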
