openssl证书颁发机构基本搭建
2012-06-13 15:26
274 查看
1、查看是否安装,默认RHEL是安装的
[root@bogon tmp]# rpm -qa | grep openssl
openssl-0.9.8e-22.el5
openssl-devel-0.9.8e-22.el5
2、编辑配置文件
[root@bogon ~]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ CA_default ]
dir = /etc/pki/CA //CA目录改成绝对路径
certs = $dir/certs //公钥
crl_dir = $dir/crl //证书吊销列表
database = $dir/index.txt //证书颁发信息
new_certs_dir = $dir/newcerts //证书备份,副本
certificate = $dir/cacert.pem //CA公钥
serial = $dir/serial /学列号
crlnumber = $dir/crlnumber //吊销证书次数
crl = $dir/crl.pem //黑名单列表
private_key = $dir/private/cakey.pem//CA中心私钥
3、默认的CA下目录文件是没有的,需要我们手动建立下
[root@bogon ~]# cd /etc/pki/CA/
[root@bogon CA]# mkdir certs newcerts crl
[root@bogon CA]# touch index.txt
[root@bogon CA]# echo 01 > serial
4、自签证书,生成自己的证书,依次按屏幕提示输入个人信息即可
[root@bogon CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048
[root@bogon CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Peace
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.peace.com
Email Address []:
5、客户端申请证书,生成密钥
[root@bogon ssl]# (umask 077;openssl genrsa 1024 > client.key)
[root@bogon ssl]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Peace
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.peace.com
Email Address []:peace@adim.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@bogon ssl]# scp client.csr root@192.168.80.135:/tmp //这里我就用scp传给CA了
6、CA验证颁发,发回给客户端
[root@bogon tmp]# openssl ca -in client.csr -out client.crt -days 365
[root@bogon tmp]# scp client.crt root@192.168.80.136:/ssl
至此简单的CA证书申请颁发就结束了,当然这只是简简单单的一个申请过程而已。
[root@bogon tmp]# rpm -qa | grep openssl
openssl-0.9.8e-22.el5
openssl-devel-0.9.8e-22.el5
2、编辑配置文件
[root@bogon ~]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ CA_default ]
dir = /etc/pki/CA //CA目录改成绝对路径
certs = $dir/certs //公钥
crl_dir = $dir/crl //证书吊销列表
database = $dir/index.txt //证书颁发信息
new_certs_dir = $dir/newcerts //证书备份,副本
certificate = $dir/cacert.pem //CA公钥
serial = $dir/serial /学列号
crlnumber = $dir/crlnumber //吊销证书次数
crl = $dir/crl.pem //黑名单列表
private_key = $dir/private/cakey.pem//CA中心私钥
3、默认的CA下目录文件是没有的,需要我们手动建立下
[root@bogon ~]# cd /etc/pki/CA/
[root@bogon CA]# mkdir certs newcerts crl
[root@bogon CA]# touch index.txt
[root@bogon CA]# echo 01 > serial
4、自签证书,生成自己的证书,依次按屏幕提示输入个人信息即可
[root@bogon CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048
[root@bogon CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Peace
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ca.peace.com
Email Address []:
5、客户端申请证书,生成密钥
[root@bogon ssl]# (umask 077;openssl genrsa 1024 > client.key)
[root@bogon ssl]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Peace
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.peace.com
Email Address []:peace@adim.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@bogon ssl]# scp client.csr root@192.168.80.135:/tmp //这里我就用scp传给CA了
6、CA验证颁发,发回给客户端
[root@bogon tmp]# openssl ca -in client.csr -out client.crt -days 365
[root@bogon tmp]# scp client.crt root@192.168.80.136:/ssl
至此简单的CA证书申请颁发就结束了,当然这只是简简单单的一个申请过程而已。
相关文章推荐
- 通过OpenSSL获取证书扩展属性之四:“CRL 分发点”和"颁发机构信息访问"
- openssl 颁发中文机构证书
- 通过OpenSSL获取证书扩展属性之三:“颁发机构密钥标识”和"使用者密钥标识"
- Linux下如何颁发证书:学习使用openssl搭建一个CA
- Linux下如何颁发证书:学习使用openssl搭建一个CA
- Linux下如何颁发证书:学习使用openssl搭建一个CA
- 安装VS2012 update3提示缺少Microsoft根证书颁发机构2010或2011的解决方法
- Linux下使用openssl制作CA及证书颁发
- 创建推送证书 遇到 “此证书由未知颁发机构签名”
- OpenSSL 给自己颁发根证书,由根证书签发下级证书的步骤。
- openssl创建CA、申请证书及其给web服务颁发证书
- Netscaler 10.5 VPX与XenApp XenDesktop 集成配置系列之二申请域根证书颁发机构签发的服务器证书
- CA加密,网络安全-CA(证书颁发机构)配置概述
- Openssl建立根CA及证书的自签和颁发
- 安装企业从属证书颁发机构
- linux下简单自建证书颁发机构-CA
- OPENSSL 颁发证书出错
- OpenSSL - 利用OpenSSL自签证书和CA颁发证书
- 此证书是由未知颁发机构签名的解决办法