
Building a CA with OpenSSL

2013-10-18 09:33
Requirements:
(1) Set up a CA on a node;
(2) Issue a certificate to the user user1;
(3) Verify that the certificate is trusted.

1. Create the CA
(1) Create the directories and files the CA needs
    mkdir "$HOME/testca"
    cd "$HOME/testca"
    mkdir newcerts private conf
    chmod g-rwx,o-rwx private
    echo "01" > serial
    touch index.txt
Notes:
$HOME/testca is the home directory of the CA being built. Within it:
    the newcerts subdirectory stores the certificates the CA has signed (issued), i.e. it is the certificate backup directory;
    the private subdirectory stores the CA's private key;
    the conf directory only holds configuration files that keep the command-line parameters short;
    the files serial and index.txt hold the serial number of the next certificate and the certificate database, respectively.

(2) Generate the CA's private key and self-signed certificate (the root certificate)
    vi "$HOME/testca/conf/gentestca.conf"
    cd "$HOME/testca"
    openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 2190 -config "$HOME/testca/conf/gentestca.conf"

View the certificate (the private key is written to private/cakey.pem, the path set by default_keyfile in the config):
    openssl x509 -in cacert.pem -text -noout

(3) Create a configuration file for the CA's day-to-day operations
    vi "$HOME/testca/conf/testca.conf"

2. The CA issues a certificate to User1
(1) Create a key and a certificate request for gateway User1 (the request contains the public key)
    mkdir $HOME/testuser
    cd $HOME/testuser
    openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM -subj "/O=TestCom/OU=TestOU/CN=testuser"
View the request:
    openssl req -in testreq.pem -text -noout
(2) The CA issues the certificate to user1 (the command asks for the CA key passphrase and for confirmation before signing; -batch skips the confirmation)
    openssl ca -in testreq.pem -out testcert.pem -config "$HOME/testca/conf/testca.conf"

View the certificate:
    openssl x509 -in testcert.pem -text -noout

3. Verify that the certificate is trusted (run from $HOME)
    openssl verify -CAfile testca/cacert.pem -verbose testuser/testcert.pem

File: gentestca.conf (default_md = md5 is as in the original; MD5 signatures are collision-prone and widely rejected today, so use sha256 for any CA that matters)

==============================

[ req ]

default_keyfile = $ENV::HOME/testca/private/cakey.pem

default_md = md5

prompt = no

distinguished_name = ca_distinguished_name

x509_extensions = ca_extensions

[ ca_distinguished_name ]

organizationName = TestOrg

organizationalUnitName = TestDepartment

commonName = TestCA

emailAddress = ca_admin@testorg.com

[ ca_extensions ]

basicConstraints = CA:true

==================================

File: testca.conf

==================
[ ca ]

default_ca = testca # The default ca section

[ testca ]

dir = $ENV::HOME/testca # top dir

database = $dir/index.txt # index file.

new_certs_dir = $dir/newcerts # new certs dir

certificate = $dir/cacert.pem # The CA cert

serial = $dir/serial # serial no file

private_key = $dir/private/cakey.pem # CA private key

RANDFILE = $dir/private/.rand # random number file

default_days = 365 # how long to certify for

default_crl_days= 30 # how long before next CRL

default_md = md5 # message digest method to use

unique_subject = no # Set to 'no' to allow creation of

                    # several certificates with same subject.

policy = policy_any # default policy

[ policy_any ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = supplied

emailAddress = optional

==================================
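The whole procedure as one non-interactive script, added here as an example and not part of the original post. It assumes its own scratch layout under CA_ROOT instead of the post's $HOME paths, uses sha256 instead of md5 and a 2048-bit user key, and passes -nodes and -batch so that nothing prompts.

```shell
# Added example, not from the original post: the procedure above run non-interactively in a
# scratch dir CA_ROOT (assumed layout). Changes from the post: sha256 instead of md5, 2048-bit
# user key, -nodes (unencrypted keys; protect a real CA key) and -batch so nothing prompts.
set -eu
build_test_ca() {
    CA_ROOT=$1
    mkdir -p "$CA_ROOT/ca/newcerts" "$CA_ROOT/ca/private" "$CA_ROOT/ca/conf" "$CA_ROOT/user"
    chmod g-rwx,o-rwx "$CA_ROOT/ca/private"
    echo "01" > "$CA_ROOT/ca/serial"   # next serial number; the database starts empty
    : > "$CA_ROOT/ca/index.txt"
    cat > "$CA_ROOT/ca/conf/gentestca.conf" <<EOF
[ req ]
default_keyfile = $CA_ROOT/ca/private/cakey.pem
default_md = sha256
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
organizationName = TestOrg
commonName = TestCA
[ ca_ext ]
basicConstraints = critical, CA:true
EOF
    cat > "$CA_ROOT/ca/conf/testca.conf" <<EOF
[ ca ]
default_ca = testca
[ testca ]
dir = $CA_ROOT/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
organizationName = optional
organizationalUnitName = optional
commonName = supplied
EOF
    # CA key + self-signed root, then the user's key + CSR, then the CA signs the CSR
    openssl req -x509 -newkey rsa:2048 -nodes -days 2190 -config "$CA_ROOT/ca/conf/gentestca.conf" -out "$CA_ROOT/ca/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$CA_ROOT/user/testkey.pem" -out "$CA_ROOT/user/testreq.pem" -subj "/O=TestCom/OU=TestOU/CN=testuser" 2>/dev/null
    openssl ca -batch -config "$CA_ROOT/ca/conf/testca.conf" -in "$CA_ROOT/user/testreq.pem" -out "$CA_ROOT/user/testcert.pem" >/dev/null 2>&1
}
# Step 3: exit 0 only if testcert.pem chains to this CA's root certificate.
verify_user_cert() {
    openssl verify -CAfile "$1/ca/cacert.pem" "$1/user/testcert.pem" >/dev/null 2>&1
}
```

After a run, ca/newcerts/01.pem holds the issued certificate, ca/serial has advanced to 02 and ca/index.txt carries one V (valid) record for it.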