Creating a CA with openssl, requesting a certificate, and issuing certificates to a web service


Part One: Creating a private CA

1) Look at the openssl configuration file, /etc/pki/tls/openssl.cnf. Its [ CA_default ] section sets dir = /etc/pki/CA and names the files the ca command expects there (index.txt, serial, private/cakey.pem, cacert.pem, newcerts/); the steps below create exactly those.


2) Create the files the ca command needs: the certificate database and the next serial number

touch /etc/pki/CA/index.txt

echo 01 > /etc/pki/CA/serial


3) Generate the CA's private key

cd /etc/pki/CA

(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

The umask is set inside a subshell so that the key file is created with mode 0600 while the shell's own umask is left unchanged. Check the result afterwards; if the umask did not take effect the key is world-readable, and everything the CA signs rests on that one file staying secret.


4) Generate the self-signed CA certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request

-x509: output a self-signed certificate instead of a request (this is what makes it a CA certificate)

-key: the private key used to sign the request

-days n: validity period of the certificate in days (7300 here, about twenty years)

-out /path/to/somecertfile: where to save the certificate



Demonstration:



[root@centos6 ~]# ls /etc/pki/CA/
certs  crl  newcerts  private
[root@centos6 ~]# touch /etc/pki/CA/index.txt
[root@centos6 ~]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
[root@centos6 ~]# echo 01 > /etc/pki/CA/serial
[root@centos6 ~]# ll /etc/pki/CA/
total 20
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
-rw-r--r--. 1 root root    3 Sep 23 07:09 serial
[root@centos6 ~]# cd /etc/pki/CA
[root@centos6 CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@centos6 CA]# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-bash: nmask: command not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[root@centos6 CA]# cd private/
[root@centos6 private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyvOMUreRADORN9F0bk08d4n/xASELShJzW6V2K57ma/lmB7e
PBrOWrGCWhZR9tF8+Ewk/OCeQLukAHLgeLlte7au7uXf6RjFwi/XXemKzEUDEcOl
+CKTU7wio7if86rzX8xOPmP2+l4pItqqAKp7Kx9TOuAhT7gcQKKr5iU6lTvS/EJf
xBLtwoTRIIUdYxLI7XFZe7Lm5uOiYDHIhF70TQC3s0/1lnGEsWmAZ+uOCFy6bKck
v6orwDu2UfjhSqkiIJBFSvZQJqh6s3kt5dN+MyAkG1wJ6daJS87FKuguLI+ISxIJ
Z7tXXCQqZFle5Iu1LuwRDAoieWfwO868WI+HmQIDAQABAoIBAFaVwXAo0Lv9RB9E
RSAp43o8bdn680kwvwvd+iAPkLvox1M3GCkcZp1azfoRO7bJeT+VfNJGIj4Lz9RB
LnNS6Nq2/br+Z6DS6MwIDSIL2SN87epORiiu15wJz915jwQuEtb0Gw2TKHN4aKRu
Fcli8llba+7aYFvaeHM684ukpnGz6bRYwRDrEgUvMksFvPA2dqzvP/OjEIqvvf/l
d+rhOQGlB18E2oQ3048PJpgPHyceKLuuFkvFGsHofI8a5hLqD3PJ4AjHuPPF/Yqz
ZQwxmncV+YM9nJ/s8J5PJQ+3hPkA6pbhpM1eXHSPajnnkWiMV1RkUBltkHdJGPT9
h4t2o2ECgYEA5z/8HvbnXlAHC8+5mKO0rkBifxUyG9FVYmGOPKJwoK16eRxWuQgo
VboVZm5mK4LCtsMzUXobSXtgsb941O6U7lxrogflcYEQkvWL7JNg8vdIMwHs75zF
vXnoyCF9ZoDFr0juTP94AI4WW8GTfSo3caL+T8pnQalu5y3JvBQIRVcCgYEA4Kw1
8VAGix+QYWK9h1R35cKcnZQb0eq0ChZ8XFd7leLImPCpv7t1R86mvwIvZkYMIqD3
btUXk8G2ezyoufntEP5KGv9QbsQS8vFDw0RSsYkwWJZBeIUV6yPdUHniIWT6Ozwv
pD6hJwVSAv7m4tNTwJLH2Ebbs22Di05q/kfqFI8CgYEA4SVD0+Xx57ok0hQhkAI7
BLh87Vv2mGzcI9f1gwVogJfGOSolKStPEgAFm9/6q3w5FXXBfh9Td9yejRBtlWrg
J55l0LC9bCALwfk9jU0ERCoL6lWCmNvbDhomUMuCaw0O6xUnpmHINUohbJ5weZlj
t8jIr2jR1XUgHAZRdkNOtisCgYAfOU+13b1LEHPsVOCqMh8Hm2hQrgi/v7KNxFo8
KxxN1Fq0hp3Qu6is9hdObGtR92IwXdaFXLAOJNnLfr6kOgusVOrPnbP78NwBT25v
cMtdSQejCB7JNRW6vB1B1e6LXZE5MkAcv2d+GMsxB2PnGh+Fn+COOirGYO3rKlbM
SApMGQKBgQCaAaZzscT3KnnZEFi3e2IrlJMxY09zCm2xRle70m0lK0BHZsoxvcAl
bf19tZsoD2wPcvB6j+SLhB5jdG5iJ6SCp+vx+p/XFORlU+3V5gD/+P9I2LZfVZ+z
7YvRfXzuEiZi0h4ljBb4Oh8Di/0ytKnBzbWs00Trj7ariZ/WfgmTDw==
-----END RSA PRIVATE KEY-----
[root@centos6 private]# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[root@centos6 private]# openssl req -new -x509 -key cakey.pem -days 7300 -out ../cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:centos6.localdomain
Email Address []:alren@163.com
[root@centos6 private]# cd ../
[root@centos6 CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJANEOQWU3qHpeMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHYmVpamluZzELMAkGA1UEBwwCYmoxETAPBgNVBAoM
CGNoZW4uY29tMRAwDgYDVQQLDAdhbHJlbl8xMRwwGgYDVQQDDBNjZW50b3M2Lmxv
Y2FsZG9tYWluMRwwGgYJKoZIhvcNAQkBFg1hbHJlbkAxNjMuY29tMB4XDTE2MDky
MjIzMTc1MFoXDTM2MDkxNzIzMTc1MFowgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQI
DAdiZWlqaW5nMQswCQYDVQQHDAJiajERMA8GA1UECgwIY2hlbi5jb20xEDAOBgNV
BAsMB2FscmVuXzExHDAaBgNVBAMME2NlbnRvczYubG9jYWxkb21haW4xHDAaBgkq
hkiG9w0BCQEWDWFscmVuQDE2My5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDK84xSt5EAM5E30XRuTTx3if/EBIQtKEnNbpXYrnuZr+WYHt48Gs5a
sYJaFlH20Xz4TCT84J5Au6QAcuB4uW17tq7u5d/pGMXCL9dd6YrMRQMRw6X4IpNT
vCKjuJ/zqvNfzE4+Y/b6Xiki2qoAqnsrH1M64CFPuBxAoqvmJTqVO9L8Ql/EEu3C
hNEghR1jEsjtcVl7subm46JgMciEXvRNALezT/WWcYSxaYBn644IXLpspyS/qivA
O7ZR+OFKqSIgkEVK9lAmqHqzeS3l034zICQbXAnp1olLzsUq6C4sj4hLEglnu1dc
JCpkWV7ki7Uu7BEMCiJ5Z/A7zrxYj4eZAgMBAAGjUDBOMB0GA1UdDgQWBBQmophw
H4o7o6EFDot5NMVm+rmm2TAfBgNVHSMEGDAWgBQmophwH4o7o6EFDot5NMVm+rmm
2TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBkZgymfLYgWOK4RPv+
Vzs2eW+AaYNcNBcot/Ju6rByEZ/Sa4nWxNBVge/0ffSDUsmkSlUdS8oYUbLQU5Kq
pqDaQ0jbwqoMkR+YEau0Q8R+N9WtTOWew3xprRu9BvY9jTjBG5pyFp4pqOEcOTm3
YQyzv8C+0KUS2HDi13nBRet6PjYnt7zgiI2qjAuWaz70ntwFduvNDC7biX18CyJe
ydLnQDGot2dXWqGo/p4eDtIPxpsaH8UCz4SHDKnKZvVOg2r85Wv4F8If0puGGl7m
qhe40zy/s+F1V0lWeJ3nbk2vBSETdoZViUWuRz6acy0at6znlgcMLnwjum8jcp8K
IOnK
-----END CERTIFICATE-----
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:17:50 2016 GMT
            Not After : Sep 17 23:17:50 2036 GMT
        Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:f3:8c:52:b7:91:00:33:91:37:d1:74:6e:4d:
                    3c:77:89:ff:c4:04:84:2d:28:49:cd:6e:95:d8:ae:
                    7b:99:af:e5:98:1e:de:3c:1a:ce:5a:b1:82:5a:16:
                    51:f6:d1:7c:f8:4c:24:fc:e0:9e:40:bb:a4:00:72:
                    e0:78:b9:6d:7b:b6:ae:ee:e5:df:e9:18:c5:c2:2f:
                    d7:5d:e9:8a:cc:45:03:11:c3:a5:f8:22:93:53:bc:
                    22:a3:b8:9f:f3:aa:f3:5f:cc:4e:3e:63:f6:fa:5e:
                    29:22:da:aa:00:aa:7b:2b:1f:53:3a:e0:21:4f:b8:
                    1c:40:a2:ab:e6:25:3a:95:3b:d2:fc:42:5f:c4:12:
                    ed:c2:84:d1:20:85:1d:63:12:c8:ed:71:59:7b:b2:
                    e6:e6:e3:a2:60:31:c8:84:5e:f4:4d:00:b7:b3:4f:
                    f5:96:71:84:b1:69:80:67:eb:8e:08:5c:ba:6c:a7:
                    24:bf:aa:2b:c0:3b:b6:51:f8:e1:4a:a9:22:20:90:
                    45:4a:f6:50:26:a8:7a:b3:79:2d:e5:d3:7e:33:20:
                    24:1b:5c:09:e9:d6:89:4b:ce:c5:2a:e8:2e:2c:8f:
                    88:4b:12:09:67:bb:57:5c:24:2a:64:59:5e:e4:8b:
                    b5:2e:ec:11:0c:0a:22:79:67:f0:3b:ce:bc:58:8f:
                    87:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         64:66:0c:a6:7c:b6:20:58:e2:b8:44:fb:fe:57:3b:36:79:6f:
         80:69:83:5c:34:17:28:b7:f2:6e:ea:b0:72:11:9f:d2:6b:89:
         d6:c4:d0:55:81:ef:f4:7d:f4:83:52:c9:a4:4a:55:1d:4b:ca:
         18:51:b2:d0:53:92:aa:a6:a0:da:43:48:db:c2:aa:0c:91:1f:
         98:11:ab:b4:43:c4:7e:37:d5:ad:4c:e5:9e:c3:7c:69:ad:1b:
         bd:06:f6:3d:8d:38:c1:1b:9a:72:16:9e:29:a8:e1:1c:39:39:
         b7:61:0c:b3:bf:c0:be:d0:a5:12:d8:70:e2:d7:79:c1:45:eb:
         7a:3e:36:27:b7:bc:e0:88:8d:aa:8c:0b:96:6b:3e:f4:9e:dc:
         05:76:eb:cd:0c:2e:db:89:7d:7c:0b:22:5e:c9:d2:e7:40:31:
         a8:b7:67:57:5a:a1:a8:fe:9e:1e:0e:d2:0f:c6:9b:1a:1f:c5:
         02:cf:84:87:0c:a9:ca:66:f5:4e:83:6a:fc:e5:6b:f8:17:c2:
         1f:d2:9b:86:1a:5e:e6:aa:17:b8:d3:3c:bf:b3:e1:75:57:49:
         56:78:9d:e7:6e:4d:af:05:21:13:76:86:55:89:45:ae:47:3e:
         9a:73:2d:1a:b7:ac:e7:96:07:0c:2e:7c:23:ba:6f:23:72:9f:
         0a:20:e9:ca
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT

Two things to notice in the session above. First, nmask is not a command, so the umask was never changed and cakey.pem was created with the default mode 0644 (the ll output shows -rw-r--r--), readable by every local account; the CA's private key must be mode 0600 (chmod 600 /etc/pki/CA/private/cakey.pem) before anything is signed with it. Second, the certificate is signed with sha1WithRSAEncryption, the default_md of the 2016 openssl.cnf; SHA-1 signatures are deprecated and rejected by many current clients, so pass -sha256 to openssl req and set default_md = sha256 in the [ CA_default ] section (or pass -md sha256 to openssl ca) when doing this today.


Part Two: Issuing and revoking certificates

1) Issuing a certificate. On the host that needs the certificate (a separate machine in this experiment), first generate the web server's private key:

(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)


2) Generate the certificate signing request. The Common Name entered at the prompt must be the host name clients will use to reach the server, because that is what they check the certificate against. A -days value is meaningless on this command (a request has no validity period; the CA sets it when signing, in step 3):

openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr


3) Send the request file to the CA; the CA signs it and returns the certificate to the requester. Note: under the default policy in openssl.cnf (policy_match) the country, state/province and organization in the request must match the CA certificate, and DN fields the policy does not list at all (locality, for example) are silently dropped from the issued certificate, which is why the certificate in the session below has no L= component even though one was entered at the prompt.

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365


4) Inspect the certificate

openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial|-dates


5) Revoking a certificate. On the client, read the serial number and subject of the certificate to be revoked:

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject


6) On the CA, check the serial and subject the client submitted against the matching record in index.txt; if they agree, revoke the certificate (the CA keeps its own copy of every certificate it issued under newcerts/, named by serial):

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

7) Create the CRL number file (needed only once, before the first CRL is generated)

echo 01 > /etc/pki/CA/crlnumber


8) Regenerate the certificate revocation list and inspect the CRL file. Revocation only takes effect for clients that fetch and check the CRL; anything that does not will keep accepting the revoked certificate until it expires.

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

9) Install the mod_ssl module and edit /etc/httpd/conf.d/ssl.conf

    DocumentRoot "/web/pma"
    ServerName www.chen.net:443

    <Directory "/web/pma">
      AllowOverride All
      Options None
      Require all granted
    </Directory>

    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

The private key is referenced with SSLCertificateKeyFile, not a second SSLCertificateFile line, and httpd.key should stay readable by root only (httpd reads it at start-up while still running as root). ServerName must match the Common Name (or a subjectAltName) in the certificate: the certificate signed in the session below carries CN=www.alren.com, so a client connecting to www.chen.net would reject it as a name mismatch unless the request is regenerated for www.chen.net.

Figures: directory authorization (screenshots not reproduced).

10) Test

openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

Examples:

openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem

curl --cacert /etc/pki/CA/cacert.pem https://www.chen.net/

With the CA certificate supplied, s_client reports "Verify return code: 0 (ok)" when the chain is valid; curl additionally checks that the host name in the URL matches the certificate's CN or subjectAltName, so it also catches a certificate issued for the wrong name.
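The script below is an added example, not code from the original post. It runs Part One (the CA set-up) and Part Two steps 1 through 8 end to end against a throwaway CA in a temporary directory rather than /etc/pki/CA, and adds the checks the post leaves implicit: that the CA key really ended up mode 0600, that the issued certificate chains to the CA, that it matches the host name clients will use (the same check curl makes in step 10), and that after revocation both index.txt and a CRL-aware verification reject it. It goes beyond the post in using SHA-256, a subjectAltName and explicit CA extensions. The directory layout, the minimal openssl.cnf it writes, the subject names and the host name www.chen.net are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not the original post's code): the post's CA set-up and issue / inspect /
# revoke / CRL cycle against a throwaway CA in a temp directory instead of /etc/pki/CA.
set -eu
CA_DIR=$(mktemp -d)
trap 'rm -rf "$CA_DIR"' EXIT
CNF="$CA_DIR/openssl.cnf"
HOST="www.chen.net"   # assumed: the ServerName the post's ssl.conf uses
# Part One steps 2-4, with a config shaped like [ CA_default ] in openssl.cnf. policy_anything
# replaces the stock policy_match (C/ST/O must equal the CA's); a DN field absent from the
# policy section is dropped from the issued certificate. copy_extensions=copy carries the
# CSR's subjectAltName over, but the sections here win, so a CSR cannot smuggle in CA:TRUE.
setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"; echo 01 > "$CA_DIR/crlnumber"
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_crl_days = 30
default_md = sha256
policy = policy_anything
x509_extensions = server_ext
copy_extensions = copy
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ san ]
subjectAltName = DNS:$HOST
EOF
    # The umask sits in a subshell so only the key is created 0600; a typo there is not
    # fatal (the shell just reports it), so key_mode re-checks the result afterwards.
    (umask 066; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$CNF" -extensions ca_ext \
        -key "$CA_DIR/private/cakey.pem" -subj "/C=CN/O=chen.com/CN=Example Private CA" \
        -out "$CA_DIR/cacert.pem" 2>/dev/null
}
key_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# Part Two steps 1-3: server key, CSR carrying a SAN, signed in batch mode. Prints the
# serial the CA assigned, which index.txt and -revoke are keyed on.
issue_cert() {
    (umask 066; openssl genrsa -out "$CA_DIR/private/$1.key" 2048 2>/dev/null)
    openssl req -new -key "$CA_DIR/private/$1.key" -config "$CNF" -reqexts san \
        -subj "/C=CN/O=chen.com/CN=$1" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -days 365 \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/certs/$1.crt" >/dev/null 2>&1
    openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -serial | cut -d= -f2
}
# Steps 4 and 10: chain check, then the host-name check that curl also applies.
chain_ok() { openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null 2>&1 && echo OK || echo FAIL; }
host_ok() { openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL; }
# Steps 6-8: revoke by certificate file, then regenerate the CRL.
revoke_cert() {
    openssl ca -config "$CNF" -revoke "$1" >/dev/null 2>&1
    openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl/ca.crl" >/dev/null 2>&1
}
# index.txt is tab separated: status (V/R), expiry, revocation time (empty for V), serial,
# file name, subject. This is the record step 6 says to compare the client's serial with.
cert_status() { awk -F'\t' -v s="$1" '$4 == s { print $1 }' "$CA_DIR/index.txt"; }
# The chain check again, now consulting the CRL: a revoked certificate must be rejected.
crl_ok() {
    openssl verify -crl_check -CAfile "$CA_DIR/cacert.pem" -CRLfile "$CA_DIR/crl/ca.crl" \
        "$1" >/dev/null 2>&1 && echo OK || echo REVOKED
}

setup_ca
CA_KEY_MODE=$(key_mode "$CA_DIR/private/cakey.pem")
SERIAL=$(issue_cert "$HOST")
CERT="$CA_DIR/certs/$HOST.crt"
CHAIN=$(chain_ok "$CERT")
RIGHT_HOST=$(host_ok "$CERT" "$HOST")
WRONG_HOST=$(host_ok "$CERT" "www.alren.com")   # the CN the post's demo CSR actually used
STATUS_BEFORE=$(cert_status "$SERIAL")
revoke_cert "$CERT"
STATUS_AFTER=$(cert_status "$SERIAL")
CRL_RESULT=$(crl_ok "$CERT")
echo "CA key mode=$CA_KEY_MODE serial=$SERIAL chain=$CHAIN host=$RIGHT_HOST wrong-host=$WRONG_HOST index=$STATUS_BEFORE/$STATUS_AFTER crl=$CRL_RESULT"
```

It needs only sh and the openssl command line tool. The openssl.cnf it writes is the part to adapt for a real CA: the stock /etc/pki/tls/openssl.cnf uses policy_match, which is the reason the country, province and organization in the post's request had to match the CA's, and its default_md of sha1 is what produced the sha1WithRSAEncryption signatures in the sessions above.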



Demonstration:


[root@chen ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[root@chen ~]# cd /etc/pki/tls/private/
[root@chen private]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAydNdaHEea6lQpeMOof1bARNbNjerS+CG6bZWxYp3FVIEsqnQ
5dGZ9uvWFcN3XWAb3nTQR0cEjULIkLQS/RnoQA3t9uy83+PmL7imXnB6eDhBXOhb
QYXjAyShhR/Y+OHBJT6HhDZYxqNPoKIxi7ObJVmG6ovuE8P5SQJl5bX21/YB+CmJ
PpoY37WVd4lJagECSK2NjIuMCdMnmIKZIZgCU3XKnw1kDsG8DJXj7ZVuiimxgspM
wyXFI94vHDVxQ7mEJiIBT3F9rn95+Fy35p+fHBcXS4Iw+gJaa4GZeOuYaNxdwI9l
9nLwx9hW69UJ0wcuJQGc8kyN8AFul/sh2aWExQIDAQABAoIBAQC4snRN6w9CyVzj
oqm2dsv8bQFQ2ZsqQhxU7yfzeWbHHRrtgdiJKMq0nFh77DhlPFnkt5QPVp+EwrQX
MKQb+cSAMf8utLGYVtBFpb6iuF5rfFfctUsl6Ge6baBe2qlOAhMmiVWtGasehT+O
qj+bME9v28FLDalfbz3HoakskdyG/ptb6MEh/8Z4bAFovyYfI+IY+P3dzDd018Sv
V6wgj+A11wmhNUyete++DoO/JJtQJZuh0LeN4eg2W51M9vnnH7hrosyRwHfcYioU
SUoKEWs4Md78zVL7IeFcRwV3mSgm356u9SKl2gs+X9Qpb9Uyt5zs1q2jxGxwoe5s
ige9ERbVAoGBAPBIoELS4Cvdr1McaYbvnU6XfCVuWti0ZFDKcEaK2XUz2xMaCeBV
WPfNHq0PiC52RG8h0f9cqSt6m3rB8/5HjTuf9fyv2C6rnpUxfzqZ0P3euMBPIMHM
e2nBwr6hOMNeQwxs6YfXILlcRzMub4c4jqxNGESrWoQTogFe4TEINoe/AoGBANcG
yXsZRwI76lPEm5Z8eyFiHqKAq+QazyZoH1xXW6ByqtDA6toqHGOtuzhUIwR2HfiG
O2I3CWYVnIxWcnBMvdJ4XwIORVzfG9sh6fBqCRbYd2LhD6xTXPqq6dfssT/qI2ql
Cy5PNc0Q2XDFdar0dpIjbjcYuxGPlPPlDtdwALR7AoGBAJtZKRvrAHn72nVuYh+W
XWrJb783iM6gWlcNeudwr8UhoJrJ8+aw51NWr2WOLCp11irPf9iMjOcKXulP6jLV
Cc+pzLzw52DNHjsxBCPb/I2V6HaU8gW58XRfjEv5KhzNnaWz6IwlnweYTIQfmoWf
IEbvlSgYbO4FT3F5aThtKew7AoGADojo6adFw4LlThBGLB/x+sm1JGrqM5sUUZZM
OGO3T9swbLf9qA2cqag+tYoKa+zIDdqU/QiXXA0t7daSGcE2O5njYjIwwhxat69N
LvEb+C1dtJNeCdoAuPkAoZXgTV+4USci4Fh+XIQ9DoBqecnYkfxPIO5NBtzbxri/
DhUGFy0CgYB6Q0T2w3e8SkgF6FSgqIe4u5vio6RCsPIVhHuuZacOgeyzAqCEwQJg
b3SDZIexAUyPAnhNtkllnAYSKdFa97fXyGUdLNh0otj74C9Na6yLrUQ8zdEC1o3u
VOJyOO57bfBykghXYi9JN+29sBB0YOj9uDE0nOUImR95eiwKsP5QXg==
-----END RSA PRIVATE KEY-----
[root@chen private]# openssl req -new -key /etc/pki/tls/private/httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:admin@chen.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@chen private]# ls
httpd.csr  httpd.key
[root@chen private]# scp httpd.csr 10.1.249.94:
[root@centos6 CA]# cp /root/httpd.csr .
[root@centos6 CA]# ls
cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial
[root@centos6 CA]# openssl ca -in httpd.csr -out certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = chen.com
            organizationalUnitName    = alren_1
            commonName                = www.alren.com
            emailAddress              = admin@chen.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.old  private  serial.old
certs       httpd.csr  index.txt.attr  newcerts       serial
[root@centos6 CA]# cat index.txt.attr
unique_subject = yes
[root@centos6 CA]# cat index.txt
V	170922234302Z		01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# cat serial
02
[root@centos6 CA]# cd certs/
[root@centos6 certs]# ls
httpd.crt
[root@centos6 certs]# openssl x509 -in httpd.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/emailAddress=admin@chen.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:
                    5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:
                    77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:
                    77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:
                    12:fd:19:e8:40:0d:ed:f6:ec:bc:df:e3:e6:2f:b8:
                    a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:
                    a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:
                    4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:
                    f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:
                    18:df:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:
                    8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:
                    64:0e:c1:bc:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:
                    4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:
                    01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:
                    17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:dc:
                    5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:
                    2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:
                    84:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

    Signature Algorithm: sha1WithRSAEncryption
         5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:dc:
         85:94:bc:d0:ae:82:db:c0:cd:bb:0c:7c:7d:6e:97:41:35:94:
         71:d9:bc:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:
         ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:
         df:33:45:8c:15:2a:a0:be:03:dc:4e:9c:91:ef:a1:99:a8:6d:
         f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:
         48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:
         97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:
         fe:75:8a:3d:75:1c:df:94:36:01:32:43:4e:9c:49:f4:4c:f2:
         d9:85:9d:45:89:7f:6d:47:a9:48:48:bc:b3:8b:ed:06:34:f5:
         30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:
         ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:
         ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:
         0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:
         68:80:5a:4f
[root@centos6 certs]#
[root@centos6 certs]# openssl ca -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6 certs]# cd ../
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.attr.old  newcerts  serial
certs       httpd.csr  index.txt.attr  index.txt.old       private   serial.old
[root@centos6 CA]# cat index.txt
R	170922234302Z	160922234706Z	01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# echo 01 > crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl
crl/       crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl/ca.rcl
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos6 CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
MIIB/TCB5gIBATANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCQ04xEDAOBgNV
…/HD
LDnOWEEA50F7JgUQgFKI72wvekQoZ9Cj/KeFbOov+wde7+uCGNqRcPLznnTxVz8a
e0/e9HGQaDLGKDoN/vxVXCRQ030fZrPzag810yqSxxgZ
-----END X509 CRL-----
[root@centos6 CA]# openssl crl -in crl/ca.rcl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/emailAddress=alren@163.com
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         03:a3:a3:c1:19:bc:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:df:8f:
         63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:
         6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:
         58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:
         4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:
         27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:
         f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:
         55:11:22:a6:af:83:17:8d:c0:f4:17:cd:10:f0:37:34:86:92:
         95:2a:de:f5:26:20:f0:26:dd:16:b8:72:3a:5c:fc:fd:d2:d6:
         bc:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:
         00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:
         a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:
         f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:
         0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:
         92:c7:18:19
[root@centos6 CA]#


A tip for copying files between hosts:

If ssh reports "REMOTE HOST IDENTIFICATION HAS CHANGED!", the host key recorded in ~/.ssh/known_hosts no longer matches the key the server presents. That is harmless only if you know the host was reinstalled or its key regenerated; the very same warning is what a man-in-the-middle attack looks like, which is why ssh refuses to connect. Rather than deleting the whole known_hosts file (which throws away the keys of every other host you have already verified), remove only the stale entry for that host (ssh-keygen -R host does this), then compare the new fingerprint with the one shown on the server's own console before accepting it on reconnect.



[root@centos6 ~]# ssh 10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.

[root@centos6 .ssh]#
[root@centos6 .ssh]# ssh root@10.1.229.93
The authenticity of host '10.1.249.93 (10.1.249.93)' can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.229.93' (RSA) to the list of known hosts.
root@10.1.249.93's password:



Reposted from chengong1013's 51CTO blog; original article: http://blog.51cto.com/purify/1856060. Contact the original author for permission to reproduce.
