产品解决方案文档与社区免费试用定价云市场合作伙伴支持与服务了解阿里云
备案控制台登录/注册
开发者社区 安全 文章 正文

openssl创建CA、申请证书及其给web服务颁发证书

2017-11-16 1791
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介:
+关注继续查看

一、创建私有的CA  

1)查看openssl的配置文件:/etc/pki/tls/openssl.cnf  

wKiom1fmDR-x_qsqAABbhmr_3bU145.png

2)创建所需的文件 

touch /etc/pki/CA/index.txt   echo 01 >/etc/pki/CA/serial  


3)CA自签证书生成私钥

cd /etc/pki/CA 

(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)


4)生成自签名证书   

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem  


-new:生成新的证书签署请求     

-x509:专用CA生成自签证书 

-key:生成请求时用到的私钥文件 

-days n:证书的有限期 

-out /path/to/somecertfile:证书的保存路径 



代码演示:


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
[root@centos6 ~]# ls /etc/pki/CA/
certs  crl  newcerts  private
[root@centos6 ~]# touch /etc/pki/CA/index.txt
[root@centos6 ~]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
[root@centos6 ~]# echo 01 > /etc/pki/CA/serial
[root@centos6 ~]# ll /etc/pki/CA/
total 20
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
-rw-r--r--. 1 root root    3 Sep 23 07:09 serial
[root@centos6 ~]# cd /etc/pki/CA
[root@centos6 CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@centos6 CA]# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-bash: nmask: command not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[root@centos6 CA]# cd private/
[root@centos6 private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyvOMUreRADORN9F0bk08d4n/xASELShJzW6V2K57ma/lmB7e
PBrOWrGCWhZR9tF8+Ewk/OCeQLukAHLgeLlte7au7uXf6RjFwi/XXemKzEUDEcOl
+CKTU7wio7if86rzX8xOPmP2+l4pItqqAKp7Kx9TOuAhT7gcQKKr5iU6lTvS/EJf
xBLtwoTRIIUdYxLI7XFZe7Lm5uOiYDHIhF70TQC3s0/1lnGEsWmAZ+uOCFy6bKck
v6orwDu2UfjhSqkiIJBFSvZQJqh6s3kt5dN+MyAkG1wJ6daJS87FKuguLI+ISxIJ
Z7tXXCQqZFle5Iu1LuwRDAoieWfwO868WI+HmQIDAQABAoIBAFaVwXAo0Lv9RB9E
RSAp43o8bdn680kwvwvd+iAPkLvox1M3GCkcZp1azfoRO7bJeT+VfNJGIj4Lz9RB
LnNS6Nq2/br+Z6DS6MwIDSIL2SN87epORiiu15wJz915jwQuEtb0Gw2TKHN4aKRu
Fcli8llba+7aYFvaeHM684ukpnGz6bRYwRDrEgUvMksFvPA2dqzvP/OjEIqvvf/l
d+rhOQGlB18E2oQ3048PJpgPHyceKLuuFkvFGsHofI8a5hLqD3PJ4AjHuPPF/Yqz
ZQwxmncV+YM9nJ/s8J5PJQ+3hPkA6pbhpM1eXHSPajnnkWiMV1RkUBltkHdJGPT9
h4t2o2ECgYEA5z/8HvbnXlAHC8+5mKO0rkBifxUyG9FVYmGOPKJwoK16eRxWuQgo
VboVZm5mK4LCtsMzUXobSXtgsb941O6U7lxrogflcYEQkvWL7JNg8vdIMwHs75zF
vXnoyCF9ZoDFr0juTP94AI4WW8GTfSo3caL+T8pnQalu5y3JvBQIRVcCgYEA4Kw1
8VAGix+QYWK9h1R35cKcnZQb0eq0ChZ8XFd7leLImPCpv7t1R86mvwIvZkYMIqD3
btUXk8G2ezyoufntEP5KGv9QbsQS8vFDw0RSsYkwWJZBeIUV6yPdUHniIWT6Ozwv
pD6hJwVSAv7m4tNTwJLH2Ebbs22Di05q/kfqFI8CgYEA4SVD0+Xx57ok0hQhkAI7
BLh87Vv2mGzcI9f1gwVogJfGOSolKStPEgAFm9/6q3w5FXXBfh9Td9yejRBtlWrg
J55l0LC9bCALwfk9jU0ERCoL6lWCmNvbDhomUMuCaw0O6xUnpmHINUohbJ5weZlj
t8jIr2jR1XUgHAZRdkNOtisCgYAfOU+13b1LEHPsVOCqMh8Hm2hQrgi/v7KNxFo8
KxxN1Fq0hp3Qu6is9hdObGtR92IwXdaFXLAOJNnLfr6kOgusVOrPnbP78NwBT25v
cMtdSQejCB7JNRW6vB1B1e6LXZE5MkAcv2d+GMsxB2PnGh+Fn+COOirGYO3rKlbM
SApMGQKBgQCaAaZzscT3KnnZEFi3e2IrlJMxY09zCm2xRle70m0lK0BHZsoxvcAl
bf19tZsoD2wPcvB6j+SLhB5jdG5iJ6SCp+vx+p/XFORlU+3V5gD/+P9I2LZfVZ+z
7YvRfXzuEiZi0h4ljBb4Oh8Di/0ytKnBzbWs00Trj7ariZ/WfgmTDw==
-----END RSA PRIVATE KEY-----
[root@centos6 private]# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[root@centos6 private]# openssl req -new -x509 -key cakey.pem  -days 7300 -out ../ca
cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:centos6.localdomain
Email Address []:alren@163.com
[root@centos6 private]# cd ../
[root@centos6 CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJANEOQWU3qHpeMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHYmVpamluZzELMAkGA1UEBwwCYmoxETAPBgNVBAoM
CGNoZW4uY29tMRAwDgYDVQQLDAdhbHJlbl8xMRwwGgYDVQQDDBNjZW50b3M2Lmxv
Y2FsZG9tYWluMRwwGgYJKoZIhvcNAQkBFg1hbHJlbkAxNjMuY29tMB4XDTE2MDky
MjIzMTc1MFoXDTM2MDkxNzIzMTc1MFowgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQI
DAdiZWlqaW5nMQswCQYDVQQHDAJiajERMA8GA1UECgwIY2hlbi5jb20xEDAOBgNV
BAsMB2FscmVuXzExHDAaBgNVBAMME2NlbnRvczYubG9jYWxkb21haW4xHDAaBgkq
hkiG9w0BCQEWDWFscmVuQDE2My5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDK84xSt5EAM5E30XRuTTx3if/EBIQtKEnNbpXYrnuZr+WYHt48Gs5a
sYJaFlH20Xz4TCT84J5Au6QAcuB4uW17tq7u5d/pGMXCL9dd6YrMRQMRw6X4IpNT
vCKjuJ/zqvNfzE4+Y/b6Xiki2qoAqnsrH1M64CFPuBxAoqvmJTqVO9L8Ql/EEu3C
hNEghR1jEsjtcVl7subm46JgMciEXvRNALezT/WWcYSxaYBn644IXLpspyS/qivA
O7ZR+OFKqSIgkEVK9lAmqHqzeS3l034zICQbXAnp1olLzsUq6C4sj4hLEglnu1dc
JCpkWV7ki7Uu7BEMCiJ5Z/A7zrxYj4eZAgMBAAGjUDBOMB0GA1UdDgQWBBQmophw
H4o7o6EFDot5NMVm+rmm2TAfBgNVHSMEGDAWgBQmophwH4o7o6EFDot5NMVm+rmm
2TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBkZgymfLYgWOK4RPv+
Vzs2eW+AaYNcNBcot/Ju6rByEZ/Sa4nWxNBVge/0ffSDUsmkSlUdS8oYUbLQU5Kq
pqDaQ0jbwqoMkR+YEau0Q8R+N9WtTOWew3xprRu9BvY9jTjBG5pyFp4pqOEcOTm3
YQyzv8C+0KUS2HDi13nBRet6PjYnt7zgiI2qjAuWaz70ntwFduvNDC7biX18CyJe
ydLnQDGot2dXWqGo/p4eDtIPxpsaH8UCz4SHDKnKZvVOg2r85Wv4F8If0puGGl7m
qhe40zy/s+F1V0lWeJ3nbk2vBSETdoZViUWuRz6acy0at6znlgcMLnwjum8jcp8K
IOnK
-----END CERTIFICATE-----
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:17:50 2016 GMT
            Not After : Sep 17 23:17:50 2036 GMT
        Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:f3:8c:52:b7:91:00:33:91:37:d1:74:6e:4d:
                    3c:77:89:ff:c4:04:84:2d:28:49:cd:6e:95:d8:ae:
                    7b:99:af:e5:98:1e:de:3c:1a:ce:5a:b1:82:5a:16:
                    51:f6:d1:7c:f8:4c:24:fc:e0:9e:40:bb:a4:00:72:
                    e0:78:b9:6d:7b:b6:ae:ee:e5:df:e9:18:c5:c2:2f:
                    d7:5d:e9:8a:cc:45:03:11:c3:a5:f8:22:93:53:bc:
                    22:a3:b8:9f:f3:aa:f3:5f:cc:4e:3e:63:f6:fa:5e:
                    29:22:da:aa:00:aa:7b:2b:1f:53:3a:e0:21:4f:b8:
                    1c:40:a2:ab:e6:25:3a:95:3b:d2:fc:42:5f:c4:12:
                    ed:c2:84:d1:20:85:1d:63:12:c8:ed:71:59:7b:b2:
                    e6:e6:e3:a2:60:31:c8:84:5e:f4:4d:00:b7:b3:4f:
                    f5:96:71:84:b1:69:80:67:eb:8e:08:5c:ba:6c:a7:
                    24:bf:aa:2b:c0:3b:b6:51:f8:e1:4a:a9:22:20:90:
                    45:4a:f6:50:26:a8:7a:b3:79:2d:e5:d3:7e:33:20:
                    24:1b:5c:09:e9:d6:89:4b:ce:c5:2a:e8:2e:2c:8f:
                    88:4b:12:09:67:bb:57:5c:24:2a:64:59:5e:e4:8b:
                    b5:2e:ec:11:0c:0a:22:79:67:f0:3b:ce:bc:58:8f:
                    87:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         64:66:0c:a6:7c:b6:20:58:e2:b8:44:fb:fe:57:3b:36:79:6f:
         80:69:83:5c:34:17:28:b7:f2:6e:ea:b0:72:11:9f:d2:6b:89:
         d6:c4:d0:55:81:ef:f4:7d:f4:83:52:c9:a4:4a:55:1d:4b:ca:
         18:51:b2:d0:53:92:aa:a6:a0:da:43:48:db:c2:aa:0c:91:1f:
         98:11:ab:b4:43:c4:7e:37:d5:ad:4c:e5:9e:c3:7c:69:ad:1b:
         bd:06:f6:3d:8d:38:c1:1b:9a:72:16:9e:29:a8:e1:1c:39:39:
         b7:61:0c:b3:bf:c0:be:d0:a5:12:d8:70:e2:d7:79:c1:45:eb:
         7a:3e:36:27:b7:bc:e0:88:8d:aa:8c:0b:96:6b:3e:f4:9e:dc:
         05:76:eb:cd:0c:2e:db:89:7d:7c:0b:22:5e:c9:d2:e7:40:31:
         a8:b7:67:57:5a:a1:a8:fe:9e:1e:0e:d2:0f:c6:9b:1a:1f:c5:
         02:cf:84:87:0c:a9:ca:66:f5:4e:83:6a:fc:e5:6b:f8:17:c2:
         1f:d2:9b:86:1a:5e:e6:aa:17:b8:d3:3c:bf:b3:e1:75:57:49:
         56:78:9d:e7:6e:4d:af:05:21:13:76:86:55:89:45:ae:47:3e:
         9a:73:2d:1a:b7:ac:e7:96:07:0c:2e:7c:23:ba:6f:23:72:9f:
         0a:20:e9:ca
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT


二、颁发及其吊销证书  

1)颁发证书,在需要使用证书的主机生成证书请求,给web服务器生成私钥(本实验在另一台主机上)

(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)


2)生成证书申请文件

openssl req -new-key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr 


3)将证书文件传给CA,CA签署证书并将证书颁发给请求者,注意:默认国家、省和公司必须和CA一致

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 


4)查看证书中的信息

opessl x509 -in /path/from/cert_file -noout -text|sbuject|serial|dates 


5)吊销证书,在客户端获取要吊销的证书的serial 

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject


6)在CA上,根据客户提交的serial与subject信息,对比检验 是否与index.txt文件中的信息一致吊销证书

 openssl ca -revoke /etc/pki/CA/newcerts/ SERIAL.pem

7)生成吊销证书的编号(第一次吊销一个证书时才需要执行) 

echo 01 > /etc/pki/CA/crlnumber 


8)更新证书吊销列表,查看crl文件

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl 

openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

9)安装mod_ssl模块并修改/etc/httpd/conf.d/ssl.conf配置文件

DocumentRoot "/web/pma"

ServerName www.chen.net:443

<Directory "/web/pma">

  AllowOverride All

  Options None

  require all granted

</Directory>


SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateFile /etc/httpd/ssl/httpd.key

图示:

授权目录

wKioL1f8mQejaZ6GAABSUdPrPYM286.png

wKiom1f8mQfAUbX_AAB3A2J8UuU585.png



10)测试

openssl  s_client  [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

实例:

openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem

curl --cacert /etc/pki/CA/cacert.pem  https://www.chen.net/


实现图示:

wKiom1f8kOixxPd4AACTeN1PM7Q878.png


代码演示:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
[root@chen ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[root@chen ~]# cd /etc/pki/tls/private/
[root@chen private]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAydNdaHEea6lQpeMOof1bARNbNjerS+CG6bZWxYp3FVIEsqnQ
5dGZ9uvWFcN3XWAb3nTQR0cEjULIkLQS/RnoQA3t9uy83+PmL7imXnB6eDhBXOhb
QYXjAyShhR/Y+OHBJT6HhDZYxqNPoKIxi7ObJVmG6ovuE8P5SQJl5bX21/YB+CmJ
PpoY37WVd4lJagECSK2NjIuMCdMnmIKZIZgCU3XKnw1kDsG8DJXj7ZVuiimxgspM
wyXFI94vHDVxQ7mEJiIBT3F9rn95+Fy35p+fHBcXS4Iw+gJaa4GZeOuYaNxdwI9l
9nLwx9hW69UJ0wcuJQGc8kyN8AFul/sh2aWExQIDAQABAoIBAQC4snRN6w9CyVzj
oqm2dsv8bQFQ2ZsqQhxU7yfzeWbHHRrtgdiJKMq0nFh77DhlPFnkt5QPVp+EwrQX
MKQb+cSAMf8utLGYVtBFpb6iuF5rfFfctUsl6Ge6baBe2qlOAhMmiVWtGasehT+O
qj+bME9v28FLDalfbz3HoakskdyG/ptb6MEh/8Z4bAFovyYfI+IY+P3dzDd018Sv
V6wgj+A11wmhNUyete++DoO/JJtQJZuh0LeN4eg2W51M9vnnH7hrosyRwHfcYioU
SUoKEWs4Md78zVL7IeFcRwV3mSgm356u9SKl2gs+X9Qpb9Uyt5zs1q2jxGxwoe5s
ige9ERbVAoGBAPBIoELS4Cvdr1McaYbvnU6XfCVuWti0ZFDKcEaK2XUz2xMaCeBV
WPfNHq0PiC52RG8h0f9cqSt6m3rB8/5HjTuf9fyv2C6rnpUxfzqZ0P3euMBPIMHM
e2nBwr6hOMNeQwxs6YfXILlcRzMub4c4jqxNGESrWoQTogFe4TEINoe/AoGBANcG
yXsZRwI76lPEm5Z8eyFiHqKAq+QazyZoH1xXW6ByqtDA6toqHGOtuzhUIwR2HfiG
O2I3CWYVnIxWcnBMvdJ4XwIORVzfG9sh6fBqCRbYd2LhD6xTXPqq6dfssT/qI2ql
Cy5PNc0Q2XDFdar0dpIjbjcYuxGPlPPlDtdwALR7AoGBAJtZKRvrAHn72nVuYh+W
XWrJb783iM6gWlcNeudwr8UhoJrJ8+aw51NWr2WOLCp11irPf9iMjOcKXulP6jLV
Cc+pzLzw52DNHjsxBCPb/I2V6HaU8gW58XRfjEv5KhzNnaWz6IwlnweYTIQfmoWf
IEbvlSgYbO4FT3F5aThtKew7AoGADojo6adFw4LlThBGLB/x+sm1JGrqM5sUUZZM
OGO3T9swbLf9qA2cqag+tYoKa+zIDdqU/QiXXA0t7daSGcE2O5njYjIwwhxat69N
LvEb+C1dtJNeCdoAuPkAoZXgTV+4USci4Fh+XIQ9DoBqecnYkfxPIO5NBtzbxri/
DhUGFy0CgYB6Q0T2w3e8SkgF6FSgqIe4u5vio6RCsPIVhHuuZacOgeyzAqCEwQJg
b3SDZIexAUyPAnhNtkllnAYSKdFa97fXyGUdLNh0otj74C9Na6yLrUQ8zdEC1o3u
VOJyOO57bfBykghXYi9JN+29sBB0YOj9uDE0nOUImR95eiwKsP5QXg==
-----END RSA PRIVATE KEY-----
[root@chen private]# openssl req -new -key /etc/pki/tls/private/httpd.key  -days 365 -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:admin@chen.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@chen private]# ls
httpd.csr  httpd.key
[root@chen private]# scp httpd.csr 10.1.249.94:
[root@centos6 CA]# cp /root/httpd.csr  .
[root@centos6 CA]# ls
cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial
[root@centos6 CA]# openssl ca -in httpd.csr  -out  certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = chen.com
            organizationalUnitName    = alren_1
            commonName                = www.alren.com
            emailAddress              = admin@chen.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
 
Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.old  private  serial.old
certs       httpd.csr  index.txt.attr  newcerts       serial
[root@centos6 CA]# cat index.txt.attr
unique_subject = yes
[root@centos6 CA]# cat index.txt
V   170922234302Z       01  unknown /C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# cat serial
02
[root@centos6 CA]# cd certs/
[root@centos6 certs]# ls
httpd.crt
[root@centos6 certs]# openssl x509 -in httpd.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/emailAddress=admin@chen.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:
                    5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:
                    77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:
                    77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:
                    12:fd:19:e8:40:0d:ed:f6:ec:bc:df:e3:e6:2f:b8:
                    a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:
                    a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:
                    4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:
                    f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:
                    18:df:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:
                    8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:
                    64:0e:c1:bc:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:
                    4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:
                    01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:
                    17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:dc:
                    5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:
                    2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:
                    84:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
 
    Signature Algorithm: sha1WithRSAEncryption
         5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:dc:
         85:94:bc:d0:ae:82:db:c0:cd:bb:0c:7c:7d:6e:97:41:35:94:
         71:d9:bc:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:
         ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:
         df:33:45:8c:15:2a:a0:be:03:dc:4e:9c:91:ef:a1:99:a8:6d:
         f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:
         48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:
         97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:
         fe:75:8a:3d:75:1c:df:94:36:01:32:43:4e:9c:49:f4:4c:f2:
         d9:85:9d:45:89:7f:6d:47:a9:48:48:bc:b3:8b:ed:06:34:f5:
         30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:
         ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:
         ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:
         0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:
         68:80:5a:4f
[root@centos6 certs]#
[root@centos6 certs]#
[root@centos6 certs]# openssl ca  -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6 certs]# cd ../
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.attr.old  newcerts  serial
certs       httpd.csr  index.txt.attr  index.txt.old       private   serial.old
[root@centos6 CA]# cat index.txt
R   170922234302Z   160922234706Z   01  unknown /C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# echo 01 > crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl
crl/       crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl/ca.rcl
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos6 CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
MIIB/TCB5gIBATANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB2JlaWppbmcxCzAJBgNVBAcMAmJqMREwDwYDVQQKDAhjaGVuLmNvbTEQMA4G
A1UECwwHYWxyZW5fMTEcMBoGA1UEAwwTY2VudG9zNi5sb2NhbGRvbWFpbjEcMBoG
CSqGSIb3DQEJARYNYWxyZW5AMTYzLmNvbRcNMTYwOTIyMjM1MDU0WhcNMTYxMDIy
MjM1MDU0WjAUMBICAQEXDTE2MDkyMjIzNDcwNlqgDjAMMAoGA1UdFAQDAgEBMA0G
CSqGSIb3DQEBBQUAA4IBAQADo6PBGbyqpM+noDuaDZxy349jgqcmRLCPDYKRZ4L+
1PyRTVhuIZztSUu2u5x7ZEYx3jyR7rFY8tpHRYT4ZnJe9ol4pTUb8INNx0lIZ4r1
hGlKWKQSDS3WVrQnCswBhWcAccd9wU2+YTj4m7f1drTbu6d5elfaZR1yKsTLnZdV
ESKmr4MXjcD0F80Q8Dc0hpKVKt71JiDwJt0WuHI6XPz90ta8EAN7Ry87Aj8f9/HD
LDnOWEEA50F7JgUQgFKI72wvekQoZ9Cj/KeFbOov+wde7+uCGNqRcPLznnTxVz8a
e0/e9HGQaDLGKDoN/vxVXCRQ030fZrPzag810yqSxxgZ
-----END X509 CRL-----
[root@centos6 CA]# openssl crl -in crl/ca.rcl  -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/emailAddress=alren@163.com
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         03:a3:a3:c1:19:bc:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:df:8f:
         63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:
         6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:
         58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:
         4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:
         27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:
         f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:
         55:11:22:a6:af:83:17:8d:c0:f4:17:cd:10:f0:37:34:86:92:
         95:2a:de:f5:26:20:f0:26:dd:16:b8:72:3a:5c:fc:fd:d2:d6:
         bc:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:
         00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:
         a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:
         f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:
         0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:
         92:c7:18:19
[root@centos6 CA]#


不同主机之间拷贝文件小技巧:

在使用ssh远程登录时提示:remote host indentification has changed!则需清除~/.ssh/known_hosts文件即可,因为系统检测出rsa钥匙发生了改变。清除此配置文件重连。


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[root@centos6 ~]# ssh  10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.
 
[root@centos6 .ssh]#
[root@centos6 .ssh]# ssh root@10.1.229.93
The authenticity of host '10.1.249.93 (10.1.249.93)' can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.229.93' (RSA) to the list of known hosts.
root@10.1.249.93's password:



本文转自chengong1013 51CTO博客,原文链接:http://blog.51cto.com/purify/1856060,如需转载请自行联系原作者

文章标签:
高速通道
函数计算
索引
Web App开发
网络安全
关键词:
web服务
web证书
web创建
web申请
科技小先锋
目录
相关文章
vohelon
|
3天前
|
存储 数据库连接 数据库
无法连接到元数据库可能是导致你的 Web 服务无法启动的原因
无法连接到元数据库可能是导致你的 Web 服务无法启动的原因
vohelon
14 2
ftw2fzqaoykua
|
18天前
|
弹性计算 Kubernetes 索引
使用Kubectl部署web服务到K8s集群
本场景带您体验如何使用k8s的原生命令kubectl部署一个web应用(魔方应用)的镜像到k8s集群中,并通过Ingress将部署的服务暴露出来由外部访问。
ftw2fzqaoykua
86 0
coleak
|
2月前
|
Ubuntu 网络安全 Apache
物理机不能访问虚拟机kali的web服务解决方案记录
物理机不能访问虚拟机kali的web服务解决方案记录
coleak
53 0
周周的奇妙编程
|
2月前
|
弹性计算 Kubernetes 容器
使用Kubectl部署web服务到K8s集群
本次基于阿里云实验室提供的实验环境,使用预创建好的创建云服务器ECS和ACK集群资源,实现通过Kubectl部署web服务到K8s集群。
周周的奇妙编程
208 2
Python编程与实战
|
2月前
|
Unix 应用服务中间件 nginx
一个高性能的web服务是如何搭建的?
一个高性能的web服务是如何搭建的?
Python编程与实战
29 0
小Lee
|
2月前
|
存储 测试技术 网络性能优化
Web服务应用
文件存储NAS可用于各种内容管理系统和Web服务应用程序,为网站及应用程序提供高效存储服务。通过CNFS(Container Network File System)挂载NAS文件系统可提升NAS文件系统的性能和QoS控制。您可以通过CNFS创建一个新的NAS文件系统或通过CNFS管理已存在的NAS文件系统。
小Lee
30 1
三掌柜666
|
2月前
|
存储 容灾 网络性能优化
关于Web服务和内容管理的体验
Web服务和内容管理在当今数字化时代扮演着重要的角色,随着互联网的普及和信息量的爆炸增长,效率和可靠性成为了内容管理系统和Web服务应用程序的关键要素。本文通过阿里云的文件存储NAS的使用体验,探讨其在Web服务和内容管理方面的使用体验。
三掌柜666
45 1
关于Web服务和内容管理的体验
漏刻有时
|
3月前
|
编解码 JavaScript 前端开发
百度地图:使用javascript和web服务API自动实现经纬度编码的解决方案
百度地图:使用javascript和web服务API自动实现经纬度编码的解决方案
漏刻有时
38 1
漏刻有时
|
3月前
|
定位技术 API
高德地图web服务API接口开发:获取IP定位显示当前位置的天气预报解决方案
高德地图web服务API接口开发:获取IP定位显示当前位置的天气预报解决方案
漏刻有时
121 0
漏刻有时
|
3月前
|
API 定位技术
百度地图web服务API接口实现IP到简要地址的转化
百度地图web服务API接口实现IP到简要地址的转化
漏刻有时
34 0
热门文章
最新文章
1
课时10:典型案例3:十分钟搭建弹性可扩展的 Web API(二)
2
课时10:典型案例3:十分钟搭建弹性可扩展的 Web API(一)
3
通过部署流行Web框架掌握Serverless技术
4
课时10:典型案例3:十分钟搭建弹性可扩展的 Web API
5
课时8:典型案例1:一键迁移 Web 应用
6
使用SLB+2ECS+NAS,部署电商web网站的高可用架构
7
Python Web框架Flask快速入门
8
课时8:典型案例1:一键迁移 Web 应用
9
Python Web框架Django快速入门
10
Go 框架三件套详解(Web/RPC/ORM)
1
关于 Web 应用的 Above-the-Fold Loading 加载机制
15
2
关于 Web 应用的内联 css 和 scss 文件里的 var 关键字用法
24
3
Web 应用中的 RAIL 模型 和 Chrome 开发者工具 Performances 面板对其的度量方法
33
4
无法连接到元数据库可能是导致你的 Web 服务无法启动的原因
14
5
web 开发里 SSR,CSR 和 SSG 的区别
18
6
Web 服务器启用 connection - keep-alive 的一些前置条件
17
7
基于 Angular 的企业级 Web 应用服务器端渲染的推荐建构
28
8
什么是 SAP UI5 的 Hybrid Web Containers
15
9
关于 SAP UI5 Web Components
32
10
Web Server 设置缓存响应字段的一些推荐方案
22
相关课程
更多
Java面试疑难点解析 - Java Web开发 Java Web项目实战 - 图书商城 高校精品课-西安交通大学-Web 编程技术 企业Web常用架构LAMP-LNMP实战 Java Web开发系列课程 - Spring框架入门 Python Web开发基础
相关电子书
更多
Web应用系统性能优化 高性能Web架构之缓存体系 PWA:移动Web的现在与未来
相关实验场景
更多
使用SLB+2ECS+NAS,部署电商web网站的高可用架构 1分钟SAE部署Web在线游戏 数字证书 云上Web及FTP WEB网页编程实战 WEB入门开发系列实验
推荐文章
更多
重磅来袭!参与评测赢Iphone14 pro! 文件存储NAS评测征集令! 招募!寻找技术人的伯乐! 乘风者计划邀您入驻社区,精彩权益即刻享
下一篇
欢迎加入 databricks 数据洞察产品交流钉钉群