一、创建私有的CA
1)查看openssl的配置文件:/etc/pki/tls/openssl.cnf
2)创建所需的文件
touch /etc/pki/CA/index.txt echo 01 >/etc/pki/CA/serial
3)CA自签证书生成私钥
cd /etc/pki/CA
(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
4)生成自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new:生成新的证书签署请求
-x509:专用CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有限期
-out /path/to/somecertfile:证书的保存路径
代码演示:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
[root@centos6 ~]
# ls /etc/pki/CA/
certs crl newcerts private
[root@centos6 ~]
# touch /etc/pki/CA/index.txt
[root@centos6 ~]
# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May 9 22:56 certs
drwxr-xr-x. 2 root root 4096 May 9 22:56 crl
-rw-r--r--. 1 root root 0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May 9 22:56 newcerts
drwx------. 2 root root 4096 May 9 22:56 private
[root@centos6 ~]
# echo 01 > /etc/pki/CA/serial
[root@centos6 ~]
# ll /etc/pki/CA/
total 20
drwxr-xr-x. 2 root root 4096 May 9 22:56 certs
drwxr-xr-x. 2 root root 4096 May 9 22:56 crl
-rw-r--r--. 1 root root 0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May 9 22:56 newcerts
drwx------. 2 root root 4096 May 9 22:56 private
-rw-r--r--. 1 root root 3 Sep 23 07:09 serial
[root@centos6 ~]
# cd /etc/pki/CA
[root@centos6 CA]
# ls
certs crl index.txt newcerts private serial
[root@centos6 CA]
# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-
bash
: nmask:
command
not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[root@centos6 CA]
# cd private/
[root@centos6 private]
# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyvOMUreRADORN9F0bk08d4n
/xASELShJzW6V2K57ma/lmB7e
PBrOWrGCWhZR9tF8+Ewk
/OCeQLukAHLgeLlte7au7uXf6RjFwi/XXemKzEUDEcOl
+CKTU7wio7if86rzX8xOPmP2+l4pItqqAKp7Kx9TOuAhT7gcQKKr5iU6lTvS
/EJf
xBLtwoTRIIUdYxLI7XFZe7Lm5uOiYDHIhF70TQC3s0
/1lnGEsWmAZ
+uOCFy6bKck
v6orwDu2UfjhSqkiIJBFSvZQJqh6s3kt5dN+MyAkG1wJ6daJS87FKuguLI+ISxIJ
Z7tXXCQqZFle5Iu1LuwRDAoieWfwO868WI+HmQIDAQABAoIBAFaVwXAo0Lv9RB9E
RSAp43o8bdn680kwvwvd+iAPkLvox1M3GCkcZp1azfoRO7bJeT+VfNJGIj4Lz9RB
LnNS6Nq2
/br
+Z6DS6MwIDSIL2SN87epORiiu15wJz915jwQuEtb0Gw2TKHN4aKRu
Fcli8llba+7aYFvaeHM684ukpnGz6bRYwRDrEgUvMksFvPA2dqzvP
/OjEIqvvf/l
d+rhOQGlB18E2oQ3048PJpgPHyceKLuuFkvFGsHofI8a5hLqD3PJ4AjHuPPF
/Yqz
ZQwxmncV+YM9nJ
/s8J5PJQ
+3hPkA6pbhpM1eXHSPajnnkWiMV1RkUBltkHdJGPT9
h4t2o2ECgYEA5z
/8HvbnXlAHC8
+5mKO0rkBifxUyG9FVYmGOPKJwoK16eRxWuQgo
VboVZm5mK4LCtsMzUXobSXtgsb941O6U7lxrogflcYEQkvWL7JNg8vdIMwHs75zF
vXnoyCF9ZoDFr0juTP94AI4WW8GTfSo3caL+T8pnQalu5y3JvBQIRVcCgYEA4Kw1
8VAGix+QYWK9h1R35cKcnZQb0eq0ChZ8XFd7leLImPCpv7t1R86mvwIvZkYMIqD3
btUXk8G2ezyoufntEP5KGv9QbsQS8vFDw0RSsYkwWJZBeIUV6yPdUHniIWT6Ozwv
pD6hJwVSAv7m4tNTwJLH2Ebbs22Di05q
/kfqFI8CgYEA4SVD0
+Xx57ok0hQhkAI7
BLh87Vv2mGzcI9f1gwVogJfGOSolKStPEgAFm9
/6q3w5FXXBfh9Td9yejRBtlWrg
J55l0LC9bCALwfk9jU0ERCoL6lWCmNvbDhomUMuCaw0O6xUnpmHINUohbJ5weZlj
t8jIr2jR1XUgHAZRdkNOtisCgYAfOU+13b1LEHPsVOCqMh8Hm2hQrgi
/v7KNxFo8
KxxN1Fq0hp3Qu6is9hdObGtR92IwXdaFXLAOJNnLfr6kOgusVOrPnbP78NwBT25v
cMtdSQejCB7JNRW6vB1B1e6LXZE5MkAcv2d+GMsxB2PnGh+Fn+COOirGYO3rKlbM
SApMGQKBgQCaAaZzscT3KnnZEFi3e2IrlJMxY09zCm2xRle70m0lK0BHZsoxvcAl
bf19tZsoD2wPcvB6j+SLhB5jdG5iJ6SCp+vx+p
/XFORlU
+3V5gD/+P9I2LZfVZ+z
7YvRfXzuEiZi0h4ljBb4Oh8Di
/0ytKnBzbWs00Trj7ariZ/WfgmTDw
==
-----END RSA PRIVATE KEY-----
[root@centos6 private]
# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[root@centos6 private]
# openssl req -new -x509 -key cakey.pem -days 7300 -out ../ca
cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's
hostname
) []:centos6.localdomain
Email Address []:alren@163.com
[root@centos6 private]
# cd ../
[root@centos6 CA]
# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJANEOQWU3qHpeMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHYmVpamluZzELMAkGA1UEBwwCYmoxETAPBgNVBAoM
CGNoZW4uY29tMRAwDgYDVQQLDAdhbHJlbl8xMRwwGgYDVQQDDBNjZW50b3M2Lmxv
Y2FsZG9tYWluMRwwGgYJKoZIhvcNAQkBFg1hbHJlbkAxNjMuY29tMB4XDTE2MDky
MjIzMTc1MFoXDTM2MDkxNzIzMTc1MFowgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQI
DAdiZWlqaW5nMQswCQYDVQQHDAJiajERMA8GA1UECgwIY2hlbi5jb20xEDAOBgNV
BAsMB2FscmVuXzExHDAaBgNVBAMME2NlbnRvczYubG9jYWxkb21haW4xHDAaBgkq
hkiG9w0BCQEWDWFscmVuQDE2My5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDK84xSt5EAM5E30XRuTTx3if
/EBIQtKEnNbpXYrnuZr
+WYHt48Gs5a
sYJaFlH20Xz4TCT84J5Au6QAcuB4uW17tq7u5d
/pGMXCL9dd6YrMRQMRw6X4IpNT
vCKjuJ
/zqvNfzE4
+Y
/b6Xiki2qoAqnsrH1M64CFPuBxAoqvmJTqVO9L8Ql/EEu3C
hNEghR1jEsjtcVl7subm46JgMciEXvRNALezT
/WWcYSxaYBn644IXLpspyS/qivA
O7ZR+OFKqSIgkEVK9lAmqHqzeS3l034zICQbXAnp1olLzsUq6C4sj4hLEglnu1dc
JCpkWV7ki7Uu7BEMCiJ5Z
/A7zrxYj4eZAgMBAAGjUDBOMB0GA1UdDgQWBBQmophw
H4o7o6EFDot5NMVm+rmm2TAfBgNVHSMEGDAWgBQmophwH4o7o6EFDot5NMVm+rmm
2TAMBgNVHRMEBTADAQH
/MA0GCSqGSIb3DQEBBQUAA4IBAQBkZgymfLYgWOK4RPv
+
Vzs2eW+AaYNcNBcot
/Ju6rByEZ/Sa4nWxNBVge/0ffSDUsmkSlUdS8oYUbLQU5Kq
pqDaQ0jbwqoMkR+YEau0Q8R+N9WtTOWew3xprRu9BvY9jTjBG5pyFp4pqOEcOTm3
YQyzv8C+0KUS2HDi13nBRet6PjYnt7zgiI2qjAuWaz70ntwFduvNDC7biX18CyJe
ydLnQDGot2dXWqGo
/p4eDtIPxpsaH8UCz4SHDKnKZvVOg2r85Wv4F8If0puGGl7m
qhe40zy
/s
+F1V0lWeJ3nbk2vBSETdoZViUWuRz6acy0at6znlgcMLnwjum8jcp8K
IOnK
-----END CERTIFICATE-----
[root@centos6 CA]
# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain
/emailAddress
=alren@163.com
Validity
Not Before: Sep 22 23:17:50 2016 GMT
Not After : Sep 17 23:17:50 2036 GMT
Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain
/emailAddress
=alren@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ca:f3:8c:52:b7:91:00:33:91:37:d1:74:6e:4d:
3c:77:89:ff:c4:04:84:2d:28:49:
cd
:6e:95:d8:ae:
7b:99:af:e5:98:1e:de:3c:1a:ce:5a:b1:82:5a:16:
51:f6:d1:7c:f8:4c:24:fc:e0:9e:40:bb:a4:00:72:
e0:78:b9:6d:7b:b6:ae:ee:e5:
df
:e9:18:c5:c2:2f:
d7:5d:e9:8a:cc:45:03:11:c3:a5:f8:22:93:53:
bc
:
22:a3:b8:9f:f3:aa:f3:5f:cc:4e:3e:63:f6:fa:5e:
29:22:da:aa:00:aa:7b:2b:1f:53:3a:e0:21:4f:b8:
1c:40:a2:ab:e6:25:3a:95:3b:d2:fc:42:5f:c4:12:
ed:c2:84:d1:20:85:1d:63:12:c8:ed:71:59:7b:b2:
e6:e6:e3:a2:60:31:c8:84:5e:f4:4d:00:b7:b3:4f:
f5:96:71:84:b1:69:80:67:eb:8e:08:5c:ba:6c:a7:
24:bf:aa:2b:c0:3b:b6:51:f8:e1:4a:a9:22:20:90:
45:4a:f6:50:26:a8:7a:b3:79:2d:e5:d3:7e:33:20:
24:1b:5c:09:e9:d6:89:4b:ce:c5:2a:e8:2e:2c:8f:
88:4b:12:09:67:bb:57:5c:24:2a:64:59:5e:e4:8b:
b5:2e:ec:11:0c:0a:22:79:67:f0:3b:ce:
bc
:58:8f:
87:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
X509v3 Authority Key Identifier:
keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
64:66:0c:a6:7c:b6:20:58:e2:b8:44:fb:fe:57:3b:36:79:6f:
80:69:83:5c:34:17:28:b7:f2:6e:ea:b0:72:11:9f:d2:6b:89:
d6:c4:d0:55:81:ef:f4:7d:f4:83:52:c9:a4:4a:55:1d:4b:ca:
18:51:b2:d0:53:92:aa:a6:a0:da:43:48:db:c2:aa:0c:91:1f:
98:11:ab:b4:43:c4:7e:37:d5:ad:4c:e5:9e:c3:7c:69:ad:1b:
bd:06:f6:3d:8d:38:c1:1b:9a:72:16:9e:29:a8:e1:1c:39:39:
b7:61:0c:b3:bf:c0:be:d0:a5:12:d8:70:e2:d7:79:c1:45:eb:
7a:3e:36:27:b7:
bc
:e0:88:8d:aa:8c:0b:96:6b:3e:f4:9e:
dc
:
05:76:eb:
cd
:0c:2e:db:89:7d:7c:0b:22:5e:c9:d2:e7:40:31:
a8:b7:67:57:5a:a1:a8:fe:9e:1e:0e:d2:0f:c6:9b:1a:1f:c5:
02:cf:84:87:0c:a9:ca:66:f5:4e:83:6a:fc:e5:6b:f8:17:c2:
1f:d2:9b:86:1a:5e:e6:aa:17:b8:d3:3c:bf:b3:e1:75:57:49:
56:78:9d:e7:6e:4d:af:05:21:13:76:86:55:89:45:ae:47:3e:
9a:73:2d:1a:b7:ac:e7:96:07:0c:2e:7c:23:ba:6f:23:72:9f:
0a:20:e9:ca
[root@centos6 CA]
# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT
|
二、颁发及其吊销证书
1)颁发证书,在需要使用证书的主机生成证书请求,给web服务器生成私钥(本实验在另一台主机上)
(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
2)生成证书申请文件
openssl req -new-key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
3)将证书文件传给CA,CA签署证书并将证书颁发给请求者,注意:默认国家、省和公司必须和CA一致
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
4)查看证书中的信息
opessl x509 -in /path/from/cert_file -noout -text|sbuject|serial|dates
5)吊销证书,在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
6)在CA上,根据客户提交的serial与subject信息,对比检验 是否与index.txt文件中的信息一致吊销证书
openssl ca -revoke /etc/pki/CA/newcerts/ SERIAL.pem
7)生成吊销证书的编号(第一次吊销一个证书时才需要执行)
echo 01 > /etc/pki/CA/crlnumber
8)更新证书吊销列表,查看crl文件
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
9)安装mod_ssl模块并修改/etc/httpd/conf.d/ssl.conf配置文件
DocumentRoot "/web/pma"
ServerName www.chen.net:443
<Directory "/web/pma">
AllowOverride All
Options None
require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateFile /etc/httpd/ssl/httpd.key
图示:
授权目录
10)测试
openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
实例:
openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem
curl --cacert /etc/pki/CA/cacert.pem https://www.chen.net/
实现图示:
代码演示:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
|
[root@chen ~]
# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[root@chen ~]
# cd /etc/pki/tls/private/
[root@chen private]
# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAydNdaHEea6lQpeMOof1bARNbNjerS+CG6bZWxYp3FVIEsqnQ
5dGZ9uvWFcN3XWAb3nTQR0cEjULIkLQS
/RnoQA3t9uy83
+PmL7imXnB6eDhBXOhb
QYXjAyShhR
/Y
+OHBJT6HhDZYxqNPoKIxi7ObJVmG6ovuE8P5SQJl5bX21
/YB
+CmJ
PpoY37WVd4lJagECSK2NjIuMCdMnmIKZIZgCU3XKnw1kDsG8DJXj7ZVuiimxgspM
wyXFI94vHDVxQ7mEJiIBT3F9rn95+Fy35p+fHBcXS4Iw+gJaa4GZeOuYaNxdwI9l
9nLwx9hW69UJ0wcuJQGc8kyN8AFul
/sh2aWExQIDAQABAoIBAQC4snRN6w9CyVzj
oqm2dsv8bQFQ2ZsqQhxU7yfzeWbHHRrtgdiJKMq0nFh77DhlPFnkt5QPVp+EwrQX
MKQb+cSAMf8utLGYVtBFpb6iuF5rfFfctUsl6Ge6baBe2qlOAhMmiVWtGasehT+O
qj+bME9v28FLDalfbz3HoakskdyG
/ptb6MEh/8Z4bAFovyYfI
+IY+P3dzDd018Sv
V6wgj+A11wmhNUyete++DoO
/JJtQJZuh0LeN4eg2W51M9vnnH7hrosyRwHfcYioU
SUoKEWs4Md78zVL7IeFcRwV3mSgm356u9SKl2gs+X9Qpb9Uyt5zs1q2jxGxwoe5s
ige9ERbVAoGBAPBIoELS4Cvdr1McaYbvnU6XfCVuWti0ZFDKcEaK2XUz2xMaCeBV
WPfNHq0PiC52RG8h0f9cqSt6m3rB8
/5HjTuf9fyv2C6rnpUxfzqZ0P3euMBPIMHM
e2nBwr6hOMNeQwxs6YfXILlcRzMub4c4jqxNGESrWoQTogFe4TEINoe
/AoGBANcG
yXsZRwI76lPEm5Z8eyFiHqKAq+QazyZoH1xXW6ByqtDA6toqHGOtuzhUIwR2HfiG
O2I3CWYVnIxWcnBMvdJ4XwIORVzfG9sh6fBqCRbYd2LhD6xTXPqq6dfssT
/qI2ql
Cy5PNc0Q2XDFdar0dpIjbjcYuxGPlPPlDtdwALR7AoGBAJtZKRvrAHn72nVuYh+W
XWrJb783iM6gWlcNeudwr8UhoJrJ8+aw51NWr2WOLCp11irPf9iMjOcKXulP6jLV
Cc+pzLzw52DNHjsxBCPb
/I2V6HaU8gW58XRfjEv5KhzNnaWz6IwlnweYTIQfmoWf
IEbvlSgYbO4FT3F5aThtKew7AoGADojo6adFw4LlThBGLB
/x
+sm1JGrqM5sUUZZM
OGO3T9swbLf9qA2cqag+tYoKa+zIDdqU
/QiXXA0t7daSGcE2O5njYjIwwhxat69N
LvEb+C1dtJNeCdoAuPkAoZXgTV+4USci4Fh+XIQ9DoBqecnYkfxPIO5NBtzbxri/
DhUGFy0CgYB6Q0T2w3e8SkgF6FSgqIe4u5vio6RCsPIVhHuuZacOgeyzAqCEwQJg
b3SDZIexAUyPAnhNtkllnAYSKdFa97fXyGUdLNh0otj74C9Na6yLrUQ8zdEC1o3u
VOJyOO57bfBykghXYi9JN+29sBB0YOj9uDE0nOUImR95eiwKsP5QXg==
-----END RSA PRIVATE KEY-----
[root@chen private]
# openssl req -new -key /etc/pki/tls/private/httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's
hostname
) []:www.alren.com
Email Address []:admin@chen.com
Please enter the following
'extra'
attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@chen private]
# ls
httpd.csr httpd.key
[root@chen private]
# scp httpd.csr 10.1.249.94:
[root@centos6 CA]
# cp /root/httpd.csr .
[root@centos6 CA]
# ls
cacert.pem certs crl httpd.csr index.txt newcerts private serial
[root@centos6 CA]
# openssl ca -in httpd.csr -out certs/httpd.crt
Using configuration from
/etc/pki/tls/openssl
.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 22 23:43:02 2016 GMT
Not After : Sep 22 23:43:02 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = chen.com
organizationalUnitName = alren_1
commonName = www.alren.com
emailAddress = admin@chen.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
X509v3 Authority Key Identifier:
keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
Certificate is to be certified
until
Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y
/n
]:y
1 out of 1 certificate requests certified, commit? [y
/n
]y
Write out database with 1 new entries
Data Base Updated
[root@centos6 CA]
# ls
cacert.pem crl index.txt index.txt.old private serial.old
certs httpd.csr index.txt.attr newcerts serial
[root@centos6 CA]
# cat index.txt.attr
unique_subject =
yes
[root@centos6 CA]
# cat index.txt
V 170922234302Z 01 unknown
/C
=CN
/ST
=beijing
/O
=chen.com
/OU
=alren_1
/CN
=www.alren.com
/emailAddress
=admin@chen.com
[root@centos6 CA]
# cat serial
02
[root@centos6 CA]
# cd certs/
[root@centos6 certs]
# ls
httpd.crt
[root@centos6 certs]
# openssl x509 -in httpd.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain
/emailAddress
=alren@163.com
Validity
Not Before: Sep 22 23:43:02 2016 GMT
Not After : Sep 22 23:43:02 2017 GMT
Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com
/emailAddress
=admin@chen.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:
5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:
77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:
77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:
12:fd:19:e8:40:0d:ed:f6:ec:
bc
:
df
:e3:e6:2f:b8:
a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:
a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:
4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:
f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:
18:
df
:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:
8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:
64:0e:c1:
bc
:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:
4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:
01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:
17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:
dc
:
5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:
2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:
84:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
X509v3 Authority Key Identifier:
keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
Signature Algorithm: sha1WithRSAEncryption
5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:
dc
:
85:94:
bc
:d0:ae:82:db:c0:
cd
:bb:0c:7c:7d:6e:97:41:35:94:
71:d9:
bc
:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:
ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:
df
:33:45:8c:15:2a:a0:be:03:
dc
:4e:9c:91:ef:a1:99:a8:6d:
f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:
48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:
97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:
fe:75:8a:3d:75:1c:
df
:94:36:01:32:43:4e:9c:49:f4:4c:f2:
d9:85:9d:45:89:7f:6d:47:a9:48:48:
bc
:b3:8b:ed:06:34:f5:
30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:
ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:
ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:
0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:
68:80:5a:4f
[root@centos6 certs]
#
[root@centos6 certs]
#
[root@centos6 certs]
# openssl ca -revoke httpd.crt
Using configuration from
/etc/pki/tls/openssl
.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6 certs]
# cd ../
[root@centos6 CA]
# ls
cacert.pem crl index.txt index.txt.attr.old newcerts serial
certs httpd.csr index.txt.attr index.txt.old private serial.old
[root@centos6 CA]
# cat index.txt
R 170922234302Z 160922234706Z 01 unknown
/C
=CN
/ST
=beijing
/O
=chen.com
/OU
=alren_1
/CN
=www.alren.com
/emailAddress
=admin@chen.com
[root@centos6 CA]
# echo 01 > crlnumber
[root@centos6 CA]
# openssl ca -gencrl -out crl
crl/ crlnumber
[root@centos6 CA]
# openssl ca -gencrl -out crl/ca.rcl
Using configuration from
/etc/pki/tls/openssl
.cnf
[root@centos6 CA]
# cat crl/ca.rcl
-----BEGIN X509 CRL-----
MIIB
/TCB5gIBATANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB2JlaWppbmcxCzAJBgNVBAcMAmJqMREwDwYDVQQKDAhjaGVuLmNvbTEQMA4G
A1UECwwHYWxyZW5fMTEcMBoGA1UEAwwTY2VudG9zNi5sb2NhbGRvbWFpbjEcMBoG
CSqGSIb3DQEJARYNYWxyZW5AMTYzLmNvbRcNMTYwOTIyMjM1MDU0WhcNMTYxMDIy
MjM1MDU0WjAUMBICAQEXDTE2MDkyMjIzNDcwNlqgDjAMMAoGA1UdFAQDAgEBMA0G
CSqGSIb3DQEBBQUAA4IBAQADo6PBGbyqpM+noDuaDZxy349jgqcmRLCPDYKRZ4L+
1PyRTVhuIZztSUu2u5x7ZEYx3jyR7rFY8tpHRYT4ZnJe9ol4pTUb8INNx0lIZ4r1
hGlKWKQSDS3WVrQnCswBhWcAccd9wU2+YTj4m7f1drTbu6d5elfaZR1yKsTLnZdV
ESKmr4MXjcD0F80Q8Dc0hpKVKt71JiDwJt0WuHI6XPz90ta8EAN7Ry87Aj8f9
/HD
LDnOWEEA50F7JgUQgFKI72wvekQoZ9Cj
/KeFbOov
+wde7+uCGNqRcPLznnTxVz8a
e0
/e9HGQaDLGKDoN/vxVXCRQ030fZrPzag810yqSxxgZ
-----END X509 CRL-----
[root@centos6 CA]
# openssl crl -in crl/ca.rcl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
/C
=CN
/ST
=beijing
/L
=bj
/O
=chen.com
/OU
=alren_1
/CN
=centos6.localdomain
/emailAddress
=alren@163.com
Last Update: Sep 22 23:50:54 2016 GMT
Next Update: Oct 22 23:50:54 2016 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Sep 22 23:47:06 2016 GMT
Signature Algorithm: sha1WithRSAEncryption
03:a3:a3:c1:19:
bc
:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:
df
:8f:
63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:
6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:
58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:
4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:
27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:
f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:
55:11:22:a6:af:83:17:8d:c0:f4:17:
cd
:10:f0:37:34:86:92:
95:2a:de:f5:26:20:f0:26:
dd
:16:b8:72:3a:5c:fc:fd:d2:d6:
bc
:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:
00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:
a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:
f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:
0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:
92:c7:18:19
[root@centos6 CA]
#
|
不同主机之间拷贝文件小技巧:
在使用ssh远程登录时提示:remote host indentification has changed!则需清除~/.ssh/known_hosts文件即可,因为系统检测出rsa钥匙发生了改变。清除此配置文件重连。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
[root@centos6 ~]
# ssh 10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (
man
-
in
-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint
for
the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key
in
/root/
.
ssh
/known_hosts
to get rid of this message.
Offending key
in
/root/
.
ssh
/known_hosts
:1
RSA host key
for
10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.
[root@centos6 .
ssh
]
#
[root@centos6 .
ssh
]
# ssh root@10.1.229.93
The authenticity of host
'10.1.249.93 (10.1.249.93)'
can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to
continue
connecting (
yes
/no
)?
yes
Warning: Permanently added
'10.1.229.93'
(RSA) to the list of known hosts.
root@10.1.249.93's password:
|
本文转自chengong1013 51CTO博客,原文链接:http://blog.51cto.com/purify/1856060,如需转载请自行联系原作者
