Self-signing a CA certificate. While doing the self-signing, the local machine must also be promoted to a CA, because only a CA has the authority to issue certificates to others, itself included; only then can the CA sign its own certificate.
1. Change into the directory /etc/pki/CA and generate the key file. There are two ways to generate the key file.
First method:
# make test.pem
Note: when generating the pem file with make, you must be in /etc/pki/CA/private.
Second method:
# openssl genrsa 1024 > test.pem
or
# openssl genrsa 1024 -out test.pem
Note: when the key file is generated this way, the file must already exist, otherwise it will not succeed.
# openssl genrsa 1024 > my.pem
Generating RSA private key, 1024 bit long modulus
....++++++
...........................................++++++
e is 65537 (0x10001)
2. After generating the key file, extract the public key into the self-signed CA certificate:
# openssl req -new -x509 -key cakey.pem -out ../cacert.pem -days 3660
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:root@station.example.co
Note: the values entered after the colons (marked in red in the original) are company details that you fill in according to your own organization's situation.
4. Edit the file /etc/pki/tls/openssl.cnf and change a few settings:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
Change the relative path to this absolute path and save.
5. Create the working files in /etc/pki/CA:
# mkdir newcerts
# touch ./{serial,index.txt}
6. Give the serial file an initial value:
# echo "00" > ./serial
7. Create the directory myca, change into it, and create the key file:
# openssl genrsa 1024 > my.key
Generating RSA private key, 1024 bit long modulus
.................++++++
......................................++++++
e is 65537 (0x10001)
8. Extract the public key:
# openssl rsa -in my.key -pubout -out pub.key
writing RSA key
9. Create the certificate request file:
# openssl req -new -key my.key -out m.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:root@station.example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: the values entered here (marked in red in the original) must be the same as those given when my.pem was created, otherwise the signing by the CA will not succeed.
10. View the request file that was created:
# openssl req -in test.csr -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=CN, ST=HENAN, L=ZHENGZHOU, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:db:47:20:6b:fd:76:51:8c:35:31:df:08:59:d2:
f7:c5:2a:f4:00:dd:04:e1:34:73:09:2f:92:cd:42:
5b:92:50:c8:e3:7f:da:72:d4:f1:83:34:07:7e:ed:
48:fe:02:90:49:97:a6:6b:57:3d:18:56:f0:29:e4:
59:2c:d3:aa:c9:d7:ea:b8:c3:8d:49:f5:99:6f:49:
58:35:0e:74:56:b7:f2:32:31:ad:05:59:06:a0:a7:
25:88:75:9a:22:54:89:13:85:66:76:bd:9f:77:f8:
ad:70:90:65:39:98:26:83:c2:1a:65:ed:f6:42:54:
c5:77:68:02:bb:e4:44:01:4f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
34:82:de:72:60:14:cc:98:5d:f2:0f:1b:36:69:c2:1e:72:8e:
7c:7d:b7:5f:be:ad:d7:d3:19:01:d7:37:74:e9:18:5a:1c:df:
c7:76:b9:89:6e:ac:ea:78:4f:1b:38:9f:46:8e:c8:50:2f:7a:
22:72:a2:ca:2e:b1:4a:fd:45:e5:18:9c:16:bc:65:2c:7d:87:
ef:33:d3:18:1e:a8:bb:5f:ca:56:51:a7:44:fa:38:bf:13:4b:
2f:7d:c6:e3:80:79:22:41:50:68:8d:01:28:ad:a4:e6:5a:95:
0b:de:4a:79:e4:41:f6:b4:35:8b:29:95:ef:e4:f6:a4:70:81:
97:e7
11. Have the CA sign the request:
# openssl ca -in test.csr -out test.crt -days 1900
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 26 14:58:40 2010 GMT
Not After : May 11 14:58:40 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = ZZU
organizationalUnitName = CA
commonName = station.example.com
emailAddress = root@station.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:3C:E5:6D:D0:6B:C7:DC:DB:35:4E:9F:E4:63:24:FD:F5:35:6E:89
X509v3 Authority Key Identifier:
keyid:2B:18:5D:BF:28:71:50:13:AB:EF:6A:AC:BA:1C:DD:56:94:E5:39:1B
Certificate is to be certified until May 11 14:58:40 2015 GMT (1900 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When this message appears, the CA signing has succeeded.
12. View the signed certificate file:
# openssl x509 -in my.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=HENAN, L=ZHENGZHOU, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.exmaple.com
Validity
Not Before: Feb 26 14:58:40 2010 GMT
Not After : May 11 14:58:40 2015 GMT
Subject: C=CN, ST=HENAN, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:db:47:20:6b:fd:76:51:8c:35:31:df:08:59:d2:
f7:c5:2a:f4:00:dd:04:e1:34:73:09:2f:92:cd:42:
5b:92:50:c8:e3:7f:da:72:d4:f1:83:34:07:7e:ed:
48:fe:02:90:49:97:a6:6b:57:3d:18:56:f0:29:e4:
59:2c:d3:aa:c9:d7:ea:b8:c3:8d:49:f5:99:6f:49:
58:35:0e:74:56:b7:f2:32:31:ad:05:59:06:a0:a7:
25:88:75:9a:22:54:89:13:85:66:76:bd:9f:77:f8:
ad:70:90:65:39:98:26:83:c2:1a:65:ed:f6:42:54:
c5:77:68:02:bb:e4:44:01:4f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C4:3C:E5:6D:D0:6B:C7:DC:DB:35:4E:9F:E4:63:24:FD:F5:35:6E:89
X509v3 Authority Key Identifier:
keyid:2B:18:5D:BF:28:71:50:13:AB:EF:6A:AC:BA:1C:DD:56:94:E5:39:1B
Signature Algorithm: sha1WithRSAEncryption
5e:41:da:24:5b:2a:81:0e:ce:33:6d:9a:75:97:25:da:fd:e1:
a7:51:b3:ac:57:c1:dc:1c:5d:43:c7:59:dd:f3:3d:71:86:86:
1a:02:a4:e4:2e:bb:37:a9:08:6d:48:81:ff:46:31:cb:e9:16:
64:86:aa:d2:a2:78:fb:6b:53:82:40:19:d9:fb:ae:09:46:79:
3b:cc:ae:1c:dc:ce:90:da:e2:09:09:d4:4d:12:c0:5c:69:83:
80:f5:28:5c:05:17:82:19:be:ff:4b:b7:c3:d6:67:9b:48:95:
65:c4:70:c9:b4:d7:4c:9e:a6:d0:50:6a:b0:42:2a:58:53:2b:
d0:fe:4b:cd:45:8b:06:f7:7d:38:d4:4a:cd:bf:92:4d:fd:06:
73:8e:ed:42:6a:cb:52:43:94:c3:e8:81:2c:80:ac:a8:c1:60:
3f:66:81:46:79:97:a4:b8:37:99:1c:fb:1f:8d:ac:e6:a5:ca:
6b:e0:3b:0d:96:5e:02:c7:6a:e3:a2:f4:48:4a:78:cc:b7:d9:
eb:b5:c6:4b:5f:9d:eb:c2:ad:b7:89:a1:75:51:c3:1c:58:a6:
b3:4f:ed:cd:d7:8d:46:15:ac:21:64:ed:43:1f:61:01:60:bb:
96:14:c9:b5:11:e9:ad:33:f9:d2:a7:25:9b:2f:e1:30:48:20:
6e:f0:0f:9e
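The whole procedure above, steps 1 through 11, as one non-interactive script. This is an added example, not code from the original post: it assumes openssl is on the PATH, uses a temporary directory in place of /etc/pki/CA, and the function names build_ca, issue_cert and demo are the example's own. It substitutes 2048-bit RSA and SHA-256 for the 1024-bit keys and sha1 shown in the output above, and its second request deliberately changes the province so that the policy_match rule behind the step 9 note refuses it.

```shell
# Added example (not from the original post): steps 1-11 as one script; assumes openssl.
set -eu
build_ca() {   # $1 = CA root directory (the tutorial's /etc/pki/CA)
  root="$1"
  mkdir -p "$root/private" "$root/newcerts"   # step 5
  touch "$root/index.txt"                     # step 5: issued-certificate database
  echo "00" > "$root/serial"                  # step 6: first serial number to hand out
  # Minimal openssl.cnf: absolute dir (step 4); policy_match makes openssl ca
  # refuse a request whose C, ST or O differ from the CA certificate (step 9 note).
  cat > "$root/openssl.cnf" <<EOF
[ CA_default ]
dir = $root
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ req_dn ]
EOF
  # Steps 1-2: CA key and self-signed CA certificate (2048-bit RSA, sha256)
  openssl genrsa -out "$root/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$root/private/cakey.pem" -out "$root/cacert.pem" \
    -days 3660 -config "$root/openssl.cnf" -subj "/C=CN/ST=HENAN/O=ZZU/CN=station.example.com"
}
# Steps 7-11 for one subject: key, CSR, CA signature, then verify the chain.
issue_cert() {   # $1 = CA root, $2 = subject DN, $3 = file basename; 0 on success
  openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
  openssl req -new -key "$1/$3.key" -out "$1/$3.csr" -config "$1/openssl.cnf" -subj "$2"
  openssl ca -batch -config "$1/openssl.cnf" -name CA_default -days 1900 -in "$1/$3.csr" -out "$1/$3.crt" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$1/cacert.pem" "$1/$3.crt" >/dev/null
}
demo() {   # 0 when a matching request is signed and a mismatched one is refused
  root=$(mktemp -d); build_ca "$root"
  issue_cert "$root" "/C=CN/ST=HENAN/O=ZZU/CN=web.example.com" web || return 1
  if issue_cert "$root" "/C=CN/ST=BEIJING/O=ZZU/CN=web2.example.com" bad; then return 1; fi
  rm -rf "$root"
}
demo && echo "CA built, matching request signed, mismatched request refused"
```

The redirect on the openssl ca line hides the refusal message for the second request; drop it to see the stateOrProvinceName complaint that the step 9 note is warning about.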
This article is reposted from freehat08's 51CTO blog; original link: http://blog.51cto.com/freehat/278917. To repost it, contact the original author.