About CA self-signing

Introduction:
Self-signed certification by a CA. While doing the self-signed certification, the local machine must of course be promoted to a CA, because only a CA has the authority to issue certificates to others, itself included; only then can the CA sign its own certificate.

 

1  First enter the directory /etc/pki/CA

   Generate the key file. There are two ways to generate the key file.

   Method one:  # make test.pem    Note: when using make to generate the pem file, you must be in /etc/pki/CA/private

   Method two:  # openssl genrsa 1024 > test.pem

       or       # openssl genrsa 1024 -out test.pem    Note: with this method, however, the key file must already exist when it is generated, otherwise it will not succeed

# openssl genrsa 1024 > my.pem
Generating RSA private key, 1024 bit long modulus
....++++++
...........................................++++++
e is 65537 (0x10001)

After generating the key file, extract the public key into a self-signed CA certificate:

  openssl req -new -x509 -key cakey.pem -out ../cacert.pem -days 3660

Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:root@station.example.co

   Note: the parts in red (the values entered at each prompt) are company details that you fill in according to your own organization.

Edit the file /etc/pki/tls/openssl.cnf and change some settings:

 [ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept

   Change the relative path to an absolute path, and save.

5  Create the files in /etc/pki/CA

 # mkdir newcerts
 # touch ./{serial,index.txt}

Give the serial file an initial value:

 # echo "00" > ./serial

7  Create the directory myca, enter it, and create the key file

 # openssl genrsa 1024 > my.key
Generating RSA private key, 1024 bit long modulus
.................++++++
......................................++++++
e is 65537 (0x10001)

 

8  Extract the public key

 # openssl rsa -in my.key -pubout -out pub.key
 writing RSA key

9  Create the request file

 # openssl req -new -key my.key -out test.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:station.example.com
Email Address []:root@station.example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

   Note: the parts in red must be identical to the information entered when creating my.pem, otherwise the CA signing will fail.

10  View the request file that was created

 # openssl req -in test.csr -noout -text

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=HENAN, L=ZHENGZHOU, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:47:20:6b:fd:76:51:8c:35:31:df:08:59:d2:
                    f7:c5:2a:f4:00:dd:04:e1:34:73:09:2f:92:cd:42:
                    5b:92:50:c8:e3:7f:da:72:d4:f1:83:34:07:7e:ed:
                    48:fe:02:90:49:97:a6:6b:57:3d:18:56:f0:29:e4:
                    59:2c:d3:aa:c9:d7:ea:b8:c3:8d:49:f5:99:6f:49:
                    58:35:0e:74:56:b7:f2:32:31:ad:05:59:06:a0:a7:
                    25:88:75:9a:22:54:89:13:85:66:76:bd:9f:77:f8:
                    ad:70:90:65:39:98:26:83:c2:1a:65:ed:f6:42:54:
                    c5:77:68:02:bb:e4:44:01:4f
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        34:82:de:72:60:14:cc:98:5d:f2:0f:1b:36:69:c2:1e:72:8e:
        7c:7d:b7:5f:be:ad:d7:d3:19:01:d7:37:74:e9:18:5a:1c:df:
        c7:76:b9:89:6e:ac:ea:78:4f:1b:38:9f:46:8e:c8:50:2f:7a:
        22:72:a2:ca:2e:b1:4a:fd:45:e5:18:9c:16:bc:65:2c:7d:87:
        ef:33:d3:18:1e:a8:bb:5f:ca:56:51:a7:44:fa:38:bf:13:4b:
        2f:7d:c6:e3:80:79:22:41:50:68:8d:01:28:ad:a4:e6:5a:95:
        0b:de:4a:79:e4:41:f6:b4:35:8b:29:95:ef:e4:f6:a4:70:81:
        97:e7

11  CA signing

 # openssl ca -in test.csr -out test.crt -days 1900

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb 26 14:58:40 2010 GMT
            Not After : May 11 14:58:40 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZZU
            organizationalUnitName    = CA
            commonName                = station.example.com
            emailAddress              = root@station.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:3C:E5:6D:D0:6B:C7:DC:DB:35:4E:9F:E4:63:24:FD:F5:35:6E:89
            X509v3 Authority Key Identifier:
                keyid:2B:18:5D:BF:28:71:50:13:AB:EF:6A:AC:BA:1C:DD:56:94:E5:39:1B

Certificate is to be certified until May 11 14:58:40 2015 GMT (1900 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

   When this message appears, the CA signing has succeeded.

12  View the signed certificate

 # openssl x509 -in test.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=HENAN, L=ZHENGZHOU, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.exmaple.com
        Validity
            Not Before: Feb 26 14:58:40 2010 GMT
            Not After : May 11 14:58:40 2015 GMT
        Subject: C=CN, ST=HENAN, O=ZZU, OU=CA, CN=station.example.com/emailAddress=root@station.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:db:47:20:6b:fd:76:51:8c:35:31:df:08:59:d2:
                    f7:c5:2a:f4:00:dd:04:e1:34:73:09:2f:92:cd:42:
                    5b:92:50:c8:e3:7f:da:72:d4:f1:83:34:07:7e:ed:
                    48:fe:02:90:49:97:a6:6b:57:3d:18:56:f0:29:e4:
                    59:2c:d3:aa:c9:d7:ea:b8:c3:8d:49:f5:99:6f:49:
                    58:35:0e:74:56:b7:f2:32:31:ad:05:59:06:a0:a7:
                    25:88:75:9a:22:54:89:13:85:66:76:bd:9f:77:f8:
                    ad:70:90:65:39:98:26:83:c2:1a:65:ed:f6:42:54:
                    c5:77:68:02:bb:e4:44:01:4f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C4:3C:E5:6D:D0:6B:C7:DC:DB:35:4E:9F:E4:63:24:FD:F5:35:6E:89
            X509v3 Authority Key Identifier:
                keyid:2B:18:5D:BF:28:71:50:13:AB:EF:6A:AC:BA:1C:DD:56:94:E5:39:1B

    Signature Algorithm: sha1WithRSAEncryption
        5e:41:da:24:5b:2a:81:0e:ce:33:6d:9a:75:97:25:da:fd:e1:
        a7:51:b3:ac:57:c1:dc:1c:5d:43:c7:59:dd:f3:3d:71:86:86:
        1a:02:a4:e4:2e:bb:37:a9:08:6d:48:81:ff:46:31:cb:e9:16:
        64:86:aa:d2:a2:78:fb:6b:53:82:40:19:d9:fb:ae:09:46:79:
        3b:cc:ae:1c:dc:ce:90:da:e2:09:09:d4:4d:12:c0:5c:69:83:
        80:f5:28:5c:05:17:82:19:be:ff:4b:b7:c3:d6:67:9b:48:95:
        65:c4:70:c9:b4:d7:4c:9e:a6:d0:50:6a:b0:42:2a:58:53:2b:
        d0:fe:4b:cd:45:8b:06:f7:7d:38:d4:4a:cd:bf:92:4d:fd:06:
        73:8e:ed:42:6a:cb:52:43:94:c3:e8:81:2c:80:ac:a8:c1:60:
        3f:66:81:46:79:97:a4:b8:37:99:1c:fb:1f:8d:ac:e6:a5:ca:
        6b:e0:3b:0d:96:5e:02:c7:6a:e3:a2:f4:48:4a:78:cc:b7:d9:
        eb:b5:c6:4b:5f:9d:eb:c2:ad:b7:89:a1:75:51:c3:1c:58:a6:
        b3:4f:ed:cd:d7:8d:46:15:ac:21:64:ed:43:1f:61:01:60:bb:
        96:14:c9:b5:11:e9:ad:33:f9:d2:a7:25:9b:2f:e1:30:48:20:
        6e:f0:0f:9e
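As an added example (not code from the original post), the whole procedure above rebuilt as a non-interactive script: it uses a scratch directory with its own minimal openssl.cnf in place of /etc/pki/CA and /etc/pki/tls/openssl.cnf, signs one request with the CA key, and then checks that the result chains to cacert.pem and is an end-entity certificate (CA:FALSE, as in the output of step 11). The policy_match section is why the note in step 9 matters: a request whose C, ST or O differ from the CA's is refused, and a field the policy does not list (L here) is dropped from the issued subject, exactly as step 12's Subject line shows. Assumes an openssl binary on PATH; the DN values are the post's own, the 2048-bit key size and sha256 digest are this example's choices.

```shell
# Added example (not the post's own code): rebuilds the tutorial's CA layout under a
# scratch directory instead of /etc/pki/CA, signs one request without prompts, checks it.
set -eu
DN="/C=CN/ST=HENAN/L=ZHENGZHOU/O=ZZU/OU=CA/CN=station.example.com"   # the post's DN
setup_ca() {   # $1 = work dir; steps 1-6: CA key, self-signed CA cert, database files
    d="$1"; mkdir -p "$d/private" "$d/newcerts"; touch "$d/index.txt"; echo "00" > "$d/serial"
    cat > "$d/openssl.cnf" <<EOF   # constructed stand-in for /etc/pki/tls/openssl.cnf, dir absolute
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3660 -config "$d/openssl.cnf" -subj "$DN" \
        -key "$d/private/cakey.pem" -out "$d/cacert.pem"
}
issue_cert() {   # $1 = work dir, $2 = name; steps 7-11: key, CSR, then the CA signs it
    d="$1"; n="$2"; openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    openssl req -new -key "$d/$n.key" -out "$d/$n.csr" -config "$d/openssl.cnf" -subj "$DN"
    openssl ca -batch -notext -days 1900 -config "$d/openssl.cnf" -in "$d/$n.csr" -out "$d/$n.crt" 2>/dev/null
}
verify_issued() {   # $1 = work dir, $2 = name: chains to cacert.pem and is an end-entity cert?
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Run it as `W=$(mktemp -d); setup_ca "$W"; issue_cert "$W" test; verify_issued "$W" test && echo ok`; afterwards `cat "$W/serial"` reads 01 and `openssl x509 -in "$W/test.crt" -noout -subject` has no L field.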









This article is reposted from freehat08's 51CTO blog, original link: http://blog.51cto.com/freehat/278917; for reprinting, please contact the original author.