1、创建CA所需要的证书
#生成证书索引数据库文件
[root@centos8 ~]#mkdir /etc/pki/CA
[root@centos8 ~]#touch /etc/pki/CA/index.txt
#指定第一个颁发证书的序列号
[root@centos8 ~]#echo 01 > /etc/pki/CA/serial
2、生成CA私钥
[ root@centos8 CA]#mkdir private
[ root@centos8 CA]#umask;openssl genrsa -out private/cakey.pem 2048
0022
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
..........+++++
e is 65537 (0x010001)
3、生成CA自己的自签名证书
[ root@centos8 CA]#oopenssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:chuangyi
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cn.chuangyi.org
Email Address []:admin@chuangyi.org
#说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
#查看生成的cacert.pem文件
[ root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:c3:ab:17:97:60:56:b8:ef:75:6d:67:a7:f7:b3:91:36:7e:78:c3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = hubei, L = wuhan, O = chuangyi, OU = it, CN = cn.chuangyi.org, emailAddress = admin@chuangyi.org
Validity
Not Before: Oct 27 12:37:21 2021 GMT
Not After : Oct 25 12:37:21 2031 GMT
Subject: C = CN, ST = hubei, L = wuhan, O = chuangyi, OU = it, CN = cn.chuangyi.org, emailAddress = admin@chuangyi.org
......
#如果公司就只有一个服务,没必要搭建CA服务器,可以使用以下命令创建一个给服务用的自签名证书
[ root@centos8 CA]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
......+++++
.................+++++
writing new private key to 'app.key'
-----
#生成的私钥app.key 自签名证书app.crt
#centos7上才支持的简单的创建自签名证书的方法,可以把centos7上的/etc/pki/tls/certs/MakeFile文件拷贝过来,就可以make创建不同后缀文件名的文件,来做对应的事情
[root@localhost certs]# make /data/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /data/httpd.key
Generating RSA private key, 2048 bit long modulus
................................+++
....+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /data/httpd.key -x509 -days 365 -out /data/httpd.crt
Enter pass phrase for /data/httpd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:it
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.chuanyi.org
Email Address []:admin@chuanyi.org
4、为需要使用证书的主机生成私钥
[ root@centos8 CA]#mkdir /data/app1
[ root@centos8 app1]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.........+++++
e is 65537 (0x010001)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
..+++++
e is 65537 (0x010001)
5、为需要使用证书的主机生成证书申请文件
[ root@centos8 app1]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:chuangyi
Organizational Unit Name (eg, section) []:sale
Common Name (eg, your name or your server's hostname) []:sale.chuangyi.org
Email Address []:sale@chuangyi.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6、颁发证书,放在配置文件规定的certs目录下
[ root@centos8 certs]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 27 13:46:18 2021 GMT
Not After : Jul 23 13:46:18 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = hubei
organizationName = chuangyi
organizationalUnitName = sale
commonName = sale.chuangyi.org
emailAddress = sale@chuangyi.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
96:D5:F1:07:13:C7:C3:9E:2D:09:46:24:A2:4E:2E:9E:2F:23:44:DF
X509v3 Authority Key Identifier:
keyid:7B:9E:BE:0D:B3:71:91:FB:D3:3A:6B:47:98:07:62:34:86:2A:57:9E
Certificate is to be certified until Jul 23 13:46:18 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7、颁发证书完成,将生成的证书相关文件发送到客户端使用
[ root@centos8 certs]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[ root@centos8 certs]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
8、默认生成的证书,windows十不被信任的,将CA的根证书,cacert.pem改名为cacert.pem.crt使windows可以识别该文件,双击安装cacert.pem.crt文件或者导入到“受信任的根证书颁发机构”。windows再次打开app1.crt就是没问题了。