Building a private CA and requesting certificates
Published: 2025-12-02 Author: 千家信息网 editor
A CA has to be created in a prescribed layout; the details are in /etc/pki/tls/openssl.cnf, which holds the CA-related configuration.
The two most important settings in that file are:
1. This section defines the CA's directory structure
####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
 # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

2. This section defines the rules applied when signing certificates. A field marked match must be identical in the client's signing request and in the CA's own certificate; if the fields need to differ, change the policy rule.

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match # changing this to policy_anything lets the CA sign a request whose countryName, stateOrProvinceName and organizationName differ from the CA's

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

I. Creating the private CA
1. Create the certificate index database file
[root@centos7 CA]# touch index.txt

2. Set the starting serial number for issued certificates
[root@centos7 CA]# echo 01 > serial

3. Generate the CA private key
The private key must be stored under /etc/pki/CA/private and be named cakey.pem.
[root@centos7 CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096) # generate the private key, 4096 bits long
Generating RSA private key, 4096 bit long modulus
.........................................++
.....................++
e is 65537 (0x10001)

4. Generate the self-signed CA certificate
The location and name of the self-signed certificate are also fixed: it must be stored under /etc/pki/CA/ and be named cacert.pem.
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 # generate the self-signed certificate, valid for 3650 days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

II. Requesting a certificate from the client
1. Generate the private key on the client
The client's private key is normally generated in the directory of the application that needs it.
[root@centos7 data]# (umask 066;openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
....................................................................................................................++++++
.....++++++
e is 65537 (0x10001)

2. Generate a certificate signing request from the private key
In the signing request, Country Name, State or Province Name and Organization Name must match the CA's values.
[root@centos7 data]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Send the signing request to the CA
[root@centos7 data]# scp test.csr 192.168.73.132:/tmp
The authenticity of host '192.168.73.132 (192.168.73.132)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.132' (ECDSA) to the list of known hosts.
root@192.168.73.132's password:
test.csr 100% 660 220.9KB/s 00:00

III. Signing the certificate on the CA server
When the CA server signs the certificate, the validity period must be specified.
[root@centos7 CA]# openssl ca -in /tmp/test.csr -out certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = www.mylinuxops.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier:
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

Certificate is to be certified until Apr 14 22:42:33 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

IV. Other operations
1. View the information in a certificate:
[root@centos7 CA]# openssl x509 -in certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=ops, CN=ca.magedu.com
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject: C=CN, ST=beijing, O=magedu, OU=ops, CN=www.mylinuxops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d1:ab:99:29:51:31:e8:2d:69:e6:04:25:89:61:
                    2d:81:71:c6:cf:b0:a2:a2:8a:94:6f:b3:ab:40:fa:
                    1f:da:40:33:7b:46:0f:f7:61:21:18:be:3b:5d:b8:
                    18:a2:8a:9e:99:66:9c:9c:7c:68:2e:ab:73:00:87:
                    3a:91:aa:b5:a0:f0:2c:ec:d0:f2:44:15:86:74:2a:
                    39:d0:64:42:a8:d5:69:ca:c2:79:a1:5a:e3:c9:dc:
                    6e:9e:1e:ab:89:cf:47:62:57:67:17:d3:9f:09:4f:
                    0d:ed:f3:b7:d1:99:b0:49:95:99:25:0b:70:30:ef:
                    a2:72:8d:42:90:8b:51:bb:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier:
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

    Signature Algorithm: sha256WithRSAEncryption
         a0:b9:ac:ef:a6:cb:9c:af:99:5b:f8:f2:dd:f4:0b:dc:63:51:
         99:16:3d:b9:53:91:5e:e5:61:f0:9d:85:cb:57:19:b8:fd:fd:
         6e:3a:9c:f2:2a:d0:69:90:89:ff:75:90:20:f6:25:d0:d2:f9:
         4f:23:34:fd:b7:3c:25:00:7c:a3:7f:f3:14:2b:54:54:3e:cf:
         19:fa:80:48:b2:f3:3a:c7:cf:20:7a:91:3e:43:6f:88:2d:36:
         9a:50:23:12:d1:0c:fa:78:c3:3a:7e:90:85:b1:ba:a8:4a:f0:
         c9:a1:6c:e9:7c:ff:e5:8a:f1:30:8d:36:33:1c:22:03:5b:37:
         73:95:a8:6f:2d:68:42:5d:78:e2:9c:24:c4:b2:f7:59:37:1e:
         af:90:ea:1e:bc:73:d7:95:83:42:64:f5:e1:fb:45:e6:9c:e3:
         2b:04:6f:de:d0:de:01:d9:dc:af:9c:47:2d:31:5e:c3:71:6d:
         23:a6:f3:e0:77:65:c9:a3:39:c0:f2:c5:d2:21:df:84:64:cd:
         0f:4b:19:ea:b4:d5:75:2a:52:54:38:e4:d6:6a:e0:9e:61:c6:
         3a:04:21:cb:d5:2f:c9:f3:21:15:a6:bf:48:ea:06:f4:a8:20:
         43:49:e9:e5:d5:c6:74:06:6a:53:c6:31:48:08:89:6f:af:9a:
         aa:d7:62:e3:9b:60:f2:55:1e:0d:e0:e2:ab:02:76:ab:f0:2f:
         c5:39:fe:11:e3:1d:51:19:96:2d:57:6b:a6:d1:97:8d:fb:cb:
         4f:08:b5:29:af:c8:b8:c7:c9:32:7d:a6:30:ee:ad:c7:13:af:
         d9:9f:c4:09:f1:57:6b:aa:66:de:ad:28:c9:ea:a3:52:26:9b:
         29:e2:0a:14:30:c5:fb:06:70:89:69:f2:5a:de:49:bd:4a:f3:
         af:20:f0:b6:c5:97:37:9a:b4:35:03:5e:75:6c:a0:82:1e:bb:
         0c:68:fe:f4:ee:06:3b:0a:2e:e1:72:0c:b1:32:f4:f3:0f:c0:
         ee:66:1e:5b:9b:e5:02:72:8a:f4:f8:94:3b:c3:85:5f:53:38:
         47:b4:47:61:1a:a1:fd:36:9d:40:81:0a:65:37:47:ad:9e:d5:
         a3:0f:58:87:d5:2f:7f:b5:bc:15:e8:cc:f4:16:c0:67:fa:a2:
         b6:f1:2b:4e:5d:ac:8f:fe:c5:20:3a:b5:49:18:5d:be:29:01:
         67:5f:2f:e9:77:31:34:5c:e2:12:78:1c:a2:c8:3a:67:d1:90:
         3b:24:ed:49:68:5d:c4:f3:f7:8f:4c:bf:02:88:15:3b:11:90:
         9e:f0:fc:d2:41:48:8b:6c:53:22:8d:b0:1b:53:67:05:dc:f5:
         72:37:19:1b:05:24:4b:3b

2. Check the status of a certificate by its serial number
[root@centos7 CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

Revoking a certificate issued by the CA
I. On the client, look up the serial and subject of the certificate to be revoked
[root@centos7 certs]# openssl x509 -in test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com

II. On the CA server, compare the information submitted by the client against the entries in index.txt
[root@centos7 CA]# cat index.txt
V	200414224233Z		01	unknown	/C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com

III. Revoke the certificate
[root@centos7 CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

IV. Set the initial CRL number (required only the first time a certificate is revoked)
[root@centos7 CA]# echo 01 > /etc/pki/CA/crlnumber

V. Generate the certificate revocation list
[root@centos7 CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf

VI. View the certificate revocation list
[root@centos7 CA]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=ca.magedu.com
        Last Update: Apr 16 08:41:46 2019 GMT
        Next Update: May 16 08:41:46 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Apr 16 08:38:37 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         a3:07:8f:b4:a8:ec:76:fb:d1:6c:88:f6:1d:ba:e6:79:5e:19:
         59:3a:38:8d:26:d0:15:d2:22:b1:2f:a5:b0:b0:fc:49:11:00:
         0a:2a:93:22:8d:44:ec:18:c9:5d:ad:66:60:32:36:8a:55:77:
         03:9e:fb:51:b4:8e:9d:b7:d8:3b:d1:da:64:9e:ae:9f:5a:04:
         19:69:f6:e9:de:94:75:92:f4:f4:33:b6:2b:e9:8e:27:dd:40:
         9f:90:11:0f:36:d4:4a:ef:af:55:08:ec:87:81:c6:7c:38:02:
         fb:e2:d9:77:61:dc:2a:2c:61:c5:36:aa:6e:34:59:77:fe:47:
         81:6d:02:15:e5:4b:f2:1f:ae:b3:e0:2e:5e:49:9d:c1:51:f9:
         2e:69:d5:5f:9b:26:25:20:d9:88:ac:30:94:e2:25:e5:ee:17:
         f4:62:ca:ea:be:af:aa:7a:07:e7:e5:91:24:80:cc:52:9b:30:
         e2:3e:59:66:2a:77:28:7b:6a:10:99:a3:a3:27:30:17:a1:94:
         49:bb:ae:eb:7f:53:d9:07:a5:0c:8f:b0:97:0a:cb:42:d8:37:
         22:d9:0b:48:5e:a9:a0:13:78:0d:71:5b:76:25:11:f2:62:7b:
         e7:a5:f5:52:03:a6:25:ea:3a:da:d6:37:5a:55:ed:89:3e:67:
         6f:b7:d7:a9:75:94:e8:17:af:cc:87:ed:bb:4d:19:3c:ee:af:
         a5:4d:fe:5e:f9:80:7a:16:4d:8c:99:36:77:75:e7:81:03:05:
         92:91:01:5c:5e:d7:d0:d3:2b:ef:62:cd:20:5b:1b:40:30:29:
         41:83:c6:7b:cc:29:2a:c3:6c:76:88:ed:a8:ac:be:83:00:7b:
         56:c6:de:97:cf:6a:a5:bd:38:1e:84:b1:00:37:e5:85:15:eb:
         86:51:f8:51:f6:e4:7e:2e:25:e2:8b:10:7d:3e:a6:4d:e5:bd:
         cb:8b:1e:2f:71:60:83:e5:75:1b:91:87:90:39:4a:67:88:87:
         51:d3:b9:ff:0a:f6:36:3c:ba:a0:ae:32:6d:48:d7:e0:3d:20:
         06:b5:ae:05:74:ab:13:84:49:dc:d7:91:c3:48:38:2d:b3:e9:
         b7:f0:13:9d:54:44:f1:5c:52:35:95:f5:da:9c:85:62:3f:28:
         3a:c1:8a:32:e9:f6:f6:93:d2:40:7f:8a:71:20:6e:04:2f:2f:
         33:2b:ac:2a:bb:33:b1:09:4d:4b:67:69:a9:48:a7:a7:a4:cb:
         7e:61:fb:3e:85:dd:1f:99:8b:35:d6:7d:75:9d:34:61:84:8e:
         46:39:e7:4b:09:e3:00:44:69:24:73:ac:37:82:73:1b:42:0d:
         1f:60:5a:e7:47:6c:5f:a6

Creating a private CA with a script
#!/bin/bash
# Menu-driven wrapper for the steps above. The menu labels are kept as in the original;
# 创建CA = create the CA, 申请证书 = request a certificate, 签发证书 = sign a certificate, 退出 = quit.
PS3="please choose a number: "
select menu in 创建CA 申请证书 签发证书 退出; do
  case $menu in
  创建CA)
    # index.txt is the (empty) certificate database; serial holds the next serial number
    cd /etc/pki/CA
    touch index.txt
    echo 01 > serial
    (umask 066; openssl genrsa -out private/cakey.pem 4096)
    openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
    ;;
  申请证书)
    read -p "please input the application directory for the new key and CSR: " APPDIR
    read -p "please input the certificate name: " NAME
    read -p "please input the CA server ip: " IP
    cd "$APPDIR"
    (umask 066; openssl genrsa -out "${NAME}.key" 2048)
    openssl req -new -key "${NAME}.key" -out "${NAME}.csr"
    scp "${NAME}.csr" "${IP}:/tmp"
    unset IP
    ;;
  签发证书)
    read -p "please input the client ip: " IP
    # take the first CSR in /tmp and strip the .csr suffix so it is not appended twice below
    NAME=$(basename "$(ls /tmp/*.csr | head -n 1)" .csr)
    openssl ca -in "/tmp/${NAME}.csr" -out "/etc/pki/CA/certs/${NAME}.crt" -days 365
    rm -f /tmp/*.csr
    scp "/etc/pki/CA/certs/${NAME}.crt" "${IP}:/tmp"
    unset IP
    ;;
  退出)
    break
    ;;
  esac
done
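The whole flow on this page (the CA_default layout and policy_match from openssl.cnf, signing a CSR, revoking it and publishing the CRL) run end to end in a throwaway directory, plus the check the page stops short of: openssl verify -crl_check rejecting the revoked certificate while a still-valid one passes, and openssl ca refusing a CSR whose organizationName differs from the CA's. This is an added example, not the post's own script; it assumes openssl is on PATH, reuses the page's sample names (magedu, ca.magedu.com, www.mylinuxops.com), and mail.mylinuxops.com and otherorg are constructed values.

```shell
#!/bin/bash
# Added demo (not from the original post): throwaway CA under mktemp, one signed CSR,
# revocation, CRL, and verification of both a valid and a revoked certificate.
setup_ca() {                       # recreate the CA_default layout and policy_match from openssl.cnf
  CADIR=$(mktemp -d)
  mkdir -p "$CADIR"/{certs,crl,newcerts,private}
  touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
  cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  (umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CADIR/openssl.cnf" -key "$CADIR/private/cakey.pem" \
    -out "$CADIR/cacert.pem" -days 3650 -subj "/C=CN/ST=beijing/O=magedu/OU=ops/CN=ca.magedu.com"
}
issue_cert() {                     # $1 = CN, $2 = O (default magedu); openssl ca fails when O differs from the CA
  openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null
  openssl req -new -config "$CADIR/openssl.cnf" -key "$CADIR/$1.key" -out "$CADIR/$1.csr" \
    -subj "/C=CN/ST=beijing/O=${2:-magedu}/OU=ops/CN=$1"
  openssl ca -batch -config "$CADIR/openssl.cnf" -in "$CADIR/$1.csr" \
    -out "$CADIR/certs/$1.crt" -days 365 2>/dev/null
}
revoke_and_gencrl() {              # $1 = CN: mark its entry R in index.txt, then write crl.pem
  openssl ca -config "$CADIR/openssl.cnf" -revoke "$CADIR/certs/$1.crt" 2>/dev/null
  openssl ca -config "$CADIR/openssl.cnf" -gencrl -crldays 30 -out "$CADIR/crl/crl.pem" 2>/dev/null
}
verify_with_crl() {                # $1 = CN; exit 0 = chain and CRL check pass, non-zero = rejected (e.g. revoked)
  openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/crl/crl.pem" \
    "$CADIR/certs/$1.crt" >/dev/null 2>&1
}
```

Run setup_ca, then issue_cert, revoke_and_gencrl and verify_with_crl in that order; every artefact lands under $CADIR, so removing that directory discards the test CA.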