#yyds Essentials# Private CA and certificate requests
Posted by 王华_linux
Editor's note: this article was compiled by the cha138.com editors and introduces private CAs and certificate requests; we hope it is of some reference value.
Setting up a private CA:
OpenCA: a complete, free PKI suite produced by the OpenCA open-source project as a Perl-based extension of OpenSSL.
openssl: the relevant packages are openssl and openssl-libs.
Certificate request and signing steps:
1. Generate a certificate signing request (CSR)
2. The RA verifies the applicant and the request
3. The CA signs the request
4. The applicant retrieves the certificate
[root@C8-8 ~]# whereis openssl
openssl: /usr/bin/openssl /usr/share/man/man1/openssl.1ssl.gz
1. The openssl-libs package
[root@C8-8 ~]# rpm -ql openssl-libs
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/ct_log_list.cnf
/etc/pki/tls/misc
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
/usr/lib/.build-id
/usr/lib/.build-id/00
/usr/lib/.build-id/00/2a6b0c4063f20cd80099a3b4d9e3732e0bbc73
/usr/lib/.build-id/32
/usr/lib/.build-id/32/e275760859214d906dab89c9ab008bc40f6e6f
/usr/lib/.build-id/39
/usr/lib/.build-id/39/da39ce3c907073d0e69f48906646b3e288ca78
/usr/lib/.build-id/54
....
2. The openssl configuration file:
/etc/pki/tls/openssl.cnf
The policy section that openssl ca applies when signing a request uses three keywords:
match: the field in the request must be identical to the same field in the CA's own certificate
optional: the field may be present or absent, and need not match the CA's value
supplied: the field must be present in the request (any value is accepted)
[root@C8-8 ~]# cat /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
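The following script is an added example, not code from the original post: it builds a throwaway private CA with the directory layout the [ CA_default ] section above expects (certs/, newcerts/, private/, index.txt, serial), writes a private openssl.cnf whose policy section uses all three keywords (match, supplied, optional), and then walks the four steps from the list above: CSR, RA check, CA signing, retrieval and verification. It also submits a second CSR whose organizationName differs from the CA's, to show the match policy refusing it. It assumes an openssl 1.1 or later binary on PATH; the CA directory, subjects and host names are constructed for the example, and the real /etc/pki/CA is never touched.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl 1.1+ on PATH.
# All paths, subjects and host names below are constructed for the example.
set -eu

CA_SUBJECT="/C=CN/ST=Beijing/O=Example Ltd/CN=Example Private CA"

# Build the CA: [ CA_default ]-style layout, private config, self-signed CA cert.
build_private_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"      # CA key directory: owner only
    : > "$dir/index.txt"          # empty issuance database
    echo 01 > "$dir/serial"       # first serial number (hex)
    # $dir is expanded by the shell here; \$dir is left for openssl to expand.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
certs           = \$dir/certs
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ req ]
distinguished_name      = req_dn
[ req_dn ]
commonName              = Common Name
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "$CA_SUBJECT" 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"   # the CA key is the whole trust root
}

# Step 1: the applicant makes a key pair and a CSR; the key never leaves it.
request_cert() {
    dir="$1"; name="$2"; subject="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
        -keyout "$dir/private/$name.key" -out "$dir/$name.csr" -subj "$subject" 2>/dev/null
}

# Step 2: RA check. OpenSSL has no RA role; a human confirms the CSR is
# self-signed by the key holder and that the subject belongs to the applicant.
ra_check() {
    openssl req -in "$1" -noout -verify -subject
}

# Step 3: the CA signs; openssl ca enforces the policy section and appends to
# index.txt. Do not trust the exit status alone: confirm a parseable
# certificate was really written.
ca_sign() {
    dir="$1"; csr="$2"; out="$3"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -in "$csr" -out "$out" 2>/dev/null || return 1
    openssl x509 -in "$out" -noout 2>/dev/null
}

# Step 4: the applicant fetches the certificate and checks it chains to the CA.
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null
}

# Whole flow. Returns 0 only if the compliant CSR is issued and the CSR with a
# mismatched organizationName is refused without touching the database.
run_demo() {
    ca="$1"
    build_private_ca "$ca"
    request_cert "$ca" www "/C=CN/ST=Beijing/O=Example Ltd/CN=www.example.com"
    ra_check "$ca/www.csr"
    ca_sign "$ca" "$ca/www.csr" "$ca/certs/www.crt"
    verify_issued "$ca" "$ca/certs/www.crt"
    request_cert "$ca" rogue "/C=CN/ST=Beijing/O=Other Corp/CN=rogue.example.com"
    if ca_sign "$ca" "$ca/rogue.csr" "$ca/certs/rogue.crt"; then
        echo "policy did not reject the mismatched organizationName" >&2; return 1
    fi
    [ "$(wc -l < "$ca/index.txt" | tr -d ' ')" = "1" ]   # only www was recorded
}

run_demo "${1:-$(mktemp -d)}"
```

Two points a practitioner should keep in mind when adapting this: openssl ca copies into the issued certificate only the subject fields named in the policy section, so anything else in the CSR (a locality, for instance) is silently dropped; and the 0600 CA key plus 0700 private/ directory are the minimum, since on a real CA that key should live on an offline or hardware-backed host, not next to the web server it signs for.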