Lab: Building a Private CA on CentOS

I. Set up the CA issuing host (the authority)
1) generate the private key; 2) create the self-signed certificate

[[email protected] ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
..............................++
....++
e is 65537 (0x10001)

[[email protected] ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 360

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangXi
Locality Name (eg, city) [Default City]:GuiLin
Organization Name (eg, company) [Default Company Ltd]:jinglin
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.jinglin.com
Email Address []:[email protected] # may be left blank
[[email protected] ~]# ls /etc/pki/CA/
cacert.pem certs crl newcerts private
[[email protected] ~]# touch /etc/pki/CA/{serial,index.txt} # create the files the CA needs
[[email protected] ~]# echo 01 > /etc/pki/CA/serial

II. Request a signed certificate from the CA host
1) generate a private key; 2) generate a certificate signing request; 3) send the request to the CA host (over a trustworthy channel); 4) the CA host signs the certificate

[[email protected] httpd]# mkdir ssl # using httpd as the example, create a directory for the key and certificate
[[email protected] httpd]# cd ssl/
[[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.+++
...............+++
e is 65537 (0x10001)

[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangXi
Locality Name (eg, city) [Default City]:GuiLin
Organization Name (eg, company) [Default Company Ltd]:jinglin
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.jinglin.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[[email protected] ssl]# scp httpd.csr [email protected]:/tmp/

[[email protected] ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
[[email protected] ~]# cd /etc/pki/CA/
[[email protected] CA]# cat index.txt
V 190802095707Z 01 unknown /C=CN/ST=GuangXi/O=jinglin/OU=ca.jinglin.com/CN=www.jinglin.org/[email protected]
[[email protected] CA]# scp certs/httpd.crt [email protected]:/etc/httpd/ssl/ # send it back once signed, then delete httpd.csr on both hosts

[[email protected] ssl]# openssl x509 -in httpd.crt -noout -serial -subject # inspect the certificate
serial=01
subject= /C=CN/ST=GuangXi/O=jinglin/OU=ca.jinglin.com/CN=www.jinglin.org/[email protected]

The private CA is now built.
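As an added example (not the post's own commands), the same CA -> CSR -> sign flow as one non-interactive shell function: it works in a throwaway directory with a minimal openssl.cnf written on the fly instead of /etc/pki/CA, passes -subj instead of answering the prompts, puts the server hostname into a subjectAltName, and ends with the openssl verify check the post leaves out. It assumes only that an openssl binary is present; the file names and the jinglin.com hostnames come from the post, while the function name build_private_ca and the CN-only subjects are my choices.

```shell
# Added example, not the post's own commands: same CA -> CSR -> sign flow, run
# non-interactively in one directory with a minimal openssl.cnf written on the fly.
build_private_ca() {
  ca_dir=$1; server_cn=$2; cfg=$ca_dir/openssl.cnf
  mkdir -p "$ca_dir/private" "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/ssl" || return 1
  touch "$ca_dir/index.txt" && echo 01 > "$ca_dir/serial"   # files 'openssl ca' needs
  # $ca_dir and $server_cn are expanded by the shell here; \$dir is left for openssl
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server_cn
EOF
  # 1. CA private key (umask 077 -> mode 0600) and self-signed CA certificate
  (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 4096 2>/dev/null) || return 1
  openssl req -new -x509 -config "$cfg" -extensions ca_ext -days 360 \
    -key "$ca_dir/private/cakey.pem" -subj "/CN=ca.jinglin.com" -out "$ca_dir/cacert.pem" || return 1
  # 2. Server key and CSR; -subj replaces the interactive prompts shown in the post
  (umask 077; openssl genrsa -out "$ca_dir/ssl/httpd.key" 2048 2>/dev/null) || return 1
  openssl req -new -config "$cfg" -key "$ca_dir/ssl/httpd.key" \
    -subj "/CN=$server_cn" -out "$ca_dir/ssl/httpd.csr" || return 1
  # 3. Sign with the CA: -batch answers the y/n prompts, server_ext adds the SAN/EKU
  openssl ca -batch -config "$cfg" -extensions server_ext -days 365 \
    -in "$ca_dir/ssl/httpd.csr" -out "$ca_dir/certs/httpd.crt" || return 1
  # 4. The check the post leaves out: the issued certificate must chain to this CA
  openssl verify -CAfile "$ca_dir/cacert.pem" "$ca_dir/certs/httpd.crt"
}
```

Run it as `build_private_ca /tmp/myca www.jinglin.com`; the last line prints `... httpd.crt: OK` when the chain is good. Note that the post signs the server certificate for 365 days under a CA certificate valid for 360, so verification fails as soon as the CA certificate expires, however much validity the server certificate has left.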
