To build your own CA on CentOS 8 you use openssl. First, look at the openssl configuration file:
[root@Centos8 data]#vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
This section describes the CA directory layout: which files belong in each directory and what they are for.
On CentOS 7 the CA directories ship with the system, but CentOS 8 only provides the CA home directory, /etc/pki/CA, so create the CA subdirectories by following the CentOS 7 layout.
Directory layout on CentOS 7:
[root@centos7 ~]#cd /etc/pki/CA/
[root@centos7 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
Run on CentOS 8:
[root@Centos8 data]#mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
cd /etc/pki/CA/private/
Generate the CA private key (the umask keeps the key file readable only by its owner):
(umask 077; openssl genrsa -out cakey.pem 4096)
Generate the self-signed CA certificate (run from /etc/pki/CA, as the prompt shows):
[root@Centos8 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wj02
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:www.wj02.com
Email Address []:
[root@Centos8 CA]#
The values to enter, in order:
Country code: CN
State or province: beijing
City: beijing
Organization name: wj02
Organizational unit: M39
Common name (user name or host name): www.wj02.com
Email address: can be left blank, just press Enter
Enter the corresponding information at each prompt.
To view the details of the self-signed certificate:
[root@Centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
43:cf:75:6e:3a:94:cc:98:38:c1:48:c7:d9:37:70:e3:fb:71:19:e6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
Validity
Not Before: Nov 12 06:50:53 2019 GMT
Not After : Nov 9 06:50:53 2029 GMT
Subject: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
The certificate's details are shown.
Next, on a second machine (a new private key is generated there, so at least two machines are needed):
Generate the private key:
(umask 077; openssl genrsa -out app.key 1024)
Generate the certificate signing request (CSR):
openssl req -new -key app.key -out app.csr
Note that three fields, country, state or province, and organization name, must be identical to those in the self-signed CA certificate,
because the configuration file specifies:
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
These three fields must match; the configuration file can of course be edited to relax this.
Use scp to send the CSR (named test.csr from here on) to the CA server:
scp test.csr 192.168.38.120:/etc/pki/CA
Next, the server signs test.csr:
[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
140011092936512:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140011092936512:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#
Hmm, an error? Don't panic: it is caused by a missing file. The error message shows that /etc/pki/CA/index.txt does not exist.
touch /etc/pki/CA/index.txt
Run again:
[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#
Still an error? Now /etc/pki/CA/serial is missing, but this file cannot be empty; it must contain a value.
The configuration file shows that this file records the next certificate serial number, so...
[root@Centos8 CA]#echo 01 > /etc/pki/CA/serial
...we simply give it a starting serial number.
Run again:
[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140145607882560:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140145607882560:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 12 07:26:38 2019 GMT
Not After : Nov 11 07:26:38 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = wj02
organizationalUnitName = M39
commonName = www.wj02.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A2:A8:2B:77:95:4C:E8:80:0C:50:DF:0E:89:ED:17:94:4E:DF:AC:71
X509v3 Authority Key Identifier:
keyid:D8:E4:A8:09:2A:2D:13:39:29:63:83:5E:CF:8D:EA:99:A6:79:0B:67
Certificate is to be certified until Nov 11 07:26:38 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos8 CA]#
Success. Remember to answer y twice. The "Can't open /etc/pki/CA/index.txt.attr" line is only a warning: openssl creates that file itself when it writes the database.
At this point the self-built CA certificate is complete and ready to use.
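As an added example that is not part of the original post, the following script reproduces the whole procedure non-interactively in a scratch directory: it creates the directories, index.txt and serial file up front (so the two errors above do not occur), writes a minimal config with the same policy_match rules, and then signs one CSR whose C/ST/O match the CA and one whose O differs, which openssl ca refuses. The CA_DIR location, the ca.cnf it writes, the function names and all subject values are my own assumptions; it uses 2048-bit RSA keys, since the 1024-bit key used above is below current minimum recommendations.

```shell
# Added example, not the post's own: rebuild the CA layout above in a scratch dir and
# sign a CSR that passes policy_match plus one that violates it. All values constructed.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
make_ca() {  # files "openssl ca" needs before its first run, then the CA key and cert
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"   # serial must not be empty
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $CA_DIR/newcerts
database = $CA_DIR/index.txt
serial = $CA_DIR/serial
certificate = $CA_DIR/cacert.pem
private_key = $CA_DIR/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -days 3650 -subj "/C=CN/ST=beijing/O=wj02/CN=demo-root-ca" -config "$CA_DIR/ca.cnf"
}
new_csr() {  # $1 = name, $2 = subject: the requesting host's key and CSR
    openssl genrsa -out "$CA_DIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" -subj "$2" -config "$CA_DIR/ca.cnf"
}
sign_csr() {  # $1 = name: true only if openssl ca issued a certificate that verifies
    openssl ca -batch -config "$CA_DIR/ca.cnf" -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" -days 365 >/dev/null 2>&1 || true
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1
}
demo() {  # matching O is issued; a request with a different O is refused by policy_match
    make_ca
    new_csr www "/C=CN/ST=beijing/O=wj02/CN=www.wj02.com" && sign_csr www
    new_csr rogue "/C=CN/ST=beijing/O=other-org/CN=www.wj02.com" && ! sign_csr rogue
}
```

Call demo to run it; the rogue request is stopped at the policy check, so no certificate is written for it and sign_csr returns false, while the serial file advances to 02 and index.txt gains one V (valid) entry.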