
openssl ca (signing certificates and building your own CA)

Summary of building your own CA:

# Create the database index file and the serial file
[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
# Generate the private key
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
# Create the CA's certificate request file
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
# Self-sign it
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
# Put the self-signed certificate under /etc/pki/CA/
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem

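Summary of then using this CA to issue a certificate to Lao Wang:

# Lao Wang generates a private key
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
# Lao Wang generates the request file
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
# Lao Wang sends the certificate request file to the CA (country, state/province and organization must match the CA's subject)
[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/
# The CA signs it
[root@linux5 ~]# openssl ca -in wangwangwang.csr
# The CA sends the certificate to Lao Wang
[root@linux5 ~]# scp /etc/pki/CA/newcerts/02.pem wang@192.168.38.146:~/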

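Once a certificate request file has been signed with the CA's private key, it is a certificate; sending the signed certificate to the applicant is what issuing a certificate means. When signing, to guarantee the integrity and consistency of the certificate, a digital digest of the signed certificate should also be generated, that is, a one-way (hash) algorithm is used.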


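The configuration file specifies the layout of the files needed when signing certificates. The layout required by the default openssl.cnf is as follows:

[ CA_default ]
dir             = /etc/pki/CA             # base directory variable
certs           = $dir/certs              # directory where issued certificates are kept
database        = $dir/index.txt          # database index file
new_certs_dir   = $dir/newcerts           # directory where newly signed certificates are stored
certificate     = $dir/cacert.pem         # path of the CA certificate
serial          = $dir/serial             # current certificate serial number
private_key     = $dir/private/cakey.pem  # path of the CA private key

The directories /etc/pki/CA/{certs,newcerts,private} exist by default once openssl is installed, so they do not need to be created separately. The certificate database file index.txt and the serial file serial, however, must be created beforehand, and the serial file must be given an initial serial number, such as "01".

Create the database index file and the serial file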

[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial

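Create the private key

In addition, signing a certificate request requires the CA's own private key file and the CA's own certificate. First create the CA's private key; it is stored at the location given by private_key in the configuration file, which defaults to /etc/pki/CA/private/cakey.pem.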

[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem

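Building your own CA with openssl ca

The CA must provide its own certificate. In a test environment the CA can only self-sign. "openssl req -x509", "openssl x509" and "openssl ca" can all self-sign a certificate request file; only the self-signing method of the openssl ca command itself is described here.

First create the CA's certificate request file. It is recommended to use the CA's private key file /etc/pki/CA/private/cakey.pem to create the request that will be self-signed; this is not mandatory, but it makes management easier. When creating the request, Country Name, State or Province Name, Organization Name and Common Name must be provided by default.

Create the CA's certificate request file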

[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:MG
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.baidu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

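Then use the openssl ca command to self-sign this certificate request file.

If you are prompted interactively twice, the self-signing will succeed. If it fails, check whether the database file index.txt has been created, whether the serial file serial exists and contains a serial number, whether the path of the private key file cakey.pem is correct, and whether any field required when creating the certificate request was left out.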

[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  1 12:18:39 2019 GMT
            Not After : Aug 31 12:18:39 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = MG
            organizationalUnitName    = IT
            commonName                = www.baidu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
            X509v3 Authority Key Identifier: 
                keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F

Certificate is to be certified until Aug 31 12:18:39 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
        Validity
            Not Before: Sep  1 12:18:39 2019 GMT
            Not After : Aug 31 12:18:39 2020 GMT
        Subject: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:1d:69:b1:34:dc:9d:68:77:3d:9a:66:62:74:
                    f4:45:46:80:64:78:21:a5:b0:b5:7c:89:9a:6e:72:
                    2f:01:2a:e7:30:57:1c:cd:3b:5e:e5:97:b9:a5:80:
                    7d:87:5d:6a:59:8c:5f:b9:0c:6f:d4:33:05:63:c2:
                    ff:50:12:11:29:7b:5f:e6:74:4a:11:c5:97:71:c4:
                    67:63:2d:36:d2:6f:b4:3a:7c:59:4a:80:79:35:b6:
                    e6:9f:c9:7b:82:18:11:95:19:c8:37:f7:9a:28:00:
                    98:6c:a3:73:00:01:4f:fe:7b:8e:d8:c5:82:06:c2:
                    c8:9e:44:8d:36:ca:05:0e:50:8a:17:32:05:91:18:
                    d1:e8:9b:a5:52:43:88:3f:99:01:84:7e:8b:c2:46:
                    23:d0:c1:91:a8:9e:f5:ef:c8:91:22:06:9e:b0:30:
                    1f:8c:f9:3e:f5:30:8c:27:95:54:05:03:82:ac:70:
                    f9:30:f9:0e:a2:8f:e6:9a:53:b5:f4:82:f1:ab:17:
                    6a:22:f9:b2:c4:0b:8d:6e:49:51:35:f9:dd:8c:4f:
                    eb:ee:ba:f0:08:1d:70:fd:90:11:47:0d:34:bd:b2:
                    3e:71:c5:a7:d5:c9:61:88:79:76:2a:59:74:b2:32:
                    fd:37:a4:2e:e0:8b:2f:98:76:ae:ae:19:57:23:93:
                    cb:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F
            X509v3 Authority Key Identifier: 
                keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F

    Signature Algorithm: sha256WithRSAEncryption
         33:c4:da:33:67:d6:f8:c5:80:17:c0:db:b2:dd:5a:4e:f2:0c:
         3a:21:fa:f6:da:86:0a:b3:66:fe:31:23:ed:00:8d:2a:0f:26:
         c5:0b:9b:af:1c:0b:31:ba:60:d6:d7:24:74:29:0f:3a:8a:a1:
         1f:f2:e9:de:96:1f:05:19:50:67:2f:5e:20:0b:8a:21:f4:95:
         3b:30:88:2b:7c:2c:13:c9:b5:b4:17:c7:0c:84:20:0d:68:d8:
         4d:31:ad:03:77:66:11:d3:96:68:38:d4:48:75:e3:2c:3a:fe:
         ad:63:2b:89:61:9b:7e:07:97:c0:45:20:e7:4c:f4:1a:c3:6e:
         49:81:16:33:f1:79:74:d3:f5:08:2c:21:42:b4:bd:65:a3:c2:
         9d:56:7d:a8:3f:52:d0:55:94:ba:69:45:28:2a:05:13:4b:a2:
         d5:00:dd:47:3d:92:27:7e:b0:23:f6:5a:96:0e:9b:e7:fd:7f:
         57:3a:f0:43:88:05:60:73:db:3d:d8:f0:0e:90:97:18:94:f1:
         53:56:e0:e6:0c:5a:60:f7:bb:86:bf:70:82:b2:d2:2a:64:c0:
         b1:a6:13:69:ee:ae:ce:d6:8b:fa:b2:05:42:69:79:74:2a:6b:
         04:e9:29:cc:55:6d:7d:4a:0f:43:63:2a:83:bb:de:0d:09:dd:
         fa:f5:9c:70
Data Base Updated

After the self-signing succeeds, a series of files is generated under /etc/pki/CA.

[root@linux5 ~]# tree -C /etc/pki/CA
/etc/pki/CA
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.old
|-- newcerts
|   `-- 01.pem
|-- private
|   `-- cakey.pem
|-- serial
`-- serial.old

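The file 01.pem under newcerts is the certificate that was just self-signed. Because it is the CA's own certificate, according to the "certificate=$dir/cacert.pem" entry in the configuration file it should be placed in /etc/pki/CA and named cacert.pem; only then can other certificate requests be signed.

Place the self-signed certificate in /etc/pki/CA/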

[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem

At this point the CA is set up.

Look at the database index file and the serial number file.

[root@linux5 ~]# cat /etc/pki/CA/index.txt
V   200831121839Z       01  unknown /C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com

So the next time a certificate request is signed, the serial number will be "02".


Summary of the commands for self-signing the CA

[root@linux5 ~]# touch /etc/pki/CA/index.txt
[root@linux5 ~]# echo "01" > /etc/pki/CA/serial
[root@linux5 ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem
[root@linux5 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out rootCA.csr
[root@linux5 ~]# openssl ca -selfsign -in rootCA.csr
[root@linux5 ~]# cp /etc/pki/CA/newcerts/01.pem /etc/pki/CA/cacert.pem

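The whole procedure above relied entirely on the default configuration file. In fact much of it need not be so strict: the openssl ca command itself accepts many options that override entries in the configuration file. But since a default configuration file and directory structure are provided, it is still recommended to follow the configuration file entirely, for ease of management.


Issuing a certificate to Lao Wang

1. Lao Wang generates his own private key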

[wang@linux5 ~]$ openssl genrsa -out wangkey.pem

2. Lao Wang generates the certificate request file

[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:MG
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.wangwangwang.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

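Country Name, State or Province Name, Organization Name and Common Name must be provided, and the first three must be exactly the same as the corresponding entries in the CA's subject. This is determined by the matching policy in the configuration file.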

[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

3. Lao Wang sends the request file to the CA

[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/

4. The CA signs it

[root@linux5 ~]# openssl ca -in wangwangwang.csr 
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep  1 12:52:13 2019 GMT
            Not After : Aug 31 12:52:13 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = MG
            commonName                = www.wangwangwang.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5C:B0:F3:C6:8B:F0:96:40:73:5C:B6:A8:2F:E4:DF:8C:2E:5B:C5:C5
            X509v3 Authority Key Identifier: 
                keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F

Certificate is to be certified until Aug 31 12:52:13 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, O=MG, OU=IT, CN=www.baidu.com
        Validity
            Not Before: Sep  1 12:52:13 2019 GMT
            Not After : Aug 31 12:52:13 2020 GMT
        Subject: C=CN, ST=BJ, O=MG, CN=www.wangwangwang.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d5:44:3a:e8:1e:de:4b:06:df:24:bc:4e:99:f3:
                    9a:a0:1c:84:e2:b2:32:cf:9d:f3:a1:e1:1e:9b:65:
                    d3:84:96:f1:73:7f:88:32:ea:d7:fa:c9:35:82:60:
                    86:b0:b1:33:b9:45:a9:a9:62:33:7d:b7:23:56:08:
                    d2:00:ef:c1:e4:e1:bb:ca:e7:a7:26:de:43:76:e1:
                    07:7f:92:06:b4:88:61:6a:38:27:88:e4:5e:82:c4:
                    90:b4:88:b2:46:bf:3a:6f:44:95:01:94:be:33:be:
                    62:74:bd:7c:01:d1:3f:a3:95:26:d4:21:87:de:2d:
                    e2:f9:96:09:25:6b:19:aa:30:c8:c9:68:7c:73:fe:
                    35:0e:b5:7c:68:6c:2e:3d:99:40:d8:b4:ee:cc:88:
                    a2:53:b3:1e:31:ac:f5:ce:ad:5c:93:b9:ba:eb:fb:
                    d2:0c:46:90:8b:fc:ae:b9:42:dd:d1:00:61:96:47:
                    1a:3f:58:df:7f:c1:b6:ee:ca:b5:5e:4f:91:ca:3d:
                    4e:8a:39:36:58:26:a2:7e:97:a2:72:89:27:ef:9d:
                    2b:4e:4d:cc:91:bf:2e:66:f3:25:8f:f4:6f:97:da:
                    2b:6a:d1:64:2d:f9:c6:4f:72:6b:59:d0:96:48:6e:
                    4b:58:97:6e:78:0e:57:75:a1:da:c4:85:90:d4:08:
                    cd:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5C:B0:F3:C6:8B:F0:96:40:73:5C:B6:A8:2F:E4:DF:8C:2E:5B:C5:C5
            X509v3 Authority Key Identifier: 
                keyid:78:5F:19:3D:9B:CD:5D:60:5A:00:E5:DA:95:7D:4C:EC:2C:20:B1:3F

    Signature Algorithm: sha256WithRSAEncryption
         25:f1:7a:b5:e2:8f:25:6e:90:1d:dc:40:7e:73:8d:88:84:3c:
         72:ea:15:3f:fe:93:a5:e9:e3:f3:3f:d2:47:75:39:72:55:98:
         89:a7:99:ee:07:fb:03:a6:4d:84:fa:49:7b:98:07:2e:7b:53:
         c4:16:5e:30:1f:6e:62:ba:a8:b0:01:07:bc:a0:82:1f:7f:a3:
         77:36:74:f5:d1:e6:7e:fe:e1:0d:05:d6:b2:28:76:2d:21:57:
         73:67:37:91:40:a2:4b:74:e3:b7:39:10:32:f2:8f:03:34:be:
         2d:c3:d7:c9:84:00:39:1f:44:dc:08:cc:5f:91:ec:7a:72:48:
         4b:5e:f8:de:a2:ed:29:c9:d0:48:ca:9c:a5:d9:48:31:c2:52:
         d2:6d:2c:14:b6:7c:c7:f3:9b:16:7e:0e:e2:26:0d:03:57:92:
         e2:a0:fa:11:ed:26:cd:1e:ef:8c:c5:03:1c:80:91:af:06:4a:
         2b:78:42:1a:23:02:1b:d7:67:4f:0d:ec:07:7c:6d:1b:9f:85:
         38:c9:69:22:2f:e4:d0:bf:91:26:73:20:e5:fa:09:b1:30:80:
         de:ad:97:c0:53:3c:02:a1:5b:5f:4a:55:4f:b3:cf:fb:6b:24:
         95:82:2c:45:71:39:70:c4:2b:44:68:b6:5e:d7:6f:23:f5:fb:
         46:31:93:f9
Data Base Updated

5. Signing is complete; look at the directory structure

[root@linux5 ~]# tree -C /etc/pki/CA
/etc/pki/CA
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- index.txt.attr
|-- index.txt.attr.old
|-- index.txt.old
|-- newcerts
|   |-- 01.pem
|   `-- 02.pem
|-- private
|   `-- cakey.pem
|-- serial
`-- serial.old

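6. "02.pem" is the certificate that was just signed. Sending this certificate to the applicant completes the issuance.

7. Look again at the database index file and the serial number file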

[root@linux5 ~]# cat /etc/pki/CA/index.txt
V   200831121839Z       01  unknown /C=CN/ST=BJ/O=MG/OU=IT/CN=www.baidu.com
V   200831125213Z       02  unknown /C=CN/ST=BJ/O=MG/CN=www.wangwangwang.com
[root@linux5 ~]# cat /etc/pki/CA/serial
03

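Summary of issuing a certificate to Lao Wang

# Lao Wang generates a private key
[wang@linux5 ~]$ openssl genrsa -out wangkey.pem
# Lao Wang generates the request file
[wang@linux5 ~]$ openssl req -new -key wangkey.pem -out wangwangwang.csr
# Lao Wang sends the certificate request file to the CA (country, state/province and organization must match the CA's subject)
[wang@linux5 ~]$ scp wangwangwang.csr root@192.168.38.146:/root/
# The CA signs it
[root@linux5 ~]# openssl ca -in wangwangwang.csr
# The CA sends the certificate to Lao Wang
[root@linux5 ~]# scp /etc/pki/CA/newcerts/02.pem wang@192.168.38.146:~/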
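
The full procedure above (index and serial files, CA key, self-signing, policy_match, issuance) as a non-interactive script. This is an added example, not part of the original article: it works in a scratch directory with its own minimal config instead of /etc/pki/CA, and the function names, demo.cnf and the sample subjects are assumptions. It departs from the transcript in two places: the transcript's self-signed certificate shows CA:FALSE under Basic Constraints, so the script self-signs with -extensions v3_ca to obtain a root marked CA:TRUE, and it creates the CA key under umask 077.

```shell
# Added example: throwaway CA in a scratch directory; /etc/pki/CA is never touched.
# ca_init, mkcsr, ca_sign, ca_verify and demo.cnf are hypothetical names.
ca_init() {  # $1 = scratch directory
  d=$1; mkdir -p "$d/newcerts" "$d/private"; chmod 700 "$d/private"
  : > "$d/index.txt"; echo 01 > "$d/serial"
  cat > "$d/demo.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF
  (umask 077; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -config "$d/demo.cnf" -key "$d/private/cakey.pem" \
    -subj "/C=CN/ST=BJ/O=MG/CN=Demo Root CA" -out "$d/rootCA.csr"
  # v3_ca marks the self-signed root CA:TRUE; issued certs get usr_cert (CA:FALSE)
  openssl ca -batch -notext -config "$d/demo.cnf" -selfsign -extensions v3_ca \
    -in "$d/rootCA.csr" -out "$d/cacert.pem" 2>/dev/null
}
mkcsr() {    # $1 = dir, $2 = name, $3 = subject DN
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/demo.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}
ca_sign() {  # $1 = dir, $2 = name; non-zero exit when the CSR violates policy_match
  openssl ca -batch -notext -config "$1/demo.cnf" -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}
ca_verify() { openssl verify -CAfile "$1/cacert.pem" "$1/$2.pem" >/dev/null 2>&1; }
```

A request whose organizationName differs from the CA's makes ca_sign return non-zero and leaves the serial file unchanged, which is the policy_match behaviour described in step 2.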
