Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/weixin_43215250/article/details/83347146
1. Generate the private key (with a pass phrase)

The `-des3` option is what makes `genrsa` encrypt the key and prompt for a pass phrase; the prompts below show it was used.

```
[root@node00 security]# openssl genrsa [-des3] -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@node00 security]#
```
2. Generate the certificate signing request (CSR)

```
[root@node00 security]# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Hinabian
Organizational Unit Name (eg, section) []:data
Common Name (eg, your name or your server's hostname) []:node00
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node00 security]#
```
3. Self-sign the root certificate with your own private key

```
[root@node00 security]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
Getting Private key
Enter pass phrase for ca.key:
[root@node00 security]#
```
4. Sign the server's certificate request with the CA root certificate

4.1 Create the /etc/pki/CA/index.txt file

The first `openssl ca` run fails because the CA database file does not exist yet:

```
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140358162147216:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140358162147216:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
```

index.txt is the database used to keep track of the certificates that have already been issued.

```
[root@node00 CA]# touch /etc/pki/CA/index.txt
```

4.2 Create the /etc/pki/CA/serial file

The second run fails because the serial-number file is also missing:

```
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140017638942608:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140017638942608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node00 security]#
```

serial keeps track of the serial number of the most recently issued certificate.

```
[root@node00 CA]# echo "01" > /etc/pki/CA/serial
[root@node00 CA]#
```

4.3 Sign the server's certificate request with the CA root certificate

```
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the CA certificate (GuangDong) and the request (GuangDong)
[root@node00 security]# ll
total 12
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root    0 Oct 24 16:45 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#
```

The run is rejected by the CA's `policy_match` policy, and node00.pem is written as an empty (0 byte) file.
Problem:

```
The stateOrProvinceName field needed to be the same in the CA certificate (GuangDong) and the request (GuangDong)
```

Solution: edit the /etc/pki/tls/openssl.cnf file and relax the `policy_match` section so that stateOrProvinceName and organizationName no longer have to match:

```
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
#stateOrProvinceName = match (change match to optional)
#organizationName = match (change match to optional)
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```
Run the command again:

```
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 24 08:54:57 2018 GMT
            Not After : Oct 21 08:54:57 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = Hinabian
            organizationalUnitName    = data
            commonName                = node00
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:30:7D:B3:7E:85:D4:39:22:2F:B3:96:55:A3:38:68:FE:7F:03:88
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
                serial:E1:40:B9:DB:A9:83:F9:C3

Certificate is to be certified until Oct 21 08:54:57 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node00 security]# ll
total 20
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root 4632 Oct 24 16:55 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#
```

The signed certificate node00.pem was generated successfully!
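The whole procedure above (key, CSR, self-signed root, `openssl ca` signing) as an added, non-interactive example that is not part of the original post: it uses a throwaway directory with its own config file, so the system-wide /etc/pki/tls/openssl.cnf is left alone, creates index.txt and serial before the first `openssl ca` run, and goes a step beyond the post by giving the root certificate a proper `CA:TRUE` basic constraint. All paths, subject names and the pass phrase `capass` are assumptions chosen for this example.

```shell
# Added example, not from the original post. Builds a throwaway CA with its
# own config in a temp dir; names, paths and the pass phrase "capass" are
# assumptions. -batch and -subj replace every interactive prompt of the post.
set -e

# Returns 0 when the issued server cert verifies against the CA that signed it.
demo_ca() {
    work=$(mktemp -d); cfg="$work/openssl.cnf"; mkdir -p "$work/newcerts"
    touch "$work/index.txt"     # database of issued certificates
    echo 01 > "$work/serial"    # serial number for the next certificate
    cat > "$cfg" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $work
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_server ]
basicConstraints = CA:FALSE
EOF
    # steps 1 and 3: -des3 encrypted CA key and a self-signed root with CA:TRUE
    openssl genrsa -des3 -passout pass:capass -out "$work/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$cfg" -extensions v3_ca \
        -key "$work/ca.key" -passin pass:capass \
        -subj "/C=CN/ST=GuangDong/O=Hinabian/CN=demo-root-ca" -out "$work/ca.crt"
    # step 2: server CSR whose ST differs from the CA's (policy_match would reject it)
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -subj "/C=CN/ST=Beijing/O=Other/CN=node00" \
        -keyout "$work/node00.key" -out "$work/node00.csr" 2>/dev/null
    # step 4: sign the CSR; -batch answers the two y/n prompts seen in the post
    openssl ca -batch -config "$cfg" -days 3650 -extensions v3_server \
        -keyfile "$work/ca.key" -passin pass:capass -cert "$work/ca.crt" \
        -in "$work/node00.csr" -out "$work/node00.pem" 2>/dev/null
    openssl verify -CAfile "$work/ca.crt" "$work/node00.pem" >/dev/null
}
```

Because the CSR's province deliberately differs from the CA's, the run succeeds only thanks to the `policy_anything` section; switching it to the stock `policy_match` reproduces the stateOrProvinceName error from the post.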