前往小程序,Get更优阅读体验!
立即前往
首页
学习
活动
专区
工具
TVP
发布
社区首页 >专栏 >网络系统管理Linux环境——AppSrv之CA

网络系统管理Linux环境——AppSrv之CA

作者头像
冷影玺
修改2024-09-14 13:55:59
3200
修改2024-09-14 13:55:59
举报
文章被收录于专栏:冷影玺

题目要求

服务器AppSrv上的工作任务

6.  CA(证书颁发机构)

CA根证书路径/csk-rootca/csk-ca.pem;

签发数字证书,颁发者信息:(仅包含如下信息)

    C = CN

    ST = China

    L = BeiJing

    O = skills

    OU = Operations Departments

    CN = CSK Global Root CA

项目实施

修改证书配置文件:

代码语言:javascript
复制
[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
#修改42行,dir = /csk-rootca
#修改84行到90行,将mastch、supplied更改为optional
#底行模式替换 - :85,88s/mastch/optional
#将98行复制到87行  yy复制   p粘贴

创建证书必要文件:

代码语言:javascript
复制
[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir private newcerts
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 > serial
[root@appsrv csk-rootca]#

生成密钥:

代码语言:javascript
复制
[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus
............................................................................................................................+++
......+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]#

生成根证书:

代码语言:javascript
复制
[root@appsrv csk-rootca]# openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#

生成web的密钥:

代码语言:javascript
复制
[root@appsrv CA]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)
[root@appsrv CA]#

生成web证书;

代码语言:javascript
复制
[root@appsrv CA]# openssl req -new -key httpd.key -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.www.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv CA]#

web证书与根证书绑定:

代码语言:javascript
复制
[root@appsrv CA]# openssl ca -keyfile private/cakey.pem -cert csk-ca.pem -in httpd.csr  -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 14 09:38:23 2022 GMT
            Not After : Apr 14 09:38:23 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            localityName              = BeiJing
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = *.chinaskills.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                41:5E:AE:2B:9F:5B:5D:8E:FF:8F:BC:93:3E:0D:50:C9:63:E5:AC:EE
            X509v3 Authority Key Identifier: 
                keyid:03:AD:1B:0E:37:5D:70:71:0A:61:01:8A:E2:9B:FB:7D:48:8B:E4:8A

Certificate is to be certified until Apr 14 09:38:23 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2023-03-19,如有侵权请联系 cloudcommunity@tencent.com 删除

本文分享自 作者个人站点/博客 前往查看

如有侵权,请联系 cloudcommunity@tencent.com 删除。

本文参与 腾讯云自媒体同步曝光计划  ,欢迎热爱写作的你一起参与!

评论
登录后参与评论
0 条评论
热度
最新
推荐阅读
目录
  • 题目要求
    • 服务器AppSrv上的工作任务
    • 项目实施
    领券
    问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档