6. CA (Certificate Authority)
CA root certificate path: /csk-rootca/csk-ca.pem
Issue digital certificates; the issuer information contains only the following fields:
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = CSK Global Root CA
Edit the certificate configuration file:
[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
# Edit line 42: dir = /csk-rootca
# Edit lines 84 to 90: change match and supplied to optional
# Substitute in last-line (command) mode: :85,88s/match/optional
# Copy line 98 to line 87 (yy to yank, p to paste)
Create the files the CA needs:
[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir private newcerts
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 > serial
[root@appsrv csk-rootca]#
Generate the CA private key:
[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus
............................................................................................................................+++
......+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]#
Generate the root certificate:
[root@appsrv csk-rootca]# openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#
Generate the web server key:
[root@appsrv CA]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)
[root@appsrv CA]#
Generate the web certificate request (CSR):
[root@appsrv CA]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.www.chinaskills.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv CA]#
Sign the web certificate request with the root CA:
[root@appsrv CA]# openssl ca -keyfile private/cakey.pem -cert csk-ca.pem -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 14 09:38:23 2022 GMT
Not After : Apr 14 09:38:23 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = China
localityName = BeiJing
organizationName = skills
organizationalUnitName = Operations Departments
commonName = *.chinaskills.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
41:5E:AE:2B:9F:5B:5D:8E:FF:8F:BC:93:3E:0D:50:C9:63:E5:AC:EE
X509v3 Authority Key Identifier:
keyid:03:AD:1B:0E:37:5D:70:71:0A:61:01:8A:E2:9B:FB:7D:48:8B:E4:8A
Certificate is to be certified until Apr 14 09:38:23 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
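The signing step above completes the CA flow. The following is an added example, not part of the lab text: it reproduces the same flow non-interactively in a scratch directory (openssl x509 -req stands in for openssl ca, so no openssl.cnf edits are needed) and then runs the checks an operator should make on httpd.crt before handing it to the web server. It assumes the openssl CLI is installed; the directory names, the SUBJ string and the hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original lab text. It reproduces the page's
# CA flow non-interactively (openssl x509 -req stands in for openssl ca, so no
# openssl.cnf edits are needed) and then runs the checks an operator should
# perform on httpd.crt before handing it to the web server. Assumes the
# openssl CLI is installed; all file names and the hostnames are constructed.
set -eu

SUBJ="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments"

# Create a root CA and a server certificate for CN=$2 under directory $1.
build_ca_and_leaf() {
    dir=$1; cn=$2
    mkdir -p "$dir/private"
    # Minimal config: no DN prompts, CA:TRUE for the root, CA:FALSE for the leaf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n[leaf_ext]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/ext.cnf"
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" -config "$dir/ext.cnf" \
        -extensions ca_ext -subj "$SUBJ/CN=CSK Global Root CA" -out "$dir/csk-ca.pem"
    openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$dir/httpd.key" -config "$dir/ext.cnf" \
        -subj "$SUBJ/CN=$cn" -out "$dir/httpd.csr"
    openssl x509 -req -days 365 -in "$dir/httpd.csr" -CA "$dir/csk-ca.pem" \
        -CAkey "$dir/private/cakey.pem" -CAcreateserial -extfile "$dir/ext.cnf" \
        -extensions leaf_ext -out "$dir/httpd.crt" 2>/dev/null
}

# Post-issuance checks for the certificate in $1 against hostname $2.
# Prints the first failing check and returns 1; returns 0 when all pass.
check_issued_cert() {
    dir=$1; host=$2
    # 1. The leaf chains to our root (grep the verdict rather than trusting the
    #    exit code: old openssl versions returned 0 even on failure).
    openssl verify -CAfile "$dir/csk-ca.pem" "$dir/httpd.crt" 2>&1 | grep -q ': OK$' \
        || { echo "chain verification failed"; return 1; }
    # 2. The private key given to httpd really belongs to this certificate.
    [ "$(openssl x509 -noout -pubkey -in "$dir/httpd.crt")" = \
      "$(openssl pkey -pubout -in "$dir/httpd.key")" ] \
        || { echo "httpd.key does not match httpd.crt"; return 1; }
    # 3. The leaf must not itself be usable as a CA (the CA:FALSE line on the page).
    openssl x509 -noout -text -in "$dir/httpd.crt" | grep -q 'CA:FALSE' \
        || { echo "leaf certificate is marked as a CA"; return 1; }
    # 4. The name clients connect to must be covered; a wildcard matches exactly one
    #    label, so *.chinaskills.cn covers www.chinaskills.cn but not chinaskills.cn.
    openssl x509 -noout -checkhost "$host" -in "$dir/httpd.crt" | grep -q 'does match' \
        || { echo "certificate does not cover $host"; return 1; }
    return 0
}
```

Call build_ca_and_leaf with a directory and the CN, then check_issued_cert with the same directory and the hostname clients will use. Building with the CN as typed into the CSR above, *.www.chinaskills.cn, and checking www.chinaskills.cn fails check 4, because the wildcard only covers names one label below www.chinaskills.cn.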