91超碰碰碰碰久久久久久综合_超碰av人澡人澡人澡人澡人掠_国产黄大片在线观看画质优化_txt小说免费全本

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

rhel6.3下如何使用openssl來生成CA證書并頒發證書

發布時間:2021-11-17 11:12:22 來源:億速云 閱讀:142 作者:小新 欄目:云計算

小編給大家分享一下rhel6.3下如何使用openssl來生成CA證書并頒發證書,希望大家閱讀完這篇文章之后都有所收獲,下面讓我們一起去探討吧!

一、配置OPENSSL
[root@test1 /]# rpm -qa|grep openssl
openssl-1.0.0-20.el6_2.5.i686
[root@test1 /]# cd /etc/pki/tls
[root@test1 tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@test1 tls]# vim openssl.cnf
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept  (CA中心的目錄)
certs           = $dir/certs            # Where the issued certs are kept (證書保存目錄)
crl_dir         = $dir/crl              # Where the issued crl are kept  (被吊銷證書的目錄)
database        = $dir/index.txt        # database index file.  (證書索引文件)
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.(經過CA中心簽名的證書備份目錄)

certificate     = $dir/my-ca.crt        # The CA certificate (CA的公鑰文件名)
serial          = $dir/serial           # The current serial number (CA中心的頒發證書序列號)
crlnumber       = $dir/crlnumber        # the current crl number (已吊銷證書序列號)
                                        # must be commented out to leave a V1 CRL
crl             = $dir/my-ca.crl        # The current CRL (證書吊銷列表)
private_key     = $dir/private/my-ca.key # The private key (CA私鑰文件)
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

default_days    = 365                   # how long to certify for  (證書有效期)
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

[ policy_match ]       #此段為證書相關信息選項,其中match指定的項,要求被簽名證書一定要與CA的對應項一致。
countryName  = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName  = supplied
emailAddress  = optional

#
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN    (國家代碼需要自己修改)
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default    = Hebei   (州或省名需要自己修改)

localityName                    = Locality Name (eg, city)
localityName_default    = Beijing    (地點名稱需要自己修改)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Tianli Company    (組織或公司名需要自己修改)


[root@test1 tls]# cd ../CA/
[root@test1 CA]# ls
certs  crl  newcerts  private
注:需要有這幾個目錄,如果沒有可以自己新建
[root@test1 CA]# touch index.txt
[root@test1 CA]# echo "00"> serial
[root@test1 CA]# ls
certs  crl  index.txt  newcerts  private  serial

二、創建密鑰過程
創建私鑰
[root@test1 CA]#(umask 077;openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
............................................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:
Verifying - Enter pass phrase for private/my-ca.key:

由私鑰生成公鑰
[root@test1 CA]#openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1
Email Address []:
[root@test1 CA]# ls
certs  crl  index.txt  my-ca.crt  newcerts  private  serial

三、客戶端驗證CA服務
主機端(192.168.1.130)上:
[root@test1 CA]#yum -y install httpd
[root@test1 CA]#service httpd start
[root@test1 CA]#mkdir -p /var/www/html/yum
[root@test1 CA]#cp my-ca.crt /var/www/html/yum   將my-ca.crt,即公鑰放到http服務器,供其他人下載


另外客戶端(192.168.1.117)上:
[root@test2 Desktop]#openssl genrsa 1024 > test2.key
Generating RSA private key, 1024 bit long modulus
.....................++++++
.......++++++
e is 65537 (0x10001)

[root@test2 Desktop]#openssl req -new -key test2.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@test2 Desktop]# scp dovecot.csr root@192.168.1.130:/root/
root@192.168.1.130's password:
dovecot.csr                                   100%  668     0.7KB/s   00:00   


四、服務端簽發CA證書
在CA認證服務器上
[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 22 10:44:36 2013 GMT
            Not After : Jan 22 10:44:36 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hebei
            organizationName          = Tianli Company
            commonName                = test2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                56:69:58:12:67:C7:FC:9E:AC:70:1D:2A:2C:56:A4:E1:61:97:B2:23
            X509v3 Authority Key Identifier:
                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 22 10:44:36 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
最后簽發成功。


補充:在簽發證書的過程中容易出現的兩個問題
[root@test1 ~]# openssl ca -in dovecot.csr -out dovecot.cst
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
unable to load number from /etc/pki/CA/serial
error while loading serial number
3078239980:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
提示error while loading serial number,一般是因為serial文件中沒有賦初值
解決辦法
[root@test1 ~]#cd /etc/pki/CA
[root@test1 CA]# echo "00" >serial
[root@test1 CA]# cat serial
00


還有一個問題在CA簽名時,最后出現failed to update database錯誤
[root@test1 ~]#openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jan 23 02:23:39 2013 GMT
            Not After : Jan 23 02:23:39 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hebei
            organizationName          = Tianli Company
            commonName                = test2
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                96:86:28:B7:ED:2E:96:79:32:88:7E:C3:23:37:02:BC:43:1C:76:87
            X509v3 Authority Key Identifier:
                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 23 02:23:39 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Certificate is to be certified until Jan 23 02:17:38 2014 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
遇到這個錯誤,只需要清空/etc/pki/CA/index.txt的內容再簽發就可以成功了。

吊銷證書:
[root@test1 ~]# openssl ca -revoke my-ca.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Adding Entry with serial number B443BCCFCD08C1CD to DB for /C=CN/ST=Hebei/L=Beijing/O=Default Company Ltd/CN=test1
Revoking Certificate B443BCCFCD08C1CD.
Data Base Updated

生成吊銷證書列表
[root@test1 ~]# openssl ca -gencrl -out my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
unable to load number from /etc/pki/CA/crlnumber
error while loading CRL number
3079087852:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
出現error while loading CRL number,解決辦法給crlnumber賦值
[root@test1 ~]# echo "00" >/etc/pki/CA/crlnumber
[root@test1 ~]# openssl ca -gencrl -out my-ca.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
[root@test1 ~]# ls
anaconda-ks.cfg  dovecot.csr  install.log         my-ca.crl  Public
dead.letter      dovecot.cst  install.log.syslog  my-ca.crt  Templates
Desktop          dovecot.pem  Music              test2.key
Documents        Downloads    Pictures   Videos
[root@test1 ~]# cat my-ca.crl
-----BEGIN X509 CRL-----
MIIB1DCBvQIBATANBgkqhkiG9w0BAQUFADBdMQswCQYDVQQGEwJDTjEOMAwGA1UE
CAwFSGViZWkxEDAOBgNVBAcMB0JlaWppbmcxHDAaBgNVBAoME0RlZmF1bHQgQ29t
cGFueSBMdGQxDjAMBgNVBAMMBXRlc3QxFw0xMzAxMjQwMzMyMzRaFw0xMzAyMjMw
MzMyMzRaMBwwGgIJALRDvM/NCMHNFw0xMzAxMjQwMzIzMDVaoA4wDDAKBgNVHRQE
AwIBADANBgkqhkiG9w0BAQUFAAOCAQEAhUevJlfn+W4VpX2SWn1RA9Y+qqEHB9i1
9rPSBDpC+NUpiKhF09n1eZRGqbInGQ+KVGxWF7iRAQ/znVV06wJiRU1i1/os3f9E
s2PiYYx8fltLOmaR027BhOB1ZO2mQmF/rvl+Soox+XH/YXD9T6wyD9STwm9jzFnD
iY86D+dgCRFCa3GWJyCFV1jr+79gY4q9rNV5Cmpozyxtz+szVgk8D+03X52KSg35
Ow7eCwK9W0rToq31+nR9+EQ3Cx7dUNrXftfzTCbFFhr87/b4w7iH+G9/3hfv91rt
zLuEriAlumiLVNAVk4gU0VJImAbArCOewaNmarzG8N8U9KYAcAWITw==
-----END X509 CRL-----

看完了這篇文章,相信你對“rhel6.3下如何使用openssl來生成CA證書并頒發證書”有了一定的了解,如果想了解更多相關知識,歡迎關注億速云行業資訊頻道,感謝各位的閱讀!

向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

阿拉善盟| 朔州市| 东台市| 闵行区| 东阿县| 邵东县| 南阳市| 洪湖市| 双辽市| 兴义市| 江油市| 呼和浩特市| 伊宁县| 青田县| 正安县| 苏州市| 马山县| 志丹县| 德惠市| 贵溪市| 北流市| 南郑县| 红桥区| 宁化县| 永定县| 武陟县| 安溪县| 灯塔市| 霍州市| 兴和县| 吴忠市| 五指山市| 手游| 射洪县| 虞城县| 永年县| 皋兰县| 崇州市| 额济纳旗| 古浪县| 泌阳县|