Building a CA and issuing certificates with CentOS + OpenSSL

1. Install the CentOS system, as shown in the figure below:

2. Use openssl to create a CA and issue certificates. Log in to the CentOS system as root.

Create a working directory and create the CA:

    [root@localhost ~]# mkdir certs
    [root@localhost ~]# cd certs
    [root@localhost certs]# /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    .+
    .+
    writing new private key to /etc/pki/CA/private/./cakey.pem
    Enter PEM pass phrase:                  (set the CA passphrase)
    Verifying - Enter PEM pass phrase:      (confirm the CA passphrase)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:opzoon
    Organizational Unit Name (eg, section) []:opzoon
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:opzoon
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/./cakey.pem:      (enter the CA passphrase set above)
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number:
            ec:01:11:fd:2f:3f:25:c1
        Validity
            Not Before: Feb 1 21:21:43 2012 GMT
            Not After : Jan 31 21:21:43 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = opzoon
            organizationalUnitName    = opzoon
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32
            X509v3 Basic Constraints:
                CA:TRUE
    Certificate is to be certified until Jan 31 21:21:43 2015 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated
    [root@localhost certs]#

Re-sign the CA certificate with a longer lifetime (-days sets the certificate validity period, in days):

    [root@localhost certs]# cd /etc/pki/CA/
    [root@localhost CA]# openssl x509 -in cacert.pem -days 3650 -out cacert.pem -signkey ./private/cakey.pem
    Getting Private key
    Enter pass phrase for ./private/cakey.pem:      (enter the CA passphrase set above)
    [root@localhost CA]#

Generate a key and certificate request for the certificate to be issued:

    [root@localhost CA]# cd /root/certs/
    [root@localhost certs]# /etc/pki/tls/misc/CA -newreq
    Generating a 2048 bit RSA private key
    .+
    .+
    writing new private key to newkey.pem
    Enter PEM pass phrase:                  (set the certificate passphrase)
    Verifying - Enter PEM pass phrase:      (confirm the certificate passphrase)
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:fujian
    Locality Name (eg, city) [Default City]:fuzhou
    Organization Name (eg, company) [Default Company Ltd]:opzoon
    Organizational Unit Name (eg, section) []:opzoon
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:fuzhou
    An optional company name []:opzoon
    Request is in newreq.pem, private key is in newkey.pem
    [root@localhost certs]#

Sign the request with the CA:

    [root@localhost certs]# /etc/pki/tls/misc/CA -sign
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:      (enter the CA passphrase)
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number:
            ec:01:11:fd:2f:3f:25:c2
        Validity
            Not Before: Feb 1 21:45:55 2012 GMT
            Not After : Jan 31 21:45:55 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = fujian
            localityName              = fuzhou
            organizationName          = opzoon
            organizationalUnitName    = opzoon
            commonName                =
            emailAddress              =
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                32:5A:E6:00:EC:A5:88:C5:AB:73:17:77:F1:D3:08:A8:FE:2D:B3:EE
            X509v3 Authority Key Identifier:
                keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

    Certificate is to be certified until Jan 31 21:45:55 2013 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                ec:01:11:fd:2f:3f:25:c2
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=CN, ST=beijing, O=opzoon, OU=opzoon, CN=/emailAddress=
            Validity
                Not Before: Feb 1 21:45:55 2012 GMT
                Not After : Jan 31 21:45:55 2013 GMT
            Subject: C=CN, ST=fujian, L=fuzhou, O=opzoon, OU=opzoon, CN=/emailAddress=
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    32:5A:E6:00:EC:A5:88:C5:AB:73:17:77:F1:D3:08:A8:FE:2D:B3:EE
                X509v3 Authority Key Identifier:
                    keyid:E2:BC:51:1B:2E:1E:74:AF:4E:93:0D:6E:D4:AC:E5:30:35:B4:50:32

        Signature Algorithm: sha1WithRSAEncryption
    -----BEGIN CERTIFICATE-----
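
The issued certificate printed by the signing step is signed with sha1WithRSAEncryption, a digest that current TLS clients no longer accept for certificate signatures. The following is an added example, not part of the original document: a shell helper that reads `openssl x509 -noout -text` output and flags a SHA-1 or MD5 signature, an RSA key under 2048 bits, and a Basic Constraints value that does not match the certificate's role. The function names, finding labels and the sample text (built from the fields shown above) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original document).
# Function names and finding labels are assumptions of this example.

# audit_cert_text ROLE   (ROLE is "ca" or "leaf")
# Reads `openssl x509 -noout -text` output on stdin, prints one finding per
# line, or "OK" when nothing is flagged.
audit_cert_text() {
    awk -v role="$1" '
        /Signature Algorithm:/ { alg = $NF }
        /Public-Key:/          { bits = $2; gsub(/[^0-9]/, "", bits) }
        /CA:TRUE/              { is_ca = 1 }
        /CA:FALSE/             { is_ca = 0 }
        END {
            n = 0
            if (tolower(alg) ~ /sha1|md5/)      { print "WEAK_DIGEST " alg; n++ }
            if (bits != "" && bits + 0 < 2048)  { print "SHORT_KEY " bits; n++ }
            if (role == "leaf" && is_ca)        { print "LEAF_IS_CA"; n++ }
            if (role == "ca" && !is_ca)         { print "CA_NOT_MARKED_CA"; n++ }
            if (n == 0) print "OK"
        }'
}

# audit_cert_file ROLE CERT.pem [CA.pem]
# Same checks on a PEM file; with a CA file, also verifies the signature chain.
audit_cert_file() {
    openssl x509 -in "$2" -noout -text | audit_cert_text "$1"
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || echo "CHAIN_VERIFY_FAILED"
    fi
}

# Constructed sample: fields copied from the issued certificate shown above.
sample_leaf_text() {
    cat <<'EOF'
    Signature Algorithm: sha1WithRSAEncryption
    Subject: C=CN, ST=fujian, L=fuzhou, O=opzoon, OU=opzoon
            Public-Key: (2048 bit)
        X509v3 Basic Constraints:
            CA:FALSE
EOF
}

sample_leaf_text | audit_cert_text leaf   # prints: WEAK_DIGEST sha1WithRSAEncryption
```

On the CA host, `audit_cert_file leaf <issued-cert.pem> /etc/pki/CA/cacert.pem` runs the same checks against the real files and additionally confirms that the certificate chains to the CA created above.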
