HTTPS certificate configuration
yum -y install openssl
This installs OpenSSL with yum; the certificates are then created with it.
1. Generate the private key for the root certificate
openssl genrsa -out /home/zhangle/ca.key
2. Use the private key to generate a certificate signing request for the root certificate; the request format is normally CSR. The private key and the CSR should both be kept safe.
openssl req -new -key /home/zhangle/ca.key -out /home/zhangle/ca.csr
3. Self-sign the request created above; the resulting certificate is ca.crt.
openssl x509 -req -days 3650 -in /home/zhangle/ca.csr -signkey /home/zhangle/ca.key -out /home/zhangle/ca.crt
Supplement, 3.1: convert the CA certificate to PFX format
openssl pkcs12 -export -clcerts -in /home/zhangle/ca.crt -inkey /home/zhangle/ca.key -out /home/zhangle/ca.pfx
4. Create the first serial number for our certificates; 4 hex characters are normally used, and the value does not affect later certificate issuance.
It is best to create serial under /etc/pki/CA/
echo FACE > /etc/pki/CA/serial
5. Create the CA's certificate database. This does not affect later operations; the default configuration file already points at this location.
It is best to create index.txt under /etc/pki/CA/
touch /etc/pki/CA/index.txt
6. Create the certificate revocation list that will hold revoked certificates
openssl ca -gencrl -out /home/zhangle/ca.crl -crldays 7
--- That completes the root certificate setup; the next step is issuing certificates.
Step two
1. Create the private key for the server identity certificate
openssl genrsa -out /home/zhangleserver/server.key
2. Generate the certificate signing request
openssl req -new -key /home/zhangleserver/server.key -out /home/zhangleserver/server.csr
3. Issue the server identity certificate with the root certificate
openssl ca -in /home/zhangleserver/server.csr -cert /home/zhangle/ca.crt -keyfile /home/zhangle/ca.key -out /home/zhangleserver/server.crt
4. The server identity certificate is now complete. The certificate and private key can be combined into a PFX-format certificate for use on Microsoft platforms with the following command:
openssl pkcs12 -export -clcerts -in /home/zhangleserver/server.crt -inkey /home/zhangleserver/server.key -out /home/zhangleserver/server.pfx
Step three: issue the client identity certificate
Note: before issuing client certificates, edit index.txt.attr and set unique_subject = no; the CA will then not report an error when signing the client certificate (with the default unique_subject = yes, openssl ca refuses to sign a request whose subject already exists in index.txt).
[root@localhost zhangleclient]# cd /etc/pki/CA/
[root@localhost CA]# ls
certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[root@localhost CA]# cat index.txt
V 180421030309Z FACE unknown /C=CN/ST=SHANGHAI/O=SPDB/OU=SPDB/CN=ZHANGLE/[email protected]
[root@localhost CA]# cat index.txt.attr
unique_subject = yes
[root@localhost CA]# vi index.txt.attr
unique_subject = no
1. Generate the private key (-des3 encrypts the key with a passphrase, which is why the later pkcs12 step prompts for it; 1024-bit RSA is below current minimums, 2048 is the usual choice today)
openssl genrsa -des3 -out /home/zhangleclient/client.key 1024
2. Generate the certificate signing request
openssl req -new -key /home/zhangleclient/client.key -out /home/zhangleclient/client.csr
3. Issue the certificate
openssl ca -in /home/zhangleclient/client.csr -cert /home/zhangle/ca.crt -keyfile /home/zhangle/ca.key -out /home/zhangleclient/client.crt
4. Generate the PFX format
openssl pkcs12 -export -clcerts -in /home/zhangleclient/client.crt -inkey /home/zhangleclient/client.key -out /home/zhangleclient/client.p12
It is better to use the client.pfx produced below rather than client.p12 (both are the same PKCS#12 file; only the extension differs)
openssl pkcs12 -export -clcerts -in /home/zhangleclient/client.crt -inkey /home/zhangleclient/client.key -out /home/zhangleclient/client.pfx
The client certificate is now complete. Note that if client certificates are used on a web server, the web server must be configured with the root certificate to verify the clients; do not forget this!
The basic subject fields must be kept consistent when generating the certificates (the default policy_match in openssl.cnf requires Country, State and Organization to match the CA certificate).
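The whole procedure above, condensed into a non-interactive script as an added example (this is not code from the original post): it recreates the CA database layout the post builds by hand (serial, index.txt, index.txt.attr, newcerts), issues a server and a client certificate with openssl ca, and verifies both against the root. The temporary working directory, the minimal openssl.cnf, the 2048-bit key size and the ZHANGLE-CA / www.example.com / zhangleclient names are this example's own assumptions; the other subject values are reused from the post.

```shell
#!/bin/sh
# Added example (not the post's code): builds the post's CA database layout
# under a temp dir, issues a server and a client cert with openssl ca and
# verifies both. Paths, config and 2048-bit keys are this example's choices.
set -e
BASE="/C=CN/ST=SHANGHAI/O=SPDB"   # subject fields reused from the post

build_ca() {  # $1 = CA directory; creates ca.key, ca.crt and the CA database
  d=$1; mkdir -p "$d/newcerts"
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
EOF
  echo FACE > "$d/serial"                            # step 4: first serial number
  : > "$d/index.txt"                                 # step 5: empty certificate database
  echo "unique_subject = no" > "$d/index.txt.attr"   # same edit as the post's index.txt.attr
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$d/ca.key" -subj "$BASE/CN=ZHANGLE-CA" -out "$d/ca.crt"
}

issue_cert() {  # $1 = CA directory, $2 = file name, $3 = common name
  d=$1; n=$2
  openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
  openssl req -new -key "$d/$n.key" -subj "$BASE/CN=$3" -out "$d/$n.csr"
  openssl ca -batch -config "$d/openssl.cnf" -in "$d/$n.csr" -out "$d/$n.crt" 2>/dev/null
  openssl verify -CAfile "$d/ca.crt" "$d/$n.crt"   # prints "<file>: OK" when it chains to the root
}

demo() {  # returns 0 when both certs verify and the CA database records two valid entries
  d=$(mktemp -d); build_ca "$d"
  issue_cert "$d" server www.example.com
  issue_cert "$d" client zhangleclient
  [ "$(grep -c '^V' "$d/index.txt")" -eq 2 ]
}
```

The one-step `openssl req -new -x509` replaces the post's separate `req -new` plus `x509 -req -signkey`; the server and client steps use the same `openssl ca` call as the post, with -batch and -subj instead of the interactive prompts.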
Root certificate configuration:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHANGHAI
Locality Name (eg, city) [Default City]:SHANGHAI
Organization Name (eg, company) [Default Company Ltd]:SPDB
Organizational Unit Name (eg, section) []:SPDB
Common Name (eg, your name or your server's hostname) []:ZHANGLE
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:SPDB
Server certificate configuration:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHANGHAI
Locality Name (eg, city) [Default City]:SHANGHAI
Organization Name (eg, company) [Default Company Ltd]:SPDB
Organizational Unit Name (eg, section) []:SPDB
Common Name (eg, your name or your server's hostname) []:ZHANGLE
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:SPDB
The export password for the PFX files is always 111111:
Enter Export Password:111111
Verifying - Enter Export Password:111111
Client certificate configuration:
Certificate key password: 111111
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHANGHAI
Locality Name (eg, city) [Default City]:SHANGHAI
Organization Name (eg, company) [Default Company Ltd]:SPDB
Organizational Unit Name (eg, section) []:SPDB
Common Name (eg, your name or your server's hostname) []:ZHANGLE
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
The export password for the PFX files is always 111111:
Enter pass phrase for /home/zhangleclient/client.key:
Enter Export Password:111111
Verifying - Enter Export Password:111111