CA实现

OPENSSL配置文件路径/etc/pki/tls/openssl.cnf
OPENSSL配置文件中CA配置项

[ CA_default ]
dir     = /etc/pki/CA       # Where everything is kept
certs       = $dir/certs        # Where the issued certs are kept
crl_dir     = $dir/crl      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir   = $dir/newcerts     # default place for new certs.
certificate = $dir/cacert.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number                  
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem

1. 建立CA

   cd /etc/pki/CA
   (umask 077;openssl genrsa -out private/cakey.pem 2048 )  #生成CA私钥
   openssl req -new -x509 -key  private/cakey.pem -out cacert.pem -days 3650  #生成CA自签名证书
   > index.txt #建立CA数据库（默认此文件不存在）
   echo 09 > serial #默认此文件不存在，编号数字为16进制

2. 申请证书

   (umask 066;openssl genrsa -out /test/app.key 1024)
   openssl req -new  -key  /test/app.key -out /test/app.csr #生成证书申请

3. 颁发证书

   openssl ca -in /test/app.csr  -out /etc/pki/CA/certs/app.crt -days 100

4. 吊销证书

   openssl ca -revoke newcerts/0B.pem
   openssl  ca -status 0B
   echo 09 > crlnumber
   openssl ca -gencrl -out /etc/pki/CA/crl.pem