Reprinted: http://rackie386.blog.51cto.com/11279229/1947999
CentOS 7.3: create a CA and request a certificate from it
OpenSSL configuration file: /etc/pki/tls/openssl.cnf
Important path settings in the [ CA_default ] section (all relative to dir):
dir = /etc/pki/CA # Where everything is kept
certs = /etc/pki/CA/certs # Where the issued certs are kept
database = /etc/pki/CA/index.txt # database index file.
new_certs_dir = /etc/pki/CA/newcerts # default place for new certs.
certificate = /etc/pki/CA/cacert.pem # The CA certificate
serial = /etc/pki/CA/serial # The current serial number
private_key = /etc/pki/CA/private/cakey.pem # The private key
The [ policy_match ] section assigns one of three rules to each subject field: match, supplied and optional.
match means the value in the request must be identical to the value in the CA certificate (by default: country, province and organization); supplied means the field must be present in the request (common name); optional means it may be left out (organizational unit, email).
1. Create the required files
touch /etc/pki/CA/index.txt    creates the (initially empty) certificate database
echo 01 > /etc/pki/CA/serial    sets the serial number of the first certificate to be issued; it must be a hexadecimal number with an even number of digits, e.g. 01 or 9A
2. CA self-signed certificate
Generate private key
cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generate self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a certificate request (used for the CA's own certificate)
-key: The private key file used to generate the request
-days n: the validity period of the certificate
-out: path to save the certificate
You are prompted for country, province, city, organization, department and the CA's host name; this subject becomes the issuer name on every certificate the CA signs
View the generated self-signed certificate under linux
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
View the generated self-signed certificate under Windows
You need to change the suffix of the above file name to .cer to view
3. Issuing certificates
(1) Generate a certificate request on the host that needs to use the certificate
Generate private key for web server
(umask 066; openssl genrsa -out /app/service.key 2048)
Generate certificate application file
openssl req -new -key /app/service.key -out /app/service.csr
The same prompts for country, province, city and so on follow. Note: under the default policy the country, province and organization name must be identical to the CA's values or signing will be refused. The common name must be the website's domain name, e.g. www.centos73.com, or a wildcard such as *.centos73.com to cover all hosts in the domain. Caveat: current browsers ignore the common name and require the host name in a subjectAltName extension, so a production certificate also needs a SAN (configured in the CA's openssl.cnf, e.g. in the usr_cert section, or copied from the request).
(2) Transfer the certificate request file to the CA
scp /app/service.csr 192.168.10.15:/etc/pki/CA/csr/    (the csr directory is not created by default; mkdir /etc/pki/CA/csr on the CA first)
(3) CA signs the certificate and issues the certificate to the requester
openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365
This writes certs/service.crt and newcerts/xx.pem (named after the certificate's serial number, so 01.pem for the first one); the two files have the same content.
(4) View the information in the certificate :
openssl x509 -in certs/service.crt -noout -text    (or -issuer, -subject, -serial, -dates for just that field)
cat serial    // now holds the serial number the next certificate will get
cat index.txt    // V in the first column means the certificate is valid; the columns are status, expiry date, revocation date, serial, file name and subject
openssl ca -status SERIAL    shows the status of the certificate with the given serial number
cat index.txt.attr    // unique_subject = yes means a subject may hold only one valid certificate; a second request with the same subject is refused
4. Certificate revocation
(1) On the client, read the serial number and subject of the certificate to be revoked (the issued certificate, not the CA certificate):
openssl x509 -in service.crt -noout -serial -subject
(2) On the CA, check that the serial and subject submitted by the client match the entry in index.txt, then revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/xx.pem    (xx is the certificate's serial number, e.g. 01.pem)
cat index.txt    // R in the first column means the certificate has been revoked (E would mean expired)
(3) Set the number of the first revocation list
Note: this is needed only once, before the first CRL is generated; openssl ca increments it on every later -gencrl.
echo 01 > /etc/pki/CA/crlnumber
(4) Update the certificate revocation list :
openssl ca -gencrl -out /etc/pki/CA/crl.pem
View the crl file under linux:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
Under Windows, rename the file with a .crl extension so the built-in viewer opens it.
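The whole procedure above (create the CA, issue a server certificate, revoke it, publish a CRL) as one non-interactive script. This is an added example, not code from the original post: it mirrors the /etc/pki/CA layout in a throwaway directory with its own minimal openssl.cnf so that it can be run and deleted without touching the system CA. The CA subject /C=CN/ST=Beijing/O=centos73, the host name www.centos73.com and the paths are assumptions for the demo; it also adds a subjectAltName to the server certificate, which the original procedure does not.

```shell
#!/bin/sh
# Added example: the article's CA procedure scripted end to end in a scratch dir.
# Constructed values: the CA DN, www.centos73.com and the directory layout.
set -eu

CA_SUBJ_PREFIX="/C=CN/ST=Beijing/O=centos73"   # C, ST and O must match the CA (policy_match)

ca_setup() {   # $1 = CA root directory; creates files, key and self-signed CA cert
    d="$1"
    mkdir -p "$d/certs" "$d/crl" "$d/newcerts" "$d/private" "$d/csr"
    chmod 700 "$d/private"
    touch "$d/index.txt"          # empty certificate database
    echo 01 > "$d/serial"         # first serial: even number of hex digits
    echo 01 > "$d/crlnumber"      # first CRL number, set once
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
certs = \$dir/certs
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = yes
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.centos73.com
EOF
    # CA private key (umask 066 -> owner-only) and self-signed CA certificate
    (umask 066; openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$d/openssl.cnf" -extensions v3_ca \
        -key "$d/private/cakey.pem" -days 7300 \
        -subj "$CA_SUBJ_PREFIX/CN=ca.centos73.com" -out "$d/cacert.pem"
}

ca_issue() {   # $1 = CA dir; web server key + CSR, then signed by the CA
    d="$1"
    (umask 066; openssl genrsa -out "$d/service.key" 2048 2>/dev/null)
    openssl req -new -config "$d/openssl.cnf" -key "$d/service.key" \
        -subj "$CA_SUBJ_PREFIX/CN=www.centos73.com" -out "$d/csr/service.csr"
    # -batch answers the "Sign the certificate?" prompts; writes certs/service.crt and newcerts/01.pem
    openssl ca -config "$d/openssl.cnf" -batch -notext -extensions server_cert \
        -in "$d/csr/service.csr" -out "$d/certs/service.crt" -days 365 2>/dev/null
}

ca_revoke() {   # $1 = CA dir; revoke the first issued cert and regenerate the CRL
    d="$1"
    openssl ca -config "$d/openssl.cnf" -revoke "$d/newcerts/01.pem" 2>/dev/null
    openssl ca -config "$d/openssl.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

ca_index_status() {   # $1 = CA dir, $2 = serial; prints V (valid), R (revoked) or E (expired)
    awk -v s="$2" -F'\t' '$4 == s { print $1 }' "$1/index.txt"
}

ca_verify() {   # $1 = CA dir; exit 0 only if service.crt chains to the CA and is not on the CRL
    d="$1"
    [ -f "$d/crl.pem" ] || openssl ca -config "$d/openssl.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
    cat "$d/cacert.pem" "$d/crl.pem" > "$d/ca_and_crl.pem"   # -CAfile may carry CRLs too
    openssl verify -crl_check -CAfile "$d/ca_and_crl.pem" "$d/certs/service.crt" >/dev/null 2>&1
}

ca_demo() {   # usage: sh thisscript.sh run
    d="$(mktemp -d)"
    ca_setup "$d"; ca_issue "$d"
    echo "after issue:  index=$(ca_index_status "$d" 01) verify=$(ca_verify "$d" && echo ok || echo revoked/invalid)"
    ca_revoke "$d"
    echo "after revoke: index=$(ca_index_status "$d" 01) verify=$(ca_verify "$d" && echo ok || echo revoked/invalid)"
    openssl crl -in "$d/crl.pem" -noout -text | grep 'Serial Number'
    rm -rf "$d"
}

case "${1:-}" in run) ca_demo ;; esac
```

The verification step is the check the article omits: a client only benefits from the revocation if it actually fetches the CRL, so the demo feeds crl.pem to openssl verify with -crl_check and shows the same certificate passing before the revocation and failing after it.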
This article is from the "rackie" blog; please keep this source: http://rackie386.blog.51cto.com/11279229/1947999