Centos7 creates a CA and applies for a certificate

Reprinted: http://rackie386.blog.51cto.com/11279229/1947999


Centos7.3 creates a CA and applies for a certificate

The configuration file of openssl: /etc/pki/tls/openssl.cnf

Important parameter configuration path

dir   = /etc/pki/CA                # Where everything is kept

certs   = /etc/pki/CA/certs            # Where the issued certs are kept

database    = /etc/pki/CA/index.txt        # database index file.

new_certs_dir    = /etc/pki/CA/newcerts         # default place for new certs.

certificate   = /etc/pki/CA/cacert.pem       # The CA certificate

serial    = /etc/pki/CA/serial           # The current serial number

private_key    = /etc/pki/CA/private/cakey.pem   # The private key


Three policy values: match, supplied and optional

match means the field in the certificate request must be identical to the same field in the CA's own certificate; supplied means the field must be present in the request; optional means the field may be left out.

1. Create the required files

Generate the certificate index (database) file:

touch /etc/pki/CA/index.txt

Specify the serial number of the first certificate to be issued; it must be a two-digit hexadecimal number, such as 01 or 9A:

echo 01 > /etc/pki/CA/serial

2. CA self-signed certificate

Generate private key

cd /etc/pki/CA/

(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Generate self-signed certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: generate a new certificate signing request

-x509: output a self-signed certificate instead of a request (used for the CA's own certificate)

-key: The private key file used to generate the request

-days n: validity period of the certificate, in days

-out: path to save the certificate

You will be prompted for the country, province, city, company name, department name and the CA host name (the issuer name).


View the generated self-signed certificate under linux

openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

View the generated self-signed certificate under Windows

Rename the file above so that its extension is .cer, then open it.


3. Issuing certificates

(1) Generate a certificate request on the host that needs to use the certificate

Generate private key for web server

(umask 066; openssl genrsa -out /app/service.key 2048)

Generate certificate application file

openssl req -new -key /app/service.key -out /app/service.csr

The same prompts for country, province, city and the other fields appear. Note: the country, province and company name must match the CA's values (the match policy above). The host name (Common Name) must be identical to the website's domain name, for example www.centos73.com, or use a wildcard name such as *.centos73.com to match all hosts under that domain.

(2) Transfer the certificate request file to the CA

scp /app/service.csr 192.168.10.15:/etc/pki/CA/csr/

(3) CA signs the certificate and issues the certificate to the requester

openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365

This produces certs/service.crt and newcerts/xx.pem (xx being the certificate's serial number); the two files are identical.

(4) View the information in the certificate :

openssl x509 -in certs/service.crt -noout -text   (or -issuer, -subject, -serial, -dates for a single field)

cat serial

cat index.txt          # V indicates that the certificate is currently valid

openssl ca -status SERIAL   # show the status of the certificate with the given serial number

cat index.txt.attr     # unique_subject = yes means subject information must be unique; the same subject cannot be certified twice


4. Certificate revocation

(1) On the client side, obtain the serial and subject of the certificate to be revoked (service.crt is the certificate issued above; the original command pointed at cacert.pem, which would print the CA's own serial):

openssl x509 -in service.crt -noout -serial -subject

(2) On the CA, check that the serial and subject submitted by the client match the entry in the index.txt file, then revoke the certificate:

openssl ca -revoke /etc/pki/CA/newcerts/xx.pem

cat index.txt          # R indicates that the certificate has been revoked

(3) Specify the number of the first CRL

Note: this is only needed the first time the certificate revocation list is generated.

echo 01 > /etc/pki/CA/crlnumber

(4) Update the certificate revocation list :

openssl ca -gencrl -out /etc/pki/CA/crl.pem

View the CRL file under Linux:

openssl crl -in /etc/pki/CA/crl.pem -noout -text

To view the revocation list file under Windows, rename it so that its extension is .crl.
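The whole procedure above, from the index and serial files in step 1 through the CRL in step 4, as an added shell example that is not part of the original post: it runs in a temporary directory instead of /etc/pki/CA (so no root is needed), uses a minimal stand-in openssl.cnf with the same paths and a match policy, passes assumed subject values with -subj instead of answering prompts, and ends by checking with openssl verify -crl_check that the revoked certificate is really rejected.

```shell
# Added example (not from the original post): the page's CA workflow run in a throwaway
# directory instead of /etc/pki/CA (no root needed); all DN values are assumed.
set -eu
ca_demo() {
  d=$(mktemp -d); cd "$d"
  mkdir -p certs newcerts private csr
  touch index.txt; echo 01 > serial; echo 01 > crlnumber   # page steps 1 and 4(3)
  # Minimal stand-in for openssl.cnf: page's layout, 'match' policy for C/ST/O
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/private/cakey.pem
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 066; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)   # step 2
  openssl req -new -x509 -key private/cakey.pem -days 7300 -config ca.cnf \
    -subj '/C=CN/ST=Beijing/O=Example/CN=ca.centos73.com' -out cacert.pem
  (umask 066; openssl genrsa -out service.key 2048 2>/dev/null)          # step 3
  openssl req -new -key service.key -config ca.cnf \
    -subj '/C=CN/ST=Beijing/O=Example/CN=www.centos73.com' -out csr/service.csr
  openssl ca -batch -config ca.cnf -in csr/service.csr -out certs/service.crt -days 365 2>/dev/null
  openssl verify -CAfile cacert.pem certs/service.crt >/dev/null   # chain is good before revoking
  openssl ca -batch -config ca.cnf -revoke certs/service.crt 2>/dev/null   # step 4
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat cacert.pem crl.pem > ca_and_crl.pem   # verify needs the CRL next to the CA cert
  if openssl verify -crl_check -CAfile ca_and_crl.pem certs/service.crt >/dev/null 2>&1
  then verdict=still_valid; else verdict=revoked; fi
  echo "$(cut -f1 index.txt) $verdict"   # expect "R revoked": R is the index.txt status
}
ca_demo
```

The unchecked verify before revocation matters: without it, any broken chain would also produce a "revoked" verdict, so the test would not prove that the CRL is what rejected the certificate.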

This article is from the " rackie " blog, please be sure to keep this source http://rackie386.blog.51cto.com/11279229/1947999
