k8s: Issuing certificates

1. Prepare the certificate issuing environment

Operations and maintenance host: hdss-1-200.host.com

2. Install CFSSL

Certificate issuing tool: CFSSL R1.2

cfssl download address: https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

cfssl-json download address: https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

cfssl-certinfo download address: https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

3. Download to the specified directory

[root@hdss-1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
[root@hdss-1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
[root@hdss-1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo

4. List the files and assign execute permission

[root@hdss-1-200 bin]# ls -lrt cf*
-rw-r--r-- 1 root root  2277873 Feb  8 12:01 cfssl-json
-rw-r--r-- 1 root root  6595195 Feb  8 12:01 cfssl-certinfo
-rw-r--r-- 1 root root 10376657 Feb  8 12:01 cfssl
[root@hdss-1-200 bin]# chmod +x /usr/bin/cfssl*
[root@hdss-1-200 bin]# ls -lrt cf*
-rwxr-xr-x 1 root root  2277873 Feb  8 12:01 cfssl-json
-rwxr-xr-x 1 root root  6595195 Feb  8 12:01 cfssl-certinfo
-rwxr-xr-x 1 root root 10376657 Feb  8 12:01 cfssl
[root@hdss-1-200 bin]# which cfssl-certinfo
/usr/bin/cfssl-certinfo
[root@hdss-1-200 bin]# which cfssl
/usr/bin/cfssl
[root@hdss-1-200 bin]# which cfssl-json
/usr/bin/cfssl-json
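
Steps 3 and 4 install the downloaded binaries into /usr/bin as root without any integrity check. The following is an added example, not part of the original post, of gating the install on a pinned SHA-256 digest; the function names and the ".unverified" suffix are assumptions, the page publishes no digests, and the sample file is constructed.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_verified(staged, dest, expected_sha256):
    """Copy `staged` to `dest` (mode 0755) only if its SHA-256 matches the pin."""
    candidate = dest + ".unverified"  # hypothetical temporary name
    # Hash the private copy, not the staged file, so the bytes that were
    # checked are exactly the bytes that get installed.
    shutil.copyfile(staged, candidate)
    try:
        actual = sha256_file(candidate)
        if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
            raise ValueError("digest mismatch for %s: got %s" % (dest, actual))
        os.chmod(candidate, 0o755)
        os.replace(candidate, dest)  # atomic rename within one directory
    finally:
        if os.path.exists(candidate):
            os.remove(candidate)  # never leave a rejected file behind
    return actual


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        staged = os.path.join(tmp, "cfssl_linux-amd64")
        with open(staged, "wb") as handle:
            handle.write(b"constructed stand-in for a downloaded binary\n")
        pin = sha256_file(staged)  # in practice: a digest from a trusted source
        dest = os.path.join(tmp, "cfssl")
        install_verified(staged, dest, pin)
        print(oct(os.stat(dest).st_mode & 0o777), dest)
```
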

5. Create the designated directory for issuing certificates

[root@hdss-1-200 opt]# mkdir certs
[root@hdss-1-200 opt]# cd certs/
[root@hdss-1-200 certs]# 

6. Create the JSON configuration file used to generate the CA certificate signing request (CSR)

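[root@hdss-1-200 certs]# vi /opt/certs/ca-csr.json
{
    "CN": "OldboyEdu",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}

Field notes (JSON has no comment syntax, so keep these out of the file itself):

CN: organization name. Browsers use this field to verify whether a website is legitimate, so it is usually a domain name; it is very important.
key.algo: algorithm
key.size: key length
C: country
ST: state or province
L: locality or city
O: organization name, company name
OU: organizational unit name, company department
ca.expiry: expiration time. Every certificate has an expiration time; 175200h is 20 years.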

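7. Issue the certificate

Run on its own, the command logs its progress and prints the certificate, CSR and private key as one JSON object on standard output.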

[root@hdss-1-200 certs]# cfssl gencert -initca ca-csr.json 
2021/02/08 12:13:54 [INFO] generating a new CA key and certificate from CSR
2021/02/08 12:13:54 [INFO] generate received request
2021/02/08 12:13:54 [INFO] received CSR
2021/02/08 12:13:54 [INFO] generating key: rsa-2048
2021/02/08 12:13:54 [INFO] encoded CSR
2021/02/08 12:13:54 [INFO] signed certificate with serial number 240189431803521968703357144322271086616848173037

8. Generate the bare certificate files

[root@hdss-1-200 certs]# ls
ca-csr.json
[root@hdss-1-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2021/02/09 15:30:09 [INFO] generating a new CA key and certificate from CSR
2021/02/09 15:30:09 [INFO] generate received request
2021/02/09 15:30:09 [INFO] received CSR
2021/02/09 15:30:09 [INFO] generating key: rsa-2048
2021/02/09 15:30:10 [INFO] encoded CSR
2021/02/09 15:30:10 [INFO] signed certificate with serial number 80946315882407051316915181916096221469731026792
[root@hdss-1-200 certs]# ll
total 16
-rw-r--r-- 1 root root  993 Feb  9 15:30 ca.csr
-rw-r--r-- 1 root root  346 Feb  9 15:29 ca-csr.json
-rw------- 1 root root 1675 Feb  9 15:30 ca-key.pem
-rw-r--r-- 1 root root 1346 Feb  9 15:30 ca.pem
[root@hdss-1-200 certs]# 
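
Steps 7 and 8 differ only in where the private key ends up: on the terminal, or in ca-key.pem with mode 0600. The following is an added example, not part of the original post and not cfssl-json's own code, that splits a JSON bundle with the cert/csr/key fields into the files and modes shown in the listing above; the function names are assumptions and the PEM bodies are constructed placeholders.

```python
import json
import os
import tempfile

# Constructed stand-in for the JSON printed by `cfssl gencert -initca`.
# The PEM bodies are placeholders, not real key material.
SAMPLE_BUNDLE = json.dumps({
    "cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nPLACEHOLDER\n"
           "-----END CERTIFICATE REQUEST-----\n",
    "key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
           "-----END RSA PRIVATE KEY-----\n",
})

# bundle field -> (file suffix, mode), matching the `ll` listing in step 8
LAYOUT = {
    "cert": (".pem", 0o644),
    "csr": (".csr", 0o644),
    "key": ("-key.pem", 0o600),
}


def write_bare(bundle_json, directory, prefix):
    """Write <prefix>.pem, <prefix>.csr and <prefix>-key.pem from a bundle."""
    bundle = json.loads(bundle_json)
    missing = [field for field in LAYOUT if not bundle.get(field)]
    if missing:
        raise ValueError("bundle is missing fields: " + ", ".join(missing))
    written = {}
    for field, (suffix, mode) in LAYOUT.items():
        path = os.path.join(directory, prefix + suffix)
        # The mode is applied at creation, so the key is never readable by
        # other users, even briefly. O_EXCL (a choice made in this example)
        # refuses to overwrite an existing CA key.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "w") as handle:
            handle.write(bundle[field])
        os.chmod(path, mode)  # make the result independent of the umask
        written[field] = path
    return written


def group_or_other_access(path):
    """True if anyone besides the owner has any permission on the file."""
    return bool(os.stat(path).st_mode & 0o077)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for field, path in write_bare(SAMPLE_BUNDLE, tmp, "ca").items():
            print(field, oct(os.stat(path).st_mode & 0o777), os.path.basename(path))
```
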

9. View the certificate signing request

[root@hdss-1-200 certs]# cat ca.csr 
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
[root@hdss-1-200 certs]# 

 


Reposted from: blog.csdn.net/yanghuadong_1992/article/details/113766448