Private CA establishment and certificate request

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


A CA has a fixed directory layout and naming scheme when it is created. The details are in /etc/pki/tls/openssl.cnf, which holds the CA-related configuration.

Two of the more important settings in that file are:

1. This section defines the directory layout of the CA:

```
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
```

2. This section sets the rules for certificate signing. Every field marked match must be identical in the client's certificate signing request and in the CA certificate; the policy can be changed if different rules are wanted.

```
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match  # if this is changed to policy_anything, requests whose
                                # countryName, stateOrProvinceName and organizationName
                                # differ from the CA's can also be signed

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
```

I. Create the private CA
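As an added example (not from the page), the following shell functions apply the policy_match table to a request subject before it is sent to the CA, so a client can see in advance whether openssl ca will accept it. Subjects use the /C=CN/ST=.../CN=... form that openssl x509 -noout -subject prints later on this page; the function names are my own.

```shell
#!/bin/bash
# Added example: pre-check a CSR subject against the policy_match rules.
# Works in any POSIX shell; the subject format is the one openssl prints.

# get_rdn SUBJECT KEY: print the value of KEY in SUBJECT, empty if absent
get_rdn() {
  printf '%s\n' "$1" | tr '/' '\n' |
    awk -F= -v k="$2" '$1 == k {print substr($0, length(k) + 2); exit}'
}

# check_policy_match CA_SUBJECT CSR_SUBJECT: returns 0 if openssl ca would
# accept the request under policy_match; prints one line per violation
check_policy_match() {
  local ca=$1 csr=$2 rc=0 key ca_v csr_v
  # "match": the field must be present and identical to the CA's value
  for key in C ST O; do
    ca_v=$(get_rdn "$ca" "$key"); csr_v=$(get_rdn "$csr" "$key")
    if [ "$ca_v" != "$csr_v" ]; then
      echo "$key must match the CA's '$ca_v', request has '$csr_v'"; rc=1
    fi
  done
  # "supplied": commonName must be present, any value; OU and email are optional
  [ -n "$(get_rdn "$csr" CN)" ] || { echo "CN must be supplied"; rc=1; }
  # localityName is not listed in policy_match at all, so openssl ca copies
  # only the listed fields and L is left out of the issued certificate
  # (this is why the signed certificate on this page has no L= entry)
  [ -z "$(get_rdn "$csr" L)" ] || echo "note: L is not in policy_match and will be dropped"
  return $rc
}
```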

1. Generate certificate index database file

```
[root@centos7 CA]# touch index.txt
```

2. Specify the starting certificate serial number

```
[root@centos7 CA]# echo 01 > serial
```

3. Generate a private key

The private key must be stored under /etc/pki/CA/private and named cakey.pem.

```
[root@centos7 CA]# (umask 066; openssl genrsa -out private/cakey.pem 4096)   # generate a 4096-bit private key
Generating RSA private key, 4096 bit long modulus
..++
.++
e is 65537 (0x10001)
```

4. Generate self-signed certificate

The location and name of the self-signed certificate are also fixed: it must be stored under /etc/pki/CA/ and named cacert.pem.

```
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650   # self-signed certificate valid for 3650 days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
```

II. The client applies for a certificate

1. Generate a private key file on the client

The client's private key is normally generated in the directory of the application that needs it.

```
[root@centos7 data]# (umask 066; openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
.+
.+
e is 65537 (0x10001)
```

2. Generate a certificate signing request with the private key

Country Name, State or Province Name and Organization Name in the signing request must be the same as in the CA certificate.

```
[root@centos7 data]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

3. Send the certificate signing request to CA

```
[root@centos7 data]# scp test.csr 192.168.73.132:/tmp
The authenticity of host '192.168.73.132 (192.168.73.132)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.132' (ECDSA) to the list of known hosts.
root@192.168.73.132's password:
test.csr                                    100%  660   220.9KB/s   00:00
```

III. The CA server signs the certificate

When signing a certificate, the CA server specifies how long the certificate is valid.

```
[root@centos7 CA]# openssl ca -in /tmp/test.csr -out certs/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = ops
            commonName                = www.mylinuxops.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier:
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

Certificate is to be certified until Apr 14 22:42:33 2020 GMT (days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

IV. Others

1. View the information in the certificate:

```
[root@centos7 CA]# openssl x509 -in certs/test.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=magedu, OU=ops, CN=ca.magedu.com
        Validity
            Not Before: Apr 15 22:42:33 2019 GMT
            Not After : Apr 14 22:42:33 2020 GMT
        Subject: C=CN, ST=beijing, O=magedu, OU=ops, CN=www.mylinuxops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    [modulus bytes omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6F:FE:2A:6D:CA:54:71:43:EC:58:54:8B:94:8E:92:BC:04:9B:6D:91
            X509v3 Authority Key Identifier:
                keyid:EE:25:E6:80:F8:8A:68:3F:E5:5E:C4:38:FB:1C:B9:93:C9:2B:5B:AD

    Signature Algorithm: sha256WithRSAEncryption
         [signature bytes omitted]
```

2. View the status of the certificate with a given serial number

```
[root@centos7 CA]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)
```

CA certificate revocation

1. On the client, read the serial number and subject of the certificate to be revoked:

```
[root@centos7 certs]# openssl x509 -in test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com
```

2. On the CA server, compare them with the entry in index.txt (the columns are: status flag, expiry date, revocation date, serial number, certificate file name, subject):

```
[root@centos7 CA]# cat index.txt
V       200414224233Z           01      unknown /C=CN/ST=beijing/O=magedu/OU=ops/CN=www.mylinuxops.com
```

3. Revoke the certificate:

```
[root@centos7 CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
```

4. Set the number of the first CRL (this step is only required before the first revocation list is generated):

```
[root@centos7 CA]# echo 01 > /etc/pki/CA/crlnumber
```

5. Generate the certificate revocation list:

```
[root@centos7 CA]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
```

6. View the certificate revocation list:

```
[root@centos7 CA]# openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=ca.magedu.com
        Last Update: Apr 16 08:41:46 2019 GMT
        Next Update: May 16 08:41:46 2019 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Apr 16 08:38:37 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption
         [signature bytes omitted]
```
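The issuance steps (sections I to III) and the revocation steps just shown, run end to end as an added example; this is my script, not the page's or any project's. It rebuilds the /etc/pki/CA layout in a scratch directory with a cut-down config, signs a request whose C/ST/O match the CA, verifies the result with openssl verify, then revokes it, publishes a CRL and shows that verification with -crl_check now fails; the last function reads the V/R flag back out of index.txt. It assumes openssl 1.1.1 or later; the hostnames and the 2048-bit keys are my choices (the page's 1024-bit client key is below current minimums).

```shell
#!/bin/bash
# Added example: the page's CA -> CSR -> sign -> revoke flow, non-interactive,
# in a throwaway directory. Assumes openssl >= 1.1.1 on PATH; all names here
# are constructed (magedu / *.test), not real hosts.
set -e
CADIR=$(mktemp -d)

setup_ca() {   # same layout as /etc/pki/CA; config cut down to what openssl ca needs
  mkdir -p "$CADIR/certs" "$CADIR/newcerts" "$CADIR/private"
  touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"; echo 01 > "$CADIR/crlnumber"
  printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' "dir = $CADIR" \
    'database = $dir/index.txt' 'new_certs_dir = $dir/newcerts' \
    'certificate = $dir/cacert.pem' 'private_key = $dir/private/cakey.pem' \
    'serial = $dir/serial' 'crlnumber = $dir/crlnumber' 'default_md = sha256' \
    'default_crl_days = 30' 'policy = policy_match' '[ policy_match ]' \
    'countryName = match' 'stateOrProvinceName = match' 'organizationName = match' \
    'organizationalUnitName = optional' 'commonName = supplied' \
    '[ req ]' 'distinguished_name = req_dn' '[ req_dn ]' > "$CADIR/ca.cnf"
  (umask 066; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 >/dev/null 2>&1)
  openssl req -new -x509 -config "$CADIR/ca.cnf" -key "$CADIR/private/cakey.pem" \
    -out "$CADIR/cacert.pem" -days 3650 -addext 'basicConstraints=critical,CA:TRUE' \
    -subj '/C=CN/ST=beijing/O=magedu/CN=ca.magedu.test'
}
make_csr() {   # client side; C, ST and O match the CA as policy_match requires
  (umask 066; openssl genrsa -out "$CADIR/test.key" 2048 >/dev/null 2>&1)
  openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/test.key" -out "$CADIR/test.csr" \
    -subj '/C=CN/ST=beijing/L=beijing/O=magedu/OU=ops/CN=www.mylinuxops.test'
}
sign_and_verify() {   # -batch answers the two y/n prompts; then check the chain
  openssl ca -batch -config "$CADIR/ca.cnf" -in "$CADIR/test.csr" \
    -out "$CADIR/certs/test.crt" -days 365 >/dev/null 2>&1
  openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/certs/test.crt" >/dev/null
}
revoke_and_check() {   # revoke serial 01, publish the CRL, confirm -crl_check rejects it
  openssl ca -config "$CADIR/ca.cnf" -revoke "$CADIR/newcerts/01.pem" >/dev/null 2>&1
  openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/crl.pem" >/dev/null 2>&1
  ! openssl verify -crl_check -CAfile "$CADIR/cacert.pem" -CRLfile "$CADIR/crl.pem" \
      "$CADIR/certs/test.crt" >/dev/null 2>&1
}
index_status() {   # V/R flag for a serial in index.txt (serial is field 3 on V rows, 4 on R rows)
  awk -v s="$1" '$1 == "V" && $3 == s {print "Valid"} $1 == "R" && $4 == s {print "Revoked"}' \
    "$CADIR/index.txt"
}
run_flow() {   # whole flow; prints the final index.txt status of serial 01
  setup_ca; make_csr; sign_and_verify; revoke_and_check; index_status 01
}
```

Call run_flow to execute the sequence; it prints Revoked and leaves the CA, CRL and certificate under $CADIR for inspection with the openssl x509 and openssl crl commands shown above.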

Create a private CA using a script

```
#!/bin/bash
# Menu-driven wrapper around the steps above: create the CA, request a
# certificate on a client, or sign a request on the CA server.
PS3="please choose a number: "
select menu in "create CA" "apply for certificate" "issue certificate" "exit"; do
    case $menu in
    "create CA")
        cd /etc/pki/CA
        touch index.txt            # certificate index database
        echo 01 > serial           # first serial number to issue
        (umask 066; openssl genrsa -out private/cakey.pem 4096)
        openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
        ;;
    "apply for certificate")
        read -p "please input your need crt appdir: " APPDIR
        read -p "please input your need crt app name: " NAME
        read -p "please input CA server ip: " IP
        cd "$APPDIR"
        (umask 066; openssl genrsa -out "${NAME}.key" 2048)
        openssl req -new -key "${NAME}.key" -out "${NAME}.csr"
        scp "${NAME}.csr" "${IP}:/tmp"
        unset IP
        ;;
    "issue certificate")
        read -p "please input client ip: " IP
        NAME=$(cd /tmp && ls *.csr)          # the CSR the client uploaded to /tmp
        NAME=${NAME%.csr}                    # strip the extension, keep the base name
        openssl ca -in "/tmp/${NAME}.csr" -out "/etc/pki/CA/certs/${NAME}.crt"
        rm -rf /tmp/*.csr
        scp "/etc/pki/CA/certs/${NAME}.crt" "${IP}:/tmp"
        unset IP
        ;;
    "exit")
        break
        ;;
    esac
done
```
