2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Build CA certificate on Centos8
To set up a self-built CA on CentOS 8 we use openssl. First look at the openssl configuration file:
[root@Centos8 data]# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
This section describes the CA directory layout: which files live in each directory and what they are for.
On CentOS 7 the CA directory tree ships with the system, but on CentOS 8 only the CA home directory /etc/pki/CA exists, so create the subdirectories following the CentOS 7 layout.
Directory structure on CentOS 7:
[root@centos7 ~]# cd /etc/pki/CA/
[root@centos7 CA]# tree .
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
Run on CentOS 8:
[root@Centos8 data]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@Centos8 data]# cd /etc/pki/CA/private/
Generate the private key:
(umask 077; openssl genrsa -out cakey.pem 4096)
Generate a self-signed CA certificate (run from /etc/pki/CA, where the key is referenced as private/cakey.pem):
[root@Centos8 private]# cd /etc/pki/CA
[root@Centos8 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wj02
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:www.wj02.com
Email Address []:
[root@Centos8 CA]#
The contents to enter are as follows:
Enter: (country code) CN
Enter: (province) beijing
Enter: (city) beijing
Enter: (company name) wj02
Enter: (Department name) M39
Enter: (username or hostname) www.wj02.com
Enter: (email address) can be left blank; just press Enter.
Fill in each prompt with the values appropriate to your own setup.
Command to view the self-signed certificate's details:
[root@Centos8 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:cf:75:6e:3a:94:cc:98:38:c1:48:c7:d9:37:70:e3:fb:71:19:e6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
        Validity
            Not Before: Nov 12 06:50:53 2019 GMT
            Not After : Nov  9 06:50:53 2029 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
This shows the certificate's details (the output is truncated here).
The next steps run on a second machine: the host requesting a certificate generates its own private key, so at least two machines are needed.
Generate the private key:
(umask 077; openssl genrsa -out app.key 1024)
Generate a certificate signing request (CSR) for the CA:
openssl req -new -key app.key -out app.csr
Note that three fields, the country, the province and the organization name, must match the CA's self-signed certificate, because the configuration file requires it:
policy          = policy_match
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
These three fields are forced to be identical; of course, you can also change this policy in the configuration file.
Send the CSR file to the CA server using scp (the request file is named test.csr from here on):
scp test.csr 192.168.38.120:/etc/pki/CA
Next, on the CA server, sign the certificate for test.csr:
[root@Centos8 CA]# openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
140011092936512:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140011092936512:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#
An error? Don't panic: it is caused by a missing file. The message shows that /etc/pki/CA/index.txt does not exist, so create it:
touch /etc/pki/CA/index.txt
Run again:
[root@Centos8 CA]# openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#
Still an error? This time /etc/pki/CA/serial is missing, and it cannot simply be an empty file: it has to contain something.
The configuration file tells us this file holds the current certificate serial number, so we just give it a starting value:
[root@Centos8 CA]# echo 01 > /etc/pki/CA/serial
Run again:
[root@Centos8 CA]# openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140145607882560:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140145607882560:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 12 07:26:38 2019 GMT
            Not After : Nov 11 07:26:38 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = wj02
            organizationalUnitName    = M39
            commonName                = www.wj02.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A2:A8:2B:77:95:4C:E8:80:0C:50:DF:0E:89:ED:17:94:4E:DF:AC:71
            X509v3 Authority Key Identifier:
                keyid:D8:E4:A8:09:2A:2D:13:39:29:63:83:5E:CF:8D:EA:99:A6:79:0B:67

Certificate is to be certified until Nov 11 07:26:38 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos8 CA]#
Success. Remember to answer y twice.
At this point the self-built CA certificate is generated and ready to use.
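The whole procedure above, collapsed into a script that also pre-creates the two files the author had to add by hand (index.txt and serial), is given here as an added example; these are not the article's own commands. It builds a throwaway CA under a temporary directory with a trimmed-down openssl.cnf in place of /etc/pki/tls/openssl.cnf, signs non-interactively with -batch instead of answering y twice, uses 2048-bit keys rather than the 1024-bit key above, and exposes the policy_match rejection when the country field differs. The CA_DIR location, the subjects and the CN ca.wj02.com are constructed values.

```shell
# Constructed example: a throwaway CA with the same layout the article builds
# under /etc/pki/CA; index.txt and serial are created up front so "openssl ca"
# does not stop on the missing-file errors shown above.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"      # stand-in for the article's /etc/pki/CA

setup_ca() {
  mkdir -p "$CA_DIR"/certs "$CA_DIR"/crl "$CA_DIR"/newcerts "$CA_DIR"/private
  chmod 700 "$CA_DIR"/private
  touch "$CA_DIR"/index.txt             # certificate database; may start empty
  echo 01 > "$CA_DIR"/serial            # next serial number; must not be empty
  # Trimmed config: the [CA_default] paths and policy_match rules the article
  # quotes, plus the [req] section that "openssl req" insists on.
  cat > "$CA_DIR"/openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  (umask 077; openssl genrsa -out "$CA_DIR"/private/cakey.pem 2048 2>/dev/null)
  # Self-signed root; basicConstraints CA:TRUE is what lets "openssl verify" accept it.
  openssl req -new -x509 -config "$CA_DIR"/openssl.cnf -key "$CA_DIR"/private/cakey.pem \
    -out "$CA_DIR"/cacert.pem -days 3650 -addext "basicConstraints=critical,CA:TRUE" \
    -subj "/C=CN/ST=beijing/O=wj02/OU=M39/CN=ca.wj02.com"
}
make_csr() {  # $1 key file, $2 csr file, $3 subject (done on the requesting host)
  (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
  openssl req -new -config "$CA_DIR"/openssl.cnf -key "$1" -out "$2" -subj "$3"
}
sign_csr() {  # $1 csr, $2 cert out; -batch answers both "y" prompts; fails if C/ST/O differ
  openssl ca -batch -config "$CA_DIR"/openssl.cnf -in "$1" -out "$2" -days 365
}
```

After a successful signing, serial holds 02 and index.txt gains a V (valid) line, which is the database update the article's final run reports.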