Centos搭建简单的证书机构,CA证书服务器
CA认证:
CA认证,即电子认证服务 [1] ,是指为电子签名相关各方提供真实性、可靠性验证的活动。
证书颁发机构(CA, Certificate Authority)即颁发数字证书的机构。是负责发放和管理数字证书的权威机构,并作为电子商务交易中受信任的第三方,承担公钥体系中公钥的合法性检验的责任。
1、配置证书服务器
安装openssl
yum install -y openssl*
首先在配置文件里面查看CA证书需要哪些文件和哪些目录
vim /etc/pki/tls/openssl.cnf
54 ####################################################################
55 [ ca ]
56 default_ca = CA_default # The default ca section
57
58 ####################################################################
59 [ CA_default ]
60
61 dir = /etc/pki/CA # Where everything is kept 所有东西保存的位置
62 certs = $dir/certs # Where the issued certs are kept 已发出证书存放与何处
63 crl_dir = $dir/crl # Where the issued crl are kept 已签发的crl保存位置
64 database = $dir/index.txt # database index file. 数据库索引文件
65 #unique_subject = no # Set to 'no' to allow creation of 设置为no以允许创建
66 # several certs with same subject. 几个相同科目的证书
67 new_certs_dir = $dir/newcerts # default place for new certs. 新证书默认位置
68
69 certificate = $dir/cacert.pem # The CA certificate CA证书
70 serial = $dir/serial # The current serial number 当前序列号
71 crlnumber = $dir/crlnumber # the current crl number 当前crl编号
72 # must be commented out to leave a V1 CRL 必须注释掉以留下V1 CRL
73 crl = $dir/crl.pem # The current CRL 当前CRL
74 private_key = $dir/private/cakey.pem# The private key 私钥
查看配置文件后发现需要在 /etc/pki/CA 下创建CA文件夹
在CA文件夹的private下创建一个私钥cakey.pem
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# openssl genrsa -out private/cakey.pem
在CA文件夹下创建CA根证书
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijin
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:CA.skills.com
Email Address []:
在CA文件下创建 数据库索引文件和当前序列号
[root@CA CA]# touch /etc/pki/CA/index.txt
[root@CA CA]# echo 00 > /etc/pki/CA/serial
证书机构就配置好了
2、签署证书
创建私钥
openssl genrsa -out nginx.key
创建证书请求文件
openssl req -new -key nginx.key -out nginx.csr #需要注意的是国家,所在省,公司名称这三项一定要和证书服务器一致
签署证书
[root@CA ssl]# openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 8 14:55:29 2022 GMT
Not After : Mar 8 14:55:29 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = skills
organizationalUnitName = system
commonName = nginx
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:05:71:33:2A:C2:97:2B:2C:5F:A4:5A:F6:3E:BB:00:13:88:8F:F2
X509v3 Authority Key Identifier:
keyid:7E:D2:9B:80:D2:FA:13:3C:9E:E3:13:DA:B5:6E:68:BB:51:0D:D7:AACertificate is to be certified until Mar 8 14:55:29 2023 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看证书信息
[root@CA ssl]# openssl x509 -in nginx.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Beijing, L = Beijin, O = skills, OU = system, CN = CA.skills.com
Validity
Not Before: Mar 8 14:55:29 2022 GMT
Not After : Mar 8 14:55:29 2023 GMT
Subject: C = CN, ST = Beijing, O = skills, OU = system, CN = nginx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:be:ca:d8:96:33:d6:6f:be:78:06:0f:93:c3:43:
a1:6f:d9:69:31:70:c7:a0:60:a6:b9:7f:10:35:b3:
11:be:4e:c9:13:53:2a:49:23:64:4c:ce:ae:00:e1:
2d:8a:f3:70:d0:27:28:dd:da:13:4b:06:06:63:8d:
ad:7b:c8:8c:47:e8:2e:8f:a0:2d:c9:29:45:b7:7c:
c4:e6:9c:21:65:85:38:ac:56:32:70:4b:c2:94:c8:
d3:c5:67:21:6c:b2:5c:f3:68:ab:14:28:a2:d5:a1:
bc:b0:25:1d:03:d5:31:a0:bf:a1:f9:8e:9f:5c:d6:
fb:21:7b:11:ab:52:c0:13:ae:3d:ab:86:4e:f4:42:
74:52:7d:61:2f:a8:98:2e:79:10:ef:d2:60:ba:42:
75:12:d2:e1:31:1c:2c:fd:1b:b7:79:38:e9:a1:a9:
d2:77:df:03:e2:df:07:bc:8a:47:b6:86:71:1d:46:
d9:06:eb:77:ca:4e:b8:c2:2a:2f:27:b3:7c:74:54:
a2:16:c0:3d:90:70:47:06:6f:d8:76:2e:97:32:43:
ad:08:20:7e:8f:83:6b:bc:7b:57:76:88:f8:6d:de:
ce:9b:b8:23:63:47:03:a8:0f:9a:74:e6:a6:be:e1:
dd:cf:0d:b6:2a:bf:f4:7f:e2:1e:74:f2:68:4b:32:
24:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:05:71:33:2A:C2:97:2B:2C:5F:A4:5A:F6:3E:BB:00:13:88:8F:F2
X509v3 Authority Key Identifier:
keyid:7E:D2:9B:80:D2:FA:13:3C:9E:E3:13:DA:B5:6E:68:BB:51:0D:D7:AASignature Algorithm: sha256WithRSAEncryption
47:5e:ca:af:7f:0b:79:99:d0:3a:74:46:38:aa:75:ef:8a:52:
eb:41:e2:81:6c:9e:47:5f:64:50:ab:b3:b0:42:6e:e3:0f:05:
55:3a:86:f6:88:79:80:89:d6:4b:d6:70:ad:db:50:0a:36:eb:
4c:d9:35:90:e5:79:4c:e5:27:13:59:dc:91:b8:ef:75:35:c8:
2b:25:94:ad:2f:20:97:f6:90:49:7c:e7:24:42:f8:59:3d:3a:
1d:c3:d2:34:43:0f:19:c1:a7:e1:0c:79:78:e0:e9:3d:19:d4:
88:12:c5:91:cb:b6:c4:fd:82:5d:b7:9c:35:16:86:c5:a3:b3:
19:f8:07:58:2d:e6:89:0a:a0:10:e3:af:44:93:5d:f8:4b:64:
6b:55:49:cb:3b:a9:de:87:c6:96:00:83:63:a4:9e:0e:1f:a6:
6c:50:30:71:b4:d2:aa:41:62:52:a9:21:34:42:60:fe:d8:da:
f0:58:df:ea:3a:1c:df:56:40:94:ca:0f:76:f6:87:3d:c3:bb:
01:06:b5:76:11:bb:29:e2:dd:55:32:22:70:76:c4:00:76:00:
c5:f7:79:b3:a1:a4:ab:1a:89:cd:7b:37:55:64:c7:cc:0d:2d:
73:5d:78:96:61:d9:81:d0:2b:05:41:9e:88:81:cc:99:ed:31:
22:a7:c2:a0
Centos搭建简单的证书机构,CA证书服务器相关推荐
- 基于 OpenSSL 生成自签名证书,数字签名,泛域名证书,ca证书,PKI等
基于 OpenSSL 生成自签名证书_qhh0205-CSDN博客_openssl自签名证书 windows 下 nginx 双向认证自签名证书配置 windows 下 nginx 双向认证自签名证书 ...
- 服务器证书和CA证书一样吗?
什么是服务器证书?服务器证书和CA证书一不一样?服务器证书有什么用?本文将主要为大家介绍服务器证书的相关知识. 一.服务器证书是什么意思? 服务器证书是SSL数字证书的一种形式,意指通过提交数字证书来 ...
- Autosar之自签名证书与CA证书
文章目录 一.安全传输 1.框架 2.如何实现传输安全? 3. 对称加密和非对称加密的区别? 4.伪随机数和真随机数 5.数字签名 -- 验证完整性 & 认证数据来源 6.为什么使用摘要算法的 ...
- ROOT证书、CA证书和使用CA签发的X.509证书
简介 日常开发中,我们程序员不怎么会接触证书相关的问题,对信息安全领域相关的内容知之甚少.因为平时主要实现的业务很少要直接面向底层的通信,也就很少关注这证书这样的知识.在一般情况下,我们仅仅只是在使用 ...
- 【计算机网络】网络安全 : 公钥分配 ( 公钥使用者 | 公钥分配 | CA 证书格式 | CA 证书吊销 )
文章目录 一.公钥使用者 二.公钥分配 三.CA 证书格式 四.CA 证书吊销 一.公钥使用者 公钥密码体质中 , 用户的公钥也不能随意的公布 , 公钥无法防止伪造 , 欺骗 , 接收者无法确认公钥使 ...
- fiddler证书生成ca证书命令及抓包配置
fiddler证书生成ca证书命令 下载OpenSSL fiddler配置https fiddler导出证书 将文件直接放到openssl的bin目录下 执行cmd命令生成ca证书 将证书放到andr ...
- 微信企业支付 服务器根证书,微信支付服务器证书根ca证书有什么用
随着现如今网络的不断发展,我们的生活跟网络密不可分,现在到处充斥着手机消费,只要你手机上有微信.支付宝不管到哪里都可以买你想买的东西,钱包已经在家里闲置多时.手机支付给我们的生活带来便利的同时也会伴随 ...
- 使用docker部署nginx搭建简单的idea-2019 jrebel插件激活服务器
使用docker部署nginx搭建简单的idea-2019 jrebel插件激活服务器 前言 之前用的jrebel激活方式一直都是用的 *lanyus* 大神的 [jrebel激活](http://i ...
- eap wifi 证书_用openssl为EAP-TLS生成证书(CA证书,服务器证书,用户证书)
我用的是openssl-1.0.2k. 脚本支持生成RSA,ECC证书. 运行时带参数指定类型. -->开始.按以下路径建立文件,脚本.ssl_create-cert-v0.4.7z ssl_c ...
最新文章
- Windows Phone DataBound ListBox中针对UIElement的事件绑定(Button)
- python apktool_【转】利用apktool反编译apk,并且重新签名打包
- 华南理工大学和浙大计算机学院,浙江大学和华南理工大学的办学实力比较
- jmeter 做ip欺骗遇到的坑
- QML笔记-JavaScript在QML中的使用(直接调用和间接调用)
- 《JavaScript高效图形编程(修订版)》——6.7 画布绘制基础
- sqlserver安装介质上文件的长路径名称失败_SQL Server 2012 软件安装教程
- 平方矩阵——3种思路
- java做校园一卡通技术_java写的简单校园卡管理系统
- ASP.net网页导出Excel中文乱码解决方案
- php excel自适应列宽,PHPExcel自动调整列宽
- 华为OD机考:0025-0028:黑板报数字涂色-十进制数字最低位排序-最大n个数和最小n个数之和
- Redhat下小企鹅输入法的安装
- 计划任务和周期任务mail,at,batch,atq, atrm, cron, crontab
- win10 企业版 2016长期服务版激活
- 小微企业实施数字化转型的困境
- 申报市级瞪羚企业应具备的基本条件
- 软工系列之--数据流图(DFD图)
- java morse电码,摩斯电码morse code软件下载-摩斯电码morse code手机版下载v3.80 安卓版-2265安卓网...
- 通过winapi获取MD5值