创建私有CA

局域网或内网内部自建CA颁发证书

openssl配置文件详解

[root@centos8 ~]#vim /etc/pki/tls/openssl.cnf
[ ca ]
default_ca  = CA_default        # The default ca section 指定默认的ca
####################################################################
[ CA_default ]#默认CA配置
dir     = /etc/pki/CA       # Where everything is kept 变量 存放和CA相关文件的总目录 centos8默认此文件夹不存在
certs       = $dir/certs        # Where the issued certs are kept  颁发证书存放地
crl_dir     = $dir/crl      # Where the issued crl are kept 证书吊销列表
database    = $dir/index.txt    # database index file.  所有用户颁发证书的索引数据库 证书编号 功能 说明 文件默认不存在
#unique_subject = no            # Set to 'no' to allow creation of
                                # several certs with same subject.
new_certs_dir   = $dir/newcerts     # default place for new certs.  新颁发证书的存放地
certificate = $dir/cacert.pem   # The CA certificate CA的自签名证书
serial      = $dir/serial       # The current serial number 每个证书的编号 序列号存放的将要颁发的证书的编号 需要赋予初始值
crlnumber   = $dir/crlnumber    # the current crl number 证书吊销列表的编号
                                # must be commented out to leave a V1 CRL
crl     = $dir/crl.pem      # The current CRL 证书吊销列表的文件
private_key = $dir/private/cakey.pem    # The private key CA的私钥
x509_extensions = usr_cert      # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions    = crl_ext
default_days    = 365           # how long to certify for 证书的默认有效期
default_crl_days= 30            # how long before next CRL 证书吊销列表的有效期
default_md  = sha256        # use SHA-256 by default
preserve    = no            # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match
# For the CA policy 证书的匹配策略
[ policy_match ]
countryName     = match #国家
stateOrProvinceName = match #省份
organizationName    = match #组织
organizationalUnitName  = optional #部门
commonName      = supplied #哪个组织 通用名
emailAddress        = optional #邮箱可选
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional
####################################################################
[ req ]
default_bits        = 2048
default_md      = sha256
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

创建CentOS8中默认不存在的CA相关文件夹

[root@centos8 CA]#mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@centos8 CA]#tree -d .
.
├── certs
├── crl
├── newcerts
└── private

4 directories

生成证书索引数据库文件

[root@centos8 CA]#touch /etc/pki/CA/index.txt

指定第一个颁发证书的序列号 格式为01 02

[root@centos8 CA]#echo 01 > /etc/pki/CA/serial

生成CA私钥

[root@centos8 ~]#cd /etc/pki/CA
#安全考虑:在子shell中修改umask权限(umask 066 使生成的私钥文件只有属主可读写),不影响当前环境
[root@centos8 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................+++
..........+++
e is 65537 (0x10001)

生成CA自签名证书

[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org

选项说明:
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书 x509证书格式
-key: 生成请求时用到的私钥文件
-days n: 证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径

查看生成的证书文件
文件默认为 base64 编码的 PEM 格式

[root@centos8 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID8zCCAtugAwIBAgIUCyLsJSaKyaCS4thJMU/22MYCNU4wDQYJKoZIhvcNAQEL
BQAwgYgxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVoZW5hbjESMBAGA1UEBwwJemhl
bmd6aG91MQ8wDQYDVQQKDAZtYWdlZHUxCzAJBgNVBAsMAml0MRYwFAYDVQQDDA1j
YS5tYWdlZHUub3JnMR8wHQYJKoZIhvcNAQkBFhBhZG1pbkBtYWdlZHUub3JnMB4X
DTIxMDgyMzAxNTQwOVoXDTMxMDgyMTAxNTQwOVowgYgxCzAJBgNVBAYTAkNOMQ4w
DAYDVQQIDAVoZW5hbjESMBAGA1UEBwwJemhlbmd6aG91MQ8wDQYDVQQKDAZtYWdl
ZHUxCzAJBgNVBAsMAml0MRYwFAYDVQQDDA1jYS5tYWdlZHUub3JnMR8wHQYJKoZI
hvcNAQkBFhBhZG1pbkBtYWdlZHUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA2VofJk/6yATmrL5W82fKwcbLbYlZeLacB+ow2QdRxSdcGK9vE2mP
ebSbNTtbBlrvbZ3zJUDSfhJWBdSRvs6l54a8t9qnbEyeCMu/0XLQQacGPMBxRBMt
7MSJiwqxU45czuk2Y/amqJYbKfP/OfjB3+yCVdkkwTRjIZPKKLoWkB4/iSJsSQX7
MVAQm/MZ5oOU/n6hth69Nwp0m5qtaQ9PNNLiEBqNAQNnYV/1S7F3r7B/GFsamdad
aeZqvolZ0zB5STPxlllrfuiTGYo4dzMA1XsNmZLFx+eyULRVaIjUmd6fFnYk0sdj
j1Idzi83qV0yiYjY/JgduoCmEGT9WuP2rQIDAQABo1MwUTAdBgNVHQ4EFgQU+liD
ISl8igIe4x6Ecls966fXwZIwHwYDVR0jBBgwFoAU+liDISl8igIe4x6Ecls966fX
wZIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEACLq30buDJFaj
gxK8jsvhz2PZdkfPVM+w7tD4gXAp/MNLgxNUGOopfs2LypsUK7QNiQzFgsaHiItV
Ds83azOKEythw+gR/aRGo1lPhBpCBp/GLXNMEyBm8wacYjmSO1xQZFqoaQJfavWF
ITLk73efTrYKBk/vunihV+JDtJC4DeB70aVWWMLYVu7u6CVFXhlTHqNZ8B6ABOYv
znqdOYxQpSJPiN2MhFji5XAihamVVwfo69TQ7iOeExrTaRpfz2opQnGyWaWAsm/7
TC/rY2i5NzY7dBOeVmGyR354wplEwsp5yn9i+aQDry3cir+vBnxcYOOe6vUeKS1u
pH2lD16zYg==
-----END CERTIFICATE-----
#解码查看证书文件
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:22:ec:25:26:8a:c9:a0:92:e2:d8:49:31:4f:f6:d8:c6:02:35:4e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
        Validity
            Not Before: Aug 23 01:54:09 2021 GMT
            Not After : Aug 21 01:54:09 2031 GMT
        Subject: C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
#指定查看证书属性 日期  属性
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -dates
notBefore=Aug 23 01:54:09 2021 GMT
notAfter=Aug 21 01:54:09 2031 GMT
[root@centos8 CA]#openssl x509 -in cacert.pem -noout -subject
subject=C = CN, ST = henan, L = zhengzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = admin@magedu.org
#下载到Windows查看
[root@centos8 CA]#yum install lrzsz -y; sz cacert.pem
更改后缀 .cer 就可以正常查看了

非交互式对某个应用生成自签名证书(示例中的 rsa:1024 仅为演示,实际使用应与前文一致采用 2048 位)

[root@centos8 CA]#openssl req -utf8 -newkey rsa:1024 -subj "/CN=www.magedu.org" -keyout app.key -nodes -x509 -out app.crt
Generating a RSA private key
................+++++
.......................................................................................+++++
writing new private key to 'app.key'
-----
[root@centos8 CA]#ls app*
app.crt  app.key
[root@centos8 CA]#mkdir /data/cert ;mv app.* /data/cert/
#查看证书内容
[root@centos8 CA]#cd /data/cert/
[root@centos8 cert]#ls
app.crt  app.key
[root@centos8 cert]#openssl x509 -in app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:1a:c8:de:52:3a:bd:10:a4:cf:ef:1d:04:75:41:e2:6e:2b:df:75
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = www.magedu.org
        Validity
            Not Before: Sep 20 06:33:06 2021 GMT
            Not After : Oct 20 06:33:06 2021 GMT
        Subject: CN = www.magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:b4:5c:90:f7:e9:82:32:47:df:98:d5:3d:3a:bd:c1:c4:a7:54:d1:83:eb:c3:89:22:c8:84:24:99:da:73:17:da:2d:8d:41:92:6c:47:ec:6a:dc:ab:27:34:76:d3:8b:bd:2a:c8:ad:eb:55:41:40:9d:fe:a9:7d:ec:ef:1a:c1:ef:db:32:28:66:9c:d6:5c:a3:b2:56:43:e4:ec:40:ee:dc:ea:05:3f:7b:5f:e0:65:63:e3:92:ee:a3:5b:bd:d5:d9:4d:96:b8:d6:e2:db:7d:6c:39:f5:cf:fe:5c:7e:de:ce:35:08:f5:f2:72:fa:61:e3:91:da:f8:60:1c:e5:73:8f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F6:18:4C:7C:88:9E:ED:5F:09:96:7F:E8:22:97:67:40:A0:8C:51:A8
            X509v3 Authority Key Identifier:
                keyid:F6:18:4C:7C:88:9E:ED:5F:09:96:7F:E8:22:97:67:40:A0:8C:51:A8
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         6c:67:e5:f1:40:d8:72:e2:9e:87:a1:17:ce:2f:ed:04:4a:9b:99:25:8a:18:31:22:35:5f:8b:33:77:50:8a:0e:17:64:f0:fd:be:ce:fb:b5:bb:a8:52:47:db:5b:6b:b9:8e:62:57:d2:19:a7:48:4c:e6:2c:ca:23:b9:94:b9:b6:8d:cb:eb:dd:98:0d:dd:d4:4d:3f:84:64:b3:aa:38:79:53:5c:23:16:66:fb:01:51:2e:be:ed:cf:5e:f6:2f:fc:90:9f:14:34:60:c3:68:6c:18:27:99:71:7e:d1:ea:e1:53:19:85:a5:e0:9f:9f:9c:21:0f:27:3e:8a:2a:95:51

CentOS7中可以使用make命令为httpd服务生成证书,而CentOS8中默认没有。
若想在CentOS8中使用,可以将Makefile文件拷贝到CentOS8中

[root@localhost certs]# pwd
/etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert
[root@localhost certs]# make /data/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > /data/httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................................................................................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key /data/httpd.key -x509 -days 365 -out /data/httpd.crt
Enter pass phrase for /data/httpd.key: #输入加密私钥的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:
[root@localhost certs]# ls /data/htt*
/data/httpd.crt  /data/httpd.key
#查看帮助
[root@localhost certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than random, add SERIAL=num
You can also specify key length with KEYLEN=n and expiration in days with DAYS=n
Any additional options can be passed to openssl req via EXTRA_FLAGS

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem EXTRA_FLAGS=-sha384
  make testcert DAYS=600
#查看Makefile文件内容
[root@localhost certs]# cat Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
EXTRA_FLAGS=
ifdef SERIAL
EXTRA_FLAGS+=-set_serial $(SERIAL)
endif

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
................................................................................................................................

为用户生成证书

[root@centos8 data]#mkdir /data/app1
#生成app1的私钥文件
[root@centos8 data]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
....+++++
e is 65537 (0x010001)
#用私钥创建证书申请文件
#注意:国家、省份、公司这三项要和生成的自签名证书证书保持一致
[root@centos8 data]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:sale
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:sale@magedu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

为用户颁发证书

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 18 (0x12)
        Validity
            Not Before: Sep 20 07:43:05 2021 GMT
            Not After : Jun 16 07:43:05 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            localityName              = luoyang
            organizationName          = magedu
            organizationalUnitName    = sale
            commonName                = www.magedu.org
            emailAddress              = sale@magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                44:7D:CC:52:9D:5A:75:95:C5:F1:BE:67:64:07:C9:D9:D2:63:D4:02
            X509v3 Authority Key Identifier:
                keyid:FA:58:83:21:29:7C:8A:02:1E:E3:1E:84:72:5B:3D:EB:A7:D7:C1:92
Certificate is to be certified until Jun 16 07:43:05 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#颁发完成

报错

缺少数据库文件

若颁发证书过程中有报错如下

[root@centos8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140198580492096:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/index.txt','r')
140198580492096:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

解决方法:
创建证书索引数据库文件;创建证书序列号文件

[root@centos8 CA]# touch /etc/pki/CA/index.txt
[root@centos8 CA]# echo 0F > /etc/pki/CA/serial

查看目录结构

[root@centos8 CA]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts #类似于备份文件夹
│   └── 0F.pem  #0F就是serial序列号中的序号
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

参数错误

颁发证书报错:国家(countryName)与CA证书不一致

[root@centos8 CA]# openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The countryName field is different between
CA certificate (CN) and the request (US)

更改颁发策略(由 policy_match 改为 policy_anything,不再要求国家、省份、组织三项与CA证书一致)

vim /etc/pki/tls/openssl.cnf
policy      = policy_anything

再次颁发

[root@centos8 ~]# openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17 (0x11)
        Validity
            Not Before: Aug 23 04:44:02 2021 GMT
            Not After : Aug 23 04:44:02 2022 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = newyork
            localityName              = newyork
            organizationName          = test
            organizationalUnitName    = devops
            commonName                = www.test.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5C:67:CC:F2:45:F9:2D:81:38:5B:93:C7:E8:01:8B:90:B3:DC:55:63
            X509v3 Authority Key Identifier:
                keyid:FA:58:83:21:29:7C:8A:02:1E:E3:1E:84:72:5B:3D:EB:A7:D7:C1:92
Certificate is to be certified until Aug 23 04:44:02 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

验证

[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   ├── app1.crt
│   ├── app1-new.crt
│   └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 0F.pem
│   ├── 10.pem
│   └── 11.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files

证书管理

查看

查看颁发证书的数据库文件

[root@centos8 ~]#cat /etc/pki/CA/index.txt
V   240519030457Z       0F  unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org

验证证书有效性

[root@centos8 CA]# openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)

查看 serial 文件,其内容为下一个将要颁发证书的编号

[root@centos8 CA]# cat /etc/pki/CA/serial
10
[root@centos8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
The matching entry has the following details
Type          :Valid
Expires on    :240519030457Z
Serial Number :0F
File name     :unknown
Subject Name  :/C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org

使同一个证书申请文件可以申请多个证书

默认情况下,同一个证书主体(subject)不能重复颁发证书,因此同一个证书申请文件不能申请多个证书

[root@centos8 CA]# vim /etc/pki/CA/index.txt.attr
#unique_subject = yes
unique_subject = no
或
[root@centos8 CA]# sed -i 's#yes#no#' /etc/pki/CA/index.txt.attr

测试

[root@centos8 CA]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16 (0x10)
        Validity
            Not Before: Aug 23 04:03:42 2021 GMT
            Not After : May 19 04:03:42 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = sale
            commonName                = www.magedu.org
            emailAddress              = sale@magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                50:0E:22:E0:A2:31:A9:31:68:96:61:11:79:06:AE:C6:65:C0:B5:39
            X509v3 Authority Key Identifier:
                keyid:FA:58:83:21:29:7C:8A:02:1E:E3:1E:84:72:5B:3D:EB:A7:D7:C1:92
Certificate is to be certified until May 19 04:03:42 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#申请完成

如何吊销证书

吊销10证书

[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/10.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 10.
Data Base Updated
#查看状态
[root@centos8 ~]# openssl ca -status 10
Using configuration from /etc/pki/tls/openssl.cnf
10=Revoked (R)
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V   240519030457Z       0F  unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
R   240519040342Z   210823054437Z   10  unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
V   220823044402Z       11  unknown /C=US/ST=newyork/L=newyork/O=test/OU=devops/CN=www.test.org

生成吊销列表crl文件

[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
140020628682560:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/pki/CA/crlnumber','r')
140020628682560:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

缺少吊销列表编号文件 crlnumber,需先创建并赋初始值

[root@centos8 ~]# echo 01 > /etc/pki/CA/crlnumber
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos8 ~]# ll /etc/pki/CA/crl.pem
-rw-r--r-- 1 root root 739 Aug 23 13:49 /etc/pki/CA/crl.pem

吊销11号证书

[root@centos8 ~]# openssl ca -revoke /etc/pki/CA/newcerts/11.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 11.
Data Base Updated
[root@centos8 ~]# cat /etc/pki/CA/index.txt
V   240519030457Z       0F  unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
R   240519040342Z   210823054437Z   10  unknown /C=CN/ST=henan/O=magedu/OU=sale/CN=www.magedu.org/emailAddress=sale@magedu.org
R   220823044402Z   210823055158Z   11  unknown /C=US/ST=newyork/L=newyork/O=test/OU=devops/CN=www.test.org
[root@centos8 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
