Generating a CA root certificate with OpenSSL and using it to sign a certificate request produced by keytool
阿新 • Published: 2018-12-20
1. Generate the CA private key (optionally protected by a passphrase)

The -des3 option is optional. With it, openssl asks for a passphrase and stores the key encrypted, which is what the session below shows:

[root@node00 security]# openssl genrsa [-des3] -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@node00
2. Generate the certificate request for the CA

[root@node00 security]# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default
3. Self-sign the root certificate with the CA's own private key

[root@node00 security]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
Getting Private key
Enter pass phrase for ca.key:
[root@node00 security]#

Two things are worth knowing about the root this produces. First, openssl x509 -req -signkey adds no X.509v3 extensions unless -extfile is given, so ca.crt carries neither basicConstraints CA:TRUE nor a Subject Key Identifier; that is why the Authority Key Identifier of the certificate issued in step 4 falls back to the issuer's DirName and serial instead of a keyid. openssl req -x509 uses the v3_ca section of openssl.cnf and produces a proper CA certificate. Second, the root is valid for only 365 days while the server certificates signed below are valid for 3650 days; once the root expires in October 2019 the chain no longer validates, even though node00.pem itself is still within its validity period.
4. Sign the server's certificate request with the CA root certificate

The request pki/node00.csr was produced by keytool. openssl ca signs it using the CA section of /etc/pki/tls/openssl.cnf, which expects a small CA database under /etc/pki/CA that does not exist yet on a fresh system.

4.1 Create the /etc/pki/CA/index.txt file

The first attempt fails because the database file is missing:

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140358162147216:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140358162147216:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
index.txt is the CA database that records every certificate issued (and later revoked). It starts out as an empty file:

[root@node00 CA]# touch /etc/pki/CA/index.txt
4.2 Create the /etc/pki/CA/serial file

The second attempt gets past the database and fails on the missing serial number file:

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140017638942608:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140017638942608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node00 security]#
serial holds the hexadecimal serial number that the next issued certificate will receive; openssl ca increments it after each signing and keeps the previous value in serial.old. Start it at 01:

[root@node00 CA]# echo "01" > /etc/pki/CA/serial
[root@node00 CA]#
4.3 Sign the server's certificate request with the CA root certificate

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)
[root@node00 security]# ll
total 12
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root    0 Oct 24 16:45 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#

Note the side effects visible in the listing: the failed run has already created an empty node00.pem, and ca.key is world-readable (-rw-r--r--). A CA signing key should be readable only by its owner (mode 600); the passphrase protects the file contents, but not against someone copying it for an offline guessing attack.
Problem:

The stateOrProvinceName field needed to be the same in the CA certificate (GuangDong) and the request (GuangDong)

Both values read GuangDong, yet the policy_match policy in openssl.cnf reports a mismatch. openssl ca compares the DN attribute as an ASN.1 string, that is, its type as well as its text. The most likely cause is that the CA certificate and the keytool-generated request encode the attribute with different string types (for example UTF8String in one and PrintableString in the other), which is a common outcome when the two DNs come from different tools.

Solution: edit /etc/pki/tls/openssl.cnf so that the policy no longer requires these fields to match (match changed to optional):

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
#stateOrProvinceName    = match      (changed from match to optional)
#organizationName       = match      (changed from match to optional)
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

The policy is the CA's guard on which subjects it will certify. Relaxing it is acceptable for a private CA, but from now on the operator, not openssl, has to check the Subject printed under Certificate Details before answering y. The stock openssl.cnf also ships a policy_anything section for the case where no DN fields are meant to be constrained.
Run the signing again:

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 24 08:54:57 2018 GMT
            Not After : Oct 21 08:54:57 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = Hinabian
            organizationalUnitName    = data
            commonName                = node00
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:30:7D:B3:7E:85:D4:39:22:2F:B3:96:55:A3:38:68:FE:7F:03:88
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
                serial:E1:40:B9:DB:A9:83:F9:C3
Certificate is to be certified until Oct 21 08:54:57 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node00 security]# ll
total 20
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root 4632 Oct 24 16:55 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#

The extensions come from the usr_cert section of the stock openssl.cnf: CA:FALSE, a Subject Key Identifier and an Authority Key Identifier, but no subjectAltName, so this certificate identifies the host only through its commonName and will not satisfy clients that match hostnames against the SAN alone. node00.pem is 4632 bytes because openssl ca writes the human-readable dump above the PEM block; the -notext option writes only the PEM.
The signed certificate node00.pem has been generated successfully. Before importing it into the keytool keystore, confirm that it chains to ca.crt and that the server's key pair and the issued certificate belong together.
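The whole procedure above, as an added example that is not part of the original post: a POSIX shell script that builds the same kind of private CA in a scratch directory with its own openssl.cnf (so /etc/pki is left untouched), self-signs the root with real CA extensions, creates index.txt and serial before the first signing, signs a request under a relaxed policy section without interactive prompts, and verifies the resulting chain. The directory layout, section names, DN values, the 3650/365-day lifetimes and the use of openssl in place of keytool to produce the server's CSR are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway private CA.
# Everything lives under the directory passed as $1; nothing touches /etc/pki.
set -e

make_ca_config() {
    # $1 = CA directory. Writes a minimal openssl.cnf for both `req` and `ca`.
    # The policy section below is the relaxed one the post ends up with:
    # only countryName must match, commonName must be supplied.
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $1
database         = \$dir/index.txt
serial           = \$dir/serial
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
policy           = policy_match
x509_extensions  = server_cert
copy_extensions  = none
unique_subject   = no

[ policy_match ]
countryName            = match
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no
string_mask        = utf8only

[ req_dn ]
C  = CN
ST = GuangDong
L  = ShenZhen
O  = Hinabian
OU = data
CN = Example Root CA

# Root certificate: marked as a CA that may only sign end-entity certs.
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# End-entity certificate for the server, with a SAN for hostname matching.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:node00
EOF
}

build_ca_and_sign() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"     # issued-certificate database, same role as /etc/pki/CA/index.txt
    echo 01 > "$dir/serial"  # serial number for the next certificate
    make_ca_config "$dir"
    chmod 700 "$dir"         # the CA key will live here; keep it private

    # Steps 1-3 of the post in one command: key plus self-signed root with v3_ca
    # extensions. The root outlives the certificates it signs (3650 vs 365 days).
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -config "$dir/openssl.cnf" -extensions v3_ca -days 3650 \
        -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"

    # Server key and CSR. In the post this CSR comes from keytool; here openssl
    # stands in for it (assumption). Note the DN differs from the root's.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/node00.key" \
        -config "$dir/openssl.cnf" \
        -subj "/C=CN/ST=GuangDong/O=Hinabian/OU=data/CN=node00" \
        -out "$dir/node00.csr" 2>/dev/null

    # Step 4: sign with the CA. -batch answers the y/n prompts, -notext keeps
    # the output to the PEM block only (keytool needs nothing else).
    openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
        -in "$dir/node00.csr" -out "$dir/node00.pem" 2>/dev/null

    # The check the post stops short of: does the issued cert chain to the root?
    openssl verify -CAfile "$dir/ca.crt" "$dir/node00.pem" >/dev/null
}

# Stand-alone use: sh mini_ca.sh /path/to/new/ca/dir
if [ -n "${1:-}" ]; then
    build_ca_and_sign "$1" && echo "CA and signed certificate written to $1"
fi
```

Because the CA has its own configuration, the policy_match edit that the post makes to /etc/pki/tls/openssl.cnf is confined to this CA, and the stock system file stays as the distribution shipped it.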