Linux-centos8实现私有CA和证书申请

创建CA相关目录，centos8不存在这些目录，需手动建立

[root@centos8-liyj ~]#mkdir -pv /etc/pki/CA/{certs,cr1,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/cr1'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'

创建CA所需的文件

[root@centos8-liyj ~]#touch /etc/pki/CA/index.txt
[root@centos8-liyj ~]#echo 0F > /etc/pki/CA/serial
[root@centos8-liyj ~]#

index.txt和serial文件在颁发证书时需要使用，如果不存在，会出现以下错误提示

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out
/etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or
directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such
file:crypto/bio/bss_file.c:79:

颁发是错误提示

创建CA的钥匙

[root@centos8-liyj /etc/pki/CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................................................................+++++
.........................................................+++++
e is 65537 (0x010001)
[root@centos8-liyj /etc/pki/CA]#tree
.
├── certs
├── cr1
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files

[root@centos8-liyj /etc/pki/CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAr3HOBkZaaoNFUKcoxk/qBnA2jqyJBhcnZ0SmhztvuY0R/euy
OYQ8T9o6aJtE5Of0suOXPutmuQd/fNpAiQvFDq7EK7bxnhVqObEnFR2uTXS8fHPQ
9EIEmCu0Yq8WQnsjX4T0na0F5XcsvBYPTe35bQKcsTtvRNFtidLVT1HsozJxZ/M1
ggpnGv7gA0X5DqMvGavprWsnpS5y1uVwFt+WN6KdF/nypHut3A5FVFHRH725VzJc
jTfoAUIUxDqIjvAXhCih7FOHva/Iic6AMoR0w4idt05nWpRCUjaHgQ+KJeFIHMC9
UHqaGeIr+ZoU7CadLl8hlqJR6WHjV88G24cqyQIDAQABAoIBAQCVFtTJKEf1c5AX
tbVEsOxihEEYhS376vklHIWXLb8HowXDDePqVKEcCorQEgI9s4+R5S3F3izw15pS
8vUcgM/4ZjN2IoS4neIjHJPlsc9JKwZxi8nph6B338vugHMeE54/sbBdvYbhNKDj
RKvEwZHQPQQC6Erp5D59fJigSzIYi4ATe9vxfBvltuB+q4494rdLW+98bSEZOKBV
SBahCFCKIAv3TLiHbVNMJK00j/O+oiDN5Hoxy6Fr+/G9pDw5DiPOCItmJMKW4UfR
SbB6ebmqXeaH7gVXaADWUAyPmKJXyFE87GE/ydXqIdMR7G4pRquwC/3C8FLkyoL+
Ja7JXKsxAoGBAON6vB2TEZAkSo87lAL+a90I4+TyR0lA7VOJUdRv8jgiq2Dc1g/Z
jJllzgpMq3xT/BsIUMd0Kll2dk37z7Gvd7QCjI6PQINR1/xzzr8GIkIxoTXgGYWS
QQbXieCjAlmzpBb7N2nnpgooekH/5R9j5aWNt6kN3hL0oX6OmJcDBUS7AoGBAMVw
8FfzRjk7pGtOHwJk8DHhCMOMSaDXDcwmIoeDaKAr34GzEwtaeLFjCWnILEvdzbgy
W3foUcaM3hA/2WQPPy7rS66JQdOpOAWDvkCmCggwFoIy75zmGwqBH8bq0yt62ajE
uwiqjJHpGKSMQJahQY0eVGi+r4P5os9tOFz8N5hLAoGAdRrYALmXTwb/wyC+n5Pu
X0mWWGRJQnLEOj70+1Ht9ewTIbhOErbB5K4+FZtGpKhvnlL3ktZAfvG3EYpSb3yP
OQIe7bzdTz0w3WuYwUodFMqL3TpSqSqTgzwuZJBGQ3txO8tzyXdRSOVxmsxrXW+F
52Y/aC4VZti80nQCJauOaMUCgYAZfLbJ47GQ+c4DvBXsrTMEfVQwSg/HH3u8er/C
VohPBNrZV1CCCq/B1lMEwL5XHM7NlFKSa/8CbnTMDDH35K/3UpB2e2lv9UwyCgup
NMXewLZnIEQmMN4UwQ5lEzMnTbiDPMIYIEv9GeYAd8pup2pa2St0SglGNBd8R1Eb
T8OteQKBgQCBCjX3iLJhRGKvXvU1JeERlCVA1rAuaq1EqtUTxq7tGJuWZRzB3baW
LPVR85DR+Hthpwj8rbQdy8NLSYmLk7/yEFS7kdoczD6HAfAX7Ou/q4L20g/I2QSr
mPQm5fKQvKVYFSlAPEL0Kwele16RK4CFKWRN5sQ1ia5U+EYykmBy5w==
-----END RSA PRIVATE KEY-----

私钥内容

给CA颁发自签名证书

[root@centos8-liyj /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jiangsu
Locality Name (eg, city) [Default City]:SuQ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.lyj.com
Email Address []:
[root@centos8-liyj /etc/pki/CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── cr1
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

[root@centos8-liyj /etc/pki/CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:eb:c9:9e:03:22:1c:57:f7:ad:e8:08:88:2a:1b:83:b9:6f:86:75
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com
        Validity
            Not Before: Apr 29 09:22:27 2022 GMT
            Not After : Apr 26 09:22:27 2032 GMT
        Subject: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:af:71:ce:06:46:5a:6a:83:45:50:a7:28:c6:4f:
                    ea:06:70:36:8e:ac:89:06:17:27:67:44:a6:87:3b:
                    6f:b9:8d:11:fd:eb:b2:39:84:3c:4f:da:3a:68:9b:
                    44:e4:e7:f4:b2:e3:97:3e:eb:66:b9:07:7f:7c:da:
                    40:89:0b:c5:0e:ae:c4:2b:b6:f1:9e:15:6a:39:b1:
                    27:15:1d:ae:4d:74:bc:7c:73:d0:f4:42:04:98:2b:
                    b4:62:af:16:42:7b:23:5f:84:f4:9d:ad:05:e5:77:
                    2c:bc:16:0f:4d:ed:f9:6d:02:9c:b1:3b:6f:44:d1:
                    6d:89:d2:d5:4f:51:ec:a3:32:71:67:f3:35:82:0a:
                    67:1a:fe:e0:03:45:f9:0e:a3:2f:19:ab:e9:ad:6b:
                    27:a5:2e:72:d6:e5:70:16:df:96:37:a2:9d:17:f9:
                    f2:a4:7b:ad:dc:0e:45:54:51:d1:1f:bd:b9:57:32:
                    5c:8d:37:e8:01:42:14:c4:3a:88:8e:f0:17:84:28:
                    a1:ec:53:87:bd:af:c8:89:ce:80:32:84:74:c3:88:
                    9d:b7:4e:67:5a:94:42:52:36:87:81:0f:8a:25:e1:
                    48:1c:c0:bd:50:7a:9a:19:e2:2b:f9:9a:14:ec:26:
                    9d:2e:5f:21:96:a2:51:e9:61:e3:57:cf:06:db:87:
                    2a:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3
            X509v3 Authority Key Identifier:
                keyid:72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         07:09:f1:78:56:86:f7:39:85:b9:a3:8b:b9:84:c5:cc:99:a6:
         7a:e4:5e:22:70:eb:97:9d:f2:f7:32:4d:ea:d2:aa:b1:c7:a0:
         3c:5e:42:eb:14:bd:5a:17:f9:08:e6:3f:f3:f0:c1:b4:06:15:
         4f:5a:8b:4f:53:42:0a:6c:b8:b0:20:36:79:3b:45:2e:ae:35:
         45:d5:18:21:76:5d:37:39:d6:e8:8c:13:3b:5d:61:12:3b:3e:
         a1:76:42:f0:90:c3:b9:7c:4c:3f:8f:b2:82:55:1a:92:00:61:
         fd:bc:45:c0:e4:e2:ff:f1:34:92:22:1c:78:87:16:01:77:f4:
         e3:a7:25:9e:ad:d9:15:1a:a9:52:54:4d:fc:34:74:81:f2:14:
         68:28:bb:54:42:1a:e7:26:e5:a0:ac:2c:6d:15:5c:89:c5:4b:
         b2:5e:96:8b:64:8f:cb:1a:20:05:d2:bf:68:dd:5a:14:61:df:
         4c:bc:47:01:2f:45:ef:68:36:5e:53:1f:01:43:04:d3:d3:3b:
         9e:14:e2:47:b3:ea:47:e6:8d:d5:03:a0:c6:49:4b:34:21:bf:
         92:ae:e4:7d:94:5e:2a:54:f9:43:bd:78:d3:b3:13:25:19:7b:
         9e:6b:47:be:c2:2d:14:ba:1e:68:92:71:94:87:b7:8a:84:da:
         45:53:22:8b

查看证书中的信息：