创建CA相关目录,centos8不存在这些目录,需手动建立

[root@centos8-liyj ~]#mkdir -pv /etc/pki/CA/{certs,cr1,newcerts,private}

mkdir: created directory '/etc/pki/CA'

mkdir: created directory '/etc/pki/CA/certs'

mkdir: created directory '/etc/pki/CA/cr1'

mkdir: created directory '/etc/pki/CA/newcerts'

mkdir: created directory '/etc/pki/CA/private'

创建CA所需的文件

[root@centos8-liyj ~]#touch /etc/pki/CA/index.txt

[root@centos8-liyj ~]#echo 0F > /etc/pki/CA/serial

[root@centos8-liyj ~]#

index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out

/etc/pki/CA/certs/app1.crt -days 1000

Using configuration from /etc/pki/tls/openssl.cnf

140040142845760:error:02001002:system library:fopen:No such file or

directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')

140040142845760:error:2006D080:BIO routines:BIO_new_file:no such

file:crypto/bio/bss_file.c:79:

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out

/etc/pki/CA/certs/app1.crt -days 1000

Using configuration from /etc/pki/tls/openssl.cnf

/etc/pki/CA/serial: No such file or directory

error while loading serial number

140240559408960:error:02001002:system library:fopen:No such file or

directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')

140240559408960:error:2006D080:BIO routines:BIO_new_file:no such

file:crypto/bio/bss_file.c:79:

颁发是错误提示

创建CA的钥匙

[root@centos8-liyj /etc/pki/CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus (2 primes)

.......................................................................................................................................+++++

.........................................................+++++

e is 65537 (0x010001)

[root@centos8-liyj /etc/pki/CA]#tree

.

├── certs

├── cr1

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

4 directories, 3 files

[root@centos8-liyj /etc/pki/CA]#cat private/cakey.pem

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAr3HOBkZaaoNFUKcoxk/qBnA2jqyJBhcnZ0SmhztvuY0R/euy

OYQ8T9o6aJtE5Of0suOXPutmuQd/fNpAiQvFDq7EK7bxnhVqObEnFR2uTXS8fHPQ

9EIEmCu0Yq8WQnsjX4T0na0F5XcsvBYPTe35bQKcsTtvRNFtidLVT1HsozJxZ/M1

ggpnGv7gA0X5DqMvGavprWsnpS5y1uVwFt+WN6KdF/nypHut3A5FVFHRH725VzJc

jTfoAUIUxDqIjvAXhCih7FOHva/Iic6AMoR0w4idt05nWpRCUjaHgQ+KJeFIHMC9

UHqaGeIr+ZoU7CadLl8hlqJR6WHjV88G24cqyQIDAQABAoIBAQCVFtTJKEf1c5AX

tbVEsOxihEEYhS376vklHIWXLb8HowXDDePqVKEcCorQEgI9s4+R5S3F3izw15pS

8vUcgM/4ZjN2IoS4neIjHJPlsc9JKwZxi8nph6B338vugHMeE54/sbBdvYbhNKDj

RKvEwZHQPQQC6Erp5D59fJigSzIYi4ATe9vxfBvltuB+q4494rdLW+98bSEZOKBV

SBahCFCKIAv3TLiHbVNMJK00j/O+oiDN5Hoxy6Fr+/G9pDw5DiPOCItmJMKW4UfR

SbB6ebmqXeaH7gVXaADWUAyPmKJXyFE87GE/ydXqIdMR7G4pRquwC/3C8FLkyoL+

Ja7JXKsxAoGBAON6vB2TEZAkSo87lAL+a90I4+TyR0lA7VOJUdRv8jgiq2Dc1g/Z

jJllzgpMq3xT/BsIUMd0Kll2dk37z7Gvd7QCjI6PQINR1/xzzr8GIkIxoTXgGYWS

QQbXieCjAlmzpBb7N2nnpgooekH/5R9j5aWNt6kN3hL0oX6OmJcDBUS7AoGBAMVw

8FfzRjk7pGtOHwJk8DHhCMOMSaDXDcwmIoeDaKAr34GzEwtaeLFjCWnILEvdzbgy

W3foUcaM3hA/2WQPPy7rS66JQdOpOAWDvkCmCggwFoIy75zmGwqBH8bq0yt62ajE

uwiqjJHpGKSMQJahQY0eVGi+r4P5os9tOFz8N5hLAoGAdRrYALmXTwb/wyC+n5Pu

X0mWWGRJQnLEOj70+1Ht9ewTIbhOErbB5K4+FZtGpKhvnlL3ktZAfvG3EYpSb3yP

OQIe7bzdTz0w3WuYwUodFMqL3TpSqSqTgzwuZJBGQ3txO8tzyXdRSOVxmsxrXW+F

52Y/aC4VZti80nQCJauOaMUCgYAZfLbJ47GQ+c4DvBXsrTMEfVQwSg/HH3u8er/C

VohPBNrZV1CCCq/B1lMEwL5XHM7NlFKSa/8CbnTMDDH35K/3UpB2e2lv9UwyCgup

NMXewLZnIEQmMN4UwQ5lEzMnTbiDPMIYIEv9GeYAd8pup2pa2St0SglGNBd8R1Eb

T8OteQKBgQCBCjX3iLJhRGKvXvU1JeERlCVA1rAuaq1EqtUTxq7tGJuWZRzB3baW

LPVR85DR+Hthpwj8rbQdy8NLSYmLk7/yEFS7kdoczD6HAfAX7Ou/q4L20g/I2QSr

mPQm5fKQvKVYFSlAPEL0Kwele16RK4CFKWRN5sQ1ia5U+EYykmBy5w==

-----END RSA PRIVATE KEY-----

私钥内容

给CA颁发自签名证书

[root@centos8-liyj /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Jiangsu

Locality Name (eg, city) [Default City]:SuQ

Organization Name (eg, company) [Default Company Ltd]:magedu

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:ca.lyj.com

Email Address []:

[root@centos8-liyj /etc/pki/CA]#tree /etc/pki/CA

/etc/pki/CA

├── cacert.pem

├── certs

├── cr1

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

4 directories, 4 files

[root@centos8-liyj /etc/pki/CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            50:eb:c9:9e:03:22:1c:57:f7:ad:e8:08:88:2a:1b:83:b9:6f:86:75

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com

        Validity

            Not Before: Apr 29 09:22:27 2022 GMT

            Not After : Apr 26 09:22:27 2032 GMT

        Subject: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:af:71:ce:06:46:5a:6a:83:45:50:a7:28:c6:4f:

                    ea:06:70:36:8e:ac:89:06:17:27:67:44:a6:87:3b:

                    6f:b9:8d:11:fd:eb:b2:39:84:3c:4f:da:3a:68:9b:

                    44:e4:e7:f4:b2:e3:97:3e:eb:66:b9:07:7f:7c:da:

                    40:89:0b:c5:0e:ae:c4:2b:b6:f1:9e:15:6a:39:b1:

                    27:15:1d:ae:4d:74:bc:7c:73:d0:f4:42:04:98:2b:

                    b4:62:af:16:42:7b:23:5f:84:f4:9d:ad:05:e5:77:

                    2c:bc:16:0f:4d:ed:f9:6d:02:9c:b1:3b:6f:44:d1:

                    6d:89:d2:d5:4f:51:ec:a3:32:71:67:f3:35:82:0a:

                    67:1a:fe:e0:03:45:f9:0e:a3:2f:19:ab:e9:ad:6b:

                    27:a5:2e:72:d6:e5:70:16:df:96:37:a2:9d:17:f9:

                    f2:a4:7b:ad:dc:0e:45:54:51:d1:1f:bd:b9:57:32:

                    5c:8d:37:e8:01:42:14:c4:3a:88:8e:f0:17:84:28:

                    a1:ec:53:87:bd:af:c8:89:ce:80:32:84:74:c3:88:

                    9d:b7:4e:67:5a:94:42:52:36:87:81:0f:8a:25:e1:

                    48:1c:c0:bd:50:7a:9a:19:e2:2b:f9:9a:14:ec:26:

                    9d:2e:5f:21:96:a2:51:e9:61:e3:57:cf:06:db:87:

                    2a:c9

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3

            X509v3 Authority Key Identifier:

                keyid:72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3

            X509v3 Basic Constraints: critical

                CA:TRUE

    Signature Algorithm: sha256WithRSAEncryption

         07:09:f1:78:56:86:f7:39:85:b9:a3:8b:b9:84:c5:cc:99:a6:

         7a:e4:5e:22:70:eb:97:9d:f2:f7:32:4d:ea:d2:aa:b1:c7:a0:

         3c:5e:42:eb:14:bd:5a:17:f9:08:e6:3f:f3:f0:c1:b4:06:15:

         4f:5a:8b:4f:53:42:0a:6c:b8:b0:20:36:79:3b:45:2e:ae:35:

         45:d5:18:21:76:5d:37:39:d6:e8:8c:13:3b:5d:61:12:3b:3e:

         a1:76:42:f0:90:c3:b9:7c:4c:3f:8f:b2:82:55:1a:92:00:61:

         fd:bc:45:c0:e4:e2:ff:f1:34:92:22:1c:78:87:16:01:77:f4:

         e3:a7:25:9e:ad:d9:15:1a:a9:52:54:4d:fc:34:74:81:f2:14:

         68:28:bb:54:42:1a:e7:26:e5:a0:ac:2c:6d:15:5c:89:c5:4b:

         b2:5e:96:8b:64:8f:cb:1a:20:05:d2:bf:68:dd:5a:14:61:df:

         4c:bc:47:01:2f:45:ef:68:36:5e:53:1f:01:43:04:d3:d3:3b:

         9e:14:e2:47:b3:ea:47:e6:8d:d5:03:a0:c6:49:4b:34:21:bf:

         92:ae:e4:7d:94:5e:2a:54:f9:43:bd:78:d3:b3:13:25:19:7b:

         9e:6b:47:be:c2:2d:14:ba:1e:68:92:71:94:87:b7:8a:84:da:

         45:53:22:8b

查看证书中的信息:

Linux-centos8实现私有CA和证书申请的更多相关文章

  1. Linux系统搭建私有CA证书服务器

    一.CA简介 CA是什么?CA是Certificate Authority的简写,从字面意思翻译过来是凭证管理中心,认证授权.它有点类似我们生活中的身份证颁发机构,这里的CA就相当于生活中颁发身份证的 ...

  2. 私有CA和证书

    证书类型 证书授权机构的证书 服务器 用户证书 获取证书两种方法 使用证书授权机构: 生成签名请求(csr ) 将csr发送给CA 从CA处接收签名 自签名的证书: 自已签发自己的公钥 openSSL ...

  3. shell脚本实现openss自建CA和证书申请

    #!/bin/bash # #******************************************************************** #Author: Ma Xue ...

  4. Windows2008下RDP采用私有CA服务器证书搭建文档

    在中小型公司建立企业根证书颁发机构 (CA) http://www.microsoft.com/china/smb/issues/sgc/articles/build_ent_root_ca.mspx ...

  5. Linux 加密安全和私有CA的搭建方法

    常用安全技术 3A: 认证:身份确认 授权:权限分配 审计:监控做了什么 安全通信 加密算法和协议 对称加密: 非对称加密 单向加密:哈希(hash)加密 认证协议 对称加密: 加密和解密使用的是同一 ...

  6. Openssl与私有CA搭建

    转自:http://www.tuicool.com/articles/aURnim 随着网络技术的发展.internet的全球化,信息共享程度被进一步提高,各种基于互联网的应用如电子政务.电子商务日益 ...

  7. PKI/CA与证书服务

    目录 PKI CA RA LDAP目录服务 CRL证书作废系统 数字证书 证书验证 证书撤销 证书更新 PKI系统的构成 PKI PKI(Public Key Infrastructure)公钥基础设 ...

  8. [转帖] Linux 创建一个简单的私有CA、发证、吊销证书

    原创帖子地址:   https://blog.csdn.net/mr_rsq/article/details/71001810 Linux 创建一个简单的私有CA.发证.吊销证书 2017年04月30 ...

  9. Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇

    Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.试验架构说明 node101 ...

随机推荐

  1. Kafka 与传统 MQ 消息系统之间有三个关键区别?

    (1).Kafka 持久化日志,这些日志可以被重复读取和无限期保留 (2).Kafka 是一个分布式系统:它以集群的方式运行,可以灵活伸缩,在内部通过 复制数据提升容错能力和高可用性 (3).Kafk ...

  2. Redis6.0配置文件翻译(Google手动翻译)

    原文链接(一般情况下你打不开这个网页):https://raw.githubusercontent.com/redis/redis/6.0/redis.conf Redis配置文件 请注意,为了读取配 ...

  3. memcached 的 cache 机制是怎样的?

    Memcached 主要的 cache 机制是 LRU(最近最少用)算法+超时失效.当您存 数据到 memcached 中,可以指定该数据在缓存中可以呆多久 Which is forever, or ...

  4. 学习GlusterFS(三)

    glusterfs,GNU cluster file system,创始人Anand Babu Periasamy,目标:代替开源Lustre和商业产品GPFS,glusterfs是什么: cloud ...

  5. UP9616移动电源快充案例

    第一版的UP9616快充(地址在此 ),从选料到线路板的布局走线都还算不错,实现了当初定下的设计目标,但也有一点小小的遗憾,就是在输出滤波电容这里有点随便了,为了弥补这个遗憾,秉着工程师的" ...

  6. 安装Prettier

    安装Prettier Prettier是优化代码格式的工具,可优化JavaScript.TypeScript.JSON等代码及配置文件. 使用命令yarn add -D --exact prettie ...

  7. CSS: 给表格的第一列和最后一列不同的样式

    table td:first-child { width:160px; height:20px; border:solid 1px Black; padding:5px; text-align:cen ...

  8. 深入理解ES6之《块级作用域绑定》

    众所周知,js中的var声明存在变量提升机制,因此ESMAScript 6引用了块级作用域来强化对变量生命周期的控制let const 声明不会被提升,有几个需要注意的点1.不能被重复声明 假设作用域 ...

  9. 前端文件上传-javascript-ajax

    书写是为了更好的记忆. 方案一:form表单上传 该方案优点是支持好,缺点刷新页面. <form action="url" method="post" e ...

  10. java中接口到底是干什么的,怎么用,深入剖析

    6.总结性深一层次综合剖析接口概念[新手可忽略不影响继续学习] 通过以上的学习, 我们知道,所有定义在接口中的常量都默认为public.static和final.所有定义在接口中的方法默认为publi ...