Create the CA directories. CentOS 8 does not ship them, so they have to be created by hand. Note that the CRL directory the default openssl.cnf expects is named crl (crl_dir = $dir/crl); the session below typed cr1, so the directory created there will not be the one openssl.cnf points at.

[root@centos8-liyj ~]#mkdir -pv /etc/pki/CA/{certs,cr1,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/cr1'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'

Create the files the CA needs

[root@centos8-liyj ~]#touch /etc/pki/CA/index.txt
[root@centos8-liyj ~]#echo 0F > /etc/pki/CA/serial
[root@centos8-liyj ~]#

index.txt and serial are read when a certificate is issued; if they do not exist, the following errors appear:

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
140040142845760:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140040142845760:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140240559408960:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140240559408960:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

Error messages shown when issuing a certificate without these files

Create the CA's private key

[root@centos8-liyj /etc/pki/CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................................................................+++++
.........................................................+++++
e is 65537 (0x010001)
[root@centos8-liyj /etc/pki/CA]#tree
.
├── certs
├── cr1
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files

[root@centos8-liyj /etc/pki/CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Contents of the private key (PEM-encoded)

Issue the CA a self-signed certificate

[root@centos8-liyj /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jiangsu
Locality Name (eg, city) [Default City]:SuQ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.lyj.com
Email Address []:
[root@centos8-liyj /etc/pki/CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── cr1
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files

[root@centos8-liyj /etc/pki/CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:eb:c9:9e:03:22:1c:57:f7:ad:e8:08:88:2a:1b:83:b9:6f:86:75
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com
Validity
Not Before: Apr 29 09:22:27 2022 GMT
Not After : Apr 26 09:22:27 2032 GMT
Subject: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3
X509v3 Authority Key Identifier:
keyid:72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption

Viewing the information in the certificate: the subject equals the issuer (self-signed), the Authority Key Identifier equals the Subject Key Identifier, and Basic Constraints is CA:TRUE, which is what lets this certificate sign others.
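The whole procedure above, collected into one non-interactive script as an added example (these are not the original post's commands): it takes the CA directory as an argument so it runs unprivileged, spells the CRL directory crl, passes the DN with -subj instead of answering the prompts, and then checks the result (key mode 0600, CA:TRUE, subject equal to issuer, and openssl verify of the certificate against itself). The DN values are the ones typed on the page; the function names setup_ca and check_ca are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's commands: builds the page's CA layout
# non-interactively under the directory given as $1 (no root needed) and checks it.
# Assumed: the DN values are the ones typed on the page; function names are mine.
set -eu

setup_ca() {
    ca_dir="$1"
    # Same layout as the page; the CRL directory is spelled "crl", which is the
    # crl_dir value in the default openssl.cnf (the page's session typed "cr1").
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    # Database and serial file that "openssl ca" reads; without them issuing fails
    # with fopen('.../index.txt','r') and "error while loading serial number".
    touch "$ca_dir/index.txt"
    [ -s "$ca_dir/serial" ] || echo 0F > "$ca_dir/serial"
    # Restrictive umask in a subshell so the CA key is created mode 0600.
    (umask 066; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    # Self-sign the CA certificate; -subj replaces the interactive DN prompts.
    openssl req -new -x509 -key "$ca_dir/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=Jiangsu/L=SuQ/O=magedu/OU=IT/CN=ca.lyj.com" \
        -out "$ca_dir/cacert.pem"
}

# Returns 0 only if the key is not group/world readable, the certificate carries
# CA:TRUE, its subject equals its issuer, and it verifies against itself.
check_ca() {
    ca_dir="$1"
    cert="$ca_dir/cacert.pem"
    [ "$(stat -c '%a' "$ca_dir/private/cakey.pem")" = "600" ] || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 1
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$issuer" ] || return 1
    openssl verify -CAfile "$cert" "$cert" > /dev/null 2>&1
}
```

Run it as `setup_ca /tmp/myCA && check_ca /tmp/myCA && echo OK`; never cat the key file into a shared terminal or log as the page does, since anyone holding cakey.pem can issue certificates the CA will trust.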
