Configuring Linux as a CA server and issuing certificates
Install openssl
yum install -y openssl*
Create the directories
mkdir /etc/pki/CA
mkdir /etc/pki/CA/{certs,crl,newcerts,private}
Create the files the CA needs (used when a user requests a certificate)
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 01 >> /etc/pki/CA/serial #starting serial number for issued certificates
Generate the CA private key
openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Issue the CA a self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
#the generated certificate must match the path and filename set by certificate = $dir/cacert.pem in the openssl config file
-x509 produce a self-signed X.509 certificate instead of a certificate request
-key private key used to generate the request
-days validity period of the certificate
-out path where the certificate is saved
[root@localhost pki]# openssl req -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country
State or Province Name (full name) []:Beijing #state/province
Locality Name (eg, city) [Default City]:Beijing #city
Organization Name (eg, company) [Default Company Ltd]:skills #organization
Organizational Unit Name (eg, section) []:system #organizational unit
Common Name (eg, your name or your server's hostname) []:linux1.skills.com #common name
Email Address []: #email can be left blank
[root@localhost pki]# ls /etc/pki/CA
cacert.pem certs crl index.txt newcerts private
Issue a certificate
#generate the private key
openssl genrsa -out skills.key 2048
#generate the certificate signing request
openssl req -new -key skills.key -out skills.csr
#issue the certificate
openssl ca -in skills.csr -out skills.crt -days 3650
#send the certificate files to the server that needs them
scp skills.key root@linux2.skills.com:/etc/ssl
scp skills.crt root@linux2.skills.com:/etc/ssl
scp /etc/pki/CA/cacert.pem root@linux2.skills.com:/etc/ssl
#add linux1's root certificate on linux2; switch to linux2
cd /etc/ssl
cat cacert.pem >> certs/ca-bundle.crt
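As an added example (not part of the original post), the whole procedure above collapsed into one script that runs as an unprivileged user: it builds the CA layout in a scratch directory instead of /etc/pki/CA, carries its own minimal openssl.cnf so `openssl ca` does not depend on the system config, signs one server certificate, and then performs the check the post never shows: that the issued certificate actually chains to cacert.pem and that the CA database (index.txt, serial) recorded the issuance. The scratch directory, the subject names and the host linux2.skills.com are constructed values; the only requirement is the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post: the CA workflow above in a
# scratch directory (no root needed), followed by the chain check the post
# omits. Assumes only the openssl CLI; every path and name is constructed.

build_ca_and_issue() {
    dir="$1"   # stands in for /etc/pki/CA
    cn="$2"    # Common Name of the server being issued a certificate

    # Same layout the post creates by hand; index.txt and serial are the
    # CA database that `openssl ca` updates on every issued certificate.
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"

    # Private config so the example does not depend on the system openssl.cnf.
    # certificate/private_key point at the files the post generates.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # 1. CA key and self-signed root (the post's genrsa + req -x509 steps).
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions ca_cert \
        -key "$dir/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=skills/OU=system/CN=skills root CA" \
        -out "$dir/cacert.pem"

    # 2. Server key and CSR (in practice generated on the server itself).
    openssl genrsa -out "$dir/skills.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/skills.key" \
        -subj "/CN=$cn" -out "$dir/skills.csr"

    # 3. Sign the CSR; -batch answers the interactive y/y prompts of `openssl ca`.
    openssl ca -batch -config "$dir/openssl.cnf" -in "$dir/skills.csr" \
        -out "$dir/skills.crt" -days 365 -notext >/dev/null 2>&1
}

# Succeeds only when certificate $2 chains to the trust anchor in $1.
verify_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The issuer of the leaf must equal the subject of the CA certificate.
issuer_matches_ca() {
    leaf_issuer=$(openssl x509 -in "$1/skills.crt" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    ca_subject=$(openssl x509 -in "$1/cacert.pem" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    [ "$leaf_issuer" = "$ca_subject" ]
}

# Number of valid ('V') entries recorded in the CA database.
issued_count() {
    grep -c '^V' "$1/index.txt"
}

# Stand-alone run:  sh ca-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    D=$(mktemp -d)
    build_ca_and_issue "$D" linux2.skills.com
    verify_with "$D/cacert.pem" "$D/skills.crt" && echo "skills.crt chains to cacert.pem ($D)"
fi
```

Two points a practitioner would change when doing this for real. First, on RHEL/CentOS the file /etc/ssl/certs/ca-bundle.crt is generated by update-ca-trust and is rewritten on the next run, so anything appended to it by hand is lost; the durable way to trust the new root is to copy cacert.pem into /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust extract`. Second, the server's private key (skills.key) should be generated on linux2 and only the CSR sent to the CA; the key then never crosses the network, and the `openssl verify -CAfile` check above is what linux2 runs on the certificate it gets back to confirm it was signed by the expected CA.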