1. Create the working directories
# mkdir -p ./demoCA/{private,newcerts}
# touch ./demoCA/index.txt
# echo 01 > ./demoCA/serial
2. Create the CA key pair and generate the CA certificate
The command below signs with the CA private key at ./demoCA/private/cakey.pem, so that key must already exist at that path before you run it.
# openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
Parameter notes:
req: request a certificate
-new: generate a new request
-x509: output a self-signed X.509 certificate instead of a certificate request
-days: validity period of the certificate, in days, counted from generation
-key: the key pair (private key file) to sign with
-out: output path and file name for the certificate
The output looks like this:
# openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN # country
State or Province Name (full name) [Some-State]:guangdong # province
Locality Name (eg, city) []:guangzhou # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test # company or organization name
Organizational Unit Name (eg, section) []: test # department
Common Name (e.g. server FQDN or YOUR name) []: e-mail # project name
Email Address []:123@gmail.com # e-mail address
At this point we have a private CA certificate and the CA key pair, and can start issuing certificates.
Here we take the certificate for an SMTP server as the example:
3. Generate the private key and the CSR (certificate signing request)
This step is much like step 2 and uses the same req command, but without -x509 it produces a signing request rather than a certificate.
# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 365
Parameter notes:
req: request a certificate
-new: generate a new request
-days: validity period in days; for a CSR it is ignored, as the output below shows, because no certificate is produced
-keyout: output path and file name for the key pair
-out: output path and file name for the certificate request
-nodes: do not encrypt the generated private key with a passphrase
The output looks like this:
# openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -days 365
Ignoring -days; not generating a certificate
Generating a RSA private key
.......+++++
...............................................+++++
writing new private key to 'mailkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:guangdong
Locality Name (eg, city) []:guangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:mail
Email Address []:123@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Sign the CSR
# openssl ca -out mailcert.pem -infiles mailreq.pem
Parameter notes:
ca: the CA operations subcommand
-out: output path for the signed certificate
-infiles: the certificate request file(s) to sign
Note:
- When signing the CSR, openssl uses the files under demoCA, such as the CA key and certificate generated earlier. If this command reports a missing file, delete the demoCA directory and start again from step 1.
- Do not rename the generated key and request files, or verification will fail. If you need different names, check the output file names in each command carefully and regenerate.
# openssl ca -out mailcert.pem -infiles mailreq.pem
Using configuration from /usr/lib/ssl/openssl.cnf # the default configuration is used
Check that the request matches the signature
Signature ok
Certificate Details: # details of the certificate about to be issued, printed after the request signature was checked
Serial Number: 1 (0x1)
Validity
Not Before: Apr 6 02:57:15 2023 GMT
Not After : Apr 5 02:57:15 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = test
organizationalUnitName = test
commonName = mail
emailAddress = 123@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FC:F8:E2:7C:79:43:27:6A:D0:A6:C6:28:CA:94:F5:99:D0:78:59:DD
X509v3 Authority Key Identifier:
keyid:31:62:47:CF:15:08:62:AA:97:74:9F:79:8F:B3:A0:C4:10:BE:BD:77
Certificate is to be certified until Apr 5 02:57:15 2024 GMT (365 days)
Sign the certificate? [y/n]:Y
# the CA is about to issue a certificate valid for 365 days; confirm
1 out of 1 certificate requests certified, commit? [y/n]Y
# 1 of the submitted requests was certified; confirm whether to commit the signing
Write out database with 1 new entries
Data Base Updated
That completes issuing the CA certificate and the TLS certificate. Run ls to see the files generated in the current directory:
demoCA # directory holding the CA's files and signing state
├── cacert.pem # CA certificate (public)
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem # CA private key
├── serial
└── serial.old
mailcert.pem # TLS certificate (public)
mailkey.pem # TLS private key
mailreq.pem # CSR file
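The four steps above, run non-interactively in a scratch directory and followed by the checks worth making before installing the certificate on the SMTP server; this is an added example, not code from the original post. It assumes openssl 1.1.1 or later is on PATH, that the default openssl.cnf keeps the stock [ CA_default ] dir = ./demoCA, and it adds the openssl genrsa step that the post uses but never shows.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-4 without the interactive
# prompts, then verification of the issued certificate. Assumes `openssl` (1.1.1+)
# is on PATH and the default openssl.cnf still has [ CA_default ] dir = ./demoCA.
set -eu

# Same DN values as the post; -subj replaces the interactive prompts.
CA_SUBJ="/C=CN/ST=guangdong/L=guangzhou/O=test/OU=test/CN=e-mail/emailAddress=123@gmail.com"
MAIL_SUBJ="/C=CN/ST=guangdong/L=guangzhou/O=test/OU=test/CN=mail/emailAddress=123@gmail.com"

# build_pki <dir>: runs the post's four steps inside <dir>.
build_pki() (
    cd "$1"
    # Step 1: the directory layout `openssl ca` expects by default
    mkdir -p demoCA/private demoCA/newcerts
    touch demoCA/index.txt
    echo 01 > demoCA/serial
    # Step 2: the CA private key (used by the post but never created there),
    # then the self-signed CA certificate
    openssl genrsa -out demoCA/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key demoCA/private/cakey.pem \
        -out demoCA/cacert.pem -subj "$CA_SUBJ"
    # Step 3: server key and CSR. C, ST and O must equal the CA's values because
    # the stock policy_match section requires it (and drops L, which is why the
    # post's issued certificate shows no localityName).
    openssl req -new -nodes -keyout mailkey.pem -out mailreq.pem -subj "$MAIL_SUBJ" 2>/dev/null
    # Step 4: sign. -batch answers both [y/n] prompts with yes.
    openssl ca -batch -out mailcert.pem -infiles mailreq.pem
)

# verify_issued <dir>: returns 0 only if mailcert.pem chains to the CA, carries
# the same public key as mailkey.pem, and is not itself a CA certificate.
verify_issued() (
    cd "$1" &&
    openssl verify -CAfile demoCA/cacert.pem mailcert.pem >/dev/null &&
    [ "$(openssl x509 -noout -pubkey -in mailcert.pem)" = "$(openssl pkey -pubout -in mailkey.pem)" ] &&
    openssl x509 -noout -ext basicConstraints -in mailcert.pem | grep -q 'CA:FALSE'
)

WORK=$(mktemp -d)   # scratch directory, so the real demoCA is never touched
build_pki "$WORK"
verify_issued "$WORK" && echo "mailcert.pem: chains to cacert.pem, matches mailkey.pem, CA:FALSE"
```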