Linux_CA三种申请证书的方法

最新推荐文章于 2025-05-22 16:24:30 发布

原创最新推荐文章于 2025-05-22 16:24:30 发布 · 3.9k 阅读

16 ·

CC 4.0 BY-SA版权

文章标签：

#linux #运维 #服务器

Linux 专栏收录该内容

12 篇文章

订阅专栏

第一种：

申请私钥

[root@cs1 ~]# openssl genrsa  -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................................++++
....................................................................................................................................++++
e is 65537 (0x010001)

直接生成证书

[root@cs1 ~]# openssl req -new -x509 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ     
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:skills.com
Email Address []:

第二种

申请证书请求文件

 openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:skills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

生成证书

[root@cs1 ~]# openssl x509  -req -in ca.csr -sginkey ca.key -out apache.cert
x509: Unrecognized flag sginkey
x509: Use -help for summary.
[root@cs1 ~]# openssl x509  -req -in ca.csr -signkey ca.key -out apache.cert
Signature ok
subject=C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
Getting Private key

第三种：

创建ca必要的文件夹

mkdir /etc/pki/CA/{certs,newcerts,crl,private} -p

创建引索文件和证书序列号

touch index.txt
echo 01 > serial

创建cakey.pem私钥

cd /etc/pki/CA
genrsa -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..................++++
.....................................................................................................................++++
e is 65537 (0x010001)

创建证书请求文件

 openssl req -new -key private/cakey.pem -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ   
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:skills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

创建cacert.pem证书名字要正确

[root@cs1 CA]# openssl x509 -req -in ca.csr -signkey private/cakey.pem -out cacert.pem
Signature ok
subject=C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
Getting Private key

ca 颁发证书

 openssl ca -in ca.csr -out ca.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 16 11:19:33 2022 GMT
            Not After : Mar 16 11:19:33 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = skills
            organizationalUnitName    = system
            commonName                = skills.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:26:B1:E7:25:19:13:E7:3A:61:9A:0F:CC:8B:60:94:D6:4C:2E:2E
            X509v3 Authority Key Identifier: 
                DirName:/C=CN/ST=HN/L=ZZ/O=skills/OU=system/CN=skills.com
                serial:55:AE:60:2F:5D:B8:17:FB:94:55:0F:3D:C9:B7:08:A2:7D:F7:B1:F6

Certificate is to be certified until Mar 16 11:19:33 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

查看证书

 openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = HN, L = ZZ, O = skills, OU = system, CN = skills.com
        Validity
            Not Before: Mar 16 11:19:33 2022 GMT
            Not After : Mar 16 11:19:33 2023 GMT
        Subject: C = CN, ST = HN, O = skills, OU = system, CN = skills.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:a5:d0:47:69:8e:ca:8a:c7:cb:72:90:74:ff:1d:
                    a8:13:27:85:47:77:73:63:2f:83:41:71:78:5f:8a:
                    ae:84:59:87:4a:9d:14:7e:46:e5:ea:3e:49:0f:dc:
                    5c:ab:47:b9:89:2e:88:d7:58:94:3a:d1:5a:04:93:
                    df:64:92:22:f7:fd:44:7f:ae:93:7b:3e:5b:78:e2:
                    e6:80:f7:c6:c9:95:14:36:c1:ec:28:cb:58:e6:19:
                    d6:ad:7b:62:2b:4e:2a:22:77:20:de:c6:6c:49:a3:
                    04:ba:1b:17:32:53:7b:41:b9:da:b3:2d:b2:db:c5:
                    28:5d:cf:5a:c7:a1:2e:f2:79:01:cb:6a:d6:1b:ff:
                    a3:48:df:a0:45:fe:55:d6:1e:73:2f:e6:e1:d3:d0:
                    32:2d:42:da:28:4a:94:1d:ae:fd:0c:ec:c2:55:13:
                    dc:70:3e:24:67:dd:9c:6e:7e:7d:53:13:49:ab:f2:
                    6c:4f:5a:d9:31:4e:da:d3:18:62:47:e6:8b:46:ce:
                    97:d5:fe:9d:c7:ea:50:73:44:62:52:71:08:be:78:
                    72:6a:32:13:8e:c4:73:63:52:b2:88:74:e4:a0:57:
                    68:d3:4d:c2:71:24:24:8c:22:57:7e:7e:22:d3:be:
                    0a:a1:38:3e:94:7a:fa:4c:ed:9b:ee:a9:b7:c1:f1:
                    ad:4e:25:e9:d0:85:13:6a:09:b1:28:3a:d2:95:d7:
                    85:e6:ba:3f:58:45:04:31:45:9f:d2:c1:cf:2b:03:
                    1c:dd:73:1f:8e:05:0f:a0:22:08:9c:38:84:1d:1f:
                    ae:49:65:a5:59:f1:d5:43:0b:42:80:35:63:64:c3:
                    7f:01:2b:8d:ce:46:6f:4f:5e:d3:ab:ef:33:03:b0:
                    19:34:2e:b9:82:fe:2a:cd:3c:ea:84:d9:51:c2:07:
                    d0:49:51:6c:3d:19:31:e9:33:6f:0d:9c:a4:aa:19:
                    fd:1d:8a:62:e7:1a:b2:41:a1:87:0b:2e:d9:34:aa:
                    e8:6a:5a:ce:eb:0f:1b:96:52:59:d3:8d:41:60:b5:
                    01:29:18:66:d4:0c:12:7a:86:ae:b9:15:50:84:ab:
                    80:11:38:5d:47:89:e3:db:40:03:dd:27:7f:d9:98:
                    4d:c4:e2:9c:a6:ac:3d:97:7b:ff:fb:84:20:a8:af:
                    83:62:de:e1:28:41:c1:06:ea:83:7b:82:ec:58:3c:
                    7b:00:8a:2f:48:b3:07:e3:06:db:48:79:f9:84:61:
                    8a:a3:88:09:da:32:28:63:91:7c:ae:5b:d0:53:92:
                    3c:ab:3d:c5:ac:d7:3e:42:d3:1a:d5:c8:8e:96:00:
                    54:4e:38:ac:a0:a0:3d:85:e5:77:0c:8f:c8:0d:d3:
                    b0:a1:6f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:26:B1:E7:25:19:13:E7:3A:61:9A:0F:CC:8B:60:94:D6:4C:2E:2E
            X509v3 Authority Key Identifier: 
                DirName:/C=CN/ST=HN/L=ZZ/O=skills/OU=system/CN=skills.com
                serial:55:AE:60:2F:5D:B8:17:FB:94:55:0F:3D:C9:B7:08:A2:7D:F7:B1:F6

    Signature Algorithm: sha256WithRSAEncryption
         58:41:af:de:68:8a:5c:90:62:ba:81:67:80:ca:f6:13:e8:71:
         33:fa:19:bb:ed:4c:50:7a:71:64:9a:5b:0a:12:13:0f:4f:f5:
         a8:75:73:89:a2:06:ff:3a:db:19:77:07:e1:25:e5:b1:ad:a8:
         3b:14:03:17:60:9f:24:b0:47:58:74:e6:bc:1d:1c:54:f5:82:
         97:06:16:49:77:f5:ed:bc:7c:6e:11:0b:35:3e:9a:fb:6d:a1:
         5d:b0:68:46:dc:04:36:09:39:d9:bd:39:c1:b8:b1:53:ac:51:
         97:87:12:b5:5e:63:e2:52:fc:7f:5d:2a:3d:53:b7:fe:1f:49:
         81:43:b3:77:56:7c:14:b9:79:8f:85:a2:85:61:c3:27:44:23:
         56:34:f9:61:fb:15:a6:37:57:2b:cc:0c:15:3c:6d:fb:99:f8:
         e6:55:8d:53:fc:32:3b:1c:e3:69:07:bc:3e:d2:8b:6d:d7:9d:
         e6:03:79:3f:76:d1:05:f8:42:87:74:6c:42:ae:18:eb:4f:5d:
         6d:10:61:0a:5c:24:2b:7e:f4:59:4b:be:e0:a0:87:9c:ad:aa:
         2f:9b:52:0a:dc:c8:74:47:48:5c:e3:d8:64:dc:0c:1a:cf:f2:
         55:95:a7:3e:0e:03:da:4e:a3:74:f7:be:16:56:49:79:48:07:
         8d:66:1c:98:49:42:fb:e7:51:a7:7b:87:5a:d6:d2:8a:90:bc:
         fe:12:ea:95:9f:05:b6:50:03:eb:4e:23:6e:d5:ec:37:2f:9a:
         d9:c5:bc:4a:ae:c7:b4:ae:8a:ad:44:88:72:a4:b6:94:f1:67:
         67:a7:16:b3:71:e8:db:91:d1:cf:02:1b:ad:f0:ab:93:05:dd:
         b0:df:76:56:40:d5:b6:f0:e7:c8:72:4f:8f:5d:d8:f1:ed:dc:
         68:3d:62:aa:3d:35:94:55:d1:b9:1f:67:9f:3c:96:97:15:0d:
         b2:00:13:7e:41:cc:e2:63:f2:51:dc:0d:9b:0c:d8:1c:ed:db:
         14:98:cd:26:4e:ff:cf:21:67:99:08:28:55:de:63:ce:0e:dc:
         90:ca:bf:80:bd:43:7d:d4:e1:01:03:66:79:ef:d6:d2:e3:28:
         67:ff:60:32:a4:95:11:fb:0c:28:58:7d:8c:35:c1:a0:7e:1d:
         fd:d1:3c:5b:44:a6:49:9b:a8:81:66:8e:cb:d6:24:d9:31:e2:
         6a:78:30:cb:14:af:4e:87:ad:00:0e:ef:8b:09:57:ae:62:a7:
         c9:c6:de:eb:5b:fc:3e:89:89:ca:41:72:9f:6f:03:cd:8d:dc:
         cf:96:68:d9:5b:67:cd:43:e4:89:69:98:10:d5:1c:fc:07:57:
         ff:69:01:c8:1b:b4:c0:b3

然后就可以给其他的客户端颁发证书了