
[Experience sharing] Creating a CA with openssl, requesting a certificate and issuing it to a web service

Posted 2016-9-26 10:21:54
I. Creating a private CA
1) Review the openssl configuration file: /etc/pki/tls/openssl.cnf

The [ CA_default ] section is what openssl ca reads: dir = /etc/pki/CA, with the database $dir/index.txt, the serial file $dir/serial, a copy of every issued certificate in $dir/newcerts, the CA certificate $dir/cacert.pem and its key $dir/private/cakey.pem. default_days = 365 and default_crl_days = 30 set the validity of certificates and CRLs when -days is not passed, and policy = policy_match is the rule applied to requests in section II (country, state and organization must match the CA's DN; common name must be supplied).

2) Create the files openssl ca expects (an empty database and the next serial number)
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial

3) Generate the CA's private key
cd /etc/pki/CA
(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

The parentheses run umask in a subshell, so the key is created mode 0600 without changing the shell's own umask. Check it with ls -l: in the transcript below the command was mistyped as nmask, the umask never applied, and cakey.pem ended up 0644, readable by every local user; chmod 600 it if that happens. This key signs every certificate and CRL that follows, so it must never be copied off the CA host (the transcript cats it only for illustration).

4) Generate the self-signed CA certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

-new: create a new certificate request
-x509: output a self-signed certificate instead of a request (used only for the CA's own root certificate)
-key: the private key used for the request
-days n: validity period of the certificate, in days
-out /path/to/somecertfile: where to save the certificate

Because the request is self-signed, Issuer and Subject are identical, and the [ req ] section of the config adds the v3_ca extensions, so the result carries Basic Constraints CA:TRUE (see the dump below). The transcript's certificate is signed with sha1WithRSAEncryption, the default digest on that CentOS 6 host; add -sha256 to this and every later signing command (or set default_md = sha256 in openssl.cnf), because SHA-1 certificate signatures are rejected by current browsers.


Demo:
[iyunv@centos6 ~]# ls /etc/pki/CA/
certs  crl  newcerts  private
[iyunv@centos6 ~]# touch /etc/pki/CA/index.txt
[iyunv@centos6 ~]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
[iyunv@centos6 ~]# echo 01 > /etc/pki/CA/serial
[iyunv@centos6 ~]# ll /etc/pki/CA/
total 20
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
-rw-r--r--. 1 root root    3 Sep 23 07:09 serial
[iyunv@centos6 ~]# cd /etc/pki/CA
[iyunv@centos6 CA]# ls
certs  crl  index.txt  newcerts  private  serial
[iyunv@centos6 CA]# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-bash: nmask: command not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[iyunv@centos6 CA]# cd private/
[iyunv@centos6 private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
[iyunv@centos6 private]# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[iyunv@centos6 private]# openssl req -new -x509 -key cakey.pem  -days 7300 -out ../cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:centos6.localdomain
Email Address []:alren@163.com
[iyunv@centos6 private]# cd ../
[iyunv@centos6 CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[iyunv@centos6 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:17:50 2016 GMT
            Not After : Sep 17 23:17:50 2036 GMT
        Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:f3:8c:52:b7:91:00:33:91:37:d1:74:6e:4d:
                    3c:77:89:ff:c4:04:84:2d:28:49:cd:6e:95:d8:ae:
                    7b:99:af:e5:98:1e:de:3c:1a:ce:5a:b1:82:5a:16:
                    51:f6:d1:7c:f8:4c:24:fc:e0:9e:40:bb:a4:00:72:
                    e0:78:b9:6d:7b:b6:ae:ee:e5:df:e9:18:c5:c2:2f:
                    d7:5d:e9:8a:cc:45:03:11:c3:a5:f8:22:93:53:bc:
                    22:a3:b8:9f:f3:aa:f3:5f:cc:4e:3e:63:f6:fa:5e:
                    29:22:da:aa:00:aa:7b:2b:1f:53:3a:e0:21:4f:b8:
                    1c:40:a2:ab:e6:25:3a:95:3b:d2:fc:42:5f:c4:12:
                    ed:c2:84:d1:20:85:1d:63:12:c8:ed:71:59:7b:b2:
                    e6:e6:e3:a2:60:31:c8:84:5e:f4:4d:00:b7:b3:4f:
                    f5:96:71:84:b1:69:80:67:eb:8e:08:5c:ba:6c:a7:
                    24:bf:aa:2b:c0:3b:b6:51:f8:e1:4a:a9:22:20:90:
                    45:4a:f6:50:26:a8:7a:b3:79:2d:e5:d3:7e:33:20:
                    24:1b:5c:09:e9:d6:89:4b:ce:c5:2a:e8:2e:2c:8f:
                    88:4b:12:09:67:bb:57:5c:24:2a:64:59:5e:e4:8b:
                    b5:2e:ec:11:0c:0a:22:79:67:f0:3b:ce:bc:58:8f:
                    87:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         64:66:0c:a6:7c:b6:20:58:e2:b8:44:fb:fe:57:3b:36:79:6f:
         80:69:83:5c:34:17:28:b7:f2:6e:ea:b0:72:11:9f:d2:6b:89:
         d6:c4:d0:55:81:ef:f4:7d:f4:83:52:c9:a4:4a:55:1d:4b:ca:
         18:51:b2:d0:53:92:aa:a6:a0:da:43:48:db:c2:aa:0c:91:1f:
         98:11:ab:b4:43:c4:7e:37:d5:ad:4c:e5:9e:c3:7c:69:ad:1b:
         bd:06:f6:3d:8d:38:c1:1b:9a:72:16:9e:29:a8:e1:1c:39:39:
         b7:61:0c:b3:bf:c0:be:d0:a5:12:d8:70:e2:d7:79:c1:45:eb:
         7a:3e:36:27:b7:bc:e0:88:8d:aa:8c:0b:96:6b:3e:f4:9e:dc:
         05:76:eb:cd:0c:2e:db:89:7d:7c:0b:22:5e:c9:d2:e7:40:31:
         a8:b7:67:57:5a:a1:a8:fe:9e:1e:0e:d2:0f:c6:9b:1a:1f:c5:
         02:cf:84:87:0c:a9:ca:66:f5:4e:83:6a:fc:e5:6b:f8:17:c2:
         1f:d2:9b:86:1a:5e:e6:aa:17:b8:d3:3c:bf:b3:e1:75:57:49:
         56:78:9d:e7:6e:4d:af:05:21:13:76:86:55:89:45:ae:47:3e:
         9a:73:2d:1a:b7:ac:e7:96:07:0c:2e:7c:23:ba:6f:23:72:9f:
         0a:20:e9:ca
[iyunv@centos6 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT




II. Issuing and revoking certificates

1) Issue a certificate: the host that needs it generates its own private key (in this lab a second host, the web server). The key stays on that host; only the request from step 2 travels to the CA.

(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

2) Generate the certificate signing request (CSR)
openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr

(-days is only meaningful together with -x509; on a plain request it is ignored, and the validity is decided by the CA in step 3.)

3) Send the CSR to the CA; the CA signs it and returns the certificate. Note: under the default policy (policy_match) the country, state and organization in the request must match the CA's own DN or signing is refused. Fields the policy does not list, such as locality, are dropped from the issued certificate, which is why the L=bj entered in the CSR below is missing from the signed certificate.
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

The CA also keeps its own copy of every issued certificate as /etc/pki/CA/newcerts/SERIAL.pem and records it in index.txt (status V, expiry, serial, subject), and serial is advanced to the next number.

4) Inspect a certificate
openssl x509 -in /path/from/cert_file -noout -text|-subject|-serial|-dates

5) Revocation: on the client, read the serial and subject of the certificate to be revoked
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

6) On the CA, compare the serial and subject the client submitted with the entry in index.txt, then revoke it (newcerts/ holds the CA's copy, so the client's file is not needed)
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

7) Create the CRL number file (only once, before the first CRL is generated)
echo 01 > /etc/pki/CA/crlnumber

8) Regenerate the certificate revocation list and inspect it
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

Revocation only takes effect for clients that fetch and check this CRL, so publish it at a location they can reach. Its Next Update is default_crl_days (30 days) after Last Update, as the dump below shows; regenerate and republish it before that date and immediately after every revocation.
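An added example that is not part of the original post: the same lifecycle as sections I and II (CA creation, issuing a web-server certificate, revocation and CRL) run unprivileged in a scratch directory so every step can be checked. It assumes an OpenSSL 1.1.1 or newer binary on PATH; the DN values and the hostname www.alren.com are taken from the post, while the private openssl.cnf, the sha256 digest, the subjectAltName and the keyUsage/extendedKeyUsage extensions are this example's own choices.

```shell
#!/bin/sh
# Added example, not the post's own commands: the CA lifecycle of sections I
# and II run unprivileged in a scratch directory. Assumes OpenSSL >= 1.1.1.
# DN values and www.alren.com come from the post; sha256, SAN, keyUsage are ours.
set -eu
CA_SUBJ="/C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain"

# Section I: directory layout, index/serial files and a private openssl.cnf
# whose [ CA_default ] mirrors the CentOS one, then the CA key and root cert.
make_ca() {                                   # $1 = CA directory
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"                       # the database openssl ca appends to
    echo 01 > "$ca/serial"                    # next certificate serial
    echo 01 > "$ca/crlnumber"                 # next CRL number, needed before -gencrl
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $ca
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match
x509_extensions  = server_cert
copy_extensions  = copy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
EOF
    # umask in a subshell: the key is born 0600. The post's transcript typed
    # "nmask" by mistake and got a 0644, world-readable CA key.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$ca/openssl.cnf" -new -x509 -extensions v3_ca \
        -key "$ca/private/cakey.pem" -subj "$CA_SUBJ" -days 7300 \
        -out "$ca/cacert.pem"
}

# Section II steps 1-3 for one web host: key, CSR carrying a SAN, CA signature.
issue_cert() {                                # $1 = CA dir, $2 = out dir, $3 = host
    ca=$1; out=$2; host=$3
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/$host.key" 2048 2>/dev/null)
    # C, ST and O must equal the CA's under policy_match; L is not in the
    # policy at all, which is why the post's issued cert silently lost L=bj.
    openssl req -config "$ca/openssl.cnf" -new -key "$out/$host.key" \
        -subj "/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=$host" \
        -addext "subjectAltName=DNS:$host" -out "$out/$host.csr"
    openssl ca -config "$ca/openssl.cnf" -batch -notext -days 365 \
        -in "$out/$host.csr" -out "$out/$host.crt" 2>/dev/null
}

# Section II steps 6-8: mark the entry R in index.txt and publish a new CRL.
revoke_cert() {                               # $1 = CA dir, $2 = certificate
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/ca.crl" 2>/dev/null
}

# The check a TLS client performs: chain to the CA and, once a CRL exists,
# revocation status. Returns 0 only for a valid, unrevoked certificate.
verify_cert() {                               # $1 = CA dir, $2 = certificate
    crl=; [ -s "$1/crl/ca.crl" ] && crl="-crl_check -CRLfile $1/crl/ca.crl"
    openssl verify -CAfile "$1/cacert.pem" $crl "$2"
}

key_mode() { ls -l "$1" | cut -c1-10; }       # every key should be -rw-------

if [ "${1:-}" = demo ]; then                  # sh ca-demo.sh demo
    w=$(mktemp -d); make_ca "$w/CA"; issue_cert "$w/CA" "$w/web" www.alren.com
    key_mode "$w/CA/private/cakey.pem"; verify_cert "$w/CA" "$w/web/www.alren.com.crt"
    revoke_cert "$w/CA" "$w/web/www.alren.com.crt"
    verify_cert "$w/CA" "$w/web/www.alren.com.crt" || echo "revoked, as expected"
fi
```

Run it as `sh ca-demo.sh demo` (the file name is arbitrary). The first verify_cert prints OK; after revoke_cert the same call fails with "certificate revoked", which is the check a client has to perform for the CRL from step 8 to have any effect.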



Demo:
[iyunv@chen ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[iyunv@chen ~]# cd /etc/pki/tls/private/
[iyunv@chen private]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAydNdaHEea6lQpeMOof1bARNbNjerS+CG6bZWxYp3FVIEsqnQ
5dGZ9uvWFcN3XWAb3nTQR0cEjULIkLQS/RnoQA3t9uy83+PmL7imXnB6eDhBXOhb
QYXjAyShhR/Y+OHBJT6HhDZYxqNPoKIxi7ObJVmG6ovuE8P5SQJl5bX21/YB+CmJ
PpoY37WVd4lJagECSK2NjIuMCdMnmIKZIZgCU3XKnw1kDsG8DJXj7ZVuiimxgspM
wyXFI94vHDVxQ7mEJiIBT3F9rn95+Fy35p+fHBcXS4Iw+gJaa4GZeOuYaNxdwI9l
9nLwx9hW69UJ0wcuJQGc8kyN8AFul/sh2aWExQIDAQABAoIBAQC4snRN6w9CyVzj
oqm2dsv8bQFQ2ZsqQhxU7yfzeWbHHRrtgdiJKMq0nFh77DhlPFnkt5QPVp+EwrQX
MKQb+cSAMf8utLGYVtBFpb6iuF5rfFfctUsl6Ge6baBe2qlOAhMmiVWtGasehT+O
qj+bME9v28FLDalfbz3HoakskdyG/ptb6MEh/8Z4bAFovyYfI+IY+P3dzDd018Sv
V6wgj+A11wmhNUyete++DoO/JJtQJZuh0LeN4eg2W51M9vnnH7hrosyRwHfcYioU
SUoKEWs4Md78zVL7IeFcRwV3mSgm356u9SKl2gs+X9Qpb9Uyt5zs1q2jxGxwoe5s
ige9ERbVAoGBAPBIoELS4Cvdr1McaYbvnU6XfCVuWti0ZFDKcEaK2XUz2xMaCeBV
WPfNHq0PiC52RG8h0f9cqSt6m3rB8/5HjTuf9fyv2C6rnpUxfzqZ0P3euMBPIMHM
e2nBwr6hOMNeQwxs6YfXILlcRzMub4c4jqxNGESrWoQTogFe4TEINoe/AoGBANcG
yXsZRwI76lPEm5Z8eyFiHqKAq+QazyZoH1xXW6ByqtDA6toqHGOtuzhUIwR2HfiG
O2I3CWYVnIxWcnBMvdJ4XwIORVzfG9sh6fBqCRbYd2LhD6xTXPqq6dfssT/qI2ql
Cy5PNc0Q2XDFdar0dpIjbjcYuxGPlPPlDtdwALR7AoGBAJtZKRvrAHn72nVuYh+W
XWrJb783iM6gWlcNeudwr8UhoJrJ8+aw51NWr2WOLCp11irPf9iMjOcKXulP6jLV
Cc+pzLzw52DNHjsxBCPb/I2V6HaU8gW58XRfjEv5KhzNnaWz6IwlnweYTIQfmoWf
IEbvlSgYbO4FT3F5aThtKew7AoGADojo6adFw4LlThBGLB/x+sm1JGrqM5sUUZZM
OGO3T9swbLf9qA2cqag+tYoKa+zIDdqU/QiXXA0t7daSGcE2O5njYjIwwhxat69N
LvEb+C1dtJNeCdoAuPkAoZXgTV+4USci4Fh+XIQ9DoBqecnYkfxPIO5NBtzbxri/
DhUGFy0CgYB6Q0T2w3e8SkgF6FSgqIe4u5vio6RCsPIVhHuuZacOgeyzAqCEwQJg
b3SDZIexAUyPAnhNtkllnAYSKdFa97fXyGUdLNh0otj74C9Na6yLrUQ8zdEC1o3u
VOJyOO57bfBykghXYi9JN+29sBB0YOj9uDE0nOUImR95eiwKsP5QXg==
-----END RSA PRIVATE KEY-----
[iyunv@chen private]# openssl req -new -key /etc/pki/tls/private/httpd.key  -days 365 -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:admin@chen.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[iyunv@chen private]# ls
httpd.csr  httpd.key
[iyunv@chen private]# scp httpd.csr 10.1.249.94:
[iyunv@centos6 CA]# cp /root/httpd.csr  .
[iyunv@centos6 CA]# ls
cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial
[iyunv@centos6 CA]# openssl ca -in httpd.csr  -out  certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = chen.com
            organizationalUnitName    = alren_1
            commonName                = www.alren.com
            emailAddress              = admin@chen.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.old  private  serial.old
certs       httpd.csr  index.txt.attr  newcerts       serial
[iyunv@centos6 CA]# cat index.txt.attr
unique_subject = yes
[iyunv@centos6 CA]# cat index.txt
V   170922234302Z       01  unknown /C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[iyunv@centos6 CA]# cat serial
02
[iyunv@centos6 CA]# cd certs/
[iyunv@centos6 certs]# ls
httpd.crt
[iyunv@centos6 certs]# openssl x509 -in httpd.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/emailAddress=admin@chen.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:
                    5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:
                    77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:
                    77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:
                    12:fd:19:e8:40:0d:ed:f6:ec:bc:df:e3:e6:2f:b8:
                    a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:
                    a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:
                    4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:
                    f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:
                    18:df:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:
                    8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:
                    64:0e:c1:bc:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:
                    4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:
                    01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:
                    17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:dc:
                    5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:
                    2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:
                    84:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

    Signature Algorithm: sha1WithRSAEncryption
         5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:dc:
         85:94:bc:d0:ae:82:db:c0:cd:bb:0c:7c:7d:6e:97:41:35:94:
         71:d9:bc:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:
         ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:
         df:33:45:8c:15:2a:a0:be:03:dc:4e:9c:91:ef:a1:99:a8:6d:
         f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:
         48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:
         97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:
         fe:75:8a:3d:75:1c:df:94:36:01:32:43:4e:9c:49:f4:4c:f2:
         d9:85:9d:45:89:7f:6d:47:a9:48:48:bc:b3:8b:ed:06:34:f5:
         30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:
         ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:
         ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:
         0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:
         68:80:5a:4f
[iyunv@centos6 certs]#
[iyunv@centos6 certs]#
[iyunv@centos6 certs]# openssl ca  -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[iyunv@centos6 certs]# cd ../
[iyunv@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.attr.old  newcerts  serial
certs       httpd.csr  index.txt.attr  index.txt.old       private   serial.old
[iyunv@centos6 CA]# cat index.txt
R   170922234302Z   160922234706Z   01  unknown /C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[iyunv@centos6 CA]# echo 01 > crlnumber
[iyunv@centos6 CA]# openssl ca -gencrl -out crl
crl/       crlnumber
[iyunv@centos6 CA]# openssl ca -gencrl -out crl/ca.rcl
Using configuration from /etc/pki/tls/openssl.cnf
[iyunv@centos6 CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
[CRL body omitted]
-----END X509 CRL-----
[iyunv@centos6 CA]# openssl crl -in crl/ca.rcl  -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/emailAddress=alren@163.com
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         03:a3:a3:c1:19:bc:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:df:8f:
         63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:
         6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:
         58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:
         4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:
         27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:
         f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:
         55:11:22:a6:af:83:17:8d:c0:f4:17:cd:10:f0:37:34:86:92:
         95:2a:de:f5:26:20:f0:26:dd:16:b8:72:3a:5c:fc:fd:d2:d6:
         bc:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:
         00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:
         a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:
         f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:
         0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:
         92:c7:18:19
[iyunv@centos6 CA]#




A small tip when copying files between hosts:
When ssh reports REMOTE HOST IDENTIFICATION HAS CHANGED, the host key stored in ~/.ssh/known_hosts no longer matches the key the server presented. That is exactly what a man-in-the-middle looks like, so first confirm the key really did change (a reinstalled system or a new VM behind the same IP, as in this lab) by comparing the fingerprint in the warning with the one on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub there). Then remove only that host's entry with ssh-keygen -R 10.1.229.40 and reconnect, accepting the new key; deleting the whole known_hosts file throws away every other host's verified key as well. The second session below shows the first-contact prompt for a host not yet in known_hosts; its fingerprint should be checked the same way before answering yes.


[iyunv@centos6 ~]# ssh  10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.

[iyunv@centos6 .ssh]#
[iyunv@centos6 .ssh]# ssh root@10.1.229.93
The authenticity of host '10.1.249.93 (10.1.249.93)' can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.229.93' (RSA) to the list of known hosts.
root@10.1.249.93's password:










Thread URL: https://www.yunweiku.com/thread-277627-1-1.html