客户端 [root@localhost keyes]# openssl genrsa 2048 > siyao.keys (创建私钥)
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.+++
e is 65537 (0x10001)
[root@localhost keyes]# chmod 400 siyao.keys (给予最小权限)
[root@localhost keyes]# openssl req -new -key siyao.keys -out siyao.csr (创建证书办法请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (国家)
State or Province Name (full name) []:shanghai (省份)
Locality Name (eg, city) [Default City]:shanghai (市区)
Organization Name (eg, company) [Default Company Ltd]:boke (公司名)
Organizational Unit Name (eg, section) []:boke - cainiao (部门)
Common Name (eg, your name or your server's hostname) []:www.abc.com (要加密的RUL)
Email Address []:boke@boke.com (邮箱)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (这里不要写密码,CA哪里一会解不开密码,自签名。。)
An optional company name []: (这里也跳过)
[root@localhost keyes]# ls
siyao.csr siyao.keys (生成一份.csr的文件)
[root@localhost keyes]# scp siyao.csr 192.168.1.115:/root (在我使用scp传输文件时,碰到了问题,因为之前做过NAT。网关上
把icmp阻塞了,并且用的策略是block return,所以返回一个目标不可到达的包给你。)
ssh: connect to host 192.168.1.115 port 22: No route to host
[root@localhost keyes]# scp siyao.csr 192.168.1.115:/root (传过去了)
The authenticity of host '192.168.1.115 (192.168.1.115)' can't be established.
RSA key fingerprint is ce:73:07:c4:4c:f3:2b:1b:21:c7:92:31:27:53:be:cf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.115' (RSA) to the list of known hosts.
root@192.168.1.115's password:
siyao.csr
# CA端
[root@localhost ~]# openssl genrsa -des3 -out ca.key 4096 (生成公私钥,做自签名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (自签名密码要记住,一会自签名过程要用到)
Verifying - Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg ca.key siyao.csr
[root@localhost ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt (自签名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server's hostname) []:www.boke.com
Email Address []:
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.csr
[root@localhost ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out siyao.crt (
给客户端颁发证书)
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=boke/OU=boke - cainiao/CN=www.abc.com/emailAddress=boke@boke.com
Getting CA Private Key
Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.crt siyao.csr
[root@localhost ~]# scp siyao.crt 192.168.1.3:/etc/pki/CA/keyes (回传给客户端)
The authenticity of host '192.168.1.3 (192.168.1.3)' can't be established.
RSA key fingerprint is bd:4d:15:99:19:a7:d7:fb:6e:0a:91:b0:b7:62:04:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts.
root@192.168.1.3's password:
siyao.crt 100% 1590 1.6KB/s
00:00
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.crt siyao.csr
客户端keyes目下要有私钥,公钥,证书
[root@localhost keyes]# ls
siyao.crt siyao.csr siyao.keys
[root@localhost keyes]# pwd
/etc/pki/CA/keyes
QQ群⑧:
窥视卡
雷达卡
发表于 2018-11-8 11:51:55
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡