Setting up a CA certification server

Building a simple certificate authority (a CA certificate server) on CentOS:
CA certification, i.e. electronic certification service [1], refers to the activity of providing authenticity and reliability verification for the parties involved in electronic signatures.
A Certificate Authority (CA) is the body that issues digital certificates. It is the authoritative body responsible for issuing and managing digital certificates; it acts as the trusted third party in electronic transactions and is responsible for vouching for the legitimacy of public keys in a public-key infrastructure.
1. Configure the certificate server
Install openssl
yum install -y openssl*
First check the configuration file to see which files and directories the CA needs

vim /etc/pki/tls/openssl.cnf

  54 ####################################################################
 55 [ ca ]
 56 default_ca      = CA_default            # The default ca section
 57 
 58 ####################################################################
 59 [ CA_default ]
 60 
 61 dir             = /etc/pki/CA           # Where everything is kept  所有东西保存的位置
 62 certs           = $dir/certs            # Where the issued certs are kept  已发出证书存放与何处
 63 crl_dir         = $dir/crl              # Where the issued crl are kept  已签发的crl保存位置 
 64 database        = $dir/index.txt        # database index file.  数据库索引文件
 65 #unique_subject = no                    # Set to 'no' to allow creation of  设置为no以允许创建
 66                                         # several certs with same subject.  几个相同科目的证书
 67 new_certs_dir   = $dir/newcerts         # default place for new certs.  新证书默认位置
 68 
 69 certificate     = $dir/cacert.pem       # The CA certificate  CA证书
 70 serial          = $dir/serial           # The current serial number  当前序列号
 71 crlnumber       = $dir/crlnumber        # the current crl number  当前crl编号
 72                                         # must be commented out to leave a V1 CRL  必须注释掉以留下V1 CRL
 73 crl             = $dir/crl.pem          # The current CRL 当前CRL
 74 private_key     = $dir/private/cakey.pem# The private key  私钥
Here certs holds the certificates that have been issued; newcerts holds the new certificates written by the openssl ca command; private holds the CA private key; crl holds revoked certificates (the CRL); index.txt is the text database of issued certificates that OpenSSL maintains, and is normally empty at initialization; serial is the serial-number file consulted when a certificate is signed. The serial number is stored in hexadecimal, and the file must exist and contain a valid serial number before the first certificate is signed.

The configuration file shows that everything lives under /etc/pki/CA, so that directory and its certs, crl, newcerts and private subdirectories must exist (on CentOS 7 the openssl package ships them; create any that are missing).

Create the private key cakey.pem under private in the CA directory. openssl genrsa without a size argument uses the build's default key size, so it is better to state the size explicitly (2048 bits or more), and private/ must stay readable only by root: anyone who can read cakey.pem can issue certificates that every system trusting this CA will accept.

[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# openssl genrsa -out private/cakey.pem

Create the self-signed CA root certificate in the CA directory (valid for 10 years):

[root@hadoop103 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JM
Locality Name (eg, city) [Default City]:JH
Organization Name (eg, company) [Default Company Ltd]:WG
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:domain.com # for the root CA this is a name for the CA itself; a website hostname belongs in the server certificate (CN and subjectAltName), not here
Email Address []:123@domain.com                                   # contact email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                          # just press Enter; this is a legacy CSR attribute, not a passphrase protecting the private key
An optional company name []:                                      # just press Enter

The two 'extra' attributes are only prompted for when a certificate signing request is built (openssl req -new without -x509); the self-signed -x509 run above skips them. Leave both blank.

Create the database index file and the serial-number file in the CA directory. The original post initialises the serial to 00, which is why the signing output further down reports Serial Number: 0 (0x0); RFC 5280 requires certificate serial numbers to be positive integers, so start at 01:

[root@CA CA]# touch /etc/pki/CA/index.txt
[root@CA CA]# echo 01 > /etc/pki/CA/serial

The certificate authority is now configured.
2. Sign a certificate
Create the server private key
openssl genrsa -out nginx.key
Create the certificate signing request
openssl req -new -key nginx.key -out nginx.csr # Country, State/Province and Organization must match the CA certificate exactly: the default policy_match section in openssl.cnf requires those three fields to match (pass -policy policy_anything to openssl ca to relax this). Put the server hostname in Common Name; note that current browsers only accept the hostname from a subjectAltName extension, which the default configuration does not add.
Sign the certificate (the output below was captured on a CA whose DN is C=cn, ST=gd, O=ht, so the values differ from the ones entered above):

[root@localhost CA]# openssl ca -in nginx.csr -out nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Aug 12 01:21:01 2022 GMT
            Not After : Aug 12 01:21:01 2023 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = gd
            organizationName          = ht
            organizationalUnitName    = system
            commonName                = 50
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                64:E5:D7:D5:21:A2:6B:C6:A0:71:E1:28:51:22:85:CA:16:1E:BA:38
            X509v3 Authority Key Identifier: 
                keyid:49:A5:6B:C0:73:F0:6E:EC:A4:40:83:15:CD:59:7F:E3:FD:FC:FD:26

Certificate is to be certified until Aug 12 01:21:01 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

View the certificate. Note that the X509v3 extensions contain no subjectAltName, because the default usr_cert section of openssl.cnf does not add one; for a certificate that browsers accept for a hostname, pass an extension file containing subjectAltName to openssl ca with -extfile and -extensions.

[root@localhost CA]# openssl x509 -in nginx.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=cn, ST=gd, L=jm, O=ht, OU=system, CN=50
        Validity
            Not Before: Aug 12 01:21:01 2022 GMT
            Not After : Aug 12 01:21:01 2023 GMT
        Subject: C=cn, ST=gd, O=ht, OU=system, CN=50
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:c6:35:9f:33:6c:28:2b:81:83:24:c2:f3:e8:
                    b1:15:66:45:d8:e2:f9:27:5e:69:4c:34:60:c8:36:
                    b3:d3:1c:7e:5a:81:92:e7:72:a3:d7:c8:bb:1d:80:
                    d8:78:9e:1f:24:c3:08:cf:e1:52:e4:d0:ae:78:bb:
                    9a:50:e4:92:14:30:de:b4:7c:b7:71:d6:8e:8d:9c:
                    14:b0:7c:6d:28:a5:c2:73:34:af:94:8c:51:41:41:
                    94:2b:5e:a9:d1:54:27:1a:42:9a:c7:e3:c7:ec:f3:
                    77:62:2b:70:3c:f9:bc:bd:51:8e:11:a2:5e:1c:ae:
                    6d:46:67:46:c5:3b:87:18:ff:5e:6f:5c:6a:23:67:
                    54:5f:21:79:7e:82:7a:a0:43:90:8d:77:23:f6:b3:
                    88:fd:b5:20:93:43:74:dc:e9:24:c2:eb:7f:3d:30:
                    8b:20:c4:64:16:13:a8:e1:99:27:02:db:58:9c:39:
                    15:45:7b:1d:99:56:b6:0e:d9:90:ae:96:5c:b0:8d:
                    d9:2d:87:ba:be:26:c6:d1:63:7e:99:7d:6c:8b:99:
                    a7:2a:46:1d:94:a7:51:31:72:5e:3a:4d:9a:fa:04:
                    0c:54:14:34:0a:5b:61:06:7e:28:f3:2a:c3:f8:91:
                    78:c0:92:78:1d:fb:27:c8:4c:15:e0:27:1f:06:00:
                    49:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                64:E5:D7:D5:21:A2:6B:C6:A0:71:E1:28:51:22:85:CA:16:1E:BA:38
            X509v3 Authority Key Identifier: 
                keyid:49:A5:6B:C0:73:F0:6E:EC:A4:40:83:15:CD:59:7F:E3:FD:FC:FD:26

    Signature Algorithm: sha256WithRSAEncryption
         af:ef:b1:33:47:15:a9:57:62:a9:97:76:bd:c4:67:60:e0:eb:
         d8:93:b2:cb:e6:00:1b:a5:36:68:4a:2e:ae:b1:f2:40:62:d6:
         22:44:f1:79:b5:c0:b1:ac:44:72:08:cc:69:52:24:ae:6a:71:
         41:fb:dd:f8:5c:2a:2c:e9:93:f2:ab:c4:ce:f3:d8:3b:07:84:
         e0:58:99:72:21:f9:bc:e0:d4:76:7d:c5:3b:3d:17:52:98:10:
         08:73:c1:31:a5:5d:82:e6:97:f7:34:36:d7:e6:99:af:f1:d8:
         c8:d3:9e:e3:e8:20:f6:ce:7d:08:a8:f6:ab:b7:70:a6:23:98:
         f0:e8:1d:ba:2d:83:36:5f:f8:af:d2:6e:77:65:5b:e7:d4:b2:
         a3:b7:41:b9:f2:78:d9:87:cd:da:55:15:46:80:d6:c2:bf:91:
         c9:c7:28:9d:fa:8d:79:45:42:26:a7:6a:0b:a6:83:9c:27:c2:
         3f:99:f5:6b:16:90:75:02:50:94:47:4a:1b:53:90:ba:52:b2:
         43:25:39:29:3d:f2:f7:8b:57:59:8a:bd:63:44:ea:15:0b:56:
         33:a0:8e:d2:61:08:24:d1:20:0b:da:f0:db:2d:48:a6:50:d2:
         6f:74:5e:83:87:6e:3d:4e:65:bb:fc:c9:2f:2a:c6:e7:75:22:
         23:69:d3:e5
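The whole procedure above (CA layout, root certificate, CSR, signing, inspection) as one runnable script. This is an added example, not code from the original post: it writes its own minimal openssl.cnf into a scratch directory instead of editing /etc/pki/tls/openssl.cnf, so it runs without root on any host with the openssl command, and it fixes the three practitioner gaps discussed above (serial starts at 01, the root carries CA:TRUE and keyCertSign, the server certificate carries a subjectAltName). The CA name, the DN values, the hostname www.example.com and the mktemp directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a self-contained OpenSSL CA that
# mirrors the CA_default layout quoted from openssl.cnf, issues one server
# certificate carrying a subjectAltName, and verifies the result.
# Assumptions for the demo: CA name, DN values, hostname, scratch directory.
set -eu

# Lay out the CA directory tree and bookkeeping files, and write a minimal
# openssl.cnf whose [ CA_default ] section matches the one quoted above.
ca_init() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"        # only the CA operator may read the key
    : > "$dir/index.txt"            # empty text database of issued certs
    echo 01 > "$dir/serial"         # hex; RFC 5280 forbids serial number 0
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
crl             = \$dir/crl.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA key (stays in private/) plus a self-signed root with CA:TRUE. In
# production add -aes256 to genrsa so the key is encrypted at rest; omitted
# here so the demo runs unattended.
ca_create_root() {
    dir=$1; subj=$2
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -subj "$subj" -days 3650 \
        -out "$dir/cacert.pem"
}

# Server key + CSR, then "openssl ca". C, ST and O must equal the CA subject
# because policy_match says so. The hostname goes into subjectAltName via an
# extension file; browsers ignore a bare CN. In real use the key is generated
# on the server and only the CSR travels to the CA.
ca_issue_server() {
    dir=$1; host=$2; out=$dir/$host
    (umask 077; openssl genrsa -out "$out.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$out.key" \
        -subj "/C=CN/ST=JM/O=WG/CN=$host" -out "$out.csr"
    cat > "$out.ext" <<EOF
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -extfile "$out.ext" -extensions v3_server \
        -in "$out.csr" -out "$out.crt" 2>/dev/null
}

# Pre-deployment checks: chain verifies against the root, the SAN is present,
# and the CA database recorded the issuance with status V (valid).
ca_check() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$host.crt" >/dev/null &&
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" &&
    grep -q "^V" "$dir/index.txt"
}

main() {
    work=$(mktemp -d)
    ca_init "$work"
    ca_create_root "$work" "/C=CN/ST=JM/L=JH/O=WG/CN=WG Demo Root CA"
    ca_issue_server "$work" www.example.com
    ca_check "$work" www.example.com
    echo "issued and verified: $work/www.example.com.crt"
}
main
```

Point the CA directory at /etc/pki/CA and drop the generated openssl.cnf in favour of the system one to reproduce the post's setup exactly; the only behavioural differences are the explicit key size, the serial starting at 01, and the subjectAltName, all of which the default configuration leaves out.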
posted @ 2022-08-12 11:37 donghongchao