Using OpenSSL to generate a CA root certificate and sign a certificate request generated by keytool
1. Generate the private key [with a passphrase]
[root@node00 security]# openssl genrsa [-des3] -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@node00 security]#
2. Generate the certificate request file
[root@node00 security]# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Hinabian
Organizational Unit Name (eg, section) []:data
Common Name (eg, your name or your server's hostname) []:node00
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node00 security]#
3. Self-sign the root certificate with your own private key
[root@node00 security]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
Getting Private key
Enter pass phrase for ca.key:
[root@node00 security]#
4. Sign the server's certificate request with the CA root certificate
4.1 First attempt: the /etc/pki/CA/index.txt database file is missing and has to be created (as an empty file)
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140358162147216:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140358162147216:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
4.2 Second attempt (after creating index.txt): the /etc/pki/CA/serial file is missing and has to be created
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140017638942608:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140017638942608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node00 security]#
This file tracks the serial number of the last issued certificate.
[root@node00 CA]# echo "01" > /etc/pki/CA/serial
[root@node00 CA]#
4.3 Sign the server's certificate request with the CA root certificate
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)
[root@node00 security]# ll
total 12
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root 0 Oct 24 16:45 node00.pem
drwxr-xr-x 2 root root 42 Oct 24 16:45 pki
[root@node00 security]#
Problem:
The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)
Fix: edit the /etc/pki/tls/openssl.cnf file. The "match" policy compares the DER encoding of the field, including its string type, not just the text; a keytool CSR encodes the DN fields as UTF8String while the OpenSSL-generated CA certificate uses PrintableString, so even identical values fail to match. Relax the two fields to "optional":
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
#stateOrProvinceName = match (change match to optional)
#organizationName = match (change match to optional)
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Run again:
[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 24 08:54:57 2018 GMT
Not After : Oct 21 08:54:57 2028 GMT
Subject:
countryName = CN
stateOrProvinceName = GuangDong
organizationName = Hinabian
organizationalUnitName = data
commonName = node00
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
58:30:7D:B3:7E:85:D4:39:22:2F:B3:96:55:A3:38:68:FE:7F:03:88
X509v3 Authority Key Identifier:
DirName:/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
serial:E1:40:B9:DB:A9:83:F9:C3
Certificate is to be certified until Oct 21 08:54:57 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node00 security]# ll
total 20
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root 4632 Oct 24 16:55 node00.pem
drwxr-xr-x 2 root root 42 Oct 24 16:45 pki
[root@node00 security]#
The signed certificate node00.pem was generated successfully!
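The whole procedure above (root CA, the index.txt and serial database files, the relaxed policy, signing with openssl ca) collapsed into a non-interactive script, added here as an example and not part of the original post. It assumes openssl on PATH, uses a constructed demo DN with a throwaway unencrypted key, and writes its own minimal config instead of editing /etc/pki/tls/openssl.cnf; it also gives the root basicConstraints CA:TRUE, which step 3 on the page leaves out and which openssl verify needs before it will accept the root as an issuer.

```shell
set -e
# Added example, not code from the page: steps 1-4 of the page run non-interactively.
# Assumes openssl is on PATH; every file lives in the directory passed as $1.
# Config mirrors the page's openssl.cnf edit (ST and O "optional", C "match")
# but, unlike the page's root, adds CA:TRUE so "openssl verify" accepts the root.
write_ca_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 3650
x509_extensions = usr_cert
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# index.txt and serial, which steps 4.1 and 4.2 had to add by hand, plus newcerts/.
init_ca_db() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  write_ca_config "$1/openssl.cnf"
}
# Self-signed root in one command (constructed DN; no passphrase, demo only).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/openssl.cnf" \
    -subj "/C=CN/ST=GuangDong/O=DemoCA/CN=demo-root" -keyout "$1/ca.key" -out "$1/ca.crt"
}
# Sign CSR $2 into $3 (paths relative to $1) with -batch, then check the chain.
sign_and_verify() {
  (cd "$1" && openssl ca -batch -config openssl.cnf -in "$2" -out "$3" \
    && openssl verify -CAfile ca.crt "$3")
}
```

Place the CSR (from keytool, as on the page, or from openssl req) inside the directory and pass its name to sign_and_verify; a request whose stateOrProvinceName differs from the CA's is accepted because the policy marks that field optional.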