创建CA相关目录,centos8不存在这些目录,需手动建立

[root@centos8-liyj ~]#mkdir -pv /etc/pki/CA/{certs,cr1,newcerts,private}

mkdir: created directory '/etc/pki/CA'

mkdir: created directory '/etc/pki/CA/certs'

mkdir: created directory '/etc/pki/CA/cr1'

mkdir: created directory '/etc/pki/CA/newcerts'

mkdir: created directory '/etc/pki/CA/private'

创建CA所需的文件

[root@centos8-liyj ~]#touch /etc/pki/CA/index.txt

[root@centos8-liyj ~]#echo 0F > /etc/pki/CA/serial

[root@centos8-liyj ~]#

index.txt和serial文件在颁发证书时需要使用,如果不存在,会出现以下错误提示

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out

/etc/pki/CA/certs/app1.crt -days 1000

Using configuration from /etc/pki/tls/openssl.cnf

140040142845760:error:02001002:system library:fopen:No such file or

directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')

140040142845760:error:2006D080:BIO routines:BIO_new_file:no such

file:crypto/bio/bss_file.c:79:

[root@centos8 ~]#openssl ca -in /data/app1/app1.csr -out

/etc/pki/CA/certs/app1.crt -days 1000

Using configuration from /etc/pki/tls/openssl.cnf

/etc/pki/CA/serial: No such file or directory

error while loading serial number

140240559408960:error:02001002:system library:fopen:No such file or

directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')

140240559408960:error:2006D080:BIO routines:BIO_new_file:no such

file:crypto/bio/bss_file.c:79:

颁发是错误提示

创建CA的钥匙

[root@centos8-liyj /etc/pki/CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus (2 primes)

.......................................................................................................................................+++++

.........................................................+++++

e is 65537 (0x010001)

[root@centos8-liyj /etc/pki/CA]#tree

.

├── certs

├── cr1

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

4 directories, 3 files

[root@centos8-liyj /etc/pki/CA]#cat private/cakey.pem

-----BEGIN RSA PRIVATE KEY-----

MIIEpAIBAAKCAQEAr3HOBkZaaoNFUKcoxk/qBnA2jqyJBhcnZ0SmhztvuY0R/euy

OYQ8T9o6aJtE5Of0suOXPutmuQd/fNpAiQvFDq7EK7bxnhVqObEnFR2uTXS8fHPQ

9EIEmCu0Yq8WQnsjX4T0na0F5XcsvBYPTe35bQKcsTtvRNFtidLVT1HsozJxZ/M1

ggpnGv7gA0X5DqMvGavprWsnpS5y1uVwFt+WN6KdF/nypHut3A5FVFHRH725VzJc

jTfoAUIUxDqIjvAXhCih7FOHva/Iic6AMoR0w4idt05nWpRCUjaHgQ+KJeFIHMC9

UHqaGeIr+ZoU7CadLl8hlqJR6WHjV88G24cqyQIDAQABAoIBAQCVFtTJKEf1c5AX

tbVEsOxihEEYhS376vklHIWXLb8HowXDDePqVKEcCorQEgI9s4+R5S3F3izw15pS

8vUcgM/4ZjN2IoS4neIjHJPlsc9JKwZxi8nph6B338vugHMeE54/sbBdvYbhNKDj

RKvEwZHQPQQC6Erp5D59fJigSzIYi4ATe9vxfBvltuB+q4494rdLW+98bSEZOKBV

SBahCFCKIAv3TLiHbVNMJK00j/O+oiDN5Hoxy6Fr+/G9pDw5DiPOCItmJMKW4UfR

SbB6ebmqXeaH7gVXaADWUAyPmKJXyFE87GE/ydXqIdMR7G4pRquwC/3C8FLkyoL+

Ja7JXKsxAoGBAON6vB2TEZAkSo87lAL+a90I4+TyR0lA7VOJUdRv8jgiq2Dc1g/Z

jJllzgpMq3xT/BsIUMd0Kll2dk37z7Gvd7QCjI6PQINR1/xzzr8GIkIxoTXgGYWS

QQbXieCjAlmzpBb7N2nnpgooekH/5R9j5aWNt6kN3hL0oX6OmJcDBUS7AoGBAMVw

8FfzRjk7pGtOHwJk8DHhCMOMSaDXDcwmIoeDaKAr34GzEwtaeLFjCWnILEvdzbgy

W3foUcaM3hA/2WQPPy7rS66JQdOpOAWDvkCmCggwFoIy75zmGwqBH8bq0yt62ajE

uwiqjJHpGKSMQJahQY0eVGi+r4P5os9tOFz8N5hLAoGAdRrYALmXTwb/wyC+n5Pu

X0mWWGRJQnLEOj70+1Ht9ewTIbhOErbB5K4+FZtGpKhvnlL3ktZAfvG3EYpSb3yP

OQIe7bzdTz0w3WuYwUodFMqL3TpSqSqTgzwuZJBGQ3txO8tzyXdRSOVxmsxrXW+F

52Y/aC4VZti80nQCJauOaMUCgYAZfLbJ47GQ+c4DvBXsrTMEfVQwSg/HH3u8er/C

VohPBNrZV1CCCq/B1lMEwL5XHM7NlFKSa/8CbnTMDDH35K/3UpB2e2lv9UwyCgup

NMXewLZnIEQmMN4UwQ5lEzMnTbiDPMIYIEv9GeYAd8pup2pa2St0SglGNBd8R1Eb

T8OteQKBgQCBCjX3iLJhRGKvXvU1JeERlCVA1rAuaq1EqtUTxq7tGJuWZRzB3baW

LPVR85DR+Hthpwj8rbQdy8NLSYmLk7/yEFS7kdoczD6HAfAX7Ou/q4L20g/I2QSr

mPQm5fKQvKVYFSlAPEL0Kwele16RK4CFKWRN5sQ1ia5U+EYykmBy5w==

-----END RSA PRIVATE KEY-----

私钥内容

给CA颁发自签名证书

[root@centos8-liyj /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Jiangsu

Locality Name (eg, city) [Default City]:SuQ

Organization Name (eg, company) [Default Company Ltd]:magedu

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:ca.lyj.com

Email Address []:

[root@centos8-liyj /etc/pki/CA]#tree /etc/pki/CA

/etc/pki/CA

├── cacert.pem

├── certs

├── cr1

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

4 directories, 4 files

[root@centos8-liyj /etc/pki/CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            50:eb:c9:9e:03:22:1c:57:f7:ad:e8:08:88:2a:1b:83:b9:6f:86:75

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com

        Validity

            Not Before: Apr 29 09:22:27 2022 GMT

            Not After : Apr 26 09:22:27 2032 GMT

        Subject: C = CN, ST = Jiangsu, L = SuQ, O = magedu, OU = IT, CN = ca.lyj.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:af:71:ce:06:46:5a:6a:83:45:50:a7:28:c6:4f:

                    ea:06:70:36:8e:ac:89:06:17:27:67:44:a6:87:3b:

                    6f:b9:8d:11:fd:eb:b2:39:84:3c:4f:da:3a:68:9b:

                    44:e4:e7:f4:b2:e3:97:3e:eb:66:b9:07:7f:7c:da:

                    40:89:0b:c5:0e:ae:c4:2b:b6:f1:9e:15:6a:39:b1:

                    27:15:1d:ae:4d:74:bc:7c:73:d0:f4:42:04:98:2b:

                    b4:62:af:16:42:7b:23:5f:84:f4:9d:ad:05:e5:77:

                    2c:bc:16:0f:4d:ed:f9:6d:02:9c:b1:3b:6f:44:d1:

                    6d:89:d2:d5:4f:51:ec:a3:32:71:67:f3:35:82:0a:

                    67:1a:fe:e0:03:45:f9:0e:a3:2f:19:ab:e9:ad:6b:

                    27:a5:2e:72:d6:e5:70:16:df:96:37:a2:9d:17:f9:

                    f2:a4:7b:ad:dc:0e:45:54:51:d1:1f:bd:b9:57:32:

                    5c:8d:37:e8:01:42:14:c4:3a:88:8e:f0:17:84:28:

                    a1:ec:53:87:bd:af:c8:89:ce:80:32:84:74:c3:88:

                    9d:b7:4e:67:5a:94:42:52:36:87:81:0f:8a:25:e1:

                    48:1c:c0:bd:50:7a:9a:19:e2:2b:f9:9a:14:ec:26:

                    9d:2e:5f:21:96:a2:51:e9:61:e3:57:cf:06:db:87:

                    2a:c9

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3

            X509v3 Authority Key Identifier:

                keyid:72:BB:3C:5D:02:61:98:FD:12:91:B0:9E:60:47:94:46:25:17:33:D3

            X509v3 Basic Constraints: critical

                CA:TRUE

    Signature Algorithm: sha256WithRSAEncryption

         07:09:f1:78:56:86:f7:39:85:b9:a3:8b:b9:84:c5:cc:99:a6:

         7a:e4:5e:22:70:eb:97:9d:f2:f7:32:4d:ea:d2:aa:b1:c7:a0:

         3c:5e:42:eb:14:bd:5a:17:f9:08:e6:3f:f3:f0:c1:b4:06:15:

         4f:5a:8b:4f:53:42:0a:6c:b8:b0:20:36:79:3b:45:2e:ae:35:

         45:d5:18:21:76:5d:37:39:d6:e8:8c:13:3b:5d:61:12:3b:3e:

         a1:76:42:f0:90:c3:b9:7c:4c:3f:8f:b2:82:55:1a:92:00:61:

         fd:bc:45:c0:e4:e2:ff:f1:34:92:22:1c:78:87:16:01:77:f4:

         e3:a7:25:9e:ad:d9:15:1a:a9:52:54:4d:fc:34:74:81:f2:14:

         68:28:bb:54:42:1a:e7:26:e5:a0:ac:2c:6d:15:5c:89:c5:4b:

         b2:5e:96:8b:64:8f:cb:1a:20:05:d2:bf:68:dd:5a:14:61:df:

         4c:bc:47:01:2f:45:ef:68:36:5e:53:1f:01:43:04:d3:d3:3b:

         9e:14:e2:47:b3:ea:47:e6:8d:d5:03:a0:c6:49:4b:34:21:bf:

         92:ae:e4:7d:94:5e:2a:54:f9:43:bd:78:d3:b3:13:25:19:7b:

         9e:6b:47:be:c2:2d:14:ba:1e:68:92:71:94:87:b7:8a:84:da:

         45:53:22:8b

查看证书中的信息:

Linux-centos8实现私有CA和证书申请的更多相关文章

  1. Linux系统搭建私有CA证书服务器

    一.CA简介 CA是什么?CA是Certificate Authority的简写,从字面意思翻译过来是凭证管理中心,认证授权.它有点类似我们生活中的身份证颁发机构,这里的CA就相当于生活中颁发身份证的 ...

  2. 私有CA和证书

    证书类型 证书授权机构的证书 服务器 用户证书 获取证书两种方法 使用证书授权机构: 生成签名请求(csr ) 将csr发送给CA 从CA处接收签名 自签名的证书: 自已签发自己的公钥 openSSL ...

  3. shell脚本实现openss自建CA和证书申请

    #!/bin/bash # #******************************************************************** #Author: Ma Xue ...

  4. Windows2008下RDP采用私有CA服务器证书搭建文档

    在中小型公司建立企业根证书颁发机构 (CA) http://www.microsoft.com/china/smb/issues/sgc/articles/build_ent_root_ca.mspx ...

  5. Linux 加密安全和私有CA的搭建方法

    常用安全技术 3A: 认证:身份确认 授权:权限分配 审计:监控做了什么 安全通信 加密算法和协议 对称加密: 非对称加密 单向加密:哈希(hash)加密 认证协议 对称加密: 加密和解密使用的是同一 ...

  6. Openssl与私有CA搭建

    转自:http://www.tuicool.com/articles/aURnim 随着网络技术的发展.internet的全球化,信息共享程度被进一步提高,各种基于互联网的应用如电子政务.电子商务日益 ...

  7. PKI/CA与证书服务

    目录 PKI CA RA LDAP目录服务 CRL证书作废系统 数字证书 证书验证 证书撤销 证书更新 PKI系统的构成 PKI PKI(Public Key Infrastructure)公钥基础设 ...

  8. [转帖] Linux 创建一个简单的私有CA、发证、吊销证书

    原创帖子地址:   https://blog.csdn.net/mr_rsq/article/details/71001810 Linux 创建一个简单的私有CA.发证.吊销证书 2017年04月30 ...

  9. Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇

    Linux操作系统安全-局域网私有CA(Certificate Authority)证书服务器实战篇 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.试验架构说明 node101 ...

随机推荐

  1. SQL 语言包括哪几部分?每部分都有哪些操作关键字?

    SQL 语言包括数据定义(DDL).数据操纵(DML),数据控制(DCL)和数据查询(DQL) 四个部分. 数据定义:Create Table,Alter Table,Drop Table, Crae ...

  2. 什么是原子操作?在 Java Concurrency API 中有哪些原 子类(atomic classes)?

    原子操作(atomic operation)意为"不可被中断的一个或一系列操作" . 处理器使用基于对缓存加锁或总线加锁的方式来实现多处理器之间的原子操作. 在 Java 中可以通 ...

  3. 转载:TCP协议如何保证可靠传输

    转载至:https://www.cnblogs.com/xiaokang01/p/10033267.html TCP协议如何保证可靠传输 概述: TCP协议保证数据传输可靠性的方式主要有: (校 序  ...

  4. HTML 5中不同的新表单元素类型是什么?

    HTML 5推出了10个重要的新的表单元素: Color. Date Datetime-local Email Time Url Range Telephone Number Search

  5. Centos6 编译安装Python3.6

    1. 安装依赖 yum install gcc openssl-devel bzip2-devel 2. 下载Python3.6 cd /usr/src wget https://www.python ...

  6. 前后端分离项目部署到Linux虚拟机

    最近做了一个springboot+vue的前后端分离项目,把它部署到Linux虚拟机上.下面是我的步骤和遇到的问题,需要的朋友可以看下(看的时候注意要全部看完到底部,因为我习惯是把我遇到的问题放到最后 ...

  7. mplab使用小知识

    选择Debugger->Select Tool->MPLAB SIM可以使用MPALB中的软件调试 StopWatch可以观察程序运行时间 注意:在测试时需要注意红圈内晶振是不是和单片机上 ...

  8. JavaScript读取剪贴板中的表格生成图片

    原文 JavaScript读取剪贴板中的表格生成图片 演示地址 你可以访问下面的地址体验每个demo https://fairyever.github.io/excel-to-image-demo/ ...

  9. 前端面试题整理——HTML/CSS

    如何理解语义化: 对应的内容是用相应意思的标签,增加开发者和机器爬虫对代码的可读性. 块状元素和内联元素: 块状元素有:display:block/table:有div h1 h2 table ul  ...

  10. java中为什么接口中的属性和方法都默认为public?

    4)为什么接口中的属性和方法都默认为public?Sun公司当初为什么要把java的接口设计发明成这样? [新手可忽略不影响继续学习]答:如上所述,马克-to-win:既然接口强于抽象类能胜任作为和外 ...