dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with the same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
# Selected by `policy = policy_match` in the CA section above.
# match    - the field must be present and equal the CA certificate's value
# supplied - the field must be present in the request (any value)
# optional - the field may be absent
# DN fields not listed here (e.g. localityName) are dropped from the
# issued certificate's subject by `openssl ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
# Permissive alternative to policy_match (select it with
# `policy = policy_anything` in the CA section): no field has to equal
# the CA certificate's value, only commonName must be supplied.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
# Defaults for `openssl req` (key generation, CSRs and -x509 self-signed
# certificates).
# key size in bits when openssl req generates the key itself
default_bits = 2048
# digest used to sign the request or the self-signed certificate
default_md = sha256
# where a generated key is written when -keyout is not given
default_keyfile = privkey.pem
# section holding the DN prompts
distinguished_name = req_distinguished_name
# section (not shown in this excerpt) holding the extra request
# attributes, e.g. the challenge password prompt
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# (keep these commented out: a passphrase stored here is readable by
# everyone who can read this file)
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
# Prompts for `openssl req -new`. For each DN field: <field> = prompt text,
# <field>_default = value taken when the prompt is answered with Enter,
# <field>_min / <field>_max = allowed length. A "0." / "1." prefix lets
# the same field be asked more than once.
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
# 64 characters is the X.509 upper bound for commonName
commonName_max = 64
Note: the umask keeps the key file readable only by root, but the key itself is written unencrypted; adding `-aes256` to the genrsa command would additionally protect it with a passphrase.
[iyunv@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...........................................................++
.......................................................................++
e is 65537 (0x10001)
生成自签证书
[iyunv@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:devops.magedu.com
Email Address []:twoyang@magedu.com
(The server's private key www.magedu.com.key has to be generated first, on the requesting host, e.g. with openssl genrsa as for the CA key; that step is not shown. The bracketed defaults below also differ from the config excerpt above, so the openssl.cnf defaults were presumably edited between the two runs.)
[iyunv@localhost ~]# openssl req -new -key www.magedu.com.key -out www.magedu.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Magedu]:
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:admin@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
客户端将发证请求文件通过可靠渠道交给CA
CA签发证书
Note: the request's Locality (Beijing) is not carried into the issued certificate, because `policy_match` does not list localityName and `openssl ca` drops DN fields the policy does not mention. The printed extensions also contain no Subject Alternative Name; browsers and most current TLS clients match the hostname against the SAN rather than the commonName, so a server certificate issued with these defaults fails hostname verification there.
[iyunv@localhost ~]# openssl ca -in www.magedu.com.csr -out www.magedu.com.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 17 13:58:20 2016 GMT
Not After : Mar 17 13:58:20 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Magedu
organizationalUnitName = dev
commonName = www.magedu.com
emailAddress = admin@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5F:BE:24:09:C8:BB:7D:25:70:03:1B:D1:59:D9:1C:50:61:61:4B:CF
X509v3 Authority Key Identifier:
keyid:1F:0B:D4:ED:89:8A:97:E7:4D:D3:5C:30:F6:95:70:9B:E7:B7:58:25
Certificate is to be certified until Mar 17 13:58:20 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@localhost ~]# cat /etc/pki/CA/index.txt
V 170317135820Z 01 unknown /C=CN/ST=Beijing/O=Magedu/OU=dev/CN=www.magedu.com/emailAddress=admin@magedu.com
[iyunv@localhost ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
生成证书吊销列表
The CRL expires at its Next Update (30 days, from default_crl_days), so it has to be regenerated with `openssl ca -gencrl` and redistributed before then, and after each revocation, for clients to learn of revoked certificates.
[iyunv@localhost ~]# openssl ca -gencrl -out /etc/pki/CA/crl/thisca.crl
Using configuration from /etc/pki/tls/openssl.cnf
[iyunv@localhost ~]# ls /etc/pki/CA/crl/thisca.crl -al
-rw-r--r-- 1 root root 1097 Mar 17 22:12 /etc/pki/CA/crl/thisca.crl
[iyunv@localhost ~]# cat /etc/pki/CA/index.txt
R 170317135820Z 160317141000Z 01 unknown /C=CN/ST=Beijing/O=Magedu/OU=dev/CN=www.magedu.com/emailAddress=admin@magedu.com
[iyunv@localhost ~]# openssl crl -in /etc/pki/CA/crl/thisca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=CN/ST=Beijing/L=Beijing/O=Magedu/OU=devops/CN=devops.magedu.com/emailAddress=twoyang@magedu.com
Last Update: Mar 17 14:12:18 2016 GMT
Next Update: Apr 16 14:12:18 2016 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 17 14:10:00 2016 GMT
Signature Algorithm: sha256WithRSAEncryption
1b:f6:cc:f9:d4:fb:ed:d4:32:fc:82:aa:a6:9f:36:55:ca:01:
90:6c:db:b0:06:af:39:de:42:e3:ff:0b:29:c4:1c:87:f1:2c:
d7:90:7c:62:2f:7d:8a:98:8d:4a:37:60:ea:fb:45:25:d2:bd:
89:ea:44:92:a0:68:f5:b8:aa:0a:0a:c8:bf:88:18:e2:88:75:
f5:9c:6b:72:22:a0:66:6f:62:ad:59:fb:49:90:8a:1f:db:bf:
63:aa:f9:bd:4f:35:53:1e:b1:f1:7b:c4:89:29:09:fc:c9:51:
85:5c:fc:7e:c2:0b:0f:28:c5:a3:e4:08:c1:d6:06:29:79:ea:
d7:37:64:d2:b2:4c:b1:2c:54:ef:b1:98:f7:2b:df:e6:8a:26:
95:a7:fb:4c:5f:52:cc:da:d6:07:c6:a3:b4:4a:38:3c:8c:2c:
0d:c6:72:a4:64:ed:e6:89:1a:e1:92:65:e4:7c:64:ec:3a:a8:
ba:1e:67:2d:3c:18:fd:cb:37:88:a5:76:39:8d:04:ed:ba:78:
c6:a4:db:84:31:6b:32:a5:7d:a5:6c:65:17:2e:bc:d0:4b:da:
a3:ad:c3:9a:3f:b9:a9:bf:e1:56:27:38:79:af:e6:25:65:f4:
52:d7:24:13:e2:85:90:3a:1a:88:b3:6d:36:ac:37:44:30:0c:
16:c5:df:29:40:74:66:33:74:47:5a:a8:15:73:fe:da:23:e3:
29:ba:1f:e8:3c:25:ba:a6:63:69:9c:95:71:15:b9:fc:49:08:
43:d4:a5:77:c1:d6:75:e0:d5:e7:9b:f6:6f:e2:ee:47:1c:19:
f4:3c:0f:7c:f4:b6:cb:fe:25:90:68:53:60:bb:5c:68:35:8b:
3a:74:d1:85:d5:22:19:9e:f4:ff:90:d3:b4:e8:69:dd:f2:9f:
5d:51:ee:33:d6:a0:e2:92:05:b1:02:d6:f7:fd:6c:9c:ab:88:
50:c7:3f:c8:77:91:ad:70:62:68:b8:32:a3:ce:e6:60:91:d8:
b6:0c:3b:0b:21:3e:3e:b4:6b:af:03:e3:55:12:ac:a7:95:c9:
5a:c1:02:a2:5e:f9:e0:95:6d:be:cb:45:af:0b:0c:99:19:2e:
5b:9b:e3:b7:cf:f6:d3:bb:87:c4:24:7f:18:4a:4d:eb:89:a8:
69:88:08:fc:fa:ef:c7:aa:4a:ff:b2:34:f2:a3:98:4d:8e:6f:
57:69:76:bb:c9:09:4f:1c:e3:a4:41:69:bb:3c:5c:1c:c3:3a:
73:6c:63:40:78:55:98:18:01:72:bb:f3:ba:7e:be:be:0b:31:
17:15:f3:34:32:03:a6:91:54:86:b8:32:b9:ee:6c:4d:cb:72:
c5:e7:ae:a1:56:b6:bc:cf