一、創建私有CA根證書

1、創建CA目錄

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# mkdir -pv /etc/pki/CA/{private,certs,crl,newcerts} mkdir: created directory '/etc/pki/CA' mkdir: created directory '/etc/pki/CA/private' mkdir: created directory '/etc/pki/CA/certs' mkdir: created directory '/etc/pki/CA/crl' mkdir: created directory '/etc/pki/CA/newcerts'

2、新建數據庫文件并初始化

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# touch /etc/pki/CA/{serial,index.txt} root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# echo 01 > /etc/pki/CA/serial

3、創建CA私鑰

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096 Generating RSA private key, 4096 bit long modulus (2 primes) ........................................++++ ....................................................................................................................................................................................................................................................................++++ e is 65537 (0x010001)

4、創建自簽CA根證書

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:sc Locality Name (eg, city) []:cd Organization Name (eg, company) [Internet Widgits Pty Ltd]:tsinghua-eiri Organizational Unit Name (eg, section) []:xxxx Common Name (e.g. server FQDN or YOUR name) []:xxxxxx Email Address []:

二、簽發證書

1、創建客戶私鑰

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl genrsa -out client0001.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) ....+++++ ....+++++ e is 65537 (0x010001)

2、提取客戶公鑰（備用）

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl rsa -in client0001.key -pubout -out client0001.pub writing RSA key

3、生成客戶證書請求

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl req -new -key client0001.key -out client0001.csr -days 3650 Ignoring -days; not generating a certificate You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:sc Locality Name (eg, city) []:cd Organization Name (eg, company) [Internet Widgits Pty Ltd]:tsinghua-eiri Organizational Unit Name (eg, section) []:scu Common Name (e.g. server FQDN or YOUR name) []:jackwang Email Address []:Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

4、簽發客戶請求

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl ca -in client0001.csr -out /etc/pki/CA/certs/client0001.crt -days 3650 Using configuration from /usr/lib/ssl/openssl.cnf Check that the request matches the signature Signature ok Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Feb 16 09:03:43 2022 GMTNot After : Feb 14 09:03:43 2032 GMTSubject:countryName = CNstateOrProvinceName = scorganizationName = tsinghua-eiriorganizationalUnitName = scucommonName = jackwangX509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:D3:38:BA:C9:C5:50:C9:51:14:E0:1A:F2:7C:42:70:50:70:F5:92:81X509v3 Authority Key Identifier:keyid:4D:1E:75:EE:8A:DD:69:3E:6C:FE:FB:D2:AA:34:2D:91:48:8D:D7:55Certificate is to be certified until Feb 14 09:03:43 2032 GMT (3650 days) Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

5、查看證書信息

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# openssl x509 -in client0001.crt -noout -text Certificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: sha256WithRSAEncryptionIssuer: C = CN, ST = sichuan, L = cd, O = tsinghua-eiri, OU = eiri-iot, CN = rootValidityNot Before: Feb 16 09:03:43 2022 GMTNot After : Feb 14 09:03:43 2032 GMTSubject: C = CN, ST = sc, O = tsinghua-eiri, OU = scu, CN = jackwangSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (2048 bit)Modulus:00:94:c6:ca:08:6e:08:26:47:39:6d:78:92:d6:a5:6f:3e:3b:cc:b7:0d:fa:9c:eb:dd:5f:12:87:40:0f:ad:c1:21:83:fe:7e:b8:c0:6c:a6:30:d4:e9:03:99:4a:03:b5:88:59:11:12:ef:8b:f1:62:f1:f1:ee:d0:f8:f2:03:35:12:16:b9:44:14:bb:69:89:83:c3:44:9d:17:49:32:de:10:43:49:cb:70:2e:89:33:07:57:f7:ed:da:06:1d:25:45:dc:ad:b9:da:55:30:05:02:9f:e1:63:51:8a:cb:39:30:a1:71:86:5a:8e:a3:b3:c7:71:50:19:74:f8:93:da:1b:9d:0a:b5:de:27:c8:55:14:f8:e6:9b:02:2c:ea:75:bf:44:d6:08:49:3c:9b:a1:b4:97:1e:a8:88:cf:23:83:eb:03:b6:6d:e6:be:74:60:f8:88:29:0e:a7:7f:1a:ec:2e:c4:ff:4d:2f:f2:6b:53:0e:a9:35:99:d1:0f:cc:ed:ef:41:eb:a8:b2:27:7a:4c:d1:e9:b7:1c:1b:29:80:a6:b2:b8:9f:1f:3a:35:e0:05:05:f6:a9:77:a0:bd:98:51:e2:0b:38:9d:ca:3c:48:c2:02:5d:7b:ba:01:cd:5c:48:8b:ef:38:03:f2:ed:ee:90:c5:31:b8:dd:40:49:c4:ce:79Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:D3:38:BA:C9:C5:50:C9:51:14:E0:8A:F2:7C:45:70:50:70:F5:92:81X509v3 Authority Key Identifier:keyid:4D:BE:75:EE:8A:DD:69:3E:6C:FE:FB:D2:AA:34:2D:91:48:8D:D7:55Signature Algorithm: sha256WithRSAEncryption45:1c:29:cd:ad:18:10:6d:9f:50:f6:2c:08:1e:22:3a:90:fd:36:36:c3:fa:ea:01:89:34:e3:c5:2b:e0:04:3f:39:c2:62:87:a7:29:24:9a:40:47:d6:77:b3:49:53:c8:3f:1e:6c:b1:a0:0a:26:36:d5:df:f7:f6:97:54:46:75:6b:97:2e:f5:7c:60:2f:96:af:1c:65:94:58:30:22:3f:b5:31:30:f4:76:10:57:a6:12:51:96:f7:ab:88:18:07:44:b7:d4:7a:4e:d7:bd:35:ec:4f:ec:00:45:50:57:75:8c:1a:d1:9b:fb:81:9c:f0:d3:13:f6:75:06:1a:65:b9:1e:51:8d:ec:d1:52:b2:e2:07:b7:6c:66:b2:66:e9:79:3a:fc:eb:11:7d:c8:23:2c:c4:d6:f6:62:c4:a9:c3:87:a7:fa:68:a1:1c:d4:28:d6:e1:bd:fa:7e:f0:00:f4:40:6d:45:7f:d7:66:32:06:16:22:16:61:84:f4:a1:90:8e:29:2a:c7:07:7f:4f:73:09:6b:da:d9:0a:80:bd:da:ba:a2:77:b9:c4:2a:3c:fd:69:b3:0b:ac:d9:16:12:a3:f1:cd:3d:2f:21:3f:ca:78:d3:f0:9d:7b:ac:80:51:0f:c3:2a:9b:80:73:ef:ab:e3:98:d4:c8:e3:e2:a8:ff:dc:15:c9:00:ef:74:83:ca:68:71:e8:a4:62:dc:6c:3d:32:95:aa:ac:f2:d8:a6:ae:3a:23:35:a6:df:95:ed:d6:05:0e:03:e6:7b:d0:bf:c5:c2:0b:5f:b9:53:83:be:83:87:af:86:4b:b1:a7:c5:36:17:29:d8:9f:9f:5e:4d:ff:05:4b:75:0d:fe:e5:fe:cf:33:cd:8f:37:4a:c3:01:1c:22:11:e0:7c:f4:ae:5c:42:5f:b2:69:b3:14:d1:f2:d2:5e:7f:77:53:1f:96:b2:df:e7:cd:10:79:5b:2c:d9:1c:af:95:a3:bf:dc:6b:ea:21:c2:4f:d4:5c:ff:df:3c:8a:6b:ce:9b:0b:c6:3f:2b:02:a6:5a:78:a5:4d:14:c1:fa:1a:0e:3c:91:bd:de:c0:09:e4:5d:19:1c:c1:b6:3d:aa:e5:ea:41:fb:ea:67:ed:14:ae:52:76:95:cd:d3:da:6a:9b:ce:e7:4f:f5:3f:de:4f:e9:7c:48:f9:8d:18:ff:8a:16:a2:1c:3f:a5:48:d9:81:ad:a4:2f:ae:d4:a9:8b:4a:a5:8d:83:2d:92:b9:90:f3:0f:23:f0:62:5c:00:26:cd:b7:72:7c:98:c4:6b:98:bc:ab:13:a6:3c:d7:c8:34:bf:9c:e2:06:26:ca:62:ec:dc:c9:49:4a:58:db:07:c0:80:46:6d

三、目錄結構

root@DESKTOP-JP3S3AN:/home/wsl/openssl_pro/client# tree /etc/pki/CA /etc/pki/CA ├── cacert.pem ├── certs │ └── client0001.crt ├── crl ├── index.txt ├── index.txt.attr ├── index.txt.old ├── newcerts │ └── 01.pem ├── private │ └── cakey.pem ├── serial └── serial.old4 directories, 9 files

總結

以上是生活随笔為你收集整理的openssl创建CA并签发证书的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。