Network System Management, Linux Environment: the CA on AppSrv

2024-09-14 13:55:59

Task requirements

Tasks on the server AppSrv

6. CA (Certificate Authority)

CA root certificate path: /csk-rootca/csk-ca.pem;

Issue digital certificates; issuer information (containing only the following fields):

    C = CN

    ST = China

    L = BeiJing

    O = skills

    OU = Operations Departments

    CN = CSK Global Root CA

Implementation

Modify the certificate configuration file:

[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
# Line 42: set dir = /csk-rootca
# Lines 84 to 90: change match and supplied to optional
# Substitute from last-line mode: :85,88s/match/optional
# Copy line 98 to line 87 (yy to yank, p to paste)

Create the files the CA needs:

[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir private newcerts
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 > serial
[root@appsrv csk-rootca]#

Generate the CA key:

[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus
............................................................................................................................   
......   
e is 65537 (0x10001)
[root@appsrv csk-rootca]#

Generate the root certificate:

[root@appsrv csk-rootca]# openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#

Generate the web server key:

[root@appsrv CA]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
..............   
.............................................................................   
e is 65537 (0x10001)
[root@appsrv CA]#

Generate the web certificate request (CSR):

[root@appsrv CA]# openssl req -new -key httpd.key -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.www.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv CA]#

Sign the web certificate request with the root CA:

[root@appsrv CA]# openssl ca -keyfile private/cakey.pem -cert csk-ca.pem -in httpd.csr  -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 14 09:38:23 2022 GMT
            Not After : Apr 14 09:38:23 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            localityName              = BeiJing
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = *.chinaskills.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                41:5E:AE:2B:9F:5B:5D:8E:FF:8F:BC:93:3E:0D:50:C9:63:E5:AC:EE
            X509v3 Authority Key Identifier: 
                keyid:03:AD:1B:0E:37:5D:70:71:0A:61:01:8A:E2:9B:FB:7D:48:8B:E4:8A

Certificate is to be certified until Apr 14 09:38:23 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
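The whole procedure above as one non-interactive script, added here as an example (it is not the post's own commands): a minimal ca.cnf written by the script stands in for the line-number edits to /etc/pki/tls/openssl.cnf, -subj replaces the interactive prompts, and a final function checks that httpd.crt verifies against csk-ca.pem and carries exactly the required issuer DN. It assumes openssl 1.1 or newer on PATH, takes the CA directory as an argument (the post uses /csk-rootca; a scratch directory works for trying it out), and uses the web CN as it appears in the signed certificate above.

```shell
#!/bin/sh
# Added example (not the post's commands): the same CA build, non-interactive; ca.cnf replaces the line-number edits to /etc/pki/tls/openssl.cnf. Assumes openssl 1.1+ on PATH.
set -eu
CA_SUBJ="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=CSK Global Root CA"
WEB_SUBJ="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=*.chinaskills.cn"
write_cnf() {  # $1 = CA directory (the post uses /csk-rootca)
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = csk_ca
[ csk_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/csk-ca.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
x509_extensions = usr_cert
policy = policy_match  # every field optional, which is what the post's edit of lines 84-90 does
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
build_ca() {  # $1 = CA directory: the post's layout, CA key, root cert, web key, CSR, signed cert
  mkdir -p "$1/private" "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"; write_cnf "$1"
  openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$1/ca.cnf" -days 3650 -key "$1/private/cakey.pem" -subj "$CA_SUBJ" -out "$1/csk-ca.pem"
  openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/httpd.key" -subj "$WEB_SUBJ" -out "$1/httpd.csr"
  openssl ca -batch -config "$1/ca.cnf" -in "$1/httpd.csr" -out "$1/httpd.crt"
}
issuer_of_web_cert() {  # prints the issuer DN (RFC 2253 form) of httpd.crt once it verifies against csk-ca.pem
  openssl verify -CAfile "$1/csk-ca.pem" "$1/httpd.crt" >/dev/null &&
    openssl x509 -in "$1/httpd.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}
```

Run build_ca /csk-rootca and then issuer_of_web_cert /csk-rootca; the printed DN should be CN=CSK Global Root CA,OU=Operations Departments,O=skills,L=BeiJing,ST=China,C=CN, and nothing else.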
