3月 21 2020
创建根CA证书签发目录结构
[root@ip-172-31-2-174 ~]# mkdir -p ca/{certs,crl,newcerts,private}
[root@ip-172-31-2-174 ~]# chmod 700 ca/private
[root@ip-172-31-2-174 ~]# touch ca/index.txt
[root@ip-172-31-2-174 ~]# echo 1000 > ca/serial
准备根CA配置文件
[root@ip-172-31-2-174 ~]# cd ca/
[root@ip-172-31-2-174 ca]# vi openssl.cnf
生成根CA证书私钥
[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
..............................................................++
..............................................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 private/ca.key.pem
[root@ip-172-31-2-174 ca]#
生成根CA证书
openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7300 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
[root@ip-172-31-2-174 ca]# openssl req -config openssl.cnf \
> -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -extensions v3_ca \
> -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:YSWM ROOT CA
Email Address []:
[root@ip-172-31-2-174 ca]# chmod 444 certs/ca.cert.pem
[root@ip-172-31-2-174 ca]#
验证根CA证书信息(有效期20年)。注意:下面输出中的 Serial Number 是随机值,而不是前面写入 ca/serial 的 1000——`openssl req -x509` 自签名时不读取该文件,ca/serial 只在之后用 `openssl ca` 签发证书时才会用到。
[root@ip-172-31-2-174 ca]# openssl x509 -in certs/ca.cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: b4:3b:48:9b:76:69:bf:60
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Validity
            Not Before: Mar 21 05:47:53 2020 GMT
            Not After : Mar 16 05:47:53 2040 GMT
        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a1:41:53:36:5b:8c:73:e7:da:90:c2:85:2b:48:
                    47:c1:8b:fb:b9:c0:a9:c1:d5:a8:a7:37:de:41:b3:
                    6b:cb:41:72:ad:e9:99:76:85:37:79:76:6c:54:8b:
                    d3:24:2f:18:6e:37:d2:b4:fb:f8:07:d9:45:7b:71:
                    5c:a2:1a:c1:ea:99:e0:28:53:ab:14:e2:73:5d:54:
                    01:16:fc:1e:27:3d:98:e9:3c:d6:b4:69:df:45:9e:
                    18:ac:8b:4c:ca:10:ff:3b:7d:c5:63:c0:8d:be:e3:
                    31:d7:64:4d:3c:94:32:d1:43:bd:37:87:66:11:b8:
                    24:a5:ab:61:ca:bc:8c:1e:05:78:da:9d:5b:3b:66:
                    ea:b3:a7:6d:b0:f5:1a:8a:72:4e:aa:f3:66:f8:f5:
                    4d:c0:58:b7:11:8f:64:21:ce:8d:5e:d9:e5:79:a9:
                    6a:d3:8f:50:34:f1:e6:2b:73:ce:df:57:9c:2d:fe:
                    a1:17:df:74:d9:0c:f4:4a:a5:a3:9c:6a:64:fd:93:
                    f9:92:18:9b:98:ba:0e:78:06:dc:88:37:0f:17:73:
                    ea:3c:b7:20:fb:10:63:b9:b8:08:55:82:15:84:38:
                    41:9d:e4:e3:31:a9:e5:f5:47:e2:5b:71:15:ac:b6:
                    ec:47:4f:5e:ef:f5:78:44:0c:b1:1d:6a:81:d0:0e:
                    66:b8:bc:a5:10:f0:e0:cc:56:f6:52:86:83:9c:ce:
                    0c:1a:92:42:a3:10:02:92:af:65:0e:1e:1e:d1:bf:
                    3e:9c:c6:59:d1:ae:87:1c:7c:5d:03:0c:b1:1d:0d:
                    73:2f:d1:a7:b3:1c:6e:bf:50:fc:a1:cd:61:e0:e5:
                    20:81:b6:05:2e:89:7a:98:8e:d8:05:a3:14:80:b6:
                    63:cc:c5:0e:26:64:45:93:b0:9c:ac:cd:71:4d:71:
                    19:9a:b7:60:f3:ce:be:e5:0b:78:43:48:d5:70:ad:
                    7a:2c:33:d5:48:85:2e:b8:4a:b3:31:52:70:74:14:
                    ca:26:ce:a1:01:9c:ab:f8:cc:8f:87:f1:8c:20:48:
                    c6:38:aa:e5:57:71:e8:c4:28:41:32:3e:10:4e:16:
                    2d:85:57:d2:a2:46:4c:d4:b7:31:c2:43:41:14:98:
                    b5:5b:f2:19:87:62:fd:72:1b:b4:1c:9f:fc:b7:c3:
                    db:90:f1:15:c4:d0:19:0d:9f:eb:16:b0:d0:47:b8:
                    94:11:29:28:33:f8:ed:7c:0a:09:73:91:bf:5b:ca:
                    48:a8:4f:03:72:82:c2:ab:1b:18:0d:1f:40:e5:6a:
                    a9:64:ef:25:13:2a:9e:6e:c6:46:b5:9b:01:7c:b2:
                    80:40:1a:84:01:71:55:7c:fe:bb:19:bf:4c:53:1a:
                    f2:92:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F
            X509v3 Authority Key Identifier:
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         01:6d:de:25:86:9e:73:82:21:bd:fe:e2:13:39:2d:da:06:aa:
         34:82:9c:62:06:93:a9:bc:f1:23:85:a5:3e:bc:b9:b8:d0:1f:
         78:09:db:8e:82:ab:0e:44:1e:58:44:6b:da:b3:f6:94:a7:62:
         35:85:07:6a:45:90:91:a3:e7:a4:50:25:b3:bc:dd:58:55:f5:
         bd:13:82:1f:2c:3f:13:f9:3d:de:95:9e:7b:34:ad:9d:29:67:
         71:12:cb:bf:87:47:e2:a0:cf:ff:b4:9d:7f:12:40:ed:d1:3a:
         65:ca:ae:d2:3e:f7:94:85:9c:7f:16:b0:78:72:5d:ff:2e:3b:
         13:47:9c:b2:bc:72:2b:90:9c:2b:0e:79:4d:e4:8c:d3:e5:d7:
         98:1b:09:0a:88:f8:63:74:a1:af:56:04:71:4b:b0:1a:d0:75:
         7e:53:5f:5a:5f:fd:73:53:72:12:69:79:5e:d6:88:ad:40:50:
         c4:6d:1a:c7:e8:ac:dc:7c:6a:f5:f0:b7:5f:5a:95:da:a1:6e:
         b3:98:ea:49:40:49:19:39:6d:f2:7d:bb:0b:4a:d4:31:6a:e0:
         2c:20:02:bc:00:f6:74:e6:b0:b0:d3:05:df:dd:6a:1f:db:50:
         ff:43:bf:dd:3b:10:a6:1a:b9:bf:39:5a:c4:09:b0:10:b7:8e:
         76:fc:64:cf:76:2f:a9:08:24:b2:92:3c:37:04:ba:2b:63:98:
         1c:6e:f8:9d:3d:fa:b1:56:49:7c:46:35:7e:2d:ff:43:fe:6c:
         cb:e3:91:66:2a:3e:31:f3:45:b9:c2:96:34:ac:f4:16:e4:6a:
         cd:f0:86:f9:bd:19:19:1e:19:eb:1e:f8:74:71:8a:fb:3b:37:
         4b:45:59:b9:90:30:bc:67:85:de:e0:d9:36:b5:5d:e5:06:d8:
         e1:0a:d3:86:b3:02:d2:a8:c5:43:ca:b9:70:d6:32:a8:c0:4d:
         39:5a:be:bf:7d:3b:66:60:d1:c8:1f:66:a8:57:de:9f:7f:e1:
         2a:4f:89:1c:78:5d:25:9f:69:dc:b5:2e:59:97:99:65:a1:a1:
         ef:78:78:f1:26:5f:fc:ae:1e:72:00:70:ed:25:d2:91:55:8a:
         1c:34:e6:d3:bf:02:1f:9c:4d:dd:a2:b9:12:fa:5a:f3:22:a4:
         05:24:35:e1:56:76:ab:fe:33:65:46:86:56:f6:d6:ca:f7:4c:
         96:15:0b:16:16:b1:f6:49:64:f9:fe:38:42:dd:2c:b3:db:97:
         41:62:ce:b7:62:66:a9:7a:e3:8d:54:8c:89:23:7a:ac:a5:89:
         df:85:b4:dc:b1:dd:82:67:12:49:05:9e:fb:c0:c8:c9:16:66:
         d1:af:ad:a5:9e:75:14:9b
[root@ip-172-31-2-174 ca]#