首页 > 系统相关 >网络系统管理Linux环境——13.AppSrv之CA

网络系统管理Linux环境——13.AppSrv之CA

时间:2023-03-19 16:32:38浏览次数:55  
标签:13 Name csk CA appsrv rootca AppSrv root

题目要求

服务器AppSrv上的工作任务

6.  CA(证书颁发机构)

CA根证书路径/csk-rootca/csk-ca.pem;

签发数字证书,颁发者信息:(仅包含如下信息)

    C = CN

    ST = China

    L = BeiJing

    O = skills

    OU = Operations Departments

    CN = CSK Global Root CA

项目实施

修改证书配置文件:

[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
#修改42行,dir = /csk-rootca
#修改84行到90行,将mastch、supplied更改为optional
#底行模式替换 - :85,88s/mastch/optional
#将98行复制到87行 yy复制 p粘贴

创建证书必要文件:

[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir private newcerts
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 > serial
[root@appsrv csk-rootca]#

生成密钥:

[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus
............................................................................................................................+++
......+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]#

生成根证书:

[root@appsrv csk-rootca]# openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#

生成web的密钥:

[root@appsrv CA]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)
[root@appsrv CA]#

生成web证书;

[root@appsrv CA]# openssl req -new -key httpd.key -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.www.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv CA]#

web证书与根证书绑定:

[root@appsrv CA]# openssl ca -keyfile private/cakey.pem -cert csk-ca.pem -in httpd.csr  -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 14 09:38:23 2022 GMT
Not After : Apr 14 09:38:23 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = China
localityName = BeiJing
organizationName = skills
organizationalUnitName = Operations Departments
commonName = *.chinaskills.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
41:5E:AE:2B:9F:5B:5D:8E:FF:8F:BC:93:3E:0D:50:C9:63:E5:AC:EE
X509v3 Authority Key Identifier:
keyid:03:AD:1B:0E:37:5D:70:71:0A:61:01:8A:E2:9B:FB:7D:48:8B:E4:8A

Certificate is to be certified until Apr 14 09:38:23 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

标签:13,Name,csk,CA,appsrv,rootca,AppSrv,root
From: https://blog.51cto.com/lyx888/6131273

相关文章