Scenario
- CA root certificate path: /csk-rootca/csk-ca.pem;
- Issue digital certificates; issuer information (containing only the following):
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = CSK Global Root CA
Configuration
Create the directories and files
mkdir /csk-rootca
cd /csk-rootca
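mkdir private # where the private key is stored
mkdir newcerts # where newly issued certificates are stored
touch index.txt # database index file
echo 01 > serial # serial number file; certificate signing starts numbering from this value
Modify the configuration file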
vim /etc/pki/tls/openssl.cnf
...
[CA_default]
dir = /csk-rootca
certificate = $dir/csk-ca.pem
...
policy = policy_anything
Generate the private key and root certificate
cd /csk-rootca
openssl genrsa -out private/cakey.pem 4096
openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # C: country
State or Province Name (full name) []:China # ST: state or province
Locality Name (eg, city) [Default City]:BeiJing # L: locality (city)
Organization Name (eg, company) [Default Company Ltd]:skills # O: organization
Organizational Unit Name (eg, section) []:Operations Departments # OU: organizational unit
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA # CN: common name
Email Address []: # e-mail address (left blank)
View the root certificate information
[root@localhost csk-rootca]# openssl x509 -in csk-ca.pem -noout -text | grep Subject
Subject: C=CN, ST=China, L=BeiJing, O=skills, OU=Operations Departments, CN=CSK Global Root CA
Subject Public Key Info:
X509v3 Subject Key Identifier:
[root@localhost csk-rootca]#
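A non-interactive version of the steps above, with a check that is stricter than grep Subject, as an added example that is not part of the original post. The names make_root_ca, check_root_ca and EXPECTED_DN are hypothetical, and the permission tightening (chmod 700, umask 077) is an addition the original steps do not include.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Required DN in RFC 2253 order (most specific attribute first).
EXPECTED_DN='CN=CSK Global Root CA,OU=Operations Departments,O=skills,L=BeiJing,ST=China,C=CN'

# make_root_ca DIR [BITS]: build the CA tree, key and root certificate, no prompts.
make_root_ca() {
    dir=$1 bits=${2:-4096}
    mkdir -p "$dir/private" "$dir/newcerts" || return 1
    chmod 700 "$dir/private"                  # addition: keep other users out
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"
    [ -f "$dir/serial" ] || echo 01 > "$dir/serial"
    # addition: umask 077 so the unencrypted key is created as 0600
    ( umask 077
      openssl genrsa -out "$dir/private/cakey.pem" "$bits" 2>/dev/null ) || return 1
    # -subj sets exactly the six required attributes, so no e-mail field appears.
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/csk-ca.pem" \
        -days 3650 \
        -subj '/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments/CN=CSK Global Root CA'
}

# check_root_ca DIR: return 0 only if every check passes; problems go to stderr.
check_root_ca() {
    cert=$1/csk-ca.pem key=$1/private/cakey.pem rc=0
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issu=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    # Exact comparison: an extra attribute such as emailAddress fails here.
    [ "$subj" = "$EXPECTED_DN" ] || { echo "FAIL: subject is '$subj'" >&2; rc=1; }
    # A root CA is self-signed, so issuer and subject must be identical.
    [ "$issu" = "$subj" ] || { echo "FAIL: issuer '$issu' differs from subject" >&2; rc=1; }
    # The certificate must carry the public half of private/cakey.pem.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "FAIL: certificate and private key do not match" >&2; rc=1; }
    # No group/other permission bits on the key (columns 5-10 of ls -l).
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: $key is accessible to group or others" >&2; rc=1; }
    return $rc
}

# Usage (as root): make_root_ca /csk-rootca && check_root_ca /csk-rootca
```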
From: https://www.cnblogs.com/frost-descent/p/16751951.html