OpenSSL生成并使用CA根证书签名Keytool生成的证书请求

1,生成私钥[带密码]

[root@node00 security]# openssl genrsa [-des3] -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@node00 security]#

2,生成证书请求文件

[root@node00 security]# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Hinabian
Organizational Unit Name (eg, section) []:data
Common Name (eg, your name or your server's hostname) []:node00
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node00 security]#

3,用自己的私钥给自己签发根证书

[root@node00 security]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
Getting Private key
Enter pass phrase for ca.key:
[root@node00 security]#

4,用CA根证书来签名服务器端的证书请求文件

4.1 创建 /etc/pki/CA/index.txt文件

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140358162147216:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140358162147216:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
4.2 创建 /etc/pki/CA/index.txt文件

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140017638942608:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140017638942608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node00 security]#

用来跟踪最后一次颁发的证书的序列号。

[root@node00 CA]# echo "01" > /etc/pki/CA/serial
[root@node00 CA]#

4.3 用CA根证书来签名服务器端的证书请求文件

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)
[root@node00 security]# ll
total 12
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root    0 Oct 24 16:45 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#

问题：

The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)

解决方案： 修改 /etc/pki/tls/openssl.cnf 文件

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
#stateOrProvinceName    = match      (将 match 改为 optional )
#organizationName       = match        (将 match 改为 optional )
stateOrProvinceName     = optional
organizationName        = optional        
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

再次执行：

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 24 08:54:57 2018 GMT
            Not After : Oct 21 08:54:57 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = Hinabian
            organizationalUnitName    = data
            commonName                = node00
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:30:7D:B3:7E:85:D4:39:22:2F:B3:96:55:A3:38:68:FE:7F:03:88
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
                serial:E1:40:B9:DB:A9:83:F9:C3

Certificate is to be certified until Oct 21 08:54:57 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node00 security]# ll
total 20
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root 4632 Oct 24 16:55 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#

成功生成证书签名node00.pem！