openssl实现私有CA

只在内网使用，无法连接外网 CA的配置文件：/etc/pki/tls/openssl.cnf

创建CA目录

 [root@node2 ~]#  mkdir /etc/pki/CA
 [root@node2 ~]# cd /etc/pki/CA
 [root@node2 ~]# ls /etc/pki/
 CA  ca-trust  java  rpm-gpg  rsyslog  tls
 [root@node2 ~]# cd /etc/pki/CA
 [root@node2 CA]# 

CA生成一对密钥

 [root@node2 CA]# mkdir -p /etc/pki/CA/private
 #生成密钥，括号必须要
 [root@node2 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) 
 Generating RSA private key, 2048 bit long modulus (2 primes)
 .......................+++++
 ...............+++++
 e is 65537 (0x010001)
 [root@node2 CA]# ls
 private
 [root@node2 CA]# ll private/
 total 4
 -rw------- 1 root root 1675 Dec 26 21:01 cakey.pem
 [root@node2 CA]# openssl rsa -in private/cakey.pem -pubout  #提取公钥
 writing RSA key
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvpEaOB5/BqfUtRlCfrdG
 V1x0BiZAOzXYH4DyMzAeFqOO391iH8DNnc2836SpDjmuzQHqCn/KjkFdLab8p3ro
 Dnnfd0FJ5/dXOnR2QLKK1nsGVL7T2BWUWuBzBqQOsSYVjzCBCpl1Dhmd7jDyrSlw
 Kxiha0OvY5BEQ+c5AOHTLN6rue/k3AdOqklc1wRcR3KtfAdSPCKXz1BQ89ZTjMz5
 lPu90LVyPxEA+w4fvTT60wEXI00oFGnlybf10OoSMJIl2A8n0ryxv948M20TAsWz
 JfTzqjNHDbKZpRzVtaOCz9QIGQJ9MY1nSIVdOYxmXye6okRo226gxGXOny5fDo34
 1wIDAQAB
 -----END PUBLIC KEY-----
 [root@node2 CA]# 

CA生成自签署证书

 [root@node2 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CN    #两个字母表示国家
 State or Province Name (full name) []:HB #省份
 Locality Name (eg, city) [Default City]:WH #城市
 Organization Name (eg, company) [Default Company Ltd]:runtime #公司
 Organizational Unit Name (eg, section) []:runtime #组织单元名
 Common Name (eg, your name or your server's hostname) []:www.mashuangle.com #域名
 Email Address []:[email protected] #邮箱
 [root@node2 CA]# ls
 cacert.pem  private
 [root@node2 CA]# 

创建空目录和文件

 [root@node2 CA]# mkdir certs newcerts crl
 [root@node2 CA]# touch index.txt && echo 01 > serial
 [root@node2 CA]# cat serial 
 01
 [root@node2 CA]# 

创建目录来放置证书

 [root@node2 CA]# mkdir -p /usr/local/apache/conf/ssl
 [root@node2 CA]# cd /usr/local/apache/conf
 [root@node2 conf]# ls
 extra  httpd.conf  magic  mime.types  original  ssl
 [root@node2 conf]# cd ssl
 [root@node2 ssl]# 

客户端（例如httpd服务器)生成密钥

 [root@node2 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
 Generating RSA private key, 2048 bit long modulus (2 primes)
 ...............+++++
 .............................................................................................+++++
 e is 65537 (0x010001)
 [root@node2 ssl]# ls
 httpd.key
 [root@node2 ssl]# 

客户端生成证书签署请求

 [root@node2 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
 Ignoring -days; not generating a certificate
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CN
 State or Province Name (full name) []:HB
 Locality Name (eg, city) [Default City]:WH
 Organization Name (eg, company) [Default Company Ltd]:runtime
 Organizational Unit Name (eg, section) []:runtime
 Common Name (eg, your name or your server's hostname) []:www.mashuangle.com
 Email Address []:[email protected]
 ​
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 [root@node2 ssl]# 

CA签署证书

 [root@node2 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
 Using configuration from /etc/pki/tls/openssl.cnf
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Dec 26 13:19:21 2022 GMT
             Not After : Dec 26 13:19:21 2023 GMT
         Subject:
             countryName               = CN
             stateOrProvinceName       = HB
             organizationName          = runtime
             organizationalUnitName    = runtime
             commonName                = www.mashuangle.com
             emailAddress              = [email protected]
         X509v3 extensions:
             X509v3 Basic Constraints: 
                 CA:FALSE
             Netscape Comment: 
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier: 
                 6E:6E:78:93:92:14:AE:6B:BE:2E:10:88:2C:57:01:3E:88:13:06:41
             X509v3 Authority Key Identifier: 
                 keyid:55:65:36:B9:38:18:32:72:F2:37:69:0E:5E:F2:44:1F:59:6D:25:27
 ​
 Certificate is to be certified until Dec 26 13:19:21 2023 GMT (365 days)
 Sign the certificate? [y/n]:y
 ​
 ​
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 [root@node2 ssl]# ls
 httpd.crt  httpd.csr  httpd.key
 [root@node2 ssl]#