Building a private CA with OpenSSL
Create the CA directory
[root@liu ~]# mkdir /etc/pki/CA
[root@liu ~]# ls /etc/pki/
CA ca-trust java rpm-gpg rsyslog tls
Generate a key pair for the CA
[root@liu ~]# cd /etc/pki/CA
[root@liu CA]# mkdir -p /etc/pki/CA/private
# Generate the private key
[root@liu CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................+++++
.+++++
e is 65537 (0x010001)
# Extract the public key
[root@liu CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
Generate the CA's self-signed certificate
[root@liu CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Enter the country
Country Name (2 letter code) [XX]:cn
# Enter the province
State or Province Name (full name) []:hb
# Enter the city
Locality Name (eg, city) [Default City]:wh
# Enter the company
Organization Name (eg, company) [Default Company Ltd]:rt
# Enter the organizational unit name
Organizational Unit Name (eg, section) []:rt
# Enter the domain name
Common Name (eg, your name or your server's hostname) []:www.liu.com
# Enter the e-mail address
Email Address []:[email protected]
Create the directories and files
[root@liu CA]# mkdir certs newcerts crl
[root@liu CA]# touch index.txt && echo 01 > serial
[root@liu CA]# cat serial
01
[root@liu CA]#
# Create a directory to hold the certificates
[root@liu CA]# mkdir -p /usr/local/apache/conf/ssl
[root@liu CA]# cd /usr/local/apache/conf
[root@liu conf]# ls
extra httpd.conf magic mime.types original ssl
[root@liu conf]# cd ssl/
[root@liu ssl]#
Client (for example, the httpd server) generates a key
[root@liu ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
............................+++++
e is 65537 (0x010001)
[root@liu ssl]#
Client generates a certificate signing request
[root@liu ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Enter the same country, province, city and other details as above
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:rt
Organizational Unit Name (eg, section) []:rt
Common Name (eg, your name or your server's hostname) []:www.liu.com
Email Address []:[email protected]
# Press Enter twice
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA signs the certificate
[root@liu ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 26 15:05:30 2022 GMT
Not After : Dec 26 15:05:30 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = hb
organizationName = rt
organizationalUnitName = rt
commonName = www.liu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:36:03:CF:54:C8:7C:3B:B5:D7:2A:B2:F4:FD:8E:D6:1C:B8:46:B8
X509v3 Authority Key Identifier:
keyid:DC:12:B6:C4:FD:6A:BF:F7:F2:B3:D4:7F:FB:CC:8D:6D:9B:B8:85:3F
Certificate is to be certified until Dec 26 15:05:30 2023 GMT (365 days)
Sign the certificate? [y/n]:y
# Check that the details match, then answer y to both prompts
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@liu ssl]#
[root@liu ssl]# ls
httpd.crt httpd.csr httpd.key
[root@liu ssl]#
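The whole procedure above, replayed non-interactively in a scratch directory and followed by the verification step the post does not show. This is an added example, not the post's own commands: the inline openssl.cnf, the scratch-directory layout and the function names are assumptions, and the DN values mirror the post.

```shell
set -e
# Non-interactive replay of the procedure above under $1 (a scratch dir, not
# /etc/pki/CA); the inline openssl.cnf is assumed, the post uses the system one.
build_private_ca() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/newcerts" "$ca/ssl"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_cn
x509_extensions = usr_cert
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    subj="/C=cn/ST=hb/L=wh/O=rt/OU=rt/CN=www.liu.com"   # same DN as the post
    # CA key (umask 077 keeps it 0600) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -days 365 -config "$ca/openssl.cnf" -extensions v3_ca -subj "$subj"
    # Server key and CSR, then signing; -batch answers the post's two y/n prompts
    (umask 077; openssl genrsa -out "$ca/ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$ca/ssl/httpd.key" -out "$ca/ssl/httpd.csr" \
        -config "$ca/openssl.cnf" -subj "$subj"
    openssl ca -batch -config "$ca/openssl.cnf" -in "$ca/ssl/httpd.csr" \
        -out "$ca/ssl/httpd.crt" -days 365 2>/dev/null
}
# The check the post stops short of: httpd.crt must chain to cacert.pem and must
# not itself be a CA (CA:FALSE, as the post's "Certificate Details" output shows).
verify_issued_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/ssl/httpd.crt" >/dev/null &&
        openssl x509 -in "$1/ssl/httpd.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Run it as `d=$(mktemp -d); build_private_ca "$d" && verify_issued_cert "$d"`; after signing, serial holds 02 and newcerts/01.pem is the CA's copy of httpd.crt.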
From: https://www.cnblogs.com/lqy0917/p/17007143.html