Generating a CA root certificate with OpenSSL and using it to sign a Keytool-generated certificate request

1. Generate the private key [with a passphrase]

[root@node00 security]# openssl genrsa [-des3] -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[root@node00 security]#

2. Generate the certificate signing request

[root@node00 security]# openssl req -new -key ca.key -out ca.csr
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:Hinabian
Organizational Unit Name (eg, section) []:data
Common Name (eg, your name or your server's hostname) []:node00
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node00 security]#

3. Self-sign the root certificate with your own private key

[root@node00 security]# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
Getting Private key
Enter pass phrase for ca.key:
[root@node00 security]#

4. Sign the server's certificate request with the CA root certificate

4.1 Create the /etc/pki/CA/index.txt file

The first attempt fails because `openssl ca` keeps its database of issued certificates in index.txt, which does not exist yet:

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140358162147216:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140358162147216:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

Create that file empty and run the command again; the next missing file is the serial file.

4.2 Create the /etc/pki/CA/serial file

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140017638942608:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140017638942608:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@node00 security]#

This file keeps track of the serial number of the last certificate issued.

[root@node00 CA]# echo "01" > /etc/pki/CA/serial
[root@node00 CA]#

4.3 Sign the server's certificate request with the CA root certificate

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)
[root@node00 security]# ll
total 12
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root    0 Oct 24 16:45 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#

Problem:

The stateOrProvinceName field needed to be the same in the
CA certificate (GuangDong) and the request (GuangDong)

Both values read GuangDong, yet the `match` policy still rejects the request. `openssl ca` compares the DER encoding of the attribute, string type included, and a request produced by keytool typically encodes an ASCII value as PrintableString while a CA certificate made with `openssl req` (default `string_mask = utf8only`) encodes the same value as UTF8String. The signing aborts before anything is written, which is why node00.pem is 0 bytes in the listing above.

Solution: edit the /etc/pki/tls/openssl.cnf file

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
#stateOrProvinceName    = match      (changed match to optional)
#organizationName       = match      (changed match to optional)
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Run it again:

[root@node00 security]# openssl ca -days 3650 -keyfile ca.key -cert ca.crt -in pki/node00.csr -out node00.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 24 08:54:57 2018 GMT
            Not After : Oct 21 08:54:57 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = Hinabian
            organizationalUnitName    = data
            commonName                = node00
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                58:30:7D:B3:7E:85:D4:39:22:2F:B3:96:55:A3:38:68:FE:7F:03:88
            X509v3 Authority Key Identifier:
                DirName:/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00
                serial:E1:40:B9:DB:A9:83:F9:C3
Certificate is to be certified until Oct 21 08:54:57 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node00 security]# ll
total 20
-rw-r--r-- 1 root root 1200 Oct 24 16:42 ca.crt
-rw-r--r-- 1 root root 1005 Oct 24 16:42 ca.csr
-rw-r--r-- 1 root root 1743 Oct 24 16:37 ca.key
-rw-r--r-- 1 root root 4632 Oct 24 16:55 node00.pem
drwxr-xr-x 2 root root   42 Oct 24 16:45 pki
[root@node00 security]#

The signed certificate node00.pem was generated successfully!
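The whole procedure above (steps 1 to 4.3, including the policy fix) as one non-interactive script. This is an added example, not code from the original post: it builds the CA in a scratch directory with its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, stands in for the keytool request with an OpenSSL-generated one encoded the way keytool encodes ASCII values (PrintableString), gives the root certificate basicConstraints CA:TRUE so that openssl verify accepts it as a trust anchor, and replaces the interactive passphrase prompts with a placeholder passphrase. The DN values are the post's; the directory layout, config section names, function names and the passphrase are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 to 4.3 as a non-interactive
# script with its own openssl.cnf in a scratch directory, so /etc/pki/tls/openssl.cnf
# stays untouched. Paths, section names and the passphrase are this example's own.
set -eu

CA_PASS="changeit-placeholder"   # placeholder for the passphrase typed at the post's prompts
SUBJ="/C=CN/ST=GuangDong/L=ShenZhen/O=Hinabian/OU=data/CN=node00"

# Minimal openssl.cnf. string_mask decides how DN values are DER-encoded:
# utf8only (the stock default) -> UTF8String; pkix -> PrintableString when the
# value is plain ASCII, which is what Java keytool emits for such values.
write_cnf() {  # write_cnf <dir> <string_mask> <outfile>
cat > "$3" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
unique_subject = no
default_md = sha256
policy = policy_relaxed
x509_extensions = usr_cert
[ policy_strict ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_relaxed ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
string_mask = $2
[ req_dn ]
commonName = Common Name
EOF
}

# Steps 1-3: encrypted CA key, CSR, self-signed root (CA:TRUE so `openssl verify`
# accepts it), then the index.txt and serial files of steps 4.1 and 4.2.
make_ca() {  # make_ca <dir>
  write_cnf "$1" utf8only "$1/ca.cnf"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/ca.key" -passin "pass:$CA_PASS" \
    -subj "$SUBJ" -out "$1/ca.csr"
  openssl x509 -req -days 365 -in "$1/ca.csr" -signkey "$1/ca.key" -passin "pass:$CA_PASS" \
    -extfile "$1/ca.cnf" -extensions v3_ca -out "$1/ca.crt" 2>/dev/null
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"          # the CA database (step 4.1)
  echo 01 > "$1/serial"       # the next serial number (step 4.2)
}

# Stand-in for the keytool request: same DN, PrintableString encoding.
make_server_csr() {  # make_server_csr <dir>
  write_cnf "$1" pkix "$1/req.cnf"
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -config "$1/req.cnf" -key "$1/server.key" -subj "$SUBJ" -out "$1/server.csr"
}

# Step 4.3; <policy> selects the [policy_*] section via `openssl ca -policy`.
sign_with_ca() {  # sign_with_ca <dir> <policy> <outfile>
  openssl ca -batch -config "$1/ca.cnf" -policy "$2" -days 3650 -keyfile "$1/ca.key" \
    -passin "pass:$CA_PASS" -cert "$1/ca.crt" -in "$1/server.csr" -out "$3" 2>/dev/null
}

# `openssl ca` compares the DER string type as well as the bytes, which is why
# "GuangDong" can fail to match "GuangDong"; this lists the types per DN value.
dn_string_types() {  # dn_string_types <pem file>
  openssl asn1parse -in "$1" | grep -oE '(PRINTABLESTRING|UTF8STRING) *:[^ ]*' | tr -s ' '
}

verify_chain() {  # verify_chain <dir> <cert>
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null
}

demo() {
  d=$(mktemp -d)
  make_ca "$d"; make_server_csr "$d"
  echo "CA cert DN encoding:"; dn_string_types "$d/ca.crt" | sort -u
  echo "request DN encoding:"; dn_string_types "$d/server.csr" | sort -u
  if sign_with_ca "$d" policy_strict "$d/strict.pem"; then echo "strict policy: accepted"
  else echo "strict policy: rejected, as in the post"; fi
  sign_with_ca "$d" policy_relaxed "$d/server.pem"   # the post's fix: ST and O optional
  verify_chain "$d" "$d/server.pem" && echo "server.pem verifies against ca.crt"
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not installed" >&2; fi
```

Running the script prints the string type of every DN value in the CA certificate (UTF8STRING) and in the request (PRINTABLESTRING), attempts the signing under the strict `match` policy first, then signs under the relaxed policy the post ends up with and checks the result against ca.crt with `openssl verify`. Because the CA lives in a temporary directory with `-config`, nothing under /etc/pki is touched and the experiment can be repeated freely.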
