
Setting up a CA certificate on CentOS 8

Published: 2020-07-03 10:38:41  Source: web  Reads: 1459  Author: wang639  Category: System operations


A self-built CA on CentOS 8 is set up with openssl. Start by looking at the CA section of the openssl configuration file:

[root@Centos8 data]#vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert

This section describes the CA's directory layout: which directory holds which file, and what each one is for.
On CentOS 7 the CA directories ship with the system, but on CentOS 8 only the CA home directory, /etc/pki/CA, exists. So the CA directories are created by hand, following the CentOS 7 layout.
Directory layout on CentOS 7:

[root@centos7 ~]#cd /etc/pki/CA/
[root@centos7 CA]#tree
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

On CentOS 8, run:

[root@Centos8 data]#mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}

Change into the CA's private directory (/etc/pki/CA/private, created above) and generate the CA private key; the umask keeps the key file readable by root only:

cd /etc/pki/CA/private/
(umask 077; openssl genrsa -out cakey.pem 4096)

Generate the self-signed CA certificate (run from /etc/pki/CA, so that private/cakey.pem resolves):

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

[root@Centos8 CA]#openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wj02
Organizational Unit Name (eg, section) []:M39
Common Name (eg, your name or your server's hostname) []:www.wj02.com
Email Address []:
[root@Centos8 CA]#

The values to enter, in order:

Country code: CN
Province: beijing
City: beijing
Organization (company) name: wj02
Organizational unit (department): M39
Common name (user name or host name): www.wj02.com
Email address: may be left empty, just press Enter
Follow the prompts and enter the corresponding information.

Command to view the details of the self-signed certificate:

[root@Centos8 CA]#openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:cf:75:6e:3a:94:cc:98:38:c1:48:c7:d9:37:70:e3:fb:71:19:e6
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
        Validity
            Not Before: Nov 12 06:50:53 2019 GMT
            Not After : Nov  9 06:50:53 2029 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = wj02, OU = M39, CN = www.wj02.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:

The certificate's details are shown.
Next, on another machine: since the client needs its own, separately generated private key, this walkthrough uses at least two machines.
Generate the private key (the post uses a 1024-bit key; note that 1024-bit RSA is no longer considered secure, and 2048 bits or more is the usual minimum today):

(umask 077; openssl genrsa -out app.key 1024)

Generate the certificate signing request (CSR):

openssl req -new -key app.key -out app.csr

Note that three fields, country, province and organization name, must be identical to those of the self-signed CA certificate, because the configuration file requires it:

policy = policy_match                   # For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

These three fields are forced to match (the configuration file can of course be changed). Fields that the policy section does not mention at all, such as the locality, are dropped from the issued certificate; this is why the signed certificate further below has no L field in its subject.
Use scp to send the CSR (called test.csr from here on) to the CA server:

scp test.csr 192.168.38.120:/etc/pki/CA

Next, the server signs a certificate for test.csr:

[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
140011092936512:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt','r')
140011092936512:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#

An error? Don't panic: it is caused by a missing file. The error message shows that /etc/pki/CA/index.txt, the CA's certificate database, does not exist. Create it as an empty file:

touch /etc/pki/CA/index.txt

Run it again:

[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140275620157248:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/serial','r')
140275620157248:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
[root@Centos8 CA]#

Still an error? Now /etc/pki/CA/serial is missing. This file cannot be empty: it has to hold a value.
Looking at the configuration file, it records the serial number for the next certificate, so...

[root@Centos8 CA]#echo 01 > /etc/pki/CA/serial

...we just give it a starting serial number and the problem is solved.
Run again:

[root@Centos8 CA]#openssl ca -in test.csr -out test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Can't open /etc/pki/CA/index.txt.attr for reading, No such file or directory
140145607882560:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/pki/CA/index.txt.attr','r')
140145607882560:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 12 07:26:38 2019 GMT
            Not After : Nov 11 07:26:38 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = wj02
            organizationalUnitName    = M39
            commonName                = www.wj02.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A2:A8:2B:77:95:4C:E8:80:0C:50:DF:0E:89:ED:17:94:4E:DF:AC:71
            X509v3 Authority Key Identifier:
                keyid:D8:E4:A8:09:2A:2D:13:39:29:63:83:5E:CF:8D:EA:99:A6:79:0B:67

Certificate is to be certified until Nov 11 07:26:38 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@Centos8 CA]#

Success. Remember to answer y twice. The remaining warning about /etc/pki/CA/index.txt.attr is harmless: openssl ca creates that file itself once the first certificate has been committed to the database.
With that, the self-built CA is set up and the certificate it issued can be used.
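As an added example (not code from the original post), the following POSIX shell script reproduces the whole walkthrough above, from the CentOS 7 style directory layout and the index.txt and serial bookkeeping files through the CA key and self-signed certificate, the client key and CSR, signing under the policy_match rules, and a final chain check, all in a throwaway directory so /etc/pki is untouched. It assumes only the openssl command-line tool; the work directory, the file names and the common names are constructed for the demo (the C, ST, L, O and OU values are the ones from the post). It goes a little beyond the post: -subj replaces the interactive DN prompts, -batch answers the two y/n questions, a private copy of the configuration carries the CA_default, policy_match and usr_cert sections, and a v3_ca section gives the root certificate CA:TRUE while leaf certificates get CA:FALSE from usr_cert; openssl verify confirms at the end that the issued certificate chains to the CA.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a throwaway CA with
# the same layout as /etc/pki/CA, issues one certificate with "openssl ca"
# non-interactively, and verifies the result. Only the openssl CLI is assumed;
# paths, file names and common names are constructed for the demo.
set -eu

# build_ca DIR: create the CA directory structure and files under DIR.
build_ca() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"       # the certificate database may start empty
    echo 01 > "$ca/serial"      # the serial file must hold a number

    # Minimal configuration equivalent to the CA_default / policy_match /
    # usr_cert sections of the post; \$dir is left for openssl to expand.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $ca
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer

[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca

[ req_dn ]
EOF

    # CA private key (root-only permissions) and self-signed CA certificate.
    # -subj replaces the interactive DN prompts shown in the post.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -out "$ca/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=beijing/L=beijing/O=wj02/OU=M39/CN=demo-ca"
}

# issue_cert DIR NAME CN: generate NAME.key and NAME.csr, then sign NAME.crt.
# C, ST and O are the same as the CA's, as policy_match requires; L is not in
# the policy section, so openssl drops it from the issued certificate.
issue_cert() {
    ca="$1"; name="$2"; cn="$3"
    (umask 077; openssl genrsa -out "$ca/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/$name.key" \
        -out "$ca/$name.csr" -subj "/C=CN/ST=beijing/L=beijing/O=wj02/OU=M39/CN=$cn"
    # -batch answers the two y/n prompts; -notext keeps the text dump out of .crt
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$ca/$name.csr" -out "$ca/$name.crt" -days 365
}

# verify_cert DIR NAME: succeed only if NAME.crt chains to the CA certificate.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null
}

# cert_serial DIR NAME: print the serial number openssl assigned to NAME.crt.
cert_serial() {
    openssl x509 -in "$1/$2.crt" -noout -serial | cut -d= -f2
}

# Demo run: the first certificate gets serial 01 and the serial file advances to 02.
WORK=$(mktemp -d)
build_ca "$WORK/ca"
issue_cert "$WORK/ca" app www.wj02.com
verify_cert "$WORK/ca" app && echo "app.crt verifies against cacert.pem (serial $(cert_serial "$WORK/ca" app))"
```

Run it with sh. Because index.txt and serial are created before the first signing, neither of the two errors seen above occurs, and after the run index.txt lists the issued certificate while serial holds the next value.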


