文章目录
一、Intermediate CA目录
1、创建一个intermediate目录存放CA
mkdir -p /root/ca/intermediate/
[root@cdh-cm-v01 ca]# mkdir -p /root/ca/intermediate/
2、创建Intermediate CA目录
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
echo 1000 > /root/ca/intermediate/crlnumber
[root@cdh-cm-v01 ca]# cd /root/ca/intermediate
[root@cdh-cm-v01 intermediate]# mkdir certs crl csr newcerts private
[root@cdh-cm-v01 intermediate]# chmod 700 private
[root@cdh-cm-v01 intermediate]# touch index.txt
[root@cdh-cm-v01 intermediate]# echo 1000 > serial
[root@cdh-cm-v01 intermediate]# echo 1000 > /root/ca/intermediate/crlnumber
3、配置openssl.cnf文件
vi /root/ca/intermediate/openssl.cnf
[root@cdh-cm-v01 intermediate]# vi /root/ca/intermediate/openssl.cnf
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = /root/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = GB
stateOrProvinceName_default = England
localityName_default =
0.organizationName_default = Alice Ltd
organizationalUnitName_default =
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server,client
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
4、创建 intermediate钥匙
cd /root/ca
openssl genrsa -aes256
-out intermediate/private/intermediate.key.pem 4096
[root@cdh-cm-v01 ca]# openssl genrsa -aes256 \
> -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
.....chmod 400 intermediate/private/intermediate.key.pem................++
.........................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem: tianlingqun
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem: tianlingqun
Verify failure
User interface error
140692343179152:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:385:
5、创建intermediate证书签名
cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256
-key intermediate/private/intermediate.key.pem
-out intermediate/csr/intermediate.csr.pem
chmod 400 intermediate/private/intermediate.key.pem
[root@cdh-cm-v01 ca]# cd /root/ca
[root@cdh-cm-v01 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \
> -key intermediate/private/intermediate.key.pem \
> -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:zh
State or Province Name [England]:gd
Locality Name []:sz
Organization Name [Alice Ltd]:yunes
Organizational Unit Name []:yunes
Common Name []:yunes
Email Address []:gsxxx@163.com
[root@cdh-cm-v01 ca]# chmod 400 intermediate/private/intermediate.key.pem
6、创建intermediate证书
cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca
-days 3650 -notext -md sha256
-in intermediate/csr/intermediate.csr.pem
-out intermediate/certs/intermediate.cert.pem
[root@cdh-cm-v01 ca]# cd /root/ca
[root@cdh-cm-v01 ca]# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
> -days 3650 -notext -md sha256 \
> -in intermediate/csr/intermediate.csr.pem \
> -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/private/ca.key.pem: tianlingqun
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Sep 24 14:55:27 2022 GMT
Not After : Sep 21 14:55:27 2032 GMT
Subject:
countryName = zh
stateOrProvinceName = gd
organizationName = yunes
organizationalUnitName = yunes
commonName = yunes
emailAddress = gsxxx@163.com
X509v3 extensions:
X509v3 Subject Key Identifier:
AC:52:5E:07:72:71:85:56:01:CF:53:1F:5A:60:A4:1B:82:F4:6B:F1
X509v3 Authority Key Identifier:
keyid:52:2D:7C:48:AE:04:3B:71:50:53:38:61:5B:11:04:39:63:CD:83:8A
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Sep 21 14:55:27 2032 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7、验证intermediate证书
openssl x509 -noout -text
-in intermediate/certs/intermediate.cert.pem
[root@cdh-cm-v01 ca]# openssl x509 -noout -text \
> -in intermediate/certs/intermediate.cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=zh, ST=gd, L=sz, O=yunes, OU=yunes, CN=yunes/emailAddress=gsxxx@163.com
Validity
Not Before: Sep 24 14:55:27 2022 GMT
Not After : Sep 21 14:55:27 2032 GMT
Subject: C=zh, ST=gd, O=yunes, OU=yunes, CN=yunes/emailAddress=gsxxx@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c3:08:1f:47:5d:2e:31:54:6e:e4:30:db:3b:d4:
30:5c:5b:5f:62:4d:a7:f7:3a:21:8e:f3:ad:c2:57:
32:6b:bd:56:11:5e:38:bc:6a:3f:8e:96:56:16:b1:
63:75:bf:84:d0:2e:b4:64:da:87:78:76:92:b2:85:
67:6f:4e:97:13:3a:c6:d3:12:8c:0c:e1:d0:32:1b:
67:7f:e3:bf:fe:06:34:92:e9:7f:db:d9:d9:e1:2f:
8c:39:b7:0b:0b:8e:63:a4:96:b3:9e:a6:8c:61:63:
71:ed:be:bd:bb:ee:bf:e4:4b:18:ab:22:61:64:42:
2d:35:b5:b8:25:64:51:5e:8e:66:fd:4e:a1:04:92:
4f:d0:ae:db:14:17:fe:96:4c:08:61:77:68:66:ae:
9b:30:c1:c6:4b:c7:0f:c7:0a:e3:99:3e:a2:76:a2:
b7:c4:4e:fd:67:c3:96:21:69:ae:84:da:4d:10:4b:
bc:82:fb:cc:ba:a5:9f:83:00:36:0e:2c:4a:8a:3d:
58:d4:b6:e4:a4:a4:01:d7:8b:ff:bc:10:39:27:9f:
55:ed:2b:69:5b:a9:2e:55:f1:7d:4d:9c:de:af:76:
6c:c3:87:f5:55:c2:ff:2c:a5:9b:fa:e8:75:cd:5a:
b9:5b:00:7d:fe:b9:6a:ef:16:22:15:10:f1:8e:4f:
be:83:9f:d9:1f:99:2f:27:34:de:a6:97:3c:b1:5a:
08:6d:91:85:70:53:ae:9b:31:56:17:e5:50:3c:e2:
3f:e6:22:6a:7e:6c:34:e2:3f:cf:40:50:d6:27:56:
32:f8:c9:33:cd:c5:8c:06:db:14:0e:04:13:d7:03:
9d:0f:95:c2:d2:a5:80:4d:dc:67:fc:a5:ba:f5:09:
b2:f2:e9:f1:40:27:74:f7:05:ca:51:82:03:3b:90:
41:86:d9:3f:c3:51:d7:ef:14:bd:f1:90:d9:42:d5:
0b:76:6e:67:b8:a2:32:fa:95:e3:9d:4a:45:60:c6:
86:f6:1a:a4:7f:36:91:13:b4:15:bf:d3:a0:4b:3b:
ca:8a:08:e4:29:0d:b6:1d:eb:08:71:d2:0a:9a:42:
0f:af:24:f2:da:fb:52:ad:fe:3c:55:db:0e:22:c7:
3f:53:cb:3d:89:48:43:40:06:2d:26:8a:53:0f:b4:
70:fa:dd:4d:78:f3:25:36:47:41:ed:97:9d:2b:29:
78:ca:02:f3:5c:2c:f8:b4:92:e4:dd:8f:c0:46:0f:
1e:d4:b4:48:eb:8f:67:1b:99:7f:5b:3f:8f:34:e3:
51:96:f4:bd:b4:6a:41:b7:7c:1c:3d:f9:6d:05:15:
fb:c6:f3:21:de:fd:74:c4:a4:50:a7:9e:2c:94:cc:
2f:50:db
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AC:52:5E:07:72:71:85:56:01:CF:53:1F:5A:60:A4:1B:82:F4:6B:F1
X509v3 Authority Key Identifier:
keyid:52:2D:7C:48:AE:04:3B:71:50:53:38:61:5B:11:04:39:63:CD:83:8A
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
72:53:fb:4e:44:38:37:15:10:d2:25:1c:a9:7b:53:4c:7d:20:
72:28:f2:86:7c:5c:36:90:62:12:60:ec:b8:44:dc:27:57:08:
cd:a5:68:6d:0f:0e:e6:6d:33:11:ee:8b:0a:b0:d1:b2:ed:56:
10:49:eb:88:62:1d:ee:38:e0:e5:35:c2:37:d5:7e:ca:73:b8:
8b:59:7f:af:c6:1c:96:5e:b8:bb:b8:93:70:3f:2c:65:3d:55:
0d:6f:e0:e4:1f:70:8b:91:31:07:43:aa:45:0c:39:20:f0:32:
f1:d8:93:67:2b:82:e0:51:8a:1c:9c:49:e9:db:d6:b6:4a:ee:
8d:a4:8c:48:52:15:f9:85:a7:1c:63:55:f3:23:64:a2:27:7e:
67:af:2b:a4:a8:ba:a5:70:8d:b1:6a:19:17:75:71:f0:fe:37:
59:ab:53:9a:93:1d:cd:94:65:c7:84:0b:bd:d6:96:88:16:e2:
b5:71:c8:46:7d:4e:69:7d:c9:a4:99:d3:61:98:24:2f:cc:c0:
30:da:98:9e:49:c7:e1:88:9a:1c:cb:58:04:21:8d:8e:a0:dc:
ea:fd:e2:7e:ab:58:cd:d8:52:37:c6:12:5c:ad:e6:d4:28:39:
60:91:7b:66:9c:22:f2:1c:1b:56:a1:56:d5:84:a6:c5:53:58:
ea:37:51:f1:ee:2c:3f:f7:4f:55:ba:63:4f:6a:ec:6b:45:36:
a2:30:95:4a:d9:82:91:b9:02:e2:a0:20:fc:73:28:d8:c0:98:
b9:45:a3:c0:11:cf:b7:9c:ff:ec:27:d5:b3:7d:2c:ce:ae:78:
b9:f9:3e:69:34:66:4a:df:e1:1f:da:73:17:66:3e:96:3a:2f:
05:10:aa:45:77:bb:72:8c:17:23:2b:d9:67:36:33:22:3b:10:
be:a5:fd:55:4d:a9:7a:bc:f1:fa:50:e5:9b:d1:1e:fa:f6:bb:
c9:9d:3f:63:60:36:d8:9f:d0:3c:d4:a0:ba:02:ed:08:a0:f1:
e2:d9:d3:77:99:3d:eb:7c:48:f7:60:9a:22:e6:b6:fb:7e:30:
8d:b5:5b:f3:ff:4a:83:db:69:fc:c4:e0:33:04:ff:be:af:2c:
c9:c4:a7:84:86:be:f7:f1:64:13:4c:e5:2b:75:ea:90:e2:08:
28:a6:7a:f4:22:ef:54:3b:d6:89:7d:5e:1a:6b:d8:6c:b0:9b:
91:f0:27:de:78:d7:fd:f9:28:b4:7d:27:33:71:48:4b:1a:09:
c5:f3:19:20:bd:35:03:35:d7:ac:a3:e7:3e:4f:93:df:e8:af:
cb:03:e2:a7:1e:58:f3:f4:c7:a7:d0:f7:17:6a:3f:dd:de:65:
d7:28:a0:89:f5:2a:e2:8d
8、验证intermediate证书,验证通过返回OK
openssl verify -CAfile certs/ca.cert.pem
intermediate/certs/intermediate.cert.pem
[root@cdh-cm-v01 ca]# openssl verify -CAfile certs/ca.cert.pem \
> intermediate/certs/intermediate.cert.pem
intermediate/certs/intermediate.cert.pem: OK
9、创建证书链文件
cat intermediate/certs/intermediate.cert.pem
certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 400 intermediate/certs/ca-chain.cert.pem
[root@cdh-cm-v01 ca]# cat intermediate/certs/intermediate.cert.pem \
> certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
[root@cdh-cm-v01 ca]# cat intermediate/certs/intermediate.cert.pem
-----BEGIN CERTIFICATE-----
MIIFvzCCA6egAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwdTELMAkGA1UEBhMCemgx
CzAJBgNVBAgMAmdkMQswCQYDVQQHDAJzejEOMAwGA1UECgwFeXVuZXMxDjAMBgNV
BAsMBXl1bmVzMQ4wDAYDVQQDDAV5dW5lczEcMBoGCSqGSIb3DQEJARYNZ3N4eHhA
MTYzLmNvbTAeFw0yMjA5MjQxNDU1MjdaFw0zMjA5MjExNDU1MjdaMGgxCzAJBgNV
BAYTAnpoMQswCQYDVQQIDAJnZDEOMAwGA1UECgwFeXVuZXMxDjAMBgNVBAsMBXl1
bmVzMQ4wDAYDVQQDDAV5dW5lczEcMBoGCSqGSIb3DQEJARYNZ3N4eHhAMTYzLmNv
bTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMMIH0ddLjFUbuQw2zvU
MFxbX2JNp/c6IY7zrcJXMmu9VhFeOLxqP46WVhaxY3W/hNAutGTah3h2krKFZ29O
lxM6xtMSjAzh0DIbZ3/jv/4GNJLpf9vZ2eEvjDm3CwuOY6SWs56mjGFjce2+vbvu
v+RLGKsiYWRCLTW1uCVkUV6OZv1OoQSST9Cu2xQX/pZMCGF3aGaumzDBxkvHD8cK
45k+onait8RO/WfDliFproTaTRBLvIL7zLqln4MANg4sSoo9WNS25KSkAdeL/7wQ
OSefVe0raVupLlXxfU2c3q92bMOH9VXC/yylm/rodc1auVsAff65au8WIhUQ8Y5P
voOf2R+ZLyc03qaXPLFaCG2RhXBTrpsxVhflUDziP+Yian5sNOI/z0BQ1idWMvjJ
M83FjAbbFA4EE9cDnQ+VwtKlgE3cZ/yluvUJsvLp8UAndPcFylGCAzuQQYbZP8NR
1+8UvfGQ2ULVC3ZuZ7iiMvqV451KRWDGhvYapH82kRO0Fb/ToEs7yooI5CkNth3r
CHHSCppCD68k8tr7Uq3+PFXbDiLHP1PLPYlIQ0AGLSaKUw+0cPrdTXjzJTZHQe2X
nSspeMoC81ws+LSS5N2PwEYPHtS0SOuPZxuZf1s/jzTjUZb0vbRqQbd8HD35bQUV
+8bzId79dMSkUKeeLJTML1DbAgMBAAGjZjBkMB0GA1UdDgQWBBSsUl4HcnGFVgHP
Ux9aYKQbgvRr8TAfBgNVHSMEGDAWgBRSLXxIrgQ7cVBTOGFbEQQ5Y82DijASBgNV
HRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOC
AgEAclP7TkQ4NxUQ0iUcqXtTTH0gcijyhnxcNpBiEmDsuETcJ1cIzaVobQ8O5m0z
Ee6LCrDRsu1WEEnriGId7jjg5TXCN9V+ynO4i1l/r8Ycll64u7iTcD8sZT1VDW/g
5B9wi5ExB0OqRQw5IPAy8diTZyuC4FGKHJxJ6dvWtkrujaSMSFIV+YWnHGNV8yNk
oid+Z68rpKi6pXCNsWoZF3Vx8P43WatTmpMdzZRlx4QLvdaWiBbitXHIRn1OaX3J
pJnTYZgkL8zAMNqYnknH4YiaHMtYBCGNjqDc6v3ifqtYzdhSN8YSXK3m1Cg5YJF7
Zpwi8hwbVqFW1YSmxVNY6jdR8e4sP/dPVbpjT2rsa0U2ojCVStmCkbkC4qAg/HMo
2MCYuUWjwBHPt5z/7CfVs30szq54ufk+aTRmSt/hH9pzF2Y+ljovBRCqRXe7cowX
IyvZZzYzIjsQvqX9VU2perzx+lDlm9Ee+va7yZ0/Y2A22J/QPNSgugLtCKDx4tnT
d5k963xI92CaIua2+34wjbVb8/9Kg9tp/MTgMwT/vq8sycSnhIa+9/FkE0zlK3Xq
kOIIKKZ69CLvVDvWiX1eGmvYbLCbkfAn3njX/fkotH0nM3FISxoJxfMZIL01AzXX
rKPnPk+T3+ivywPipx5Y8/THp9D3F2o/3d5l1yigifUq4o0=
-----END CERTIFICATE-----
[root@cdh-cm-v01 ca]# ls -l intermediate/certs/ca-chain.cert.pem
-rw-r--r-- 1 root root 4131 Sep 25 17:10 intermediate/certs/ca-chain.cert.pem
[root@cdh-cm-v01 ca]# chmod 400 intermediate/certs/ca-chain.cert.pem
[root@cdh-cm-v01 ca]# ls -l intermediate/certs/ca-chain.cert.pem
-r-------- 1 root root 4131 Sep 25 17:10 intermediate/certs/ca-chain.cert.pem