创建CA和证书
创建私有CA:
openssl的配置文件:/etc/pki/tls/openssl.cnf
三种策略:match匹配、optional可选、supplied提供
**match:要求申请填写的信息跟CA设置信息必须一致
optional:可有可无,跟CA设置信息可不一致
supplied:必须填写这项申请信息**,
1、创建所需要的文件
touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号
2.CA自签证书
生成私钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
3.生成自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem-days 3650 -out /etc/pki/CA/cacert.pem
选项说明:
-new:生成新证书签署请求
-x509:专用于CA生成自签证书
-key:生成请求时用到的私钥文件
-days n:证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
4.颁发证书
在需要使用证书的主机生成证书请求
给web服务器生成私钥
(umask 066; openssl genrsa –out /data/test.key 2048)
生成证书申请文件
openssl req -new -key /data/test.key -out /data/test.csr
将证书请求文件传输给CA
CA签署证书,并将证书颁发给请求者
openssl ca -in /tmp/test.csr –out /etc/pki/CA/certs/test.crt -days 100
**注意:默认要求 国家,省,公司名称三项必须和CA一致**
查看证书中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
openssl ca -status SERIAL 查看指定编号的证书状态
4、吊销证书
在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
echo 01 > /etc/pki/CA/crlnumber
更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看crl文件:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
SHELL脚本实现OPENSS自建CA和证书申请
转自https://www.cnblogs.com/maxuebin/p/11071847.html
#!/bin/bash
#
#********************************************************************
#Author: Ma Xue Bin
#QQ: 316428921
#Date: 2019-06-22
#为客户端申请证书
client(){
rpm -q expect &> /dev/null || yum install expect -y
expect <<EOF
set timeout 10
spawn ssh $user@$ip
expect {
"yes/no" {send "yes\n";exp_continue}
"password" {send "centos\n"}
}
expect "]#" {send "yum install expect -y \n"}
expect "~]#" {send "(umask 077;openssl genrsa -out /data/$key 1024)\n"}
expect "]#" {send "openssl req -new -in /data/$key -out /data/$csr\n"}
expect "Enter PEM pass phrase:" {send "maxuebin\n"}
expect "Verifying - Enter PEM pass phrase:" {send "maxuebin\n"}
expect ":" {send "CN\n"}
expect ":" {send "beijing\n"}
expect ":" {send "beijing\n"}
expect ":" {send "magedu\n"}
expect ":" {send "devops\n"}
expect ":" {send "www.magedu.com\n"}
expect ":" {send "[email protected]\n"}
expect ":" {send "\n"}
expect ":" {send "\n"}
expect "~]#" {send "scp /data/$csr root@$IP:/data/\n"}
expect {
"yes/no" {send "yes\n";exp_continue}
"password" {send "centos\n"}
}
expect "#" {send "exit\n"}
expect eof
EOF
}
#服务器端自建CA
MKCA(){
rpm -q expect &> /dev/null || yum install expect -y
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
expect <<EOF
spawn openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
expect ":" {send "CN\n"}
expect ":" {send "beijing\n"}
expect ":" {send "beijing\n"}
expect ":" {send "magedu\n"}
expect ":" {send "devops\n"}
expect ":" {send "ca.magedu.com\n"}
expect ":" {send "[email protected]\n"}
expect eof
EOF
[ -f /etc/pki/CA/index.txt ] || touch /etc/pki/CA/index.txt
[ -f /etc/pki/CA/serial ] || echo 01 > /etc/pki/CA/serial
}
#服务器端签署证书
certificate(){
if [ -f /data/$csr ];then
cer=`echo $csr |cut -d. -f1`
expect <<EOF
spawn openssl ca -in /data/$csr -out /etc/pki/CA/certs/$cer.crt -days 100
expect "]:" {send "y\n"}
expect "]" {send "y\n"}
expect eof
EOF
fi
}
user=root
ip=192.168.1.110
IP=192.168.1.108
key=app.key
csr=app.csr
while true;do
cat <<EOF
自建CA
签署证书
为客户端申请证书
自动化自建CA并让客户端申请证书并签证
退出
EOF
read -p "plese input number: " number
case $number in
1)
MKCA
;;
2)
certificate
;;
3)
client
;;
4)
client
MKCA
certificate
;;
5)
exit
;;
*)
echo "please input a valid arguments"
;;
esac
done