
https

CA搭建命令

sh
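# Bootstrap a minimal OpenSSL CA under /etc/pki/CA.
# Requires: /etc/pki/CA/private already exists and the caller can write to it.
# Env:      KEY_BITS - RSA size of the CA key (default 2048; 1024-bit RSA is
#           below the ~112-bit floor that current TLS stacks and OpenSSL
#           security level 2 enforce, so the original 1024 is no longer safe).
#           CA_DIR   - CA root directory (default /etc/pki/CA).
set -euo pipefail
KEY_BITS="${KEY_BITS:-2048}"
CA_DIR="${CA_DIR:-/etc/pki/CA}"

cd "$CA_DIR" || exit 1

# Generate the CA private key under private/. The umask is scoped to the
# subshell so the key file is created 0600 without changing the caller's umask.
(umask 077; openssl genrsa -out private/cakey.pem "$KEY_BITS")

# Self-signed CA certificate; interactively prompts for country, state,
# locality, organization, unit, common name and email.
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365

# index.txt is the certificate database, serial holds the next serial number.
touch index.txt serial

# Initial serial. NOTE: openssl reads this file as HEX, so "5001" becomes
# serial 0x5001 = 20481, which is what the signing output later reports.
printf '%s\n' 5001 > serial

# Directory where incoming signing requests (CSRs) are dropped.
mkdir -p csr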

向组织结构申请证书

组织结构申请证书

sh
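# Generate the web server's private key and CSR, then hand the CSR to the CA.
# Env: KEY_BITS - RSA size of the server key (default 2048; the original 1024
#                 is below what current TLS clients accept).
#      CA_HOST  - host running the CA (default 172.17.0.2).
set -euo pipefail
KEY_BITS="${KEY_BITS:-2048}"
CA_HOST="${CA_HOST:-172.17.0.2}"
SITE_DIR=/opt/nginx/https

mkdir -pv "$SITE_DIR"
cd "$SITE_DIR" || exit 1

# The private key never leaves this host. The umask is scoped to the subshell
# so the key file is created 0600 without changing the caller's umask.
(umask 077; openssl genrsa -out dotohi.com.key "$KEY_BITS")

# Signing request; prompts for the subject fields. The commonName should be
# the hostname clients will connect to (presumably www.dotohi.com here).
openssl req -new -key dotohi.com.key -out dotohi.com.csr

# Only the CSR (public data) is copied to the CA's request directory.
scp dotohi.com.csr "root@${CA_HOST}:/etc/pki/CA/csr"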

CA签署组织机构发过来的证书

sh
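# Sign the server's CSR with the CA.
# The request directory created during CA setup is csr/ (the original listing
# pointed at a non-existent "cspwdr/" path).
# Fails with "The organizationName field needed to be the same" unless the
# [ policy_match ] section of openssl.cnf sets organizationName = optional,
# because the CA's O (imooc) differs from the request's O (dotohi.com).
# -days here is the lifetime of the issued server certificate; on success the
# entry is also appended to index.txt.
set -euo pipefail
cd /etc/pki/CA/ || exit 1

openssl ca -in csr/dotohi.com.csr -out dotohi.com.crt -days 365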

# 不匹配结果
[root@7b7f17ce1a4e CA]# openssl ca -in csr/dotohi.com.csr -out dotohi.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
The organizationName field needed to be the same in the
CA certificate (imooc) and the request (dotohi.com)

# 需要修改 openssl.cnf 的匹配策略：默认 policy_match 要求 organizationName 与 CA 证书一致，改为 optional 后即可签发
 83 # For the CA policy
 84 [ policy_match ]
 85 countryName             = match
 86 stateOrProvinceName     = optional
 87 organizationName        = optional
 88 organizationalUnitName  = optional
 89 commonName              = supplied
 90 emailAddress            = optional

# 签发成功后的结果: 生成XX.XX.crt文件,并写入index.txt,最后将证书发送给申请客户
[root@7b7f17ce1a4e CA]# openssl ca -in csr/dotohi.com.csr -out dotohi.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 20481 (0x5001)
        Validity
            Not Before: Mar 15 04:39:02 2025 GMT
            Not After : Mar 15 04:39:02 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = dotohi.com
            organizationalUnitName    = IT
            commonName                = www.dotohi.com
            emailAddress              = admin@dothi.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:A2:C5:5B:46:8A:A4:FB:4C:F7:CE:77:07:21:A1:25:F6:5A:FB:4F
            X509v3 Authority Key Identifier:
                keyid:75:1A:4E:71:A1:D8:22:BB:CC:27:AA:64:ED:85:FB:B6:2A:80:CB:7C

Certificate is to be certified until Mar 15 04:39:02 2026 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated