openssl证书相关操作
准备工作
mkdir cert
mkdir private
mkdir crl
touch index.txt根证书
a).生成根证书私钥(pem文件)
openssl genrsa -aes256 -out private/ca.pem 1024b).生成根证书签发申请文件(csr文件)
openssl req -new -key private/ca.pem -out private/ca.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
openssl req -new -key private/ca.pem -out private/ca.csr -subj \
"/C=CN/ST=Fujian/L=Fuzhou/O=LD/CN=GKLP"c).自签发根证书(cer文件)
openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey \
private/ca.pem -in private/ca.csr -out cert/ca.cer用根证书签发server端证书
a).生成服务端私钥
openssl genrsa -aes256 -out private/server.pem 1024b).生成证书请求文件
openssl req -new -key private/server.pem -out private/server.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"c).使用根证书签发服务端证书
openssl x509 -req -days 365 -sha1 -extensions v3_req -CA cert/ca.cer -CAkey private/ca.pem \
-CAserial ca.srl -CAcreateserial -in private/server.csr -out cert/server.ceropenssl x509 -req -days 365 -sha1 -extensions v3_req -CA cert/Cipher-SubRootCA.cer -CAkey private/Cipher-SubRootCA.pem \ -CAserial Cipher-SubRootCA.srl -CAcreateserial -in private/Client-SubCA.csr -out cert/Client-SubCA.cer
配置文件设置
定位一下OpenSSL的配置文件openssl.cnf
locate openssl.cnf复制openssl.cnf到当前目录
cp /openssl-dir/openssl.cnf ./在复制后的openssl.cnf文件中新增如下内容:
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = /current-dir
certificate = $dir/cert/ca.cer
database = $dir/index.txt
private_key = $dir/private/ca.pem
default_md = sha256CRL
证书吊销方法
openssl ca -config openssl.cnf -revoke cert/server.cer
openssl ca -config openssl.cnf -crl-days 7 -gencrl -out crl/server.crl 查看CRL内容
openssl crl -in crl/server.crl -text -noout