一、创建私有的CA  

1)查看openssl的配置文件:/etc/pki/tls/openssl.cnf  

openssl创建CA、申请证书及其给web服务颁发证书  _CA

2)创建所需的文件 

touch /etc/pki/CA/index.txt   echo 01 >/etc/pki/CA/serial  


3)CA自签证书生成私钥

cd /etc/pki/CA 

(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)


4)生成自签名证书   

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem  


-new:生成新的证书签署请求     

-x509:专用CA生成自签证书 

-key:生成请求时用到的私钥文件 

-days n:证书的有限期 

-out /path/to/somecertfile:证书的保存路径 



代码演示:



[root@centos6 ~]# ls /etc/pki/CA/
certs  crl  newcerts  private
[root@centos6 ~]# touch /etc/pki/CA/index.txt
[root@centos6 ~]# ll /etc/pki/CA/
total 16
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
[root@centos6 ~]# echo 01 > /etc/pki/CA/serial
[root@centos6 ~]# ll /etc/pki/CA/
total 20
drwxr-xr-x. 2 root root 4096 May  9 22:56 certs
drwxr-xr-x. 2 root root 4096 May  9 22:56 crl
-rw-r--r--. 1 root root    0 Sep 23 07:08 index.txt
drwxr-xr-x. 2 root root 4096 May  9 22:56 newcerts
drwx------. 2 root root 4096 May  9 22:56 private
-rw-r--r--. 1 root root    3 Sep 23 07:09 serial
[root@centos6 ~]# cd /etc/pki/CA
[root@centos6 CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@centos6 CA]# (nmask 066;openssl genrsa -out private/cakey.pem 2048)
-bash: nmask: command not found
Generating RSA private key, 2048 bit long modulus
..................................+++
.............................+++
e is 65537 (0x10001)
[root@centos6 CA]# cd private/
[root@centos6 private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAyvOMUreRADORN9F0bk08d4n/xASELShJzW6V2K57ma/lmB7e
PBrOWrGCWhZR9tF8+Ewk/OCeQLukAHLgeLlte7au7uXf6RjFwi/XXemKzEUDEcOl
+CKTU7wio7if86rzX8xOPmP2+l4pItqqAKp7Kx9TOuAhT7gcQKKr5iU6lTvS/EJf
xBLtwoTRIIUdYxLI7XFZe7Lm5uOiYDHIhF70TQC3s0/1lnGEsWmAZ+uOCFy6bKck
v6orwDu2UfjhSqkiIJBFSvZQJqh6s3kt5dN+MyAkG1wJ6daJS87FKuguLI+ISxIJ
Z7tXXCQqZFle5Iu1LuwRDAoieWfwO868WI+HmQIDAQABAoIBAFaVwXAo0Lv9RB9E
RSAp43o8bdn680kwvwvd+iAPkLvox1M3GCkcZp1azfoRO7bJeT+VfNJGIj4Lz9RB
LnNS6Nq2/br+Z6DS6MwIDSIL2SN87epORiiu15wJz915jwQuEtb0Gw2TKHN4aKRu
Fcli8llba+7aYFvaeHM684ukpnGz6bRYwRDrEgUvMksFvPA2dqzvP/OjEIqvvf/l
d+rhOQGlB18E2oQ3048PJpgPHyceKLuuFkvFGsHofI8a5hLqD3PJ4AjHuPPF/Yqz
ZQwxmncV+YM9nJ/s8J5PJQ+3hPkA6pbhpM1eXHSPajnnkWiMV1RkUBltkHdJGPT9
h4t2o2ECgYEA5z/8HvbnXlAHC8+5mKO0rkBifxUyG9FVYmGOPKJwoK16eRxWuQgo
VboVZm5mK4LCtsMzUXobSXtgsb941O6U7lxrogflcYEQkvWL7JNg8vdIMwHs75zF
vXnoyCF9ZoDFr0juTP94AI4WW8GTfSo3caL+T8pnQalu5y3JvBQIRVcCgYEA4Kw1
8VAGix+QYWK9h1R35cKcnZQb0eq0ChZ8XFd7leLImPCpv7t1R86mvwIvZkYMIqD3
btUXk8G2ezyoufntEP5KGv9QbsQS8vFDw0RSsYkwWJZBeIUV6yPdUHniIWT6Ozwv
pD6hJwVSAv7m4tNTwJLH2Ebbs22Di05q/kfqFI8CgYEA4SVD0+Xx57ok0hQhkAI7
BLh87Vv2mGzcI9f1gwVogJfGOSolKStPEgAFm9/6q3w5FXXBfh9Td9yejRBtlWrg
J55l0LC9bCALwfk9jU0ERCoL6lWCmNvbDhomUMuCaw0O6xUnpmHINUohbJ5weZlj
t8jIr2jR1XUgHAZRdkNOtisCgYAfOU+13b1LEHPsVOCqMh8Hm2hQrgi/v7KNxFo8
KxxN1Fq0hp3Qu6is9hdObGtR92IwXdaFXLAOJNnLfr6kOgusVOrPnbP78NwBT25v
cMtdSQejCB7JNRW6vB1B1e6LXZE5MkAcv2d+GMsxB2PnGh+Fn+COOirGYO3rKlbM
SApMGQKBgQCaAaZzscT3KnnZEFi3e2IrlJMxY09zCm2xRle70m0lK0BHZsoxvcAl
bf19tZsoD2wPcvB6j+SLhB5jdG5iJ6SCp+vx+p/XFORlU+3V5gD/+P9I2LZfVZ+z
7YvRfXzuEiZi0h4ljBb4Oh8Di/0ytKnBzbWs00Trj7ariZ/WfgmTDw==
-----END RSA PRIVATE KEY-----
[root@centos6 private]# ll
total 4
-rw-r--r--. 1 root root 1679 Sep 23 07:10 cakey.pem
[root@centos6 private]# openssl req -new -x509 -key cakey.pem  -days 7300 -out ../ca
cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:centos6.localdomain
Email Address []:alren@163.com
[root@centos6 private]# cd ../
[root@centos6 CA]# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIID7zCCAtegAwIBAgIJANEOQWU3qHpeMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHYmVpamluZzELMAkGA1UEBwwCYmoxETAPBgNVBAoM
CGNoZW4uY29tMRAwDgYDVQQLDAdhbHJlbl8xMRwwGgYDVQQDDBNjZW50b3M2Lmxv
Y2FsZG9tYWluMRwwGgYJKoZIhvcNAQkBFg1hbHJlbkAxNjMuY29tMB4XDTE2MDky
MjIzMTc1MFoXDTM2MDkxNzIzMTc1MFowgY0xCzAJBgNVBAYTAkNOMRAwDgYDVQQI
DAdiZWlqaW5nMQswCQYDVQQHDAJiajERMA8GA1UECgwIY2hlbi5jb20xEDAOBgNV
BAsMB2FscmVuXzExHDAaBgNVBAMME2NlbnRvczYubG9jYWxkb21haW4xHDAaBgkq
hkiG9w0BCQEWDWFscmVuQDE2My5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDK84xSt5EAM5E30XRuTTx3if/EBIQtKEnNbpXYrnuZr+WYHt48Gs5a
sYJaFlH20Xz4TCT84J5Au6QAcuB4uW17tq7u5d/pGMXCL9dd6YrMRQMRw6X4IpNT
vCKjuJ/zqvNfzE4+Y/b6Xiki2qoAqnsrH1M64CFPuBxAoqvmJTqVO9L8Ql/EEu3C
hNEghR1jEsjtcVl7subm46JgMciEXvRNALezT/WWcYSxaYBn644IXLpspyS/qivA
O7ZR+OFKqSIgkEVK9lAmqHqzeS3l034zICQbXAnp1olLzsUq6C4sj4hLEglnu1dc
JCpkWV7ki7Uu7BEMCiJ5Z/A7zrxYj4eZAgMBAAGjUDBOMB0GA1UdDgQWBBQmophw
H4o7o6EFDot5NMVm+rmm2TAfBgNVHSMEGDAWgBQmophwH4o7o6EFDot5NMVm+rmm
2TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBkZgymfLYgWOK4RPv+
Vzs2eW+AaYNcNBcot/Ju6rByEZ/Sa4nWxNBVge/0ffSDUsmkSlUdS8oYUbLQU5Kq
pqDaQ0jbwqoMkR+YEau0Q8R+N9WtTOWew3xprRu9BvY9jTjBG5pyFp4pqOEcOTm3
YQyzv8C+0KUS2HDi13nBRet6PjYnt7zgiI2qjAuWaz70ntwFduvNDC7biX18CyJe
ydLnQDGot2dXWqGo/p4eDtIPxpsaH8UCz4SHDKnKZvVOg2r85Wv4F8If0puGGl7m
qhe40zy/s+F1V0lWeJ3nbk2vBSETdoZViUWuRz6acy0at6znlgcMLnwjum8jcp8K
IOnK
-----END CERTIFICATE-----
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15064049706582178398 (0xd10e416537a87a5e)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:17:50 2016 GMT
            Not After : Sep 17 23:17:50 2036 GMT
        Subject: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ca:f3:8c:52:b7:91:00:33:91:37:d1:74:6e:4d:
                    3c:77:89:ff:c4:04:84:2d:28:49:cd:6e:95:d8:ae:
                    7b:99:af:e5:98:1e:de:3c:1a:ce:5a:b1:82:5a:16:
                    51:f6:d1:7c:f8:4c:24:fc:e0:9e:40:bb:a4:00:72:
                    e0:78:b9:6d:7b:b6:ae:ee:e5:df:e9:18:c5:c2:2f:
                    d7:5d:e9:8a:cc:45:03:11:c3:a5:f8:22:93:53:bc:
                    22:a3:b8:9f:f3:aa:f3:5f:cc:4e:3e:63:f6:fa:5e:
                    29:22:da:aa:00:aa:7b:2b:1f:53:3a:e0:21:4f:b8:
                    1c:40:a2:ab:e6:25:3a:95:3b:d2:fc:42:5f:c4:12:
                    ed:c2:84:d1:20:85:1d:63:12:c8:ed:71:59:7b:b2:
                    e6:e6:e3:a2:60:31:c8:84:5e:f4:4d:00:b7:b3:4f:
                    f5:96:71:84:b1:69:80:67:eb:8e:08:5c:ba:6c:a7:
                    24:bf:aa:2b:c0:3b:b6:51:f8:e1:4a:a9:22:20:90:
                    45:4a:f6:50:26:a8:7a:b3:79:2d:e5:d3:7e:33:20:
                    24:1b:5c:09:e9:d6:89:4b:ce:c5:2a:e8:2e:2c:8f:
                    88:4b:12:09:67:bb:57:5c:24:2a:64:59:5e:e4:8b:
                    b5:2e:ec:11:0c:0a:22:79:67:f0:3b:ce:bc:58:8f:
                    87:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         64:66:0c:a6:7c:b6:20:58:e2:b8:44:fb:fe:57:3b:36:79:6f:
         80:69:83:5c:34:17:28:b7:f2:6e:ea:b0:72:11:9f:d2:6b:89:
         d6:c4:d0:55:81:ef:f4:7d:f4:83:52:c9:a4:4a:55:1d:4b:ca:
         18:51:b2:d0:53:92:aa:a6:a0:da:43:48:db:c2:aa:0c:91:1f:
         98:11:ab:b4:43:c4:7e:37:d5:ad:4c:e5:9e:c3:7c:69:ad:1b:
         bd:06:f6:3d:8d:38:c1:1b:9a:72:16:9e:29:a8:e1:1c:39:39:
         b7:61:0c:b3:bf:c0:be:d0:a5:12:d8:70:e2:d7:79:c1:45:eb:
         7a:3e:36:27:b7:bc:e0:88:8d:aa:8c:0b:96:6b:3e:f4:9e:dc:
         05:76:eb:cd:0c:2e:db:89:7d:7c:0b:22:5e:c9:d2:e7:40:31:
         a8:b7:67:57:5a:a1:a8:fe:9e:1e:0e:d2:0f:c6:9b:1a:1f:c5:
         02:cf:84:87:0c:a9:ca:66:f5:4e:83:6a:fc:e5:6b:f8:17:c2:
         1f:d2:9b:86:1a:5e:e6:aa:17:b8:d3:3c:bf:b3:e1:75:57:49:
         56:78:9d:e7:6e:4d:af:05:21:13:76:86:55:89:45:ae:47:3e:
         9a:73:2d:1a:b7:ac:e7:96:07:0c:2e:7c:23:ba:6f:23:72:9f:
         0a:20:e9:ca
[root@centos6 CA]# openssl x509 -in cacert.pem -noout -dates
notBefore=Sep 22 23:17:50 2016 GMT
notAfter=Sep 17 23:17:50 2036 GMT


二、颁发及其吊销证书  

1)颁发证书,在需要使用证书的主机生成证书请求,给web服务器生成私钥(本实验在另一台主机上)

(umask 066;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)


2)生成证书申请文件

openssl req -new-key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr 


3)将证书文件传给CA,CA签署证书并将证书颁发给请求者,注意:默认国家、省和公司必须和CA一致

openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 


4)查看证书中的信息

opessl x509 -in /path/from/cert_file -noout -text|sbuject|serial|dates 


5)吊销证书,在客户端获取要吊销的证书的serial 

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject


6)在CA上,根据客户提交的serial与subject信息,对比检验 是否与index.txt文件中的信息一致吊销证书

 openssl ca -revoke /etc/pki/CA/newcerts/ SERIAL.pem

7)生成吊销证书的编号(第一次吊销一个证书时才需要执行) 

echo 01 > /etc/pki/CA/crlnumber 


8)更新证书吊销列表,查看crl文件

openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl 

openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

9)安装mod_ssl模块并修改/etc/httpd/conf.d/ssl.conf配置文件

DocumentRoot "/web/pma"

ServerName www.chen.net:443

<Directory "/web/pma">

  AllowOverride All

  Options None

  require all granted

</Directory>


SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateFile /etc/httpd/ssl/httpd.key

图示:


授权目录

openssl创建CA、申请证书及其给web服务颁发证书  _CA_02

openssl创建CA、申请证书及其给web服务颁发证书  _创建_03



10)测试

openssl  s_client  [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]

实例:

openssl s_client -connect www.chen.net:443 -CAfile /etc/pki/CA/cacert.pem

curl --cacert /etc/pki/CA/cacert.pem  https://www.chen.net/


实现图示:


openssl创建CA、申请证书及其给web服务颁发证书  _创建_04


代码演示:


[root@chen ~]# (umask 066;openssl genrsa -out /etc/pki/tls/private/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
.....................+++
e is 65537 (0x10001)
[root@chen ~]# cd /etc/pki/tls/private/
[root@chen private]# cat httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAydNdaHEea6lQpeMOof1bARNbNjerS+CG6bZWxYp3FVIEsqnQ
5dGZ9uvWFcN3XWAb3nTQR0cEjULIkLQS/RnoQA3t9uy83+PmL7imXnB6eDhBXOhb
QYXjAyShhR/Y+OHBJT6HhDZYxqNPoKIxi7ObJVmG6ovuE8P5SQJl5bX21/YB+CmJ
PpoY37WVd4lJagECSK2NjIuMCdMnmIKZIZgCU3XKnw1kDsG8DJXj7ZVuiimxgspM
wyXFI94vHDVxQ7mEJiIBT3F9rn95+Fy35p+fHBcXS4Iw+gJaa4GZeOuYaNxdwI9l
9nLwx9hW69UJ0wcuJQGc8kyN8AFul/sh2aWExQIDAQABAoIBAQC4snRN6w9CyVzj
oqm2dsv8bQFQ2ZsqQhxU7yfzeWbHHRrtgdiJKMq0nFh77DhlPFnkt5QPVp+EwrQX
MKQb+cSAMf8utLGYVtBFpb6iuF5rfFfctUsl6Ge6baBe2qlOAhMmiVWtGasehT+O
qj+bME9v28FLDalfbz3HoakskdyG/ptb6MEh/8Z4bAFovyYfI+IY+P3dzDd018Sv
V6wgj+A11wmhNUyete++DoO/JJtQJZuh0LeN4eg2W51M9vnnH7hrosyRwHfcYioU
SUoKEWs4Md78zVL7IeFcRwV3mSgm356u9SKl2gs+X9Qpb9Uyt5zs1q2jxGxwoe5s
ige9ERbVAoGBAPBIoELS4Cvdr1McaYbvnU6XfCVuWti0ZFDKcEaK2XUz2xMaCeBV
WPfNHq0PiC52RG8h0f9cqSt6m3rB8/5HjTuf9fyv2C6rnpUxfzqZ0P3euMBPIMHM
e2nBwr6hOMNeQwxs6YfXILlcRzMub4c4jqxNGESrWoQTogFe4TEINoe/AoGBANcG
yXsZRwI76lPEm5Z8eyFiHqKAq+QazyZoH1xXW6ByqtDA6toqHGOtuzhUIwR2HfiG
O2I3CWYVnIxWcnBMvdJ4XwIORVzfG9sh6fBqCRbYd2LhD6xTXPqq6dfssT/qI2ql
Cy5PNc0Q2XDFdar0dpIjbjcYuxGPlPPlDtdwALR7AoGBAJtZKRvrAHn72nVuYh+W
XWrJb783iM6gWlcNeudwr8UhoJrJ8+aw51NWr2WOLCp11irPf9iMjOcKXulP6jLV
Cc+pzLzw52DNHjsxBCPb/I2V6HaU8gW58XRfjEv5KhzNnaWz6IwlnweYTIQfmoWf
IEbvlSgYbO4FT3F5aThtKew7AoGADojo6adFw4LlThBGLB/x+sm1JGrqM5sUUZZM
OGO3T9swbLf9qA2cqag+tYoKa+zIDdqU/QiXXA0t7daSGcE2O5njYjIwwhxat69N
LvEb+C1dtJNeCdoAuPkAoZXgTV+4USci4Fh+XIQ9DoBqecnYkfxPIO5NBtzbxri/
DhUGFy0CgYB6Q0T2w3e8SkgF6FSgqIe4u5vio6RCsPIVhHuuZacOgeyzAqCEwQJg
b3SDZIexAUyPAnhNtkllnAYSKdFa97fXyGUdLNh0otj74C9Na6yLrUQ8zdEC1o3u
VOJyOO57bfBykghXYi9JN+29sBB0YOj9uDE0nOUImR95eiwKsP5QXg==
-----END RSA PRIVATE KEY-----
[root@chen private]# openssl req -new -key /etc/pki/tls/private/httpd.key  -days 365 -out  httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:chen.com
Organizational Unit Name (eg, section) []:alren_1
Common Name (eg, your name or your server's hostname) []:www.alren.com
Email Address []:admin@chen.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@chen private]# ls
httpd.csr  httpd.key
[root@chen private]# scp httpd.csr 10.1.249.94:
[root@centos6 CA]# cp /root/httpd.csr  .
[root@centos6 CA]# ls
cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial
[root@centos6 CA]# openssl ca -in httpd.csr  -out  certs/httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = chen.com
            organizationalUnitName    = alren_1
            commonName                = www.alren.com
            emailAddress              = admin@chen.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

Certificate is to be certified until Sep 22 23:43:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.old  private  serial.old
certs       httpd.csr  index.txt.attr  newcerts       serial
[root@centos6 CA]# cat index.txt.attr
unique_subject = yes
[root@centos6 CA]# cat index.txt
V	170922234302Z		01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# cat serial
02
[root@centos6 CA]# cd certs/
[root@centos6 certs]# ls
httpd.crt
[root@centos6 certs]# openssl x509 -in httpd.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=bj, O=chen.com, OU=alren_1, CN=centos6.localdomain/emailAddress=alren@163.com
        Validity
            Not Before: Sep 22 23:43:02 2016 GMT
            Not After : Sep 22 23:43:02 2017 GMT
        Subject: C=CN, ST=beijing, O=chen.com, OU=alren_1, CN=www.alren.com/emailAddress=admin@chen.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:d3:5d:68:71:1e:6b:a9:50:a5:e3:0e:a1:fd:
                    5b:01:13:5b:36:37:ab:4b:e0:86:e9:b6:56:c5:8a:
                    77:15:52:04:b2:a9:d0:e5:d1:99:f6:eb:d6:15:c3:
                    77:5d:60:1b:de:74:d0:47:47:04:8d:42:c8:90:b4:
                    12:fd:19:e8:40:0d:ed:f6:ec:bc:df:e3:e6:2f:b8:
                    a6:5e:70:7a:78:38:41:5c:e8:5b:41:85:e3:03:24:
                    a1:85:1f:d8:f8:e1:c1:25:3e:87:84:36:58:c6:a3:
                    4f:a0:a2:31:8b:b3:9b:25:59:86:ea:8b:ee:13:c3:
                    f9:49:02:65:e5:b5:f6:d7:f6:01:f8:29:89:3e:9a:
                    18:df:b5:95:77:89:49:6a:01:02:48:ad:8d:8c:8b:
                    8c:09:d3:27:98:82:99:21:98:02:53:75:ca:9f:0d:
                    64:0e:c1:bc:0c:95:e3:ed:95:6e:8a:29:b1:82:ca:
                    4c:c3:25:c5:23:de:2f:1c:35:71:43:b9:84:26:22:
                    01:4f:71:7d:ae:7f:79:f8:5c:b7:e6:9f:9f:1c:17:
                    17:4b:82:30:fa:02:5a:6b:81:99:78:eb:98:68:dc:
                    5d:c0:8f:65:f6:72:f0:c7:d8:56:eb:d5:09:d3:07:
                    2e:25:01:9c:f2:4c:8d:f0:01:6e:97:fb:21:d9:a5:
                    84:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CA:82:B2:CF:4A:A2:49:9B:1D:46:84:04:F8:C6:F6:0D:E0:49:B7:A4
            X509v3 Authority Key Identifier:
                keyid:26:A2:98:70:1F:8A:3B:A3:A1:05:0E:8B:79:34:C5:66:FA:B9:A6:D9

    Signature Algorithm: sha1WithRSAEncryption
         5f:b8:37:e2:e5:e0:5e:65:99:60:9f:2f:5a:81:7e:55:e7:dc:
         85:94:bc:d0:ae:82:db:c0:cd:bb:0c:7c:7d:6e:97:41:35:94:
         71:d9:bc:a4:3e:76:d1:4e:09:3d:a2:a9:5e:a2:24:9c:98:f3:
         ac:7d:ea:f0:f2:ff:17:0d:47:fb:47:04:d6:29:7f:d8:3a:08:
         df:33:45:8c:15:2a:a0:be:03:dc:4e:9c:91:ef:a1:99:a8:6d:
         f2:4c:10:1d:9c:7b:23:28:0a:17:bd:cf:c4:2d:c6:07:d1:73:
         48:2c:f9:a0:0f:2a:21:d0:f7:a4:9c:85:d5:75:02:c0:09:19:
         97:b8:aa:1d:e0:e3:8a:39:29:f5:4c:d7:69:01:e8:e6:50:91:
         fe:75:8a:3d:75:1c:df:94:36:01:32:43:4e:9c:49:f4:4c:f2:
         d9:85:9d:45:89:7f:6d:47:a9:48:48:bc:b3:8b:ed:06:34:f5:
         30:6e:c9:8f:a9:54:f6:6d:e7:2d:ce:03:9d:2f:ea:fa:47:fa:
         ee:13:f2:26:3b:a8:7a:e8:fd:66:ae:c6:97:37:03:a7:e8:c7:
         ad:c3:d9:e1:b1:b9:b0:61:ba:34:ea:80:6b:42:e4:d9:b7:38:
         0d:49:13:b1:89:2f:ca:a0:aa:69:e5:95:c0:c0:e3:ba:af:9f:
         68:80:5a:4f
[root@centos6 certs]#
[root@centos6 certs]#
[root@centos6 certs]# openssl ca  -revoke httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos6 certs]# cd ../
[root@centos6 CA]# ls
cacert.pem  crl        index.txt       index.txt.attr.old  newcerts  serial
certs       httpd.csr  index.txt.attr  index.txt.old       private   serial.old
[root@centos6 CA]# cat index.txt
R	170922234302Z	160922234706Z	01	unknown	/C=CN/ST=beijing/O=chen.com/OU=alren_1/CN=www.alren.com/emailAddress=admin@chen.com
[root@centos6 CA]# echo 01 > crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl
crl/       crlnumber
[root@centos6 CA]# openssl ca -gencrl -out crl/ca.rcl
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos6 CA]# cat crl/ca.rcl
-----BEGIN X509 CRL-----
MIIB/TCB5gIBATANBgkqhkiG9w0BAQUFADCBjTELMAkGA1UEBhMCQ04xEDAOBgNV
BAgMB2JlaWppbmcxCzAJBgNVBAcMAmJqMREwDwYDVQQKDAhjaGVuLmNvbTEQMA4G
A1UECwwHYWxyZW5fMTEcMBoGA1UEAwwTY2VudG9zNi5sb2NhbGRvbWFpbjEcMBoG
CSqGSIb3DQEJARYNYWxyZW5AMTYzLmNvbRcNMTYwOTIyMjM1MDU0WhcNMTYxMDIy
MjM1MDU0WjAUMBICAQEXDTE2MDkyMjIzNDcwNlqgDjAMMAoGA1UdFAQDAgEBMA0G
CSqGSIb3DQEBBQUAA4IBAQADo6PBGbyqpM+noDuaDZxy349jgqcmRLCPDYKRZ4L+
1PyRTVhuIZztSUu2u5x7ZEYx3jyR7rFY8tpHRYT4ZnJe9ol4pTUb8INNx0lIZ4r1
hGlKWKQSDS3WVrQnCswBhWcAccd9wU2+YTj4m7f1drTbu6d5elfaZR1yKsTLnZdV
ESKmr4MXjcD0F80Q8Dc0hpKVKt71JiDwJt0WuHI6XPz90ta8EAN7Ry87Aj8f9/HD
LDnOWEEA50F7JgUQgFKI72wvekQoZ9Cj/KeFbOov+wde7+uCGNqRcPLznnTxVz8a
e0/e9HGQaDLGKDoN/vxVXCRQ030fZrPzag810yqSxxgZ
-----END X509 CRL-----
[root@centos6 CA]# openssl crl -in crl/ca.rcl  -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=beijing/L=bj/O=chen.com/OU=alren_1/CN=centos6.localdomain/emailAddress=alren@163.com
        Last Update: Sep 22 23:50:54 2016 GMT
        Next Update: Oct 22 23:50:54 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep 22 23:47:06 2016 GMT
    Signature Algorithm: sha1WithRSAEncryption
         03:a3:a3:c1:19:bc:aa:a4:cf:a7:a0:3b:9a:0d:9c:72:df:8f:
         63:82:a7:26:44:b0:8f:0d:82:91:67:82:fe:d4:fc:91:4d:58:
         6e:21:9c:ed:49:4b:b6:bb:9c:7b:64:46:31:de:3c:91:ee:b1:
         58:f2:da:47:45:84:f8:66:72:5e:f6:89:78:a5:35:1b:f0:83:
         4d:c7:49:48:67:8a:f5:84:69:4a:58:a4:12:0d:2d:d6:56:b4:
         27:0a:cc:01:85:67:00:71:c7:7d:c1:4d:be:61:38:f8:9b:b7:
         f5:76:b4:db:bb:a7:79:7a:57:da:65:1d:72:2a:c4:cb:9d:97:
         55:11:22:a6:af:83:17:8d:c0:f4:17:cd:10:f0:37:34:86:92:
         95:2a:de:f5:26:20:f0:26:dd:16:b8:72:3a:5c:fc:fd:d2:d6:
         bc:10:03:7b:47:2f:3b:02:3f:1f:f7:f1:c3:2c:39:ce:58:41:
         00:e7:41:7b:26:05:10:80:52:88:ef:6c:2f:7a:44:28:67:d0:
         a3:fc:a7:85:6c:ea:2f:fb:07:5e:ef:eb:82:18:da:91:70:f2:
         f3:9e:74:f1:57:3f:1a:7b:4f:de:f4:71:90:68:32:c6:28:3a:
         0d:fe:fc:55:5c:24:50:d3:7d:1f:66:b3:f3:6a:0f:35:d3:2a:
         92:c7:18:19
[root@centos6 CA]#


不同主机之间拷贝文件小技巧:

在使用ssh远程登录时提示:remote host indentification has changed!则需清除~/.ssh/known_hosts文件即可,因为系统检测出rsa钥匙发生了改变。清除此配置文件重连。



[root@centos6 ~]# ssh  10.1.229.40
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3d:bb:7b:99:51:b3:9f:b8:81:4e:fd:6e:b5:ac:92:02.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 10.1.229.40 has changed and you have requested strict checking.
Host key verification failed.

[root@centos6 .ssh]#
[root@centos6 .ssh]# ssh root@10.1.229.93
The authenticity of host '10.1.249.93 (10.1.249.93)' can't be established.
RSA key fingerprint is d3:e3:99:1d:b6:00:fe:18:26:58:a5:7d:eb:14:c3:57.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.229.93' (RSA) to the list of known hosts.
root@10.1.249.93's password:






本文出自小耳朵原创,每天进步一点点,积少成多。