# cat /etc/redhat-release
CentOS release 6.6 (Final)
# uname -r
2.6.32-504.el6.x86_64
首先我们先演示加密文件的方式:
拷贝一个文件到当前目录,使用openssl enc命令进行加密文件测试。
加密所用到的选项
# -e --> 加密选项
# -d --> 解密选项
# -des3 --> 选择加密的算法(3DES,现已属过时算法,新部署建议改用 aes-256-cbc 等)
# -a --> 对加密结果进行base64编码,使输出为文本格式(解密时同样要带上该选项)
# -salt --> 自动添加随机盐值(salt),避免相同口令每次产生相同的密文
# -in --> 要加密的文件
# -out --> 加密后的文件
[root@Corazon ~]# cp /etc/passwd ./
[root@Corazon ~]# openssl enc -e -des3 -a -salt -in passwd -out passwd.des3
enter des-ede3-cbc encryption password: # 加密文件的密码,在解密的时候会提示输入
Verifying - enter des-ede3-cbc encryption password:
[root@Corazon ~]# cat 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
为了验证解密效果,先把拷贝过来的passwd文件删除
[root@Corazon ~]# rm -rf passwd
再将文件解密,恢复出原文件
[root@Corazon ~]# openssl enc -d -des3 -a -salt -in passwd.des3 -out passwd
enter des-ede3-cbc decryption password:
[root@Corazon ~]# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pulse:x:497:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
随机生成指定字节数的随机数据,并以base64格式输出(可用作随机密码)
[root@Corazon ~]# openssl rand -base64 16 # -base64 --> 以base64格式输出随机数据
jELVzuuvyp2OWpBQH8Bdqg== # 16 --> 随机字节数,按自己的需要指定(输出的base64字符串长度约为字节数的4/3)
生成rsa加密格式的密钥
[root@Corazon ~]# openssl genrsa -out rsa.key 1024 # genrsa --> 生成RSA私钥
Generating RSA private key, 1024 bit long modulus # -out --> 输出的密钥文件路径及名称
...++++++ # 1024 --> 密钥长度不是固定的,可以是2048、4096(1024位已不再安全,建议至少2048)
....................++++++
e is 65537 (0x10001)
[root@Corazon ~]# cat rsa.key # 查看我们生成的密钥信息
-----BEGIN RSA PRIVATE KEY-----MIICXgIBAAKBgQC+rOQWZNNcCZFuJYVhc4GEa79t/U8d92p3QHr/Urr/gVHlKnnXOrVPZqznrnvAS51xYNxpSAzKCJq4Zhi69HDEyV9OmT9deCVOyLsEtcXCWtoFn6fOobpiBQu5iOa1XvvnCO0t+Vx44+s4OAWtET3rrbNU+BmJv58mU47qfcD5lQIDAQABAoGAMFZYBC1PP5fVXFz6sTe877r47oM22Vvti4m3JJ7udPNttXDNLnjdmeFnl9wt1xPUN/fcKHxxcY442uJXBp4NMAU7RKljA/IcWcmz2WjfXivhh9teiz1eoUE/383vauaoon7XHfpzfhQi5PEhnm5UHpSQRrKNQ/HmD/5xFIVidwkCQQD3Ka6RG4vySdBNuWdPdIZ5W9M8bGMuZGbRWjcn6EkQinAL67jvRwouqFfHV8WQTFrjKaWoD5twQyITWXumZrIbAkEAxX4rv2p2UR/RWP1QaB+h9abxApUmi1BVAXGT6rqM4RRZAtYNvwVOilkz5KrUTiXpCqfV6gDFPklXyfoIdW4+DwJBANscjZBAfnE9tLeivI54u9oMaJhxcf+nrGq98pWjXFqYj7pRr7IYJVO1k5O6IllP/KYOxveFcj9uWv7h5/PpoHAq8CQQCV
mZmyCgdONHf0nQ6HkU6yMp9mgW0NIvEBgvO1X1LQPQWgLF2FUZPJIQE6Ol1QRU9ejvxvod3H7O7fRNObgMLpAkEA7pUNopvI3aLruZieCQbqlM6/4VfsGp0nc/vQI10XJpEyvaGYj7Ts6DP6tiGmxThKJHQ9Blr6Uffan/48JwUrlw==-----END RSA PRIVATE KEY-----
密钥已经生成,公钥需要我们手动生成,自行保存
[root@Corazon ~]# openssl rsa -in rsa.key -pubout # -in --> 从哪个文件提取公钥信息
writing RSA key # -pubout --> 将公钥信息输出至屏幕
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+rOQWZNNcCZFuJYVhc4GEa79t
/U8d92p3QHr/Urr/gVHlKnnXOrVPZqznrnvAS51xYNxpSAzKCJq4Zhi69HDEyV9O
mT9deCVOyLsEtcXCWtoFn6fOobpiBQu5iOa1XvvnCO0t+Vx44+s4OAWtET3rrbNU
+BmJv58mU47qfcD5lQIDAQAB
-----END PUBLIC KEY-----
[root@Corazon ~]#
需要注意的是密钥文件生成之后的权限: 默认是-rw-r-----,同组用户也能读取私钥,应当收紧
[root@Corazon ~]# ll rsa.key
-rw-r----- 1 root root 891 Sep 16 07:08 rsa.key
[root@Corazon ~]# chmod 600 rsa.key # 修改成只有文件属主(root)有权限读写,其他用户无任何权限
[root@Corazon ~]# ll rsa.key
-rw------- 1 root root 891 Sep 16 07:08 rsa.key
[root@Corazon ~]#
其实,创建密钥和修改权限可以用一条命令完成: 在子shell中先设置umask 077,这样私钥文件一创建就是600权限,不存在权限收紧之前的暴露窗口
[root@Corazon ~]# (umask 077;openssl genrsa -out rsa.key2 2048) # 这次我们生成2048位的密钥
...........................+++................................+++
e is 65537 (0x10001)
[root@Corazon ~]# ll rsa.key2
-rw------- 1 root root 1675 Sep 16 07:28 rsa.key2
[root@Corazon ~]# openssl rsa -in rsa.key2 -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9g9jIJi/ob+9Ey6//mCEXHvY4hRAmmJXMpy0PSO18fGbeh69owRpR8aN9LUXoTgE556Rj4zkHqe36M+iI6z9zkiCWF+a6OhpcO5jUiUvXgNcjeTT5eHYBwjlX1zMce4F2ndUps8ZFlJ0JNs4hZ6o1szZs8Xg42MULlKadXM6UNvR5ScPuKwglKOT9w2Nue4O7vJEj+fgvc1z55f52yAbZoXRQocAyUnISAk/YtsTILs04TcdWGXQj1yFyrZrfqcLqDdkDA9ov8YRNwLdrldlDe02+t2WzM89LQj5MgNcblphIZfdOsbxa89kCStOhft4fVjhb6Y7Ew/zgKQrSBppAwIDAQAB
-----END PUBLIC KEY-----
这样我们就创建完成了!
下面我们演示创建私有CA及证书相关系列操作
Openssl的配置文件路径 --> /etc/pki/tls/openssl.cnf
CA的工作路径 --> /etc/pki/CA
CA已经签署的证书路径 --> /etc/pki/CA/certs
CA的私钥路径 --> /etc/pki/CA/private/cakey.pem
CA的自签证书路径 --> /etc/pki/CA/cacert.pem
证书存取库 --> /etc/pki/CA/certs
切换至CA的工作路径
[root@Corazon ~]# cd /etc/pki
[root@Corazon pki]# ls
CA ca-trust java nssdb rpm-gpg rsyslog tls
[root@Corazon pki]# cd CA
[root@Corazon CA]# ls
certs crl newcerts private
[root@Corazon CA]# pwd
/etc/pki/CA
创建私有CA的步骤:
1) 创建所需要的文件
[root@Corazon CA]# touch index.txt
[root@Corazon CA]# echo 01 > serial
[root@Corazon CA]# ll
total 20
drwxr-xr-x. 2 root root 4096 Oct 15 2014 certs
drwxr-xr-x. 2 root root 4096 Oct 15 2014 crl
-rw-r--r-- 1 root root 0 Sep 16 08:08 index.txt
drwxr-xr-x. 2 root root 4096 Oct 15 2014 newcerts
drwx------. 2 root root 4096 Sep 15 10:47 private
-rw-r--r-- 1 root root 3 Sep 16 08:08 serial
2) CA自签证书 生成请求和签发命令
生成密钥文件:
[root@Corazon CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............................+++
........................................+++
e is 65537 (0x10001)
生成自签证书:
req:生成请求和签发命令
-new: 生成新证书的签署请求
-x509:专用于CA生成自签证书
-key: 指定私钥文件,用于从中提取公钥
-days N: 证书的有效期限(天数)
-out: 生成后的保存路径
[root@Corazon CA]# openssl req -new -x509 -key private/cakey.pem -days 365 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 使用2位字母表示国家
State or Province Name (full name) []:Beijing # 你所在的省份
Locality Name (eg, city) [Default City]:dongcheng # 所在的城市
Organization Name (eg, company) [Default Company Ltd]:IBM # 公司的名称
Organizational Unit Name (eg, section) []:Ops # 公司的部门
Common Name (eg, your name or your server's hostname) []:ca.abc.com # 服务器的名称
Email Address []:xxx@mail.com # 真实的邮箱地址
查看证书已经生成
[root@Corazon CA]# ls -l cacert.pem
-rw-r--r-- 1 root root 1391 Sep 16 08:35 cacert.pem
3) 发证
在Slave主机上,如果要提供加密(HTTPS)的网站服务,该主机自身需要有私钥和证书
[root@Slave ~]# cd /etc/httpd/
[root@Slave httpd]# ll
total 8
drwxr-xr-x. 2 root root 4096 Aug 14 13:58 conf
drwxr-xr-x. 2 root root 4096 Aug 14 13:58 conf.d
lrwxrwxrwx. 1 root root 19 Aug 14 13:58 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root 29 Aug 14 13:58 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root 19 Aug 14 13:58 run -> ../../var/run/httpd
[root@Slave httpd]# mkdir ssl
[root@Slave httpd]# cd ssl
[root@Slave ssl]# pwd
/etc/httpd/ssl
生成证书请求.csr文件(注意: -days 选项只在 -x509 自签时有效,生成请求时会被忽略,证书有效期由CA签发时的 -days 决定)
[root@Slave ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................................................+++
............+++
e is 65537 (0x10001)
[root@Slave ssl]# ll
total 4
-rw------- 1 root root 1679 Sep 16 08:48 httpd.key
[root@Slave ssl]# openssl req -new -key httpd.key -days 30 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 需要和CA证书保持一致(openssl.cnf默认的policy_match策略要求国家、省份、组织三项与CA一致,否则签发会被拒绝)
State or Province Name (full name) []:Beijing # 需要和CA证书保持一致
Locality Name (eg, city) [Default City]:dongcheng # 需要和CA证书保持一致
Organization Name (eg, company) [Default Company Ltd]:IBM # 需要和CA证书保持一致
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.abc.com # 这里要填写加密访问的主机名
Email Address []:xxxxx@mail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123 # 请求的challenge password属性,注意它并不加密请求文件本身,一般可直接回车留空
An optional company name []:abc123
[root@Slave ssl]# ll
total 8
-rw-r--r-- 1 root root 1106 Sep 16 08:58 httpd.csr
-rw------- 1 root root 1679 Sep 16 08:48 httpd.key
将证书请求发送至CA服务器,发送的方式可以是内部的FTP服务器,或使用U盘面对面,这里我们为了演示效果
将会使用scp命令进行证书请求传送
[root@Slave ssl]# scp httpd.csr root@172.16.158.158:/tmp
root@172.16.158.158's password:
httpd.csr 100% 1106 1.1KB/s 00:00
切换到CA服务器,查看传送成功: 已经有httpd.csr的待签证书请求存放在/tmp目录下
[root@Corazon tmp]# pwd
/tmp
[root@Corazon tmp]# ls -l httpd.csr
-rw-r--r-- 1 root root 1106 Sep 16 09:06 httpd.csr
签证
[root@Corazon tmp]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 30
Using configuration from /etc/pki/tls/openssl.cnf # 生成的证书要存放在 /etc/pki/CA/certs 证书存取库中
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 16 01:11:40 2015 GMT
Not After : Oct 16 01:11:40 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = IBM
organizationalUnitName = Ops
commonName = www.abc.com
emailAddress = xxxxx@mail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B6:F1:5F:33:BC:3E:43:52:E9:89:3E:1B:BB:10:92:89:07:96:9A:61
X509v3 Authority Key Identifier:
keyid:B6:6D:5D:E8:BD:E2:A2:52:14:0F:A8:BB:6A:23:C3:61:68:51:6D:3A
Certificate is to be certified until Oct 16 01:11:40 2015 GMT (30 days)
Sign the certificate? [y/n]:y # 询问是否确认
1 out of 1 certificate requests certified, commit? [y/n]y # 再次询问是否确认
Write out database with 1 new entries
Data Base Updated # 提示更新成功,索引信息保存至/etc/pki/CA/index.txt
[root@Corazon tmp]# cat /etc/pki/CA/index.txt # 查看已经签署的证书索引记录
V 151016011140Z 01 unknown /C=CN/ST=Beijing/O=IBM/OU=Ops/CN=www.abc.com/emailAddress=xxxxx@mail.com
到这里我们已经签署完成证书了,可以将签署后的证书httpd.crt发送给证书申请者了
使用scp命令将签署的证书发送给申请者Slave
[root@Corazon certs]# scp httpd.crt root@172.16.249.177:/tmp
The authenticity of host '172.16.249.177 (172.16.249.177)' can't be established.
RSA key fingerprint is 2e:f3:b6:1d:fd:33:87:22:88:a1:a8:26:07:e9:38:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.249.177' (RSA) to the list of known hosts
root@172.16.249.177's password:
httpd.crt
切换到Slave,将httpd.crt移动到/etc/httpd/ssl下即可,这样就完成了证书的申请与签署
[root@Slave ssl]# cd /tmp
[root@Slave tmp]# ll httpd.crt
-rw-r--r-- 1 root root 4567 Sep 16 09:21 httpd.crt
[root@Slave tmp]# mv httpd.crt /etc/httpd/ssl/
查看证书中的信息(证书已移动到/etc/httpd/ssl/下,因此路径应为/etc/httpd/ssl/httpd.crt)
[root@Slave ssl]# openssl x509 -in /etc/httpd/httpd.crt -noout -text
吊销证书
1) 客户端获取要吊销的证书的序列号
[root@Slave ssl]# openssl x509 -in /etc/httpd/httpd.crt -noout -text
2) CA端(以下操作应在CA服务器上执行,/etc/pki/CA目录位于CA主机)
先根据客户提交的serial与subject信息,对比检验是否与/etc/pki/CA/index.txt文件中的信息一致;
吊销证书: 已签发证书的副本按序号保存在/etc/pki/CA/newcerts/目录(如01.pem),执行 openssl ca -revoke /etc/pki/CA/newcerts/01.pem 即可吊销
[root@Slave ssl]# openssl x509 -in /etc/httpd/httpd.crt -noout -text
3) 初始化吊销列表编号文件crlnumber(只在第一次生成CRL之前需要执行一次)
[root@Slave ssl]# echo 01 > /etc/pki/CA/crlnumber
4) 更新证书吊销列表
[root@Slave ssl]# openssl ca -gencrl -out /etc/pki/CA/ca_dx.crl
# 将吊销信息保存至此
查看crl文件:
[root@Slave ssl]# openssl crl -in /etc/pki/CA/ca_dx.crl -noout -text
https://blog.51cto.com/corazon/1699494