一、配置OPENSSL
[root@test1 /]# rpm -qa|grep openssl
openssl-1.0.0-20.el6_2.5.i686
[root@test1 /]# cd /etc/pki/tls
[root@test1 tls]# ls
cert.pem certs misc openssl.cnf private
[root@test1 tls]# vim openssl.cnf
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (CA中心的目录)
certs = $dir/certs # Where the issued certs are kept (证书保存目录)
crl_dir = $dir/crl # Where the issued crl are kept (被吊销证书的目录)
database = $dir/index.txt # database index file. (证书索引文件)
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.(经过CA中心签名的证书备份目录)
certificate = $dir/my-ca.crt # The CA certificate (CA的公钥文件名)
serial = $dir/serial # The current serial number (CA中心的颁发证书序列号)
crlnumber = $dir/crlnumber # the current crl number (已吊销证书序列号)
# must be commented out to leave a V1 CRL
crl = $dir/my-ca.crl # The current CRL (证书吊销列表)
private_key = $dir/private/my-ca.key # The private key (CA私钥文件)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
default_days = 365 # how long to certify for (证书有效期)
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
[ policy_match ] #此段为证书相关信息选项,其中match指定的项,要求被签名证书一定要与CA的对应项一致。
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
#
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN # 国家代码需要自己修改(注释部分不要写入值中,否则超过 countryName_max 的 2 位限制)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Hebei # 州或省名需要自己修改
localityName = Locality Name (eg, city)
localityName_default = Beijing # 地点名称需要自己修改
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Tianli Company # 组织或公司名需要自己修改
[root@test1 tls]# cd ../CA/
[root@test1 CA]# ls
certs crl newcerts private
注:需要有这几个目录,如果没有可以自己新建
[root@test1 CA]# touch index.txt
[root@test1 CA]# echo "00"> serial
[root@test1 CA]# ls
certs crl index.txt newcerts private serial
二、创建密钥过程
创建私钥
[root@test1 CA]#(umask 077;openssl genrsa -out private/my-ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
............................................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:
Verifying - Enter pass phrase for private/my-ca.key:
由私钥生成自签名的CA证书(其中包含公钥)
[root@test1 CA]#openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:Hebei
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli Company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1
Email Address []:
[root@test1 CA]# ls
certs crl index.txt my-ca.crt newcerts private serial