Setting Up Your Own CA and Revoking Certificates

#######################################################################
Setting up the CA ===========> centos7 ==========> DIR: /etc/pki/CA

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WUHAN
Locality Name (eg, city) [Default City]:JIANGXIA
Organization Name (eg, company) [Default Company Ltd]:CA.jack.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:JACK WANG
Email Address []:wang2891135657@163.com
#######################################################################
OpenSSL configuration file: /etc/pki/tls/openssl.cnf (settings for certificates and the revocation list)
touch index.txt (create the index database, which records the issued certificates)
echo 01 > serial (set the initial certificate serial number)
(umask 066;openssl genrsa -out private/cakey.pem 2048) generate the CA private key
openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
# generate the self-signed CA certificate from the private key
openssl x509 -in cacert.pem -noout -text (view the CA certificate; it can also be sent to a Windows machine and viewed there after changing the suffix to .crt)

# receive the applicant's private key
openssl req -new -key /root/.ssh/wh5003.com.key -out wh5003.com.csr (generate the certificate request from the applicant's private key)
openssl ca -in wh5003.com.csr -out certs/wh5003.com.crt -days 710 (issue the applicant a certificate valid for 710 days)
openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (view the information in the issued certificate)
openssl ca -status 01 (check its status)

#######################################################################
Certificate request ============> centos6 ==========> DIR: /data/certs

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WUHAN
Locality Name (eg, city) [Default City]:WUCHANG
Organization Name (eg, company) [Default Company Ltd]:CA.jack.com
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:JACK LIN
Email Address []:953752844@qq.com

#######################################################################
(umask 066;openssl genrsa -out wh5003.com.key 2048) the applicant generates a private key
scp wh5003.com.key jack7:/root/.ssh/ send it to the CA (the centos7 host)

#######################################################################
Install the CA certificate and the applicant's certificate on Windows to see the result
#######################################################################

#######################################################################
Certificate revocation ==========> centos7 (CA) =======> DIR: /etc/pki/CA

openssl x509 -in certs/wh5003.com.crt -noout -serial -subject (look up the serial number of the certificate to be revoked)
openssl ca -revoke newcerts/01.pem (revoke it and check the revocation information)
echo 01 > crlnumber (set the initial CRL number)
openssl ca -gencrl -out crl.pem (generate the certificate revocation list)
openssl ca -status 01 (check the status of the revoked serial number)
cat index.txt (view the index database)
sz crl.pem (it can also be viewed on Windows after changing the suffix to .crl)
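As an added example that is not part of the original note, the script below runs the whole procedure above (set up the CA, issue the applicant's certificate, revoke it and publish a CRL) in scratch directories with its own minimal openssl.cnf, and adds the check the note lacks: `openssl verify -crl_check` against the published CRL before and after revocation. Unlike the note, the applicant keeps its private key and hands the CA only the CSR, which is all a CA needs to sign; the directory names, the constructed config and the subjects are the example's own assumptions.

```shell
# Added example (not the note's own code): the note's CA / issue / revoke workflow in
# scratch directories with a minimal constructed openssl.cnf; needs the openssl CLI.
set -eu
CA="$(mktemp -d)"; CNF="$CA/openssl.cnf"   # stands in for /etc/pki/CA on the CA host
APP="$(mktemp -d)"                         # stands in for /data/certs on the applicant host
setup_ca() {
  mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 066; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CNF" -key "$CA/private/cakey.pem" -days 3650 \
    -subj "/C=CN/ST=WUHAN/O=CA.jack.com/CN=JACK WANG" -out "$CA/cacert.pem"
  openssl ca -config "$CNF" -gencrl -out "$CA/crl.pem" 2>/dev/null   # initial empty CRL
}
# The applicant keeps its private key; only the CSR goes to the CA (the note copies the key).
issue_cert() {
  (umask 066; openssl genrsa -out "$APP/wh5003.com.key" 2048 2>/dev/null)
  openssl req -new -config "$CNF" -key "$APP/wh5003.com.key" -subj "/CN=wh5003.com" \
    -out "$APP/wh5003.com.csr" && cp "$APP/wh5003.com.csr" "$CA/"   # stands in for scp
  openssl ca -config "$CNF" -batch -notext -days 710 -in "$CA/wh5003.com.csr" \
    -out "$CA/certs/wh5003.com.crt" 2>/dev/null
}
verify_cert() {  # exit 0 while valid, non-zero once the current CRL lists it
  openssl verify -CAfile "$CA/cacert.pem" -crl_check -CRLfile "$CA/crl.pem" \
    "$CA/certs/wh5003.com.crt" >/dev/null 2>&1
}
revoke_cert() {  # mark serial 01 revoked in index.txt, then publish a new CRL
  openssl ca -config "$CNF" -revoke "$CA/newcerts/01.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$CA/crl.pem" 2>/dev/null
}
```

Run `setup_ca; issue_cert; verify_cert; revoke_cert; verify_cert` to see the second verification fail with "certificate revoked"; `openssl crl -in "$CA/crl.pem" -noout -text` shows serial 01 in the list.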

######################################################################
[20:43:05-root@jack7 CA]#tree /etc/pki/CA/

/etc/pki/CA/
├── cacert.pem
├── certs
│   └── wh5003.com.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
├── serial.old
└── wh5003.com.csr
