Experiment: set up a private CA and issue a certificate (20190123 afternoon)

Certificate application process:
centos6 is the host that needs the certificate; centos7 is the CA server.
1. Establish the CA
A. [~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
[~]# cd /etc/pki/CA
[CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Run this under a restrictive umask (077 or 066) so the private key is not readable by others; it generates the CA private key file.
[CA]# tree
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem
cakey.pem has now been generated, readable only by its owner thanks to the umask (the note gives 066).
B. [CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]
Fill in the registration information here. Items 1, 2 and 4 (Country, State, Organization) must match what is entered in the certificate request below.
[CA]# cat cacert.pem shows the generated CA certificate. To read it as text use openssl x509 -in cacert.pem -noout -text, or transfer it to Windows with sz and rename it with a .crt suffix so it can be viewed from the desktop.
2. Apply for a certificate
Keep the certificate and the private key the software will use together in one directory.
A. First generate the private key: [data]# (umask 066; openssl genrsa -out /test/app.key 1024)
B. Then generate the certificate request: [data]# openssl req -new -key /test/app.key -out /test/app.csr

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:[email protected]
Fill in the registration information here; items 1, 2 and 4 (Country, State, Organization) must be the same as those given for the CA. The result is the file app.csr.
C. Send app.csr to centos7 for review; if it passes, the certificate is issued: scp app.csr 192.168.93.253:/etc/pki/CA and enter the centos7 password (placing it in this directory is convenient).
Issuing the certificate now fails with the following error:
[CA]# openssl ca -in app.csr -out certs/app.crt -days 100
/etc/pki/CA/index.txt: No such file or directory
index.txt is the database file in which openssl ca records each certificate's serial number, subject and status.
D. [CA]# > index.txt  Create it empty; openssl ca then fills in each certificate's information automatically.
Issuing still fails, this time because the serial number file is missing:
[CA]# openssl ca -in app.csr -out certs/app.crt -days 100
openssl ca does not know which serial number to start from because there is no serial file.
[CA]# echo 09 > serial  Start numbering from 09; this also creates the file.
[CA]# cat serial --> 09
E. [CA]# openssl ca -in app.csr -out certs/app.crt -days 100
Certificate is to be certified until May 4 02:59:37 2019 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
There are two confirmation prompts: whether to sign the certificate and whether to commit it to the database.
F. [CA]# tree  The directory after the certificate has been issued:
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 09.pem
├── private
│   └── cakey.pem
├── privkey.pem
├── serial
└── serial.old
G. [CA]# cat index.txt
V 190504025937Z 09 unknown /C=CN/ST=beijing/O=magedu/OU=beiguo/CN=www.magedu.com/[emailprotected]
The leading V means this certificate is valid.
[CA]# cat serial --> 0A  The next serial number after 09.
certs/app.crt and newcerts/09.pem are the same certificate; the latter is created automatically.
Now send the certificate, the private key and the CA certificate to the user on centos6, who can then use them.
H. [CA]# scp certs/app.crt 192.168.93.253:/data
[email protected]'s password:
app.crt 100% 3883 4.0MB/s 00:00
J. [data]# ll
total 28
-rw-r--r-- 1 root root 3883 Jan 24 11:22 app.crt
-rw-r--r-- 1 root root  704 Jan 24 10:24 app.csr
-rw------- 1 root root  891 Jan 24 10:22 app.key
Here app.key is the original private key and app.crt the issued certificate. app.csr is no longer needed once the request has been processed, so app.key and app.crt are the two files that software needing encryption will use.
K. The CA certificate in /etc/pki/CA on centos7 (-rw-r--r-- 1 root root 1436 Jan 24 10:14 cacert.pem) is also copied to centos6, because some software needs it.
The certificate application is now complete.
L. [CA]# sz certs/app.crt transfers the certificate to the Windows desktop. Because of the .crt suffix it opens with a double-click; since the certificate cannot be verified there, import it by double-clicking it and following the steps.

Revoking the certificate:
First check the certificate's details:
openssl x509 -in certs/app3.crt -noout -subject (or -issuer, -dates, etc.)
[CA]# openssl ca -revoke newcerts/0B.pem
openssl ca -status 0B --> 0B=revoke shows that certificate 0B has been revoked. At this point only the CA knows it is revoked; nobody else does, so a certificate revocation list (CRL) must be generated:
openssl ca -gencrl -out crl.pem
This reports an error: /etc/pki/CA/crlnumber cannot be found. That file stores the CRL number.
echo 09 > crlnumber
openssl ca -gencrl -out crl.pem  Now the revocation list is generated, and
tree --> shows the new crl.pem. crl.pem can be sent to Windows and viewed after changing its suffix.
Finally publish it on the network so that users learn the certificate has been revoked.
If the revocation was a mistake, undo it with:
mv index.txt index.txt.bak
mv index.txt.old index.txt
openssl ca -status 0B --> 0B=Valid shows that certificate 0B has been restored.

openssl verify -CAfile cacert.pem certs/app.crt
This command checks whether app.crt was issued by this CA, i.e. it verifies the certificate; if it was, OK is printed.

Summary of the steps:
1 Establish the CA
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
> index.txt
echo 09 > serial
2 Apply for a certificate
(umask 066; openssl genrsa -out /test/app.key 1024)
openssl req -new -key /test/app.key -out /test/app.csr
3 Issue the certificate
openssl ca -in /test/app.csr -out /etc/pki/CA/certs/app.crt -days 100
Now send the certificate, the private key and the CA certificate to the user on centos6, who can then use them.
4 Revoke the certificate
openssl ca -revoke newcerts/0B.pem
openssl ca -status 0B
echo 09 > crlnumber
openssl ca -gencrl -out /etc/pki/CA/crl.pem

Analysis of what happens when items 1, 2 and 4 do not match those given above (experiment on the same computer):
1. First create a new private key: (umask 066; openssl genrsa -out /data/app2.key 1024)
2. Then generate a certificate request: openssl req -new -key /data/app2.key -out /data/app2.csr
Deliberately fill in different registration information. Two files are now generated under /data/: app2.csr and app2.key.
3. Issue the certificate: openssl ca -in /data/app2.csr -out certs/app2.crt -days 200
This fails with an error saying the organization is different.
Fix:
Edit the configuration file, vim /etc/pki/tls/openssl.cnf, so that items 1, 2 and 4 are allowed to differ. Then issue the certificate again: tree shows the new files, cat serial now gives 0B, and cat index.txt shows two lines, meaning a second record has been written and the new certificate request succeeded.

Note: a certificate request for the same subject cannot be issued more than once. cat index.txt.attr in /etc/pki/CA shows unique_subject = yes, meaning the subject must be unique, so the same subject cannot be issued twice. Change yes to no and it can be issued repeatedly. Because this file sits in the working directory it takes priority over the configuration file, so only by editing it (vim index.txt.attr and changing yes to no) can the certificate be issued multiple times.
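A runnable version of the whole procedure, as an added example that is not part of the original note: it builds a throwaway CA in a temporary directory with its own minimal openssl.cnf (standing in for /etc/pki/tls/openssl.cnf), creates index.txt, serial and crlnumber up front, issues and verifies a certificate, shows that a request whose C/ST/O differ is refused by policy_match and that a repeated subject is refused by unique_subject, then revokes the certificate and shows that plain -CAfile verification still says OK until the CRL is supplied. It assumes the openssl command and a POSIX shell are available; the 2048-bit keys and the CA name ca.magedu.com are my choices, not the note's.

```shell
# Added example (not from the original note): a throwaway private CA that replays
# the note's steps (index.txt, serial, crlnumber, issue, verify, revoke, CRL and
# the C/ST/O policy check) with its own minimal openssl.cnf in a temp directory.
set -e
CA=$(mktemp -d); cd "$CA"; mkdir certs crl newcerts private
: > index.txt; echo 09 > serial; echo 09 > crlnumber   # the three files the note had to create
cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match              # prompt item 1
stateOrProvinceName = match      # prompt item 2
organizationName = match         # prompt item 4
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
DN="/C=CN/ST=beijing/O=magedu"
(umask 077; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
openssl req -config ca.cnf -new -x509 -key private/cakey.pem -days 3650 -subj "$DN/CN=ca.magedu.com" -out cacert.pem
(umask 066; openssl genrsa -out app.key 2048 2>/dev/null)
openssl req -config ca.cnf -new -key app.key -subj "$DN/CN=www.magedu.com" -out app.csr
# -batch answers the two y/n prompts; the cert also lands in newcerts/09.pem and serial becomes 0A.
openssl ca -config ca.cnf -batch -in app.csr -out certs/app.crt -days 100 2>/dev/null
# Status from the index.txt database, like "openssl ca -status 0B" in the note: prints Valid or Revoked.
ca_status()   { openssl ca -config ca.cnf -status "$1" 2>&1 | sed -n 's/^[0-9A-F]*=\([A-Za-z]*\).*/\1/p'; }
# -CAfile alone never notices a revocation; the CRL must be handed to the verifier as well.
verify_ca()   { openssl verify -CAfile cacert.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL; }
verify_crl()  { openssl verify -crl_check -CAfile cacert.pem -CRLfile crl/crl.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL; }
# Try to issue for a subject; policy_match (differing C/ST/O) or unique_subject (repeated subject) leaves no cert.
try_issue()   { openssl req -config ca.cnf -new -key app.key -subj "$1" -out other.csr 2>/dev/null; rm -f other.crt
                openssl ca -config ca.cnf -batch -in other.csr -out other.crt -days 100 >/dev/null 2>&1 || true; [ -s other.crt ] && echo issued || echo rejected; }
# Revoke by serial and publish a fresh CRL (needs the crlnumber file, as the note found).
revoke_cert() { openssl ca -config ca.cnf -revoke "newcerts/$1.pem" 2>/dev/null && openssl ca -config ca.cnf -gencrl -out crl/crl.pem 2>/dev/null; }
```

Call revoke_cert 09 and compare verify_ca and verify_crl on certs/app.crt to see the difference between knowing about a revocation locally and publishing it.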
