
Building a private CA on CentOS 8

Building the private CA:

CentOS 8 does not ship the files needed under /etc/pki/CA/, so create the directory layout first:
[root@centos8 ~]#for dir in certs crl newcerts private ; do mkdir -pv /etc/pki/CA/$dir;done
# create the required files
[root@centos8 ~]#touch /etc/pki/CA/index.txt #create the certificate index database
[root@centos8 ~]#echo 01 > /etc/pki/CA/serial #set the serial number of the first certificate to be issued
# generate the CA private key
[root@centos8 ~]#cd /etc/pki/CA/
[root@centos8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
......................................+++++
e is 65537 (0x010001)
# generate the CA's self-signed certificate
[root@centos8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
# inspect the self-signed certificate
[root@centos8 CA]#openssl x509 -text -in cacert.pem -noout


Option descriptions:

-new: generate a new certificate signing request
-x509: used only by the CA to produce a self-signed certificate
-key: the private key used to generate the request
-days n: validity period of the certificate, in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate


Requesting and issuing a certificate

[root@centos8 CA]#cd /data/
# generate a private key for the host that needs the certificate
# (1024-bit RSA is below current minimums; 2048 bits or more is recommended)
[root@centos8 data]#openssl genrsa -out docker.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........+++++
........+++++
e is 65537 (0x010001)
# generate the certificate signing request (CSR) for that host
[root@centos8 data]#openssl req -new -key docker.key -out docker.csr
# the CA signs the request and issues the certificate to the requester
[root@centos8 data]#openssl ca -in /data/docker.csr -out /etc/pki/CA/certs/docker.crt -days 720
*** By default the country, state/province and organization name in the request must match the CA's!
[root@centos8 data]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── docker.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old


Revoking a certificate

# look up the serial number and subject of the certificate to be revoked
[root@centos8 data]#openssl x509 -in /etc/pki/CA/certs/docker.crt -noout -serial -subject
# revoke it via the CA's own copy in newcerts/ (serial 01)
[root@centos8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem
# set the initial CRL number (only needed before the first CRL is generated)
[root@centos8 CA]#echo 11 >/etc/pki/CA/crlnumber
# generate the certificate revocation list
[root@centos8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
# the CRL number is incremented each time a CRL is generated
[root@centos8 CA]#cat /etc/pki/CA/crlnumber
12
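As an added example (not part of the original post), the script below runs the same issue-then-revoke workflow in a throwaway directory instead of /etc/pki/CA, using a minimal stand-in for the system openssl.cnf, and adds the check the post leaves out: the issued certificate must verify against the CA, and must stop verifying once it is revoked and a CRL is published. The subjects, the hostname docker.example.internal and the config file name are constructed values; it only needs the openssl command.

```shell
# Added example (not from the original post): the same workflow in a throwaway
# directory instead of /etc/pki/CA, plus the check the post leaves out: the
# issued cert must verify, and must stop verifying once revoked via the CRL.
set -e
ca_demo() (
    ca=$(mktemp -d); cd "$ca"; mkdir -p certs crl newcerts private
    touch index.txt; echo 01 > serial; echo 11 > crlnumber
    # Minimal stand-in for openssl.cnf; policy_match is the default C/ST/O rule.
    cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 720
default_crl_days = 30
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 066; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config ca.cnf -key private/cakey.pem -days 3650 \
        -out cacert.pem -subj "/C=CN/ST=Beijing/O=Example/CN=Example Private CA"
    openssl genrsa -out docker.key 2048 2>/dev/null   # 2048, not the post's 1024
    openssl req -new -config ca.cnf -key docker.key -out docker.csr \
        -subj "/C=CN/ST=Beijing/O=Example/CN=docker.example.internal"
    openssl ca -batch -config ca.cnf -in docker.csr -out certs/docker.crt 2>/dev/null
    openssl verify -CAfile cacert.pem certs/docker.crt >/dev/null   # must pass
    openssl ca -config ca.cnf -revoke newcerts/01.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    # A CRL-aware verifier must now reject the certificate.
    if openssl verify -crl_check -CAfile cacert.pem -CRLfile crl.pem \
           certs/docker.crt >/dev/null 2>&1; then echo still-valid; exit 1; fi
    echo revoked
)
```

Call `ca_demo` to run it; it prints `revoked` on success, and a plain `openssl verify` without `-crl_check` would still report the revoked certificate as OK, which is why relying parties must be configured to consult the CRL.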