
Building a PKI Certificate Hierarchy with OpenSSL

1 Create the PKI directory structure

mkdir 07_PKI
cd 07_PKI
mkdir 01_RootCA 02_SubCA 03_Client

2 Create the root CA

cd 01_RootCA
mkdir key csr cert newcerts
touch index.txt index.txt.attr
echo 01 > serial

2.1 Create the root CA key pair

2.1.1 Generate a 2048-bit RSA private key.

cd key
openssl genrsa -out pri_key.pem 2048

2.1.2 View the generated RSA private key.

openssl rsa -in pri_key.pem -text

2.1.3 Extract the RSA public key from the private key file.

openssl rsa -in pri_key.pem -pubout -out pub_key.pem

2.2 Create the root CA certificate signing request (CSR)

2.2.1 Create the CSR

Create the root CA configuration file rootca.conf:

cd ..
touch rootca.conf

The root CA configuration file rootca.conf reads as follows:

[ ca ]
default_ca  = CA_default

# Settings used by "openssl ca" when this root signs certificates
[ CA_default ]
dir         = E:/07_PKI/01_RootCA
certs       = $dir/cert
crl_dir     = $dir/crl
database    = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate = $dir/cert/rootca_cert.crt
serial      = $dir/serial
crlnumber   = $dir/crlnumber
crl         = $dir/crl.pem
private_key = $dir/key/pri_key.pem
RANDFILE    = $dir/key/.rand
unique_subject  = no
x509_extensions = usr_cert
copy_extensions = copy
name_opt    = ca_default
cert_opt    = ca_default
default_days    = 5475
default_crl_days= 60
default_md  = sha256
preserve    = no
policy      = policy_ca

# Which subject fields a request must carry before this CA will sign it
[ policy_ca ]
countryName     = supplied
stateOrProvinceName = supplied
localityName        = supplied
organizationName    = supplied
organizationalUnitName  = optional
commonName      = supplied
emailAddress    = optional

# Settings used by "openssl req" when building the CSR
[ req ]
default_bits        = 2048
default_keyfile     = pri_key.pem
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt                  = no

[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = GuangDong
localityName        = ShenZhen
organizationName    = TangTring
commonName          = RootCA

# Default extensions for certificates this CA issues (x509_extensions above)
[ usr_cert ]
basicConstraints = CA:TRUE

# Extensions for the root certificate itself
[ v3_ca ]
basicConstraints = CA:TRUE

[ req_attributes ]

Create the root CA certificate signing request file, specifying sha256 as the signature algorithm (the default is sha1).

cd csr
openssl req -new -key ../key/pri_key.pem -out rootca_csr.pem -config ../rootca.conf

2.2.2 View the CSR

openssl req -in rootca_csr.pem

The output is the PEM-encoded request (a base64 block between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines).


To print the request contents in text form, use the -noout -text options.

openssl req -in rootca_csr.pem -text -noout

The output is:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=TangTring, CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:68:c3:37:c8:1e:dd:ff:62:0a:b0:1f:b2:b2:
                    e5:9f:f4:4c:5f:3e:c4:02:a3:0c:22:31:a6:0a:13:
                    25:41:d5:c4:02:b0:93:fc:57:71:7e:8a:26:39:67:
                    d3:1d:14:d1:12:71:6d:85:9f:70:f9:33:aa:92:f8:
                    0e:c9:0b:a2:14:64:c9:45:9d:9c:dd:3d:85:89:d7:
                    c5:27:9c:80:d3:a5:0e:10:b0:57:59:7a:a1:8e:f6:
                    18:3f:e1:16:1a:d7:67:d2:43:a0:fe:d0:3b:40:a4:
                    c6:67:28:20:43:32:50:9a:c0:1f:66:49:39:be:95:
                    75:3a:4f:99:b7:0a:31:59:93:cb:d3:fc:41:47:16:
                    40:b8:5d:a0:c4:1c:8d:e0:cb:7c:d6:bb:20:58:ba:
                    30:3d:7e:57:b4:83:43:0a:27:c4:c7:50:65:1d:91:
                    b1:95:65:16:54:85:63:d5:20:1f:fa:0d:92:e3:6b:
                    39:77:5c:4d:a
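As an added example (not code from the original post), the root CA steps above combined into one script that builds the directory, key, config and CSR, then goes one step further and self-signs the root certificate through openssl ca and checks the result. It assumes a POSIX shell, the openssl CLI, and a working directory passed as an argument in place of the post's E:/07_PKI/01_RootCA path; the critical markers on the CA extensions are an addition here.

```shell
# Added example, not code from the original post: the root CA steps above run
# end to end, then the root self-signed with "openssl ca" and checked.
# Assumes a POSIX shell and the openssl CLI; $1 is the working directory
# (the post uses E:/07_PKI/01_RootCA).
set -eu
make_root_ca() {
  dir=$1
  mkdir -p "$dir/key" "$dir/csr" "$dir/cert" "$dir/newcerts"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"
  # Trimmed rootca.conf from the post (dir filled in; critical CA extensions added here).
  cat > "$dir/rootca.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/key/pri_key.pem
certificate = \$dir/cert/rootca_cert.crt
default_days = 5475
default_md = sha256
policy = policy_ca
[ policy_ca ]
countryName = supplied
organizationName = supplied
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
countryName = CN
organizationName = TangTring
commonName = RootCA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/key/pri_key.pem" 2048 >/dev/null 2>&1
  openssl req -new -sha256 -key "$dir/key/pri_key.pem" -config "$dir/rootca.conf" -out "$dir/csr/rootca_csr.pem"
  # A CSR carries a self-signature by the requester's key; -verify checks it.
  openssl req -in "$dir/csr/rootca_csr.pem" -noout -verify >/dev/null 2>&1
  # Self-sign through "openssl ca" so index.txt and serial are maintained, as later sub CA issuance needs.
  openssl ca -batch -selfsign -notext -config "$dir/rootca.conf" -extensions v3_ca -in "$dir/csr/rootca_csr.pem" -out "$dir/cert/rootca_cert.crt" >/dev/null 2>&1
}
# Returns 0 only if the certificate is marked as a CA (basicConstraints CA:TRUE).
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

Run `make_root_ca "$(mktemp -d)"` and inspect cert/rootca_cert.crt with `openssl x509 -noout -text`; note that the CSR itself carries no extensions, since the config sets x509_extensions rather than req_extensions, so CA:TRUE only appears once the CA applies v3_ca at signing.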
