1.生成隨機(jī)密碼:
#第一種:
[19:19:16 root@rocky8 ~]#tr -dc '[:alnum:]' < /dev/urandom |head -c 8;echo
#第二種:
[19:18:18 root@rocky8 ~]#openssl rand -base64 9|head -c 8;echo
2.生成私鑰
8版本生成私鑰,默認(rèn)權(quán)限600,安全
[19:19:30 root@rocky8 ~]#openssl genrsa -out /data/nginx.key
centos7版本生成的私鑰文件權(quán)限不安全,所以寫腳本考慮通用性用以下命令生成私鑰
[19:21:39 root@rocky8 ~]#(umask 666;openssl genrsa -out /data/nginx.key)
3.創(chuàng)建CA證書
1、創(chuàng)建CA所需要的文件
#查看CA證書配置文件,里面有配置要求
[19:29:29 root@rocky8 ~]#cat /etc/pki/tls/openssl.cnf
#復(fù)制centos7上的CA目錄文件到rocky8
[root@centos7 ~]# scp -r /etc/pki/CA 10.0.0.18:/etc/pki/
2、生成CA私鑰
[13:25:37 root@rocky8-1 ~]#cd /etc/pki/CA
[13:27:34 root@rocky8-1 CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
3、生成CA自簽名證書
[13:28:13 root@rocky8-1 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
查詢國(guó)家編碼
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:m49
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:
#查看自簽名證書:
[13:38:07 root@rocky8-1 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
#或者上傳到window電腦查看
[13:38:07 root@rocky8-1 CA]# sz /etc/pki/CA/cacert.pem
#需要更改后綴名為crt或者cer,window才能識(shí)別
4、申請(qǐng)證書并頒發(fā)證書
[13:40:22 root@rocky8-1 ~]#(umask 066;openssl genrsa -out /data/test.key 2048)
[13:40:53 root@rocky8-1 ~]#openssl req -new -key /data/test.key -out /data/test.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:m49-class
Common Name (eg, your name or your server's hostname) []:www.m49.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[13:43:49 root@rocky8-1 ~]#touch /etc/pki/CA/index.txt
[13:44:17 root@rocky8-1 ~]#echo 0F > /etc/pki/CA/serial
[13:44:42 root@rocky8-1 ~]#openssl ca -in /data/test.csr -out /etc/pki/CA/certs/test.crt -days 100
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[13:44:52 root@rocky8-1 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
生成證書完畢
下面給第二個(gè)用戶頒發(fā)證書
[13:47:16 root@rocky8-1 ~]#(umask 066;openssl genrsa -out /data/test2.key 2048)
[13:47:24 root@rocky8-1 ~]#openssl req -new -key /data/test2.key -out /data/test2.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:m49
Common Name (eg, your name or your server's hostname) []:www.m59.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[13:48:59 root@rocky8-1 ~]#openssl ca -in /data/test2.csr -out /etc/pki/CA/certs/test2.crt -days 100
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[13:51:55 root@rocky8-1 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ ├── test2.crt
│ └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 0F.pem
│ └── 10.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 12 files
[13:52:33 root@rocky8-1 ~]#cat /etc/pki/CA/serial
11
吊銷證書:
[13:53:20 root@rocky8-1 ~]#openssl ca -revoke /etc/pki/CA/newcerts/10.pem
#查看被吊銷證書狀態(tài)變?yōu)镽
[13:54:02 root@rocky8-1 ~]#cat /etc/pki/CA/index.txt
V 250324054444Z 0F unknown /C=CN/ST=beijing/O=magedu/OU=m49-class/CN=www.m49.com
R 250324055152Z 241214055353Z 10 unknown /C=CN/ST=beijing/O=magedu/OU=m49/CN=www.m59.com
指定第一個(gè)吊銷證書的編號(hào):注意:第一次更新證書吊銷列表前,才需要執(zhí)行
[13:54:50 root@rocky8-1 ~]#echo 01 > /etc/pki/CA/crlnumber
更新證書吊銷列表
[13:54:50 root@rocky8-1 ~]#echo 01 > /etc/pki/CA/crlnumber
查看被吊銷列表
[13:57:36 root@rocky8-1 ~]#cat /etc/pki/CA/crl.pem
[13:59:32 root@rocky8-1 ~]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
也可以拿到window查看,注意更改后綴.crl
生成CA證書還有一種方法更簡(jiǎn)單
注:一定是在centos7上操作
[root@centos7 ~]# cd /etc/pki/tls/certs/
[root@centos7 certs]# pwd
/etc/pki/tls/certs
[root@centos7 certs]# mkdir /data
[root@centos7 certs]# make /data/m49.key
#輸入加密密碼
Enter pass phrase:
Verifying - Enter pass phrase:
不想輸入密碼(把genrsa后的aes128刪掉就沒有密碼了)
[root@centos7 certs]# vim Makefile
%.key:
umask 77 ; \
/usr/bin/openssl genrsa $(KEYLEN) > $@
[root@centos7 certs]# make /data/test.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.m49.com
Email Address []:
[root@centos7 certs]# openssl x509 -in /data/test.crt -noout -text
拷貝到8上執(zhí)行
[root@centos7 certs]# scp Makefile 10.0.0.8:
[19:31:40 root@rocky8 ~]#make
