2020 年 3 月 21 日
在根 CA 目录下创建中级 CA 的证书签发目录结构
[root@ip-172-31-2-174 ca]# mkdir -p intermediate/{certs,crl,csr,newcerts,private}
[root@ip-172-31-2-174 ca]# chmod 700 intermediate/private/
[root@ip-172-31-2-174 ca]# touch intermediate/index.txt
[root@ip-172-31-2-174 ca]# echo 1000 > intermediate/serial
准备中级CA配置文件
[root@ip-172-31-2-174 ca]# vi intermediate/openssl.cnf
生成中级CA私钥
openssl genrsa -aes256 \
    -out intermediate/private/intermediate.key.pem 4096
[root@ip-172-31-2-174 ca]# openssl genrsa -aes256 \
> -out intermediate/private/intermediate.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...................................................................................................................................................................++
....................++
e is 65537 (0x10001)
Enter pass phrase for intermediate/private/intermediate.key.pem:
Verifying - Enter pass phrase for intermediate/private/intermediate.key.pem:
[root@ip-172-31-2-174 ca]# chmod 400 intermediate/private/intermediate.key.pem
[root@ip-172-31-2-174 ca]#
生成中级CA CSR文件
openssl req -config intermediate/openssl.cnf -new -sha256 \
    -key intermediate/private/intermediate.key.pem \
    -out intermediate/csr/intermediate.csr.pem
[root@ip-172-31-2-174 ca]# openssl req -config intermediate/openssl.cnf -new -sha256 \
> -key intermediate/private/intermediate.key.pem \
> -out intermediate/csr/intermediate.csr.pem
Enter pass phrase for intermediate/private/intermediate.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name [England]:Guangdong
Locality Name []:Shenzhen
Organization Name [Alice Ltd]:YSWM
Organizational Unit Name []:YSWM Certificate Authority
Common Name []:YSWM Intermediate CA
Email Address []:
[root@ip-172-31-2-174 ca]#
生成中级CA证书
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
    -days 3650 -notext -md sha256 \
    -in intermediate/csr/intermediate.csr.pem \
    -out intermediate/certs/intermediate.cert.pem
[root@ip-172-31-2-174 ca]# openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
> -days 3650 -notext -md sha256 \
> -in intermediate/csr/intermediate.csr.pem \
> -out intermediate/certs/intermediate.cert.pem
Using configuration from openssl.cnf
Enter pass phrase for /root/ca/private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Mar 21 05:54:42 2020 GMT
            Not After : Mar 19 05:54:42 2030 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = YSWM
            organizationalUnitName    = YSWM Certificate Authority
            commonName                = YSWM Intermediate CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF
            X509v3 Authority Key Identifier:
                keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Mar 19 05:54:42 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ip-172-31-2-174 ca]#
验证中级 CA 证书信息（有效期 10 年）。查看输出时应重点核对：Issuer 为根 CA（CN=YSWM ROOT CA）、Not After 为 2030 年、Basic Constraints 为 critical 且 CA:TRUE, pathlen:0（即该中级 CA 只能签发终端实体证书，不能再签发下级 CA）。除了查看证书内容，还应用根 CA 证书校验签名链：`openssl verify -CAfile <根CA证书路径> intermediate/certs/intermediate.cert.pem`，输出 OK 才说明链是完整的。
[root@ip-172-31-2-174 ca]# openssl x509 -in intermediate/certs/intermediate.cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=Guangdong, L=Shenzhen, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM ROOT CA Validity Not Before: Mar 21 05:54:42 2020 GMT Not After : Mar 19 05:54:42 2030 GMT Subject: C=CN, ST=Guangdong, O=YSWM, OU=YSWM Certificate Authority, CN=YSWM Intermediate CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a6:94:a7:fd:6b:0d:d5:28:48:82:26:ce:cf:55: eb:d6:b5:d8:f2:f3:57:13:53:e7:d6:95:c7:b4:51: 2e:ef:f5:20:df:e1:a6:23:63:72:2e:5d:5d:82:5b: 4d:6b:cb:4a:ee:25:57:0e:1a:7f:f6:fd:51:62:20: 88:c8:6d:b4:a9:34:60:ea:a2:6f:52:f0:ef:56:0e: 27:65:d3:e5:ad:a1:74:60:eb:11:50:c9:d6:37:11: fc:4e:89:f4:35:ca:b9:34:f1:22:ff:2a:ca:fc:f5: e4:9d:c9:49:0f:d9:54:aa:1e:0f:b6:50:d7:84:b0: ee:b3:a8:be:ce:16:10:24:00:7a:dc:e7:2d:b5:58: 79:9d:07:11:66:d0:77:4a:78:f4:37:b0:cd:3d:8c: 8d:91:fc:16:9d:70:3d:4e:b2:9b:7f:8a:37:5a:8b: 6d:e7:64:bb:fd:76:be:01:7e:e8:cf:81:f8:94:52: a1:c8:f8:aa:dc:f8:06:86:38:ba:23:ec:b9:08:1b: a6:fa:66:b1:12:66:84:af:41:dc:b1:bb:9c:06:6a: 82:2d:3b:06:19:6d:bf:e9:cd:ac:fa:a2:b9:2a:70: 61:f2:94:2c:2b:3e:5f:eb:c8:bb:e1:e8:0c:d1:52: 93:e9:71:a5:71:81:fc:04:58:34:59:c4:2f:1e:a5: 0b:43:13:a3:53:4c:c1:0c:b6:0b:1e:aa:a7:30:bf: 76:26:42:79:aa:02:cd:d1:42:40:21:e0:a0:a2:61: e8:6d:24:14:c7:53:67:99:6c:c4:ae:0c:a3:c2:76: 8c:0d:2a:18:42:85:c6:f6:29:fe:e9:56:4d:55:48: 19:9b:57:14:c8:19:5c:eb:b9:90:60:06:ed:37:ca: 0d:a6:9a:7d:4c:68:b3:0c:12:df:3a:d8:e4:d6:fa: b3:dc:72:dc:5c:68:c7:3a:0d:1b:8a:47:58:b0:23: e3:8f:78:a7:63:8e:e0:f8:96:dc:82:77:ab:11:60: d5:af:77:4d:5e:fb:7a:e4:de:1e:ca:a9:f4:5c:c4: f1:2c:95:f6:24:df:00:25:8b:a9:10:0c:6a:de:e2: 75:64:62:70:34:fd:9b:2e:04:fc:fc:b4:74:cd:97: 65:e7:53:b9:63:e5:13:5e:0b:1f:4e:5e:fa:48:be: d2:16:c8:31:a4:46:a0:9f:7f:ca:6b:0b:f0:c6:b0: ac:18:14:66:d2:fb:c6:07:94:8a:ae:61:2c:b8:4d: 
b8:9c:2b:aa:72:51:5f:3e:8e:64:b6:d9:42:fe:84: 92:38:ba:dc:c5:02:82:1f:65:95:d0:0f:c1:05:62: 82:30:6a:5d:63:65:82:b6:4d:4b:f2:aa:4f:7a:87: fd:c3:13 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 80:81:95:8B:B9:21:57:07:AE:5E:E2:0A:2C:EE:88:2D:B6:DB:EF:EF X509v3 Authority Key Identifier: keyid:9A:A7:2A:30:06:3C:68:D4:92:6F:59:91:59:6B:E6:EC:E0:34:36:1F X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption 9c:c0:fb:0f:f0:0e:4f:8b:b9:12:f5:9d:1a:9c:29:93:19:9e: cc:7d:23:f9:cd:f7:94:10:41:27:38:05:f1:f8:be:f8:cf:b8: 4d:4f:84:19:4e:ac:47:98:09:ee:d6:1d:a9:ba:2f:a5:29:c2: 1c:80:9d:c4:e5:9d:77:ba:60:dc:47:ca:fe:0f:5c:98:81:85: 48:22:cc:7b:11:be:80:fa:d8:1e:ad:b0:4d:3c:5d:d5:eb:3e: 88:52:67:0a:64:72:24:32:b5:ed:72:75:26:6d:61:7f:f1:48: 7a:72:36:40:23:ca:f6:82:9f:1c:6e:59:38:d1:bb:57:08:a1: a4:a5:88:bd:a4:a6:24:0d:68:96:36:5b:ba:2c:dd:0e:59:09: 10:c4:43:f7:e7:c9:ac:11:b6:8b:23:4b:be:9f:e8:13:18:c5: 75:22:2f:59:27:41:60:e2:54:5b:f0:1e:9d:0f:73:61:04:37: c9:a3:62:1b:6c:27:15:36:67:e0:0c:cf:f2:8c:fe:a9:cf:36: 5f:a4:ba:c5:d0:e4:a9:d1:45:0e:56:70:2e:a6:4b:e0:92:72: dd:ca:45:6f:ae:5b:f1:63:3c:a0:7a:85:77:48:b9:02:c9:bb: 68:79:35:80:d5:d5:7c:4f:b0:bc:3b:19:6a:ef:d0:b4:d5:c8: 6b:ec:3b:54:d5:28:6a:d0:71:b8:a0:1f:3a:87:ff:71:41:a4: 18:cf:10:03:96:93:fc:55:80:85:3d:f2:2a:ac:62:7c:0d:e4: 81:52:10:51:3d:fb:8a:81:2b:1b:6f:9f:1d:86:fa:a2:45:88: c2:8f:db:fe:77:7f:c0:13:1b:d4:97:bd:07:19:47:ce:5f:68: 0c:ac:2f:6c:51:86:21:c1:81:f7:fd:a6:32:e3:5d:78:79:eb: 25:90:e1:e4:9b:0a:5e:9f:e5:97:b4:8e:44:03:23:0d:af:99: 53:f0:54:82:26:8f:fe:8f:ce:5a:20:67:4e:23:c5:73:a6:42: 1c:76:23:96:d9:be:0a:9d:fc:4e:74:75:04:61:53:b2:6f:68: 2f:6c:34:e3:52:b9:19:52:64:94:7c:53:99:6c:f1:4f:92:1a: b4:a6:58:1c:c6:b0:9b:64:ca:68:94:98:99:47:bf:12:9c:6d: 06:c2:35:58:16:d5:97:84:a3:f5:5b:2e:43:61:b4:8f:ae:1a: 70:e6:5a:bf:26:68:58:f4:92:06:6e:84:75:44:99:ba:6f:e2: 
01:3e:4d:e2:f9:9b:96:91:f7:e8:77:2d:3f:aa:76:9d:3f:46: 17:8c:bb:92:aa:d2:cb:46:72:6b:ae:df:a5:bd:0f:67:11:c0: b0:28:79:44:91:fa:93:13 [root@ip-172-31-2-174 ca]#