Create the root pair
Create the root pair
秋风醉了 发表于2年前
Create the root pair
  • 发表于 2年前
  • 阅读 34
  • 收藏 0
  • 点赞 0
  • 评论 0
摘要: Create the root pair

Create the root pair

https://jamielinux.com/docs/openssl-certificate-authority/index.html

Prepare the directory

首先做一些准备工作,

➜  ~  mkdir CA
➜  ~  cd CA
➜  CA  mkdir certs crl newcerts private
➜  CA  chmod 700 private
➜  CA  touch index.txt
➜  CA  echo 1000 > serial
➜  CA  ll
total 8
drwxr-xr-x  2 xinxingegeya  staff    68B  1  3 12:00 certs
drwxr-xr-x  2 xinxingegeya  staff    68B  1  3 12:00 crl
-rw-r--r--  1 xinxingegeya  staff     0B  1  3 12:00 index.txt
drwxr-xr-x  2 xinxingegeya  staff    68B  1  3 12:00 newcerts
drwx------  2 xinxingegeya  staff    68B  1  3 12:00 private
-rw-r--r--  1 xinxingegeya  staff     5B  1  3 12:01 serial
➜  CA


Prepare the configuration file

配置ca的配置文件:http://my.oschina.net/xinxingegeya/blog/596453


Create the root key

Create the root key (ca.key.pem) and keep it absolutely secure. Anyone in possession of the root key can issue trusted certificates. Encrypt the root key with AES 256-bit encryption and a strong password.

Use 4096 bits for all root and intermediate certificate authority keys. You’ll still be able to sign server and client certificates of a shorter length.

➜  CA   openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................................................................................++
...........................................................................++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:
Verifying - Enter pass phrase for private/ca.key.pem:
➜  CA  chmod 400 private/ca.key.pem


Create the root certificate

Use the root key (ca.key.pem) to create a root certificate (ca.cert.pem). Give the root certificate a long expiry date, such as twenty years. Once the root certificate expires, all certificates signed by the CA become invalid.

Whenever you use the req tool, you must specify a configuration file to use with the -config option, otherwise OpenSSL will default to $openssl-dir/openssl.cnf

➜  CA  openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name [BeiJing]:Beijing
Locality Name []:Beijing
Organization Name [Usoft Inc]:Usoft Inc
Organizational Unit Name []:developer
Common Name []:usoft.com
Email Address []:744858873@qq.com
➜  CA  chmod 444 certs/ca.cert.pem

主要命令:openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem


Verify the root certificate

➜  CA  openssl x509 -noout -text -in certs/ca.cert.pem

The output shows:

  • the Signature Algorithm used

  • the dates of certificate Validity

  • the Public-Key bit length

  • the Issuer, which is the entity that signed the certificate

  • the Subject, which refers to the certificate itself

https://jamielinux.com/docs/openssl-certificate-authority/index.html

===========END===========

共有 人打赏支持
粉丝 215
博文 608
码字总数 434545
×
秋风醉了
如果觉得我的文章对您有用,请随意打赏。您的支持将鼓励我继续创作!
* 金额(元)
¥1 ¥5 ¥10 ¥20 其他金额
打赏人
留言
* 支付类型
微信扫码支付
打赏金额:
已支付成功
打赏金额: