{"id":371,"date":"2014-12-21T20:20:14","date_gmt":"2014-12-21T12:20:14","guid":{"rendered":"http:\/\/www.ipcpu.com\/?p=371"},"modified":"2014-12-21T20:20:14","modified_gmt":"2014-12-21T12:20:14","slug":"openssl-private","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2014\/12\/openssl-private\/","title":{"rendered":"Generating a root certificate and a server certificate with OpenSSL and signing the certificate"},"content":{"rendered":"

<h4>1. Modify the CA directory in the OpenSSL configuration file<\/h4>\n

<p>On most operating systems the default does not need to be changed.<\/p>\n

<pre><code>cat \/etc\/pki\/tls\/openssl.cnf
dir = \/etc\/pki\/CA<\/code><\/pre>\n

<h4>2. Generate the root certificate and its private key<\/h4>\n
<pre><code>cd \/etc\/pki\/CA
# create the directories the certificates are stored in
mkdir private crl certs newcerts
# create the serial file and write the initial serial number 00
echo '00' > serial
# create an empty index.txt
touch index.txt
# generate the CA root private key
openssl genrsa -out private\/cakey.pem 2048
# generate the CA root certificate
openssl req -new -x509 -key private\/cakey.pem -out cacert.pem -days 3650<\/code><\/pre>\n

<h4>3. Generate the server private key and certificate signing request<\/h4>\n
<pre><code>cd \/etc\/nginx
# generate the site private key
openssl genrsa -out m.ipcpu.com.key 2048
# generate the certificate signing request
openssl req -new -key m.ipcpu.com.key -out m.ipcpu.com.csr<\/code><\/pre>\n

<h4>4. Sign the certificate with the local CA<\/h4>\n
<pre><code>openssl ca -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365<\/code><\/pre>\n

<p>When signing succeeds, OpenSSL reports that the database has been updated.<\/p>\n

<pre><code>[root@ip-172-31-32-208 nginx]# openssl ca -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365
Using configuration from \/etc\/pki\/tls\/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Dec 20 15:20:03 2014 GMT
            Not After : Dec 20 15:20:03 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = ipcpu.com
            organizationalUnitName    = ops
            commonName                = m.ipcpu.com
            emailAddress              = m@ipcpu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AA:00:B2:61:9F:55:D1:C6:67:69:75:B4:BF:5D:3C:A3:DC:A8:82:94
            X509v3 Authority Key Identifier: 
                keyid:87:73:06:6C:EF:01:EB:9B:47:3B:69:4E:26:21:76:9A:61:F3:E2:A5

Certificate is to be certified until Dec 20 15:20:03 2015 GMT (365 days)
Sign the certificate? [y\/n]:y


1 out of 1 certificate requests certified, commit? [y\/n]y
Write out database with 1 new entries
Data Base Updated<\/code><\/pre>\n

<p>At this point both serial and index.txt in the CA directory have been updated.<\/p>\n

<pre><code>[root@ip-172-31-32-208 CA]# cat serial
01
[root@ip-172-31-32-208 CA]# cat index.txt
V 151220152003Z  00 unknown \/C=CN\/ST=Beijing\/O=ipcpu.com\/OU=ops\/CN=m.ipcpu.com\/emailAddress=m@ipcpu.com
[root@ip-172-31-32-208 CA]#<\/code><\/pre>\n

<p>Reference article: http:\/\/www.haiyun.me\/archives\/openssl-ca-cert.html<\/p>\n


<p>Please credit when reposting: IPCPU-\u7f51\u7edc\u4e4b\u8def » Generating a root certificate and a server certificate with OpenSSL and signing the certificate<\/p>","protected":false},"excerpt":{"rendered":"

[…]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,13],"tags":[28,8,9],"_links":{"self":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/371"}],"collection":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/comments?post=371"}],"version-history":[{"count":0,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/371\/revisions"}],"wp:attachment":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/media?parent=371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/categories?post=371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/tags?post=371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}