CFSSL: Certificate Management Tool: 2: Creating the CA Private Key and CA Certificate
Published: 2021-06-30 20:15:39  Views: 2  Category: Technical articles



There are several ways to generate a CA's private key and self-signed certificate with OpenSSL; doing the same with CFSSL is just as simple.

Preparation

Decide on the length of the CA private key and the Subject information for the CSR. A template for the CSR file can be generated with cfssl print-defaults and then edited.

Generating the CSR file template

[root@liumiaocn cfssl]# ls
cfssl  cfssl-certinfo  cfssljson
[root@liumiaocn cfssl]# mkdir ca
[root@liumiaocn cfssl]# cd ca
[root@liumiaocn ca]# ../cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.6
[root@liumiaocn ca]# 
[root@liumiaocn ca]# ../cfssl print-defaults list
Default configurations are available for:
	config
	csr
[root@liumiaocn ca]# 
[root@liumiaocn ca]# ../cfssl print-defaults csr
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
[root@liumiaocn ca]# 
[root@liumiaocn ca]# ../cfssl print-defaults csr >ca-csr.json
[root@liumiaocn ca]#

After editing, the CA's CSR file looks like this:

[root@liumiaocn ca]# ls
ca-csr.json
[root@liumiaocn ca]# cat ca-csr.json 
{
    "CN": "devops.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing",
            "O": "devops",
            "OU": "unicorn"
        }
    ]
}
[root@liumiaocn ca]#

Generating the CA private key, the CSR file and the CA certificate

The following command generates the CA private key, the CSR file and the CA certificate in one go.

[root@liumiaocn ca]# ../cfssl gencert -initca ca-csr.json |../cfssljson -bare ca -
2019/12/15 06:12:02 [INFO] generating a new CA key and certificate from CSR
2019/12/15 06:12:02 [INFO] generate received request
2019/12/15 06:12:02 [INFO] received CSR
2019/12/15 06:12:02 [INFO] generating key: rsa-2048
2019/12/15 06:12:03 [INFO] encoded CSR
2019/12/15 06:12:03 [INFO] signed certificate with serial number 72583730418191516028003096307996422627737938938
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@liumiaocn ca]#

The file types are as follows:

[root@liumiaocn ca]# file *
ca.csr:      PEM certificate request
ca-csr.json: ASCII text
ca-key.pem:  PEM RSA private key
ca.pem:      PEM certificate
[root@liumiaocn ca]#

Displaying ca-key.pem, ca.csr and ca.pem with cat shows the three PEM blocks identified above: an RSA private key, a certificate request and a certificate.


Confirming the result

The contents of the CA certificate can be confirmed with the cfssl-certinfo command, as shown in detail below:

[root@liumiaocn ca]# ../cfssl-certinfo -cert ca.pem 
{
  "subject": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "issuer": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "serial_number": "72583730418191516028003096307996422627737938938",
  "not_before": "2019-12-15T11:07:00Z",
  "not_after": "2024-12-13T11:07:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "subject_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDxjCCAq6gAwIBAgIUDLbEXKukkhGbTQFdF4LH8EBnK/owDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE\nAxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMTA3MDBaFw0yNDEyMTMxMTA3MDBaMGkx\nCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu\nMQ8wDQYDVQQKEwZkZXZvcHMxEDAOBgNVBAsTB3VuaWNvcm4xEzARBgNVBAMTCmRl\ndm9wcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo555kkjb1\n63904aqWO6IgOSLTrsNR1D+5rYeraAUYWsNcvpJQukzQqzWlEMkP1VAIH8Szm57F\niunRlWzt49YT+azbmjGpdJwTaJE4jJRmnyBmuCM1z2jjKcbuQqU82B5KcIoNnqc9\nHLoGJEwMI3fstn3d0T93h9dS4xhxyzxNR4HtSBr/lrrRUAhlswIq1nVYKRTDOOgl\ns9VVQ+xuMYzyk/brfsaTSSFRCb2BIR9EvVmtntxRQKrEoU9zJSmX3e+P2HTcTf+y\n4ve2a61C2JtWiotH6M4Qhq57Cq/+DG/98foQSoXlRYdESZ0SKIuFNjOhEp5FLkZh\nlQ6bUdPam7YLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG\nAQH/AgECMB0GA1UdDgQWBBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczAfBgNVHSMEGDAW\ngBQhIS4LdvUwgDp6Hx/Kd04Hrj2CczANBgkqhkiG9w0BAQsFAAOCAQEAQ56h0t1H\nVSnaX9ExBDlMIivK/znevJ2GPqvPG2Fq+C1nX/Gpv+biuuA0V15NEDC3YLlUfsfb\njstYAwNRY51gFnhZh/PwJXs1SlktoQ4RuxjwGfdRt1kNSOpzwZbz5JUcTqoEmgtO\nLZIIhjLMiALV5br6zbNPqSDv18cLYWqS1is7sD0ppxNRMteizdYdHjk+t3Z1em+6\nOnk0cqzZzBXVfELGb19FUcrcwLdQDpccAWTUzrQ/H9d595P6Og3bWmWDSgpYyIrT\nmQ0PHXkxAJAMOrY90l+k7r6SfI5f3InTVGv+zMw4HVct9BPUGIOA88tt6rvjSprJ\n08uzibszD2ZBEA==\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn ca]#

It can of course also be confirmed with the openssl x509 subcommand:

[root@liumiaocn ca]# openssl x509 -noout -text -in ca.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:b6:c4:5c:ab:a4:92:11:9b:4d:01:5d:17:82:c7:f0:40:67:2b:fa
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Validity
            Not Before: Dec 15 11:07:00 2019 GMT
            Not After : Dec 13 11:07:00 2024 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a8:e7:9e:64:92:36:f5:eb:7f:74:e1:aa:96:3b:
                    a2:20:39:22:d3:ae:c3:51:d4:3f:b9:ad:87:ab:68:
                    05:18:5a:c3:5c:be:92:50:ba:4c:d0:ab:35:a5:10:
                    c9:0f:d5:50:08:1f:c4:b3:9b:9e:c5:8a:e9:d1:95:
                    6c:ed:e3:d6:13:f9:ac:db:9a:31:a9:74:9c:13:68:
                    91:38:8c:94:66:9f:20:66:b8:23:35:cf:68:e3:29:
                    c6:ee:42:a5:3c:d8:1e:4a:70:8a:0d:9e:a7:3d:1c:
                    ba:06:24:4c:0c:23:77:ec:b6:7d:dd:d1:3f:77:87:
                    d7:52:e3:18:71:cb:3c:4d:47:81:ed:48:1a:ff:96:
                    ba:d1:50:08:65:b3:02:2a:d6:75:58:29:14:c3:38:
                    e8:25:b3:d5:55:43:ec:6e:31:8c:f2:93:f6:eb:7e:
                    c6:93:49:21:51:09:bd:81:21:1f:44:bd:59:ad:9e:
                    dc:51:40:aa:c4:a1:4f:73:25:29:97:dd:ef:8f:d8:
                    74:dc:4d:ff:b2:e2:f7:b6:6b:ad:42:d8:9b:56:8a:
                    8b:47:e8:ce:10:86:ae:7b:0a:af:fe:0c:6f:fd:f1:
                    fa:10:4a:85:e5:45:87:44:49:9d:12:28:8b:85:36:
                    33:a1:12:9e:45:2e:46:61:95:0e:9b:51:d3:da:9b:
                    b6:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier: 
                21:21:2E:0B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:07:AE:3D:82:73
            X509v3 Authority Key Identifier: 
                keyid:21:21:2E:0B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:07:AE:3D:82:73
    Signature Algorithm: sha256WithRSAEncryption
         43:9e:a1:d2:dd:47:55:29:da:5f:d1:31:04:39:4c:22:2b:ca:
         ff:39:de:bc:9d:86:3e:ab:cf:1b:61:6a:f8:2d:67:5f:f1:a9:
         bf:e6:e2:ba:e0:34:57:5e:4d:10:30:b7:60:b9:54:7e:c7:db:
         8e:cb:58:03:03:51:63:9d:60:16:78:59:87:f3:f0:25:7b:35:
         4a:59:2d:a1:0e:11:bb:18:f0:19:f7:51:b7:59:0d:48:ea:73:
         c1:96:f3:e4:95:1c:4e:aa:04:9a:0b:4e:2d:92:08:86:32:cc:
         88:02:d5:e5:ba:fa:cd:b3:4f:a9:20:ef:d7:c7:0b:61:6a:92:
         d6:2b:3b:b0:3d:29:a7:13:51:32:d7:a2:cd:d6:1d:1e:39:3e:
         b7:76:75:7a:6f:ba:3a:79:34:72:ac:d9:cc:15:d5:7c:42:c6:
         6f:5f:45:51:ca:dc:c0:b7:50:0e:97:1c:01:64:d4:ce:b4:3f:
         1f:d7:79:f7:93:fa:3a:0d:db:5a:65:83:4a:0a:58:c8:8a:d3:
         99:0d:0f:1d:79:31:00:90:0c:3a:b6:3d:d2:5f:a4:ee:be:92:
         7c:8e:5f:dc:89:d3:54:6b:fe:cc:cc:38:1d:57:2d:f4:13:d4:
         18:83:80:f3:cb:6d:ea:bb:e3:4a:9a:c9:d3:cb:b3:89:bb:33:
         0f:66:41:10
[root@liumiaocn ca]#

As can be seen, the default validity period of the certificate issued this way is 5 years.
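As an added illustration (not part of the original post and not cfssl's own code), the Go program below does with the standard library what cfssl gencert -initca ca-csr.json | cfssljson -bare ca did above: it reads the same ca-csr.json format, generates the RSA key and self-signs a CA certificate carrying the critical Key Usage and Basic Constraints extensions the openssl output shows. The function name InitCA and its pathLen and validFor parameters are my own choices (pass 2 and 43800h to match the defaults seen on this page); it handles RSA requests only.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// InitCA does what `cfssl gencert -initca ca-csr.json | cfssljson -bare ca` does for an RSA
// request: parse the cfssl CSR JSON, generate the key and self-sign a CA certificate carrying
// the extensions the openssl output above shows (critical KeyUsage certSign+cRLSign,
// critical BasicConstraints CA:TRUE with pathLen). It returns the ca-key.pem and ca.pem contents.
func InitCA(csrJSON []byte, pathLen int, validFor time.Duration) (keyPEM, certPEM []byte, err error) {
	var req struct { // field names match the JSON keys case-insensitively
		CN    string
		Key   struct{ Algo string; Size int }
		Names []struct{ C, L, ST, O, OU string }
	}
	if err = json.Unmarshal(csrJSON, &req); err != nil || req.Key.Algo != "rsa" {
		return nil, nil, errors.New("expected cfssl CSR JSON with \"algo\": \"rsa\"")
	}
	key, err := rsa.GenerateKey(rand.Reader, req.Key.Size)
	if err != nil {
		return nil, nil, err
	}
	subj := pkix.Name{CommonName: req.CN} // each "names" entry adds one value per RDN
	for _, n := range req.Names {
		subj.Country, subj.Province, subj.Locality = append(subj.Country, n.C), append(subj.Province, n.ST), append(subj.Locality, n.L)
		subj.Organization, subj.OrganizationalUnit = append(subj.Organization, n.O), append(subj.OrganizationalUnit, n.OU)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 159)) // random 159-bit serial, as cfssl does
	now := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subj, NotBefore: now, NotAfter: now.Add(validFor),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true, MaxPathLen: pathLen}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return keyPEM, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Parsing ca.pem back with x509.ParseCertificate and calling cert.CheckSignatureFrom(cert) is the programmatic equivalent of the cfssl-certinfo check above: a genuine root must verify under its own public key.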

Reprinted from: https://liumiaocn.blog.csdn.net/article/details/103553480

