CFSSL: Certificate Management Tool (3): Issuing Certificates with the CA Private Key and CA Certificate
Published: 2021-06-30 20:15:39
This article shows how to issue a new certificate using the CA private key and CA certificate created with the CFSSL commands.

Preparation
Create the CA private key and CA certificate:
```
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@liumiaocn ca]#
```
- ca-csr.json: JSON configuration file for the CA's CSR
- ca.csr: certificate signing request file
- ca-key.pem: CA private key
- ca.pem: CA certificate
For the detailed generation steps see: https://liumiaocn.blog.csdn.net/article/details/103553480
Prepare the CSR configuration file for the certificate to be signed
```
[root@liumiaocn ca]# cat request-dev.json
{
  "CN": "dev.com",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "DaLian",
      "ST": "LiaoNing",
      "O": "devops",
      "OU": "dev"
    }
  ]
}
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem  request-dev.json
[root@liumiaocn ca]#
```
Prepare the signing configuration file
Generate the certificate configuration file template:
```
[root@liumiaocn ca]# ../cfssl print-defaults config >cert-config.json
[root@liumiaocn ca]# cat cert-config.json
{
  "signing": {
    "default": {
      "expiry": "168h"
    },
    "profiles": {
      "www": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
[root@liumiaocn ca]#
```
Modify it as follows:
```
[root@liumiaocn ca]# cat cert-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
[root@liumiaocn ca]#
```
- signing: indicates that this certificate can sign other certificates (CA=TRUE)
- server auth: the client can use this certificate to verify the server
- client auth: the server can use this certificate to verify the certificate presented by the client
Issue the certificate
Issue the new certificate file with the CA private key and CA certificate by running the following command:
Command: ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -profile=client -config=cert-config.json request-dev.json | ../cfssljson -bare cert-test
```
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem  cert-config.json  request-dev.json
[root@liumiaocn ca]# ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -profile=client -config=cert-config.json request-dev.json | ../cfssljson -bare cert-test
2019/12/15 07:47:15 [INFO] generate received request
2019/12/15 07:47:15 [INFO] received CSR
2019/12/15 07:47:15 [INFO] generating key: rsa-2048
2019/12/15 07:47:15 [INFO] encoded CSR
2019/12/15 07:47:15 [INFO] signed certificate with serial number 573764368924225845114991454745178519328633833522
2019/12/15 07:47:15 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem  cert-config.json  cert-test.csr  cert-test-key.pem  cert-test.pem  request-dev.json
[root@liumiaocn ca]#
```
The generated certificate's information is as follows:
```
[root@liumiaocn ca]# ../cfssl-certinfo -cert cert-test.pem
{
  "subject": {
    "common_name": "dev.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "dev",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "dev",
      "dev.com"
    ]
  },
  "issuer": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "serial_number": "573764368924225845114991454745178519328633833522",
  "not_before": "2019-12-15T12:42:00Z",
  "not_after": "2020-12-14T12:42:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "subject_key_id": "AB:B7:51:23:6D:65:42:77:2:25:B2:89:8F:5D:53:E5:77:3F:92:BB",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDzjCCAragAwIBAgIUZIB77+8RLPqJ5ZoAPMXW3fGGyDIwDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE\nAxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMjQyMDBaFw0yMDEyMTQxMjQyMDBaMGIx\nCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu\nMQ8wDQYDVQQKEwZkZXZvcHMxDDAKBgNVBAsTA2RldjEQMA4GA1UEAxMHZGV2LmNv\nbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMiiv3OFHq0dzrWQ9H/t\ncQx2Frn5PwZqNlaE3YwqPKCT6fNhXP/pxEWuRdJSQWk+qKUfj7+hclzu8JbJ/Gt1\ngoNX4TzGGqbK16PTiI04jrXfs++8EBIYw79rbNQNjMJfRbLPODTSzrTW3nHkUj2x\nEOIJVvD67p4+3gzRu4WImSSVyKyku2nce+31YSkru/zR9RGBq8p4BwJJqxfLc4do\npOf5y1saI1d3n9OI+IqXqIBPiDyz3NmfzSKd6GWIQEdzYHDDmSaeGV+ylRFwW4Nf\nluwyNfaHHRk83WHjDL72g5BjShHUfSU5Do81+twA3n7kzVLW4k8Z5xvkpnAy+UKO\nbr8CAwEAAaN1MHMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMC\nMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKu3USNtZUJ3AiWyiY9dU+V3P5K7MB8G\nA1UdIwQYMBaAFCEhLgt29TCAOnofH8p3TgeuPYJzMA0GCSqGSIb3DQEBCwUAA4IB\nAQBd8hx8Ef4XgYD/mW6P7IrY53q/Jt0Ghg7x7qB97FNQwUknMunNm8KyZT8ewCvT\nC2OgNQOiHsv0DN1vEWz/qSH6ZDNBkEqI756qR45CXEDTWTOOcrzw8nTEr3A4bOmA\n/2Z3cwbVLIOcJ+aJbcAQNbItZnwc3VZkaX/1WXg5TZD9jWhH2C6liGKIxyn44pF3\nHOLovH0Qdir4sXzpYP4d8RLQjTwT82os57c4yxbH7itpinJ3yVyoIIrKHfeIqnxG\nLK7cl22lPsmGqpLhsnf8zvrKF7l/Ze+Z/CYTczNnuVtqe0zxCtFovLqI0RjPcrJ6\nUEXbv02VjrLbWLn6XcInlEFm\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn ca]#
```
Confirm with the openssl command
```
[root@liumiaocn ca]# openssl x509 -noout -in cert-test.pem -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = dev, CN = dev.com
notBefore=Dec 15 12:42:00 2019 GMT
notAfter=Dec 14 12:42:00 2020 GMT
[root@liumiaocn ca]#
```
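As an added example (not code from the original post or from cfssl itself), the Go program below reproduces the flow with the standard library: a self-signed CA signs one leaf with the usages of the "client" profile from the configuration above, and verifyFor performs the check that the openssl step does by hand plus an extended-key-usage check, showing that a client-profile certificate verifies for client auth but not for server auth. The helper names (must, issueClientCert, verifyFor), the in-memory keys and the subjects devops.com/dev.com are assumptions for illustration; in cfssl's configuration the "signing" usage sets the digitalSignature key-usage bit.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short by panicking on any error (hypothetical helper, not cfssl code).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueClientCert mirrors the page's flow: a self-signed CA signs one leaf using the "client" profile usages.
func issueClientCert(cn string) (ca, leaf *x509.Certificate) {
	now := time.Now().Add(-time.Minute)
	caKey := must(rsa.GenerateKey(rand.Reader, 2048)) // stands in for ca-key.pem ("algo": "rsa", "size": 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "devops.com"},
		NotBefore: now, NotAfter: now.Add(5 * 8760 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // only the CA certificate carries CA:TRUE
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	ca = must(x509.ParseCertificate(caDER))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048)) // cfssl gencert also creates the leaf key (cert-test-key.pem)
	leafDER := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(8760 * time.Hour), // profile "expiry": "8760h"
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "signing", "key encipherment"
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},               // "client auth"
		BasicConstraintsValid: true, // IsCA stays false, so the leaf is CA:FALSE and cannot sign other certs
	}, ca, &leafKey.PublicKey, caKey))
	return ca, must(x509.ParseCertificate(leafDER))
}

// verifyFor does what the openssl check above does by hand: chain the leaf to the CA
// and confirm it is permitted for the given extended key usage.
func verifyFor(ca, leaf *x509.Certificate, eku x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}
```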
Reposted from: https://liumiaocn.blog.csdn.net/article/details/103554037