CFSSL: certificate management tool (3): signing certificates with the CA private key and CA certificate
Published: 2021-06-30 20:15:39  Views: 2  Category: technical articles


This article shows how to sign a new certificate with the CA private key and CA certificate that were created with the CFSSL commands.

Preparation

Create the CA private key and CA certificate:

[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem
[root@liumiaocn ca]#
  • ca-csr.json: JSON configuration for the CSR
  • ca.csr: certificate signing request
  • ca-key.pem: CA private key
  • ca.pem: CA certificate

For the detailed generation steps see: https://liumiaocn.blog.csdn.net/article/details/103553480

Prepare the CSR configuration file for the certificate to be signed

[root@liumiaocn ca]# cat request-dev.json
{
    "CN": "dev.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "DaLian",
            "ST": "LiaoNing",
            "O": "devops",
            "OU": "dev"
        }
    ]
}
[root@liumiaocn ca]#
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem  request-dev.json
[root@liumiaocn ca]#

Prepare the signing configuration file

Generate the certificate configuration template:

[root@liumiaocn ca]# ../cfssl print-defaults config >cert-config.json
[root@liumiaocn ca]# cat cert-config.json
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
[root@liumiaocn ca]#

Edit it as follows (only the client profile is kept, and the default expiry is set to 8760h):

[root@liumiaocn ca]# cat cert-config.json
{
    "signing": {
        "default": {
            "expiry": "8760h"
        },
        "profiles": {
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
[root@liumiaocn ca]#
  • signing: indicates that this certificate can sign other certificates (CA=TRUE)
  • server auth: the client can use this certificate to verify the server
  • client auth: the server can use this certificate to verify the certificate presented by the client

Signing the certificate

Sign the new certificate with the CA private key and CA certificate by running the following command:

../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -profile=client -config=cert-config.json request-dev.json | ../cfssljson -bare cert-test

[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem  cert-config.json  request-dev.json
[root@liumiaocn ca]# ../cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -profile=client -config=cert-config.json request-dev.json | ../cfssljson -bare cert-test
2019/12/15 07:47:15 [INFO] generate received request
2019/12/15 07:47:15 [INFO] received CSR
2019/12/15 07:47:15 [INFO] generating key: rsa-2048
2019/12/15 07:47:15 [INFO] encoded CSR
2019/12/15 07:47:15 [INFO] signed certificate with serial number 573764368924225845114991454745178519328633833522
2019/12/15 07:47:15 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@liumiaocn ca]# ls
ca.csr  ca-csr.json  ca-key.pem  ca.pem  cert-config.json  cert-test.csr  cert-test-key.pem  cert-test.pem  request-dev.json
[root@liumiaocn ca]#

The generated certificate contains the following information:

[root@liumiaocn ca]# ../cfssl-certinfo -cert cert-test.pem
{
  "subject": {
    "common_name": "dev.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "dev",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "dev",
      "dev.com"
    ]
  },
  "issuer": {
    "common_name": "devops.com",
    "country": "CN",
    "organization": "devops",
    "organizational_unit": "unicorn",
    "locality": "DaLian",
    "province": "LiaoNing",
    "names": [
      "CN",
      "LiaoNing",
      "DaLian",
      "devops",
      "unicorn",
      "devops.com"
    ]
  },
  "serial_number": "573764368924225845114991454745178519328633833522",
  "not_before": "2019-12-15T12:42:00Z",
  "not_after": "2020-12-14T12:42:00Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "21:21:2E:B:76:F5:30:80:3A:7A:1F:1F:CA:77:4E:7:AE:3D:82:73",
  "subject_key_id": "AB:B7:51:23:6D:65:42:77:2:25:B2:89:8F:5D:53:E5:77:3F:92:BB",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIDzjCCAragAwIBAgIUZIB77+8RLPqJ5ZoAPMXW3fGGyDIwDQYJKoZIhvcNAQEL\nBQAwaTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZE\nYUxpYW4xDzANBgNVBAoTBmRldm9wczEQMA4GA1UECxMHdW5pY29ybjETMBEGA1UE\nAxMKZGV2b3BzLmNvbTAeFw0xOTEyMTUxMjQyMDBaFw0yMDEyMTQxMjQyMDBaMGIx\nCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhMaWFvTmluZzEPMA0GA1UEBxMGRGFMaWFu\nMQ8wDQYDVQQKEwZkZXZvcHMxDDAKBgNVBAsTA2RldjEQMA4GA1UEAxMHZGV2LmNv\nbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMiiv3OFHq0dzrWQ9H/t\ncQx2Frn5PwZqNlaE3YwqPKCT6fNhXP/pxEWuRdJSQWk+qKUfj7+hclzu8JbJ/Gt1\ngoNX4TzGGqbK16PTiI04jrXfs++8EBIYw79rbNQNjMJfRbLPODTSzrTW3nHkUj2x\nEOIJVvD67p4+3gzRu4WImSSVyKyku2nce+31YSkru/zR9RGBq8p4BwJJqxfLc4do\npOf5y1saI1d3n9OI+IqXqIBPiDyz3NmfzSKd6GWIQEdzYHDDmSaeGV+ylRFwW4Nf\nluwyNfaHHRk83WHjDL72g5BjShHUfSU5Do81+twA3n7kzVLW4k8Z5xvkpnAy+UKO\nbr8CAwEAAaN1MHMwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMC\nMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFKu3USNtZUJ3AiWyiY9dU+V3P5K7MB8G\nA1UdIwQYMBaAFCEhLgt29TCAOnofH8p3TgeuPYJzMA0GCSqGSIb3DQEBCwUAA4IB\nAQBd8hx8Ef4XgYD/mW6P7IrY53q/Jt0Ghg7x7qB97FNQwUknMunNm8KyZT8ewCvT\nC2OgNQOiHsv0DN1vEWz/qSH6ZDNBkEqI756qR45CXEDTWTOOcrzw8nTEr3A4bOmA\n/2Z3cwbVLIOcJ+aJbcAQNbItZnwc3VZkaX/1WXg5TZD9jWhH2C6liGKIxyn44pF3\nHOLovH0Qdir4sXzpYP4d8RLQjTwT82os57c4yxbH7itpinJ3yVyoIIrKHfeIqnxG\nLK7cl22lPsmGqpLhsnf8zvrKF7l/Ze+Z/CYTczNnuVtqe0zxCtFovLqI0RjPcrJ6\nUEXbv02VjrLbWLn6XcInlEFm\n-----END CERTIFICATE-----\n"
}
[root@liumiaocn ca]#

Confirm with the openssl command

[root@liumiaocn ca]# openssl x509 -noout -in cert-test.pem -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = dev, CN = dev.com
notBefore=Dec 15 12:42:00 2019 GMT
notAfter=Dec 14 12:42:00 2020 GMT
[root@liumiaocn ca]#
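As an added example (not from the original article), the Go program below reproduces in code what the client profile above produces, then checks the result the way a TLS peer does: a leaf signed by the CA with key usages digitalSignature and keyEncipherment, extended key usage clientAuth, basicConstraints CA:FALSE, an 8760h lifetime and no SANs. The certinfo output above does not decode extensions, but the PEM it prints carries exactly these, which is why the certificate works for client auth and fails for server auth (both on key usage and on hostname, the point of cfssl's "hosts" warning). The throwaway CA, the Ed25519 key type (the article uses RSA 2048) and the subjects are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates a fresh Ed25519 key and issues tmpl under parent; a nil parent self-signs.
func newCert(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}

// issueClientCert builds a throwaway CA and signs a leaf with the extensions the "client" profile yields.
func issueClientCert() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "devops.com"},
		NotBefore: now, NotAfter: now.Add(5 * 8760 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = newCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "dev.com"},
		NotBefore: now, NotAfter: now.Add(8760 * time.Hour), // profile "expiry": "8760h"
		BasicConstraintsValid: true,                         // IsCA stays false, so basicConstraints reads CA:FALSE
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "signing", "key encipherment"
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},                // "client auth"
	}, ca, caKey) // no DNSNames: this is the empty "hosts" field cfssl warned about
	return ca, leaf, err
}

// verifyFor chains leaf to ca for one extended key usage; host is "" for client auth.
func verifyFor(ca, leaf *x509.Certificate, eku x509.ExtKeyUsage, host string) error {
	pool := x509.NewCertPool() // trust only our CA, then verify as a TLS peer would
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}
```

Calling verifyFor with ExtKeyUsageServerAuth returns an incompatible-key-usage error, and passing a host name fails as well because the leaf has no SANs.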

Reprinted from: https://liumiaocn.blog.csdn.net/article/details/103554037
