
CentOS 8: create a private CA certificate server, issue certificates, revoke certificates

Author: 互联网


1. Create the CA directories and files

[root@cent8 yum.repos.d]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@cent8 yum.repos.d]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files

The index.txt and serial files are required when issuing certificates; if they are missing, the signing step fails with an error.

[root@cent8 yum.repos.d]#touch /etc/pki/CA/index.txt
[root@cent8 yum.repos.d]#
[root@cent8 yum.repos.d]#echo 0F > /etc/pki/CA/serial

2. Create the CA private key

[root@cent8 yum.repos.d]#cd /etc/pki/CA/
[root@cent8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
.+++++
e is 65537 (0x010001)
[root@cent8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 3 files
[root@cent8 CA]#ll private/
total 4
-rw------- 1 root root 1679 Oct 29 09:23 cakey.pem
[root@cent8 CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

3. Issue the CA its self-signed certificate

[root@cent8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days
req: Option -days needs a value
req: Use -help for summary.
[root@cent8 CA]#3650 -out     /etc/pki/CA/cacert.pem^C
[root@cent8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out     /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:meng
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.meng.com
Email Address []:admin@meng.com
[root@cent8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
[root@cent8 CA]#cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4f:c1:9f:ae:b4:56:65:a0:4d:40:dc:6f:3a:50:d3:a0:04:c8:73:a3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
        Validity
            Not Before: Oct 29 01:26:02 2021 GMT
            Not After : Oct 27 01:26:02 2031 GMT
        Subject: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f9:e9:31:d0:47:c0:97:84:c7:28:5f:67:9f:b4:
                    7a:23:1e:04:29:59:6b:32:cf:e2:82:d6:00:2e:c1:
                    20:91:53:74:10:bd:d1:49:a3:6a:fa:be:85:1a:b8:
                    14:9d:c0:7b:06:e3:49:65:17:10:7e:e2:7f:ed:66:
                    47:91:b5:32:79:5b:68:e0:89:37:58:6a:4c:2f:05:
                    9b:de:70:0b:7a:cb:95:6c:0e:0a:21:e9:24:88:11:
                    4f:a5:9b:25:e3:6d:d6:46:8a:26:f3:68:5b:92:ab:
                    04:25:12:d9:7c:2f:e4:6e:5b:db:8f:99:84:c1:ba:
                    d0:6e:09:de:7d:ce:eb:eb:42:be:1f:bd:6c:2d:4d:
                    5f:3c:59:e9:44:37:f2:f2:f3:15:71:49:e5:bb:1f:
                    55:bb:85:e5:d8:0a:ce:2f:4e:2b:7f:b5:44:7b:44:
                    ec:62:33:1c:c2:c6:79:c3:29:e6:25:ee:3e:89:14:
                    34:bb:dc:28:a7:23:9f:15:be:55:29:95:3d:8d:d5:
                    42:da:26:30:b8:ea:f3:27:03:53:0d:b8:03:7a:7f:
                    75:84:e9:19:af:57:cd:bc:0f:c8:0f:23:6c:48:c7:
                    f3:bc:f4:96:f2:07:1f:6a:0d:86:a0:64:37:fe:f4:
                    0e:b3:f2:2b:7d:70:4d:e4:db:c7:8e:93:3f:60:99:
                    ff:59
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
            X509v3 Authority Key Identifier:
                keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         67:cc:1c:ef:99:45:59:32:50:aa:47:e4:73:e3:fa:98:f4:36:
         f6:6e:69:f8:d8:86:fe:41:27:11:b0:3b:ac:65:9a:da:5d:6e:
         f5:63:15:a8:b4:d3:ab:f8:59:1b:3e:54:09:02:b5:1c:e9:2b:
         19:46:38:4c:b9:ff:f7:1c:ca:00:24:12:08:8e:a3:d8:6f:0b:
         85:4f:10:bb:f9:59:ba:21:68:9c:de:45:e3:5c:ba:94:71:bd:
         39:ab:1a:20:8d:64:67:ac:97:2f:78:21:78:1b:d5:a5:62:18:
         0d:98:33:af:33:2f:97:eb:60:1b:e5:ab:fa:fc:a4:e9:16:b6:
         0e:2f:a7:a6:81:1d:cf:f2:ea:2b:1f:15:4f:67:60:4e:e7:88:
         37:5d:ac:a8:db:7e:64:8b:7e:8d:ee:05:0e:35:85:15:30:61:
         94:87:ce:fe:60:82:7b:50:7a:28:1a:9f:be:43:f2:9a:9d:af:
         33:be:da:0c:62:07:d8:3c:73:38:6f:c8:be:b4:9f:85:36:87:
         93:9e:1f:0c:70:28:67:48:91:9e:d8:2c:32:b2:6e:0e:9e:8d:
         ed:db:da:24:c6:b2:e8:cc:4f:95:4a:8b:7c:6e:08:02:95:24:
         05:9a:12:38:43:c7:d8:4f:88:1f:90:0e:d3:af:17:56:f4:08:
         83:f5:0b:4d
[root@cent8 CA]#ll
total 8
-rw-r--r-- 1 root root 1432 Oct 29 09:26 cacert.pem
drwxr-xr-x 2 root root    6 Oct 29 09:21 certs
drwxr-xr-x 2 root root    6 Oct 29 09:21 crl
-rw-r--r-- 1 root root    0 Oct 29 09:22 index.txt
drwxr-xr-x 2 root root    6 Oct 29 09:21 newcerts
drwxr-xr-x 2 root root   23 Oct 29 09:23 private
-rw-r--r-- 1 root root    3 Oct 29 09:22 serial
[root@cent8 CA]#pwd
/etc/pki/CA

# Copy cacert.pem to a Windows machine, rename it cacert.pem.crt and double-click it; the Windows certificate viewer shows the CA certificate details.
[screenshots of the Windows certificate viewer not reproduced]

4. The user generates a private key and a certificate request

[root@cent8 CA]#mkdir /data/app1
[root@cent8 CA]#(umask 066; openssl genrsa -out   /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
........................................................................+++++
e is 65537 (0x010001)
[root@cent8 CA]#cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

Generate the certificate signing request

[root@cent8 CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:meng
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.meng.com
Email Address []:root@meng.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cent8 CA]#ll /data/app1
total 8
-rw-r--r-- 1 root root 1045 Oct 29 10:41 app1.csr
-rw------- 1 root root 1675 Oct 29 10:40 app1.key

By default, three subject fields must match the CA certificate: country (C), state/province (ST) and organization (O). If any of them differs, the CA refuses to sign and reports an error.

5. The CA issues the certificate

[root@cent8 CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 15 (0xf)
        Validity
            Not Before: Oct 29 02:43:33 2021 GMT
            Not After : Jul 25 02:43:33 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = liaoning
            organizationName          = meng
            organizationalUnitName    = it
            commonName                = app1.meng.com
            emailAddress              = root@meng.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
            X509v3 Authority Key Identifier:
                keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D

Certificate is to be certified until Jul 25 02:43:33 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cent8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 0F.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files

6. View the certificate

[root@cent8 CA]#cat /etc/pki/CA/certs/app1.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=liaoning, L=shenyang, O=meng, OU=devops, CN=ca.meng.com/emailAddress=admin@meng.com
        Validity
            Not Before: Oct 29 02:43:33 2021 GMT
            Not After : Jul 25 02:43:33 2024 GMT
        Subject: C=CN, ST=liaoning, O=meng, OU=it, CN=app1.meng.com/emailAddress=root@meng.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ba:0e:36:b1:72:61:66:af:91:48:10:13:75:c8:
                    63:72:27:75:89:39:49:e6:d1:63:ac:d3:d5:08:15:
                    4e:6f:cc:77:5e:0e:84:4d:42:3d:54:f0:53:57:36:
                    4e:b5:2f:cf:23:f4:91:ce:31:41:9c:35:eb:f9:42:
                    80:32:a1:11:0b:46:9a:0c:74:20:50:5e:24:e7:10:
                    3c:f6:07:73:16:2d:70:6c:db:2d:45:7e:0a:16:8a:
                    6b:a2:e0:de:ef:ea:fa:67:c5:34:3c:87:0c:24:21:
                    9e:82:cb:0f:10:d0:2a:a6:84:99:82:66:90:bb:74:
                    f4:94:b8:e9:88:e7:e6:56:b4:ec:94:8e:34:78:69:
                    27:a4:c3:d8:a9:1b:e6:29:e5:51:b4:af:b7:13:b1:
                    a1:cc:60:88:22:26:6d:44:e6:a6:e7:9c:5f:53:20:
                    5a:89:66:1b:45:e5:71:60:c7:55:76:06:7b:c6:de:
                    5a:12:b0:07:88:14:2a:96:82:29:e4:66:69:28:fc:
                    2f:03:2b:2f:bf:0d:f2:12:1d:23:b7:cb:b8:36:d2:
                    7c:b2:15:f6:8d:cf:77:52:56:55:c5:a2:33:2c:db:
                    d0:82:c3:59:fb:3a:61:bf:8e:7a:d3:c0:fc:bb:99:
                    9d:75:d5:c4:ff:da:f6:16:5c:f8:47:02:c6:8f:6e:
                    cd:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
            X509v3 Authority Key Identifier:
                keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D

    Signature Algorithm: sha256WithRSAEncryption
         d4:fc:3c:ee:28:03:83:be:1b:49:51:43:22:cd:e6:3f:75:d4:
         89:8d:84:36:53:5e:f4:46:f9:49:ef:97:f8:af:a3:d5:ea:1d:
         cf:44:e8:47:86:9d:b2:e5:80:90:d3:5d:aa:ae:75:fc:72:62:
         6b:ab:75:ba:0e:b3:0d:b3:17:b3:25:05:8e:d4:48:40:10:bb:
         73:79:e5:35:da:0b:e4:99:3f:04:bb:c3:2b:5d:bd:b7:48:d7:
         af:b6:59:62:e2:4f:58:68:16:39:1a:7e:de:3a:c8:10:a8:ad:
         67:8a:9b:b5:6b:2f:48:66:63:e7:99:bd:72:83:32:37:7a:89:
         0e:fd:fb:33:ca:19:ad:e3:69:0e:f3:b7:08:8a:ec:6c:e2:a6:
         fe:cc:15:8c:e0:a4:7f:13:a0:09:f7:fc:d6:56:4b:8f:b9:54:
         ff:7c:95:19:25:1b:25:4c:f1:1f:f5:a3:7c:51:19:4c:87:f3:
         51:15:3f:09:d0:65:cc:9d:59:ed:46:6c:e4:79:bf:e4:19:99:
         42:ee:90:0d:87:ec:2f:1f:f5:9a:45:65:3c:a1:85:49:a5:ca:
         6b:7e:6f:fe:b6:31:99:47:4c:ed:f5:23:92:14:d5:69:b4:7b:
         0a:ae:90:7e:d4:9f:7b:db:a0:5b:90:6e:c7:1d:13:55:d1:f3:
         8e:cb:ae:9d
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
        Validity
            Not Before: Oct 29 02:43:33 2021 GMT
            Not After : Jul 25 02:43:33 2024 GMT
        Subject: C = CN, ST = liaoning, O = meng, OU = it, CN = app1.meng.com, emailAddress = root@meng.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ba:0e:36:b1:72:61:66:af:91:48:10:13:75:c8:
                    63:72:27:75:89:39:49:e6:d1:63:ac:d3:d5:08:15:
                    4e:6f:cc:77:5e:0e:84:4d:42:3d:54:f0:53:57:36:
                    4e:b5:2f:cf:23:f4:91:ce:31:41:9c:35:eb:f9:42:
                    80:32:a1:11:0b:46:9a:0c:74:20:50:5e:24:e7:10:
                    3c:f6:07:73:16:2d:70:6c:db:2d:45:7e:0a:16:8a:
                    6b:a2:e0:de:ef:ea:fa:67:c5:34:3c:87:0c:24:21:
                    9e:82:cb:0f:10:d0:2a:a6:84:99:82:66:90:bb:74:
                    f4:94:b8:e9:88:e7:e6:56:b4:ec:94:8e:34:78:69:
                    27:a4:c3:d8:a9:1b:e6:29:e5:51:b4:af:b7:13:b1:
                    a1:cc:60:88:22:26:6d:44:e6:a6:e7:9c:5f:53:20:
                    5a:89:66:1b:45:e5:71:60:c7:55:76:06:7b:c6:de:
                    5a:12:b0:07:88:14:2a:96:82:29:e4:66:69:28:fc:
                    2f:03:2b:2f:bf:0d:f2:12:1d:23:b7:cb:b8:36:d2:
                    7c:b2:15:f6:8d:cf:77:52:56:55:c5:a2:33:2c:db:
                    d0:82:c3:59:fb:3a:61:bf:8e:7a:d3:c0:fc:bb:99:
                    9d:75:d5:c4:ff:da:f6:16:5c:f8:47:02:c6:8f:6e:
                    cd:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
            X509v3 Authority Key Identifier:
                keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D

    Signature Algorithm: sha256WithRSAEncryption
         d4:fc:3c:ee:28:03:83:be:1b:49:51:43:22:cd:e6:3f:75:d4:
         89:8d:84:36:53:5e:f4:46:f9:49:ef:97:f8:af:a3:d5:ea:1d:
         cf:44:e8:47:86:9d:b2:e5:80:90:d3:5d:aa:ae:75:fc:72:62:
         6b:ab:75:ba:0e:b3:0d:b3:17:b3:25:05:8e:d4:48:40:10:bb:
         73:79:e5:35:da:0b:e4:99:3f:04:bb:c3:2b:5d:bd:b7:48:d7:
         af:b6:59:62:e2:4f:58:68:16:39:1a:7e:de:3a:c8:10:a8:ad:
         67:8a:9b:b5:6b:2f:48:66:63:e7:99:bd:72:83:32:37:7a:89:
         0e:fd:fb:33:ca:19:ad:e3:69:0e:f3:b7:08:8a:ec:6c:e2:a6:
         fe:cc:15:8c:e0:a4:7f:13:a0:09:f7:fc:d6:56:4b:8f:b9:54:
         ff:7c:95:19:25:1b:25:4c:f1:1f:f5:a3:7c:51:19:4c:87:f3:
         51:15:3f:09:d0:65:cc:9d:59:ed:46:6c:e4:79:bf:e4:19:99:
         42:ee:90:0d:87:ec:2f:1f:f5:9a:45:65:3c:a1:85:49:a5:ca:
         6b:7e:6f:fe:b6:31:99:47:4c:ed:f5:23:92:14:d5:69:b4:7b:
         0a:ae:90:7e:d4:9f:7b:db:a0:5b:90:6e:c7:1d:13:55:d1:f3:
         8e:cb:ae:9d
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = liaoning, O = meng, OU = it, CN = app1.meng.com, emailAddress = root@meng.com
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Oct 29 02:43:33 2021 GMT
notAfter=Jul 25 02:43:33 2024 GMT
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F

Check the validity of the certificate with a given serial number

[root@cent8 CA]#cat /etc/pki/CA/index.txt
V       240725024333Z           0F      unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
[root@cent8 CA]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@cent8 CA]#cat /etc/pki/CA/index.txt.old
[root@cent8 CA]#cat /etc/pki/CA/serial
10
[root@cent8 CA]#cat /etc/pki/CA/serial.old
0F
[root@cent8 CA]#ll
total 20
-rw-r--r-- 1 root root 1432 Oct 29 09:26 cacert.pem
drwxr-xr-x 2 root root   22 Oct 29 10:43 certs
drwxr-xr-x 2 root root    6 Oct 29 09:21 crl
-rw-r--r-- 1 root root  103 Oct 29 10:43 index.txt
-rw-r--r-- 1 root root   21 Oct 29 10:43 index.txt.attr
-rw-r--r-- 1 root root    0 Oct 29 09:22 index.txt.old
drwxr-xr-x 2 root root   20 Oct 29 10:43 newcerts
drwxr-xr-x 2 root root   23 Oct 29 09:23 private
-rw-r--r-- 1 root root    3 Oct 29 10:43 serial
-rw-r--r-- 1 root root    3 Oct 29 09:22 serial.old
[root@cent8 CA]#cd certs/
[root@cent8 certs]#ll
total 8
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
[root@cent8 certs]#pwd
/etc/pki/CA/certs
[root@cent8 certs]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@cent8 certs]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files


After importing the root certificate, the app1 certificate shows a complete chain up to the root.
[screenshots of the Windows certificate viewer not reproduced]

Issuing a new certificate from the existing certificate request fails with the error shown below. /etc/pki/tls/openssl.cnf must be modified so that multiple certificates can be issued from the same request, and so that certificates can be issued across countries (to a subject whose country differs from the CA's).

[root@cent8 certs]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
The matching entry has the following details
Type          :Valid
Expires on    :240725024333Z
Serial Number :0F
File name     :unknown
Subject Name  :/C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V       240725024333Z           0F      unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com

7. Modify the configuration file to allow cross-country issuance and multiple certificates from the same request

[root@cent8 certs]#cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.old


[root@cent8 certs]#vim /etc/pki/tls/openssl.cnf

#policy         = policy_match
policy          = policy_anything
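To make the effect of this switch concrete, here is an added example (not code from the original post, and it does not call OpenSSL) that emulates the subject-name policy `openssl ca` applies to a request. The two rule tables are assumed to be those of an unmodified /etc/pki/tls/openssl.cnf (policy_match, the default, and policy_anything, the one selected above); the DNs are the ones that appear in the post's output. It shows why the app2 request (country US) is refused under policy_match, why the first app1 certificate lost its L=shenyang field, and why the second one kept it.

```python
"""Emulate the subject-name policy that `openssl ca` applies to a CSR.

Added example; not code from the original post. It reproduces the two
policy sections of a stock /etc/pki/tls/openssl.cnf and shows, for the
DNs in the post's output, which requests the CA accepts and which subject
fields end up in the issued certificate.
"""

# Assumption: rule tables copied from an unmodified openssl.cnf.
#   match    = value must equal the CA certificate's value
#   supplied = value must be present in the CSR
#   optional = copied into the certificate if present
# A CSR field NOT listed in the policy is silently dropped from the certificate.
POLICY_MATCH = {
    "C": "match", "ST": "match", "O": "match",
    "OU": "optional", "CN": "supplied", "emailAddress": "optional",
}
POLICY_ANYTHING = {
    "C": "optional", "ST": "optional", "L": "optional", "O": "optional",
    "OU": "optional", "CN": "supplied", "emailAddress": "optional",
}

# DNs taken from the post's terminal output, in the slash form index.txt uses.
CA_DN = "/C=CN/ST=liaoning/L=shenyang/O=meng/OU=devops/CN=ca.meng.com/emailAddress=admin@meng.com"
APP1_DN = "/C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com"
APP2_DN = "/C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com"


def parse_dn(dn: str) -> dict:
    """'/C=CN/ST=x' -> {'C': 'CN', 'ST': 'x'} (attribute order preserved)."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if part)


def format_dn(subject: dict) -> str:
    """Inverse of parse_dn, matching how index.txt records the subject."""
    return "".join(f"/{k}={v}" for k, v in subject.items())


def apply_policy(policy: dict, ca_subject: dict, req_subject: dict) -> dict:
    """Walk the policy in order, as `openssl ca` does, and build the subject
    that will be signed. Raises ValueError with the refusal reason
    (messages modelled on openssl's own wording)."""
    signed = {}
    for field, rule in policy.items():
        value = req_subject.get(field)
        if rule == "match":
            if value is None:
                raise ValueError(f"The mandatory {field} field was missing")
            if value != ca_subject.get(field):
                raise ValueError(
                    f"The {field} field is different between CA certificate "
                    f"({ca_subject.get(field)}) and the request ({value})")
        elif rule == "supplied":
            if value is None:
                raise ValueError(f"The {field} field needed to be supplied and was missing")
        elif rule != "optional":
            raise ValueError(f"Unknown policy rule {rule!r} for {field}")
        if value is not None:
            signed[field] = value
    return signed


def check_request(policy: dict, req_dn: str, ca_dn: str = CA_DN) -> tuple:
    """(True, signed_subject_dict) if the CA would sign, else (False, reason)."""
    try:
        return True, apply_policy(policy, parse_dn(ca_dn), parse_dn(req_dn))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, policy in (("policy_match", POLICY_MATCH), ("policy_anything", POLICY_ANYTHING)):
        for label, dn in (("app1", APP1_DN), ("app2", APP2_DN)):
            ok, result = check_request(policy, dn)
            print(f"{name:16} {label}: "
                  f"{'signed ' + format_dn(result) if ok else 'REFUSED: ' + result}")
```

Under policy_match the signed app1 subject comes out exactly as the post's first index.txt row (no L attribute, because localityName is not listed in that policy); under policy_anything it comes out as the second row, with L=shenyang. The check is a string comparison field by field, so "cross-country" issuance is nothing more than dropping the `match` rule on C, ST and O.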

[root@cent8 certs]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 16 (0x10)
        Validity
            Not Before: Oct 29 03:14:00 2021 GMT
            Not After : Jul 25 03:14:00 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = liaoning
            localityName              = shenyang
            organizationName          = meng
            organizationalUnitName    = it
            commonName                = app1.meng.com
            emailAddress              = root@meng.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
            X509v3 Authority Key Identifier:
                keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D

Certificate is to be certified until Jul 25 03:14:00 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V       240725024333Z           0F      unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V       240725031400Z           10      unknown /C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
[root@cent8 certs]#mkdir /data/app2 -p
[root@cent8 certs]#(umask 066; openssl genrsa -out /data/app2/app2.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................................................................+++++
...........................+++++
e is 65537 (0x010001)
[root@cent8 certs]#openssl req -new -key /data/app2/app2.key -out /data/app2/app2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:newyork
Locality Name (eg, city) [Default City]:newyork
Organization Name (eg, company) [Default Company Ltd]:meng
Organizational Unit Name (eg, section) []:sales
Common Name (eg, your name or your server's hostname) []:sales.meng.com
Email Address []:sales@meng.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cent8 certs]#ll
total 16
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
-rw-r--r-- 1 root root 4643 Oct 29 11:14 app1-new.crt
[root@cent8 certs]#openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 17 (0x11)
        Validity
            Not Before: Oct 29 03:17:41 2021 GMT
            Not After : Jul 25 03:17:41 2024 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = newyork
            localityName              = newyork
            organizationName          = meng
            organizationalUnitName    = sales
            commonName                = sales.meng.com
            emailAddress              = sales@meng.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BC:D2:DB:77:5E:C7:91:30:04:22:8A:24:72:80:73:02:C1:0D:89:FB
            X509v3 Authority Key Identifier:
                keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D

Certificate is to be certified until Jul 25 03:17:41 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cent8 certs]#ll
total 24
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
-rw-r--r-- 1 root root 4643 Oct 29 11:14 app1-new.crt
-rw-r--r-- 1 root root 4650 Oct 29 11:17 app2.crt
[root@cent8 certs]#cp app2.crt /data/app2/
[root@cent8 certs]#pwd
/etc/pki/CA/certs

[root@cent8 certs]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   ├── app1.crt
│   ├── app1-new.crt
│   └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 0F.pem
│   ├── 10.pem
│   └── 11.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files

8. Revoke a certificate

[root@cent8 certs]#cat /etc/pki/CA/index.txt
V       240725024333Z           0F      unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V       240725031400Z           10      unknown /C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V       240725031741Z           11      unknown /C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com
[root@cent8 certs]#openssl ca -revoke /etc/pki/CA/newcerts/10.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 10.
Data Base Updated
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V       240725024333Z           0F      unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
R       240725031400Z   211029032107Z   10      unknown /C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V       240725031741Z           11      unknown /C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com
[root@cent8 certs]#echo 01 > /etc/pki/CA/crlnumber
[root@cent8 certs]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@cent8 certs]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│   ├── app1.crt
│   ├── app1-new.crt
│   └── app2.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 0F.pem
│   ├── 10.pem
│   └── 11.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 17 files
[root@cent8 certs]#ll
total 24
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
-rw-r--r-- 1 root root 4643 Oct 29 11:14 app1-new.crt
-rw-r--r-- 1 root root 4650 Oct 29 11:17 app2.crt
[root@cent8 certs]#cd ..
[root@cent8 CA]#ll
total 40
-rw-r--r-- 1 root root 1432 Oct 29 09:26 cacert.pem
drwxr-xr-x 2 root root   58 Oct 29 11:17 certs
drwxr-xr-x 2 root root    6 Oct 29 09:21 crl
-rw-r--r-- 1 root root    3 Oct 29 11:21 crlnumber
-rw-r--r-- 1 root root    3 Oct 29 11:21 crlnumber.old
-rw-r--r-- 1 root root  739 Oct 29 11:21 crl.pem
-rw-r--r-- 1 root root  347 Oct 29 11:21 index.txt
-rw-r--r-- 1 root root   21 Oct 29 11:21 index.txt.attr
-rw-r--r-- 1 root root   21 Oct 29 11:17 index.txt.attr.old
-rw-r--r-- 1 root root  334 Oct 29 11:17 index.txt.old
drwxr-xr-x 2 root root   48 Oct 29 11:17 newcerts
drwxr-xr-x 2 root root   23 Oct 29 09:23 private
-rw-r--r-- 1 root root    3 Oct 29 11:17 serial
-rw-r--r-- 1 root root    3 Oct 29 11:14 serial.old
[root@cent8 CA]#pwd
/etc/pki/CA
[root@cent8 CA]#cd crl/
[root@cent8 crl]#ll
total 0
[root@cent8 crl]#cd ..
[root@cent8 CA]#cat /etc/pki/CA/crlnumber
02
[root@cent8 CA]#cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
MIIB+DCB4QIBATANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCQ04xETAPBgNV
BAgMCGxpYW9uaW5nMREwDwYDVQQHDAhzaGVueWFuZzENMAsGA1UECgwEbWVuZzEP
MA0GA1UECwwGZGV2b3BzMRQwEgYDVQQDDAtjYS5tZW5nLmNvbTEdMBsGCSqGSIb3
DQEJARYOYWRtaW5AbWVuZy5jb20XDTIxMTAyOTAzMjE0MloXDTIxMTEyODAzMjE0
MlowFDASAgEQFw0yMTEwMjkwMzIxMDdaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG
9w0BAQsFAAOCAQEAvIhz86qREujUnkuR2iEMgEbgUbMtNa8Rk4b32kUQdMhrg7Q6
EhPBpj3GpryOrGr46yA9I3jRcMC0RXf98tAMU7NEWjkNaEg2QEsF5yZZ6RpkSriR
WZeqD/3jg+k8+BOiLFUYdwSLa2rOm3dWeQtQGI3g9bBW3J78WpHzzK7hiKE09BU7
UBqgLjgTFI5b+u2YgAjYqgLqi2ACG4222GdeUxKZJldWLxyxYQ5ipSp1JhA7kA0m
4BgCcQa0G0MJQPeO7LHK/y7JD/Wpo0A6GgR8ONMu6h0WMPo5PsQgTfrEURQsFKCf
QvbSp6LtQPl970sUNItNNWzBAF1L/qP4QAXKfw==
-----END X509 CRL-----
[root@cent8 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
        Last Update: Oct 29 03:21:42 2021 GMT
        Next Update: Nov 28 03:21:42 2021 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 10
        Revocation Date: Oct 29 03:21:07 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
         bc:88:73:f3:aa:91:12:e8:d4:9e:4b:91:da:21:0c:80:46:e0:
         51:b3:2d:35:af:11:93:86:f7:da:45:10:74:c8:6b:83:b4:3a:
         12:13:c1:a6:3d:c6:a6:bc:8e:ac:6a:f8:eb:20:3d:23:78:d1:
         70:c0:b4:45:77:fd:f2:d0:0c:53:b3:44:5a:39:0d:68:48:36:
         40:4b:05:e7:26:59:e9:1a:64:4a:b8:91:59:97:aa:0f:fd:e3:
         83:e9:3c:f8:13:a2:2c:55:18:77:04:8b:6b:6a:ce:9b:77:56:
         79:0b:50:18:8d:e0:f5:b0:56:dc:9e:fc:5a:91:f3:cc:ae:e1:
         88:a1:34:f4:15:3b:50:1a:a0:2e:38:13:14:8e:5b:fa:ed:98:
         80:08:d8:aa:02:ea:8b:60:02:1b:8d:b6:d8:67:5e:53:12:99:
         26:57:56:2f:1c:b1:61:0e:62:a5:2a:75:26:10:3b:90:0d:26:
         e0:18:02:71:06:b4:1b:43:09:40:f7:8e:ec:b1:ca:ff:2e:c9:
         0f:f5:a9:a3:40:3a:1a:04:7c:38:d3:2e:ea:1d:16:30:fa:39:
         3e:c4:20:4d:fa:c4:51:14:2c:14:a0:9f:42:f6:d2:a7:a2:ed:
         40:f9:7d:ef:4b:14:34:8b:4d:35:6c:c1:00:5d:4b:fe:a3:f8:
         40:05:ca:7f
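The status check in section 6 (`openssl ca -status 0F`), the "already a certificate" error in section 7 and the revocation above all come down to the text database /etc/pki/CA/index.txt. The following added example (not code from the original post, and it does not call OpenSSL) parses that database and reproduces from it what `openssl ca -status` and `openssl ca -gencrl` report, then adds two audit checks a CA operator wants: V rows that have quietly passed their expiry, and subjects that would collide under the unique_subject rule. The sample database is constructed from the three rows shown above after revoking serial 10; the real file is tab-separated. The claim that index.txt.attr holds `unique_subject = yes` is an assumption based on stock openssl behaviour.

```python
"""Audit the `openssl ca` text database, /etc/pki/CA/index.txt.

Added example, not code from the original post. It reads the database the
post inspects with cat and derives from it what `openssl ca -status` and
`openssl ca -gencrl` print, plus two operator checks.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample: the post's index.txt after `openssl ca -revoke newcerts/10.pem`.
# Columns: status, expiry, revocation time (empty unless R), serial, file name, subject.
INDEX_TXT = (
    "V\t240725024333Z\t\t0F\tunknown\t/C=CN/ST=liaoning/O=meng/OU=it"
    "/CN=app1.meng.com/emailAddress=root@meng.com\n"
    "R\t240725031400Z\t211029032107Z\t10\tunknown\t/C=CN/ST=liaoning/L=shenyang"
    "/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com\n"
    "V\t240725031741Z\t\t11\tunknown\t/C=US/ST=newyork/L=newyork/O=meng"
    "/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com\n"
)

STATUS_NAMES = {"V": "Valid", "R": "Revoked", "E": "Expired"}


@dataclass
class Entry:
    status: str                  # V, R or E
    expires: datetime
    revoked: Optional[datetime]  # set only on R rows
    serial: str                  # uppercase hex, as openssl writes it
    filename: str                # 'unknown' unless the CA records file names
    subject: str                 # slash-separated DN


def parse_time(stamp: str) -> datetime:
    """openssl ca stores UTCTime as YYMMDDHHMMSSZ."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt row: {line!r}")
        status, exp, rev, serial, fname, subject = fields
        entries.append(Entry(status, parse_time(exp),
                             parse_time(rev) if rev else None,
                             serial.upper(), fname, subject))
    return entries


def status_of(entries: List[Entry], serial: str) -> Optional[str]:
    """What `openssl ca -status SERIAL` prints: it reads the stored flag and
    does not re-check the expiry date. None when the serial is not in the DB."""
    for e in entries:
        if e.serial == serial.upper():
            return STATUS_NAMES.get(e.status, e.status)
    return None


def crl_entries(entries: List[Entry]) -> List[Tuple[str, datetime]]:
    """(serial, revocation time) pairs that `openssl ca -gencrl` lists in the CRL."""
    return [(e.serial, e.revoked) for e in entries if e.status == "R"]


def stale_valid(entries: List[Entry], now: datetime) -> List[str]:
    """Serials still flagged V although past expiry (what `openssl ca -updatedb` flips to E)."""
    return [e.serial for e in entries if e.status == "V" and e.expires <= now]


def duplicate_subjects(entries: List[Entry]) -> List[str]:
    """Subjects shared by more than one V row. Assumption: index.txt.attr holds
    unique_subject = yes, so the CA refuses a CSR whose exact subject string
    already has a V row; the post's second app1 certificate was accepted only
    because policy_anything added L=shenyang and so changed that string."""
    seen, dups = set(), []
    for e in entries:
        if e.status != "V":
            continue
        if e.subject in seen and e.subject not in dups:
            dups.append(e.subject)
        seen.add(e.subject)
    return dups


if __name__ == "__main__":
    db = parse_index(INDEX_TXT)
    for serial in ("0F", "10", "11", "12"):
        print(f"{serial}={status_of(db, serial)}")
    for serial, when in crl_entries(db):
        print(f"CRL: serial {serial} revoked {when:%b %d %H:%M:%S %Y} GMT")
    print("expired but still V:", stale_valid(db, datetime.now(timezone.utc)))
    print("duplicate subjects:", duplicate_subjects(db))
```

Run against the sample, the CRL entry comes out as serial 10 revoked at Oct 29 03:21:07 2021 GMT, which is exactly what `openssl crl -text` printed above, and the two remaining V rows are reported as stale once the clock passes their July 2024 expiry, which the plain `-status` flag would not tell you.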

Tags: cent8, certificate, CA, pki, etc, meng, root, CentOS8
Source: https://blog.csdn.net/mandarin_meng/article/details/121031410