CentOS 8: Creating a private CA certificate server, issuing certificates, and revoking certificates
Author: Internet
- 1. Create the CA directories and files
- 2. Create the CA private key
- 3. Issue the CA a self-signed certificate
- 4. Generate the user's private key and certificate request
- 5. Issue the certificate with the CA
- 6. View the certificate
- 7. Modify the configuration file to allow cross-country issuance and multiple certificates from one CSR
- 8. Revoke a certificate
1. Create the CA directories and files
[root@cent8 yum.repos.d]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@cent8 yum.repos.d]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
The index.txt and serial files are used when issuing certificates; if they are missing, openssl ca fails with an error at issuance time.
[root@cent8 yum.repos.d]#touch /etc/pki/CA/index.txt
[root@cent8 yum.repos.d]#
[root@cent8 yum.repos.d]#echo 0F > /etc/pki/CA/serial
2. Create the CA private key
[root@cent8 yum.repos.d]#cd /etc/pki/CA/
[root@cent8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
.+++++
e is 65537 (0x010001)
[root@cent8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@cent8 CA]#ll private/
total 4
-rw------- 1 root root 1679 Oct 29 09:23 cakey.pem
[root@cent8 CA]#cat private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
3. Issue the CA a self-signed certificate
[root@cent8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days
req: Option -days needs a value
req: Use -help for summary.
[root@cent8 CA]#3650 -out /etc/pki/CA/cacert.pem^C
[root@cent8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:meng
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.meng.com
Email Address []:admin@meng.com
[root@cent8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@cent8 CA]#cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIID8zCCAtugAwIBAgIUT8GfrrRWZaBNQNxvOlDToATIc6MwDQYJKoZIhvcNAQEL
BQAwgYgxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhsaWFvbmluZzERMA8GA1UEBwwI
c2hlbnlhbmcxDTALBgNVBAoMBG1lbmcxDzANBgNVBAsMBmRldm9wczEUMBIGA1UE
AwwLY2EubWVuZy5jb20xHTAbBgkqhkiG9w0BCQEWDmFkbWluQG1lbmcuY29tMB4X
DTIxMTAyOTAxMjYwMloXDTMxMTAyNzAxMjYwMlowgYgxCzAJBgNVBAYTAkNOMREw
DwYDVQQIDAhsaWFvbmluZzERMA8GA1UEBwwIc2hlbnlhbmcxDTALBgNVBAoMBG1l
bmcxDzANBgNVBAsMBmRldm9wczEUMBIGA1UEAwwLY2EubWVuZy5jb20xHTAbBgkq
hkiG9w0BCQEWDmFkbWluQG1lbmcuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA+ekx0EfAl4THKF9nn7R6Ix4EKVlrMs/igtYALsEgkVN0EL3RSaNq
+r6FGrgUncB7BuNJZRcQfuJ/7WZHkbUyeVto4Ik3WGpMLwWb3nALesuVbA4KIekk
iBFPpZsl423WRoom82hbkqsEJRLZfC/kblvbj5mEwbrQbgnefc7r60K+H71sLU1f
PFnpRDfy8vMVcUnlux9Vu4Xl2ArOL04rf7VEe0TsYjMcwsZ5wynmJe4+iRQ0u9wo
pyOfFb5VKZU9jdVC2iYwuOrzJwNTDbgDen91hOkZr1fNvA/IDyNsSMfzvPSW8gcf
ag2GoGQ3/vQOs/IrfXBN5NvHjpM/YJn/WQIDAQABo1MwUTAdBgNVHQ4EFgQUQQ1K
FrP++kt1TzTIDy4zM90G4T0wHwYDVR0jBBgwFoAUQQ1KFrP++kt1TzTIDy4zM90G
4T0wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZ8wc75lFWTJQ
qkfkc+P6mPQ29m5p+NiG/kEnEbA7rGWa2l1u9WMVqLTTq/hZGz5UCQK1HOkrGUY4
TLn/9xzKACQSCI6j2G8LhU8Qu/lZuiFonN5F41y6lHG9OasaII1kZ6yXL3gheBvV
pWIYDZgzrzMvl+tgG+Wr+vyk6Ra2Di+npoEdz/LqKx8VT2dgTueIN12sqNt+ZIt+
je4FDjWFFTBhlIfO/mCCe1B6KBqfvkPymp2vM77aDGIH2DxzOG/IvrSfhTaHk54f
DHAoZ0iRntgsMrJuDp6N7dvaJMay6MxPlUqLfG4IApUkBZoSOEPH2E+IH5AO068X
VvQIg/ULTQ==
-----END CERTIFICATE-----
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4f:c1:9f:ae:b4:56:65:a0:4d:40:dc:6f:3a:50:d3:a0:04:c8:73:a3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
Validity
Not Before: Oct 29 01:26:02 2021 GMT
Not After : Oct 27 01:26:02 2031 GMT
Subject: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:f9:e9:31:d0:47:c0:97:84:c7:28:5f:67:9f:b4:
7a:23:1e:04:29:59:6b:32:cf:e2:82:d6:00:2e:c1:
20:91:53:74:10:bd:d1:49:a3:6a:fa:be:85:1a:b8:
14:9d:c0:7b:06:e3:49:65:17:10:7e:e2:7f:ed:66:
47:91:b5:32:79:5b:68:e0:89:37:58:6a:4c:2f:05:
9b:de:70:0b:7a:cb:95:6c:0e:0a:21:e9:24:88:11:
4f:a5:9b:25:e3:6d:d6:46:8a:26:f3:68:5b:92:ab:
04:25:12:d9:7c:2f:e4:6e:5b:db:8f:99:84:c1:ba:
d0:6e:09:de:7d:ce:eb:eb:42:be:1f:bd:6c:2d:4d:
5f:3c:59:e9:44:37:f2:f2:f3:15:71:49:e5:bb:1f:
55:bb:85:e5:d8:0a:ce:2f:4e:2b:7f:b5:44:7b:44:
ec:62:33:1c:c2:c6:79:c3:29:e6:25:ee:3e:89:14:
34:bb:dc:28:a7:23:9f:15:be:55:29:95:3d:8d:d5:
42:da:26:30:b8:ea:f3:27:03:53:0d:b8:03:7a:7f:
75:84:e9:19:af:57:cd:bc:0f:c8:0f:23:6c:48:c7:
f3:bc:f4:96:f2:07:1f:6a:0d:86:a0:64:37:fe:f4:
0e:b3:f2:2b:7d:70:4d:e4:db:c7:8e:93:3f:60:99:
ff:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
X509v3 Authority Key Identifier:
keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
67:cc:1c:ef:99:45:59:32:50:aa:47:e4:73:e3:fa:98:f4:36:
f6:6e:69:f8:d8:86:fe:41:27:11:b0:3b:ac:65:9a:da:5d:6e:
f5:63:15:a8:b4:d3:ab:f8:59:1b:3e:54:09:02:b5:1c:e9:2b:
19:46:38:4c:b9:ff:f7:1c:ca:00:24:12:08:8e:a3:d8:6f:0b:
85:4f:10:bb:f9:59:ba:21:68:9c:de:45:e3:5c:ba:94:71:bd:
39:ab:1a:20:8d:64:67:ac:97:2f:78:21:78:1b:d5:a5:62:18:
0d:98:33:af:33:2f:97:eb:60:1b:e5:ab:fa:fc:a4:e9:16:b6:
0e:2f:a7:a6:81:1d:cf:f2:ea:2b:1f:15:4f:67:60:4e:e7:88:
37:5d:ac:a8:db:7e:64:8b:7e:8d:ee:05:0e:35:85:15:30:61:
94:87:ce:fe:60:82:7b:50:7a:28:1a:9f:be:43:f2:9a:9d:af:
33:be:da:0c:62:07:d8:3c:73:38:6f:c8:be:b4:9f:85:36:87:
93:9e:1f:0c:70:28:67:48:91:9e:d8:2c:32:b2:6e:0e:9e:8d:
ed:db:da:24:c6:b2:e8:cc:4f:95:4a:8b:7c:6e:08:02:95:24:
05:9a:12:38:43:c7:d8:4f:88:1f:90:0e:d3:af:17:56:f4:08:
83:f5:0b:4d
[root@cent8 CA]#ll
total 8
-rw-r--r-- 1 root root 1432 Oct 29 09:26 cacert.pem
drwxr-xr-x 2 root root 6 Oct 29 09:21 certs
drwxr-xr-x 2 root root 6 Oct 29 09:21 crl
-rw-r--r-- 1 root root 0 Oct 29 09:22 index.txt
drwxr-xr-x 2 root root 6 Oct 29 09:21 newcerts
drwxr-xr-x 2 root root 23 Oct 29 09:23 private
-rw-r--r-- 1 root root 3 Oct 29 09:22 serial
[root@cent8 CA]#pwd
/etc/pki/CA
# Copy cacert.pem to Windows, rename it to cacert.pem.crt, and double-click it to view the certificate
4. Generate the user's private key and certificate request
[root@cent8 CA]#mkdir /data/app1
[root@cent8 CA]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
........................................................................+++++
e is 65537 (0x010001)
[root@cent8 CA]#cat /data/app1/app1.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Generate the certificate signing request (CSR):
[root@cent8 CA]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:meng
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.meng.com
Email Address []:root@meng.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cent8 CA]#ll /data/app1
total 8
-rw-r--r-- 1 root root 1045 Oct 29 10:41 app1.csr
-rw------- 1 root root 1675 Oct 29 10:40 app1.key
By default three fields must match the CA certificate: country, state/province and organization (the policy_match section of openssl.cnf). If they differ, openssl ca reports an error.
5. Issue the certificate with the CA
[root@cent8 CA]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Oct 29 02:43:33 2021 GMT
Not After : Jul 25 02:43:33 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = liaoning
organizationName = meng
organizationalUnitName = it
commonName = app1.meng.com
emailAddress = root@meng.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
X509v3 Authority Key Identifier:
keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
Certificate is to be certified until Jul 25 02:43:33 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cent8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
6. View the certificate
[root@cent8 CA]#cat /etc/pki/CA/certs/app1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=liaoning, L=shenyang, O=meng, OU=devops, CN=ca.meng.com/emailAddress=admin@meng.com
Validity
Not Before: Oct 29 02:43:33 2021 GMT
Not After : Jul 25 02:43:33 2024 GMT
Subject: C=CN, ST=liaoning, O=meng, OU=it, CN=app1.meng.com/emailAddress=root@meng.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ba:0e:36:b1:72:61:66:af:91:48:10:13:75:c8:
63:72:27:75:89:39:49:e6:d1:63:ac:d3:d5:08:15:
4e:6f:cc:77:5e:0e:84:4d:42:3d:54:f0:53:57:36:
4e:b5:2f:cf:23:f4:91:ce:31:41:9c:35:eb:f9:42:
80:32:a1:11:0b:46:9a:0c:74:20:50:5e:24:e7:10:
3c:f6:07:73:16:2d:70:6c:db:2d:45:7e:0a:16:8a:
6b:a2:e0:de:ef:ea:fa:67:c5:34:3c:87:0c:24:21:
9e:82:cb:0f:10:d0:2a:a6:84:99:82:66:90:bb:74:
f4:94:b8:e9:88:e7:e6:56:b4:ec:94:8e:34:78:69:
27:a4:c3:d8:a9:1b:e6:29:e5:51:b4:af:b7:13:b1:
a1:cc:60:88:22:26:6d:44:e6:a6:e7:9c:5f:53:20:
5a:89:66:1b:45:e5:71:60:c7:55:76:06:7b:c6:de:
5a:12:b0:07:88:14:2a:96:82:29:e4:66:69:28:fc:
2f:03:2b:2f:bf:0d:f2:12:1d:23:b7:cb:b8:36:d2:
7c:b2:15:f6:8d:cf:77:52:56:55:c5:a2:33:2c:db:
d0:82:c3:59:fb:3a:61:bf:8e:7a:d3:c0:fc:bb:99:
9d:75:d5:c4:ff:da:f6:16:5c:f8:47:02:c6:8f:6e:
cd:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
X509v3 Authority Key Identifier:
keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
Signature Algorithm: sha256WithRSAEncryption
d4:fc:3c:ee:28:03:83:be:1b:49:51:43:22:cd:e6:3f:75:d4:
89:8d:84:36:53:5e:f4:46:f9:49:ef:97:f8:af:a3:d5:ea:1d:
cf:44:e8:47:86:9d:b2:e5:80:90:d3:5d:aa:ae:75:fc:72:62:
6b:ab:75:ba:0e:b3:0d:b3:17:b3:25:05:8e:d4:48:40:10:bb:
73:79:e5:35:da:0b:e4:99:3f:04:bb:c3:2b:5d:bd:b7:48:d7:
af:b6:59:62:e2:4f:58:68:16:39:1a:7e:de:3a:c8:10:a8:ad:
67:8a:9b:b5:6b:2f:48:66:63:e7:99:bd:72:83:32:37:7a:89:
0e:fd:fb:33:ca:19:ad:e3:69:0e:f3:b7:08:8a:ec:6c:e2:a6:
fe:cc:15:8c:e0:a4:7f:13:a0:09:f7:fc:d6:56:4b:8f:b9:54:
ff:7c:95:19:25:1b:25:4c:f1:1f:f5:a3:7c:51:19:4c:87:f3:
51:15:3f:09:d0:65:cc:9d:59:ed:46:6c:e4:79:bf:e4:19:99:
42:ee:90:0d:87:ec:2f:1f:f5:9a:45:65:3c:a1:85:49:a5:ca:
6b:7e:6f:fe:b6:31:99:47:4c:ed:f5:23:92:14:d5:69:b4:7b:
0a:ae:90:7e:d4:9f:7b:db:a0:5b:90:6e:c7:1d:13:55:d1:f3:
8e:cb:ae:9d
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
Validity
Not Before: Oct 29 02:43:33 2021 GMT
Not After : Jul 25 02:43:33 2024 GMT
Subject: C = CN, ST = liaoning, O = meng, OU = it, CN = app1.meng.com, emailAddress = root@meng.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ba:0e:36:b1:72:61:66:af:91:48:10:13:75:c8:
63:72:27:75:89:39:49:e6:d1:63:ac:d3:d5:08:15:
4e:6f:cc:77:5e:0e:84:4d:42:3d:54:f0:53:57:36:
4e:b5:2f:cf:23:f4:91:ce:31:41:9c:35:eb:f9:42:
80:32:a1:11:0b:46:9a:0c:74:20:50:5e:24:e7:10:
3c:f6:07:73:16:2d:70:6c:db:2d:45:7e:0a:16:8a:
6b:a2:e0:de:ef:ea:fa:67:c5:34:3c:87:0c:24:21:
9e:82:cb:0f:10:d0:2a:a6:84:99:82:66:90:bb:74:
f4:94:b8:e9:88:e7:e6:56:b4:ec:94:8e:34:78:69:
27:a4:c3:d8:a9:1b:e6:29:e5:51:b4:af:b7:13:b1:
a1:cc:60:88:22:26:6d:44:e6:a6:e7:9c:5f:53:20:
5a:89:66:1b:45:e5:71:60:c7:55:76:06:7b:c6:de:
5a:12:b0:07:88:14:2a:96:82:29:e4:66:69:28:fc:
2f:03:2b:2f:bf:0d:f2:12:1d:23:b7:cb:b8:36:d2:
7c:b2:15:f6:8d:cf:77:52:56:55:c5:a2:33:2c:db:
d0:82:c3:59:fb:3a:61:bf:8e:7a:d3:c0:fc:bb:99:
9d:75:d5:c4:ff:da:f6:16:5c:f8:47:02:c6:8f:6e:
cd:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
X509v3 Authority Key Identifier:
keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
Signature Algorithm: sha256WithRSAEncryption
d4:fc:3c:ee:28:03:83:be:1b:49:51:43:22:cd:e6:3f:75:d4:
89:8d:84:36:53:5e:f4:46:f9:49:ef:97:f8:af:a3:d5:ea:1d:
cf:44:e8:47:86:9d:b2:e5:80:90:d3:5d:aa:ae:75:fc:72:62:
6b:ab:75:ba:0e:b3:0d:b3:17:b3:25:05:8e:d4:48:40:10:bb:
73:79:e5:35:da:0b:e4:99:3f:04:bb:c3:2b:5d:bd:b7:48:d7:
af:b6:59:62:e2:4f:58:68:16:39:1a:7e:de:3a:c8:10:a8:ad:
67:8a:9b:b5:6b:2f:48:66:63:e7:99:bd:72:83:32:37:7a:89:
0e:fd:fb:33:ca:19:ad:e3:69:0e:f3:b7:08:8a:ec:6c:e2:a6:
fe:cc:15:8c:e0:a4:7f:13:a0:09:f7:fc:d6:56:4b:8f:b9:54:
ff:7c:95:19:25:1b:25:4c:f1:1f:f5:a3:7c:51:19:4c:87:f3:
51:15:3f:09:d0:65:cc:9d:59:ed:46:6c:e4:79:bf:e4:19:99:
42:ee:90:0d:87:ec:2f:1f:f5:9a:45:65:3c:a1:85:49:a5:ca:
6b:7e:6f:fe:b6:31:99:47:4c:ed:f5:23:92:14:d5:69:b4:7b:
0a:ae:90:7e:d4:9f:7b:db:a0:5b:90:6e:c7:1d:13:55:d1:f3:
8e:cb:ae:9d
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -issuer
issuer=C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -subject
subject=C = CN, ST = liaoning, O = meng, OU = it, CN = app1.meng.com, emailAddress = root@meng.com
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -dates
notBefore=Oct 29 02:43:33 2021 GMT
notAfter=Jul 25 02:43:33 2024 GMT
[root@cent8 CA]#openssl x509 -in /etc/pki/CA/certs/app1.crt -noout -serial
serial=0F
Check the validity of the certificate with a given serial number:
[root@cent8 CA]#cat /etc/pki/CA/index.txt
V 240725024333Z 0F unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
[root@cent8 CA]#openssl ca -status 0F
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
[root@cent8 CA]#cat /etc/pki/CA/index.txt.old
[root@cent8 CA]#cat /etc/pki/CA/serial
10
[root@cent8 CA]#cat /etc/pki/CA/serial.old
0F
[root@cent8 CA]#ll
total 20
-rw-r--r-- 1 root root 1432 Oct 29 09:26 cacert.pem
drwxr-xr-x 2 root root 22 Oct 29 10:43 certs
drwxr-xr-x 2 root root 6 Oct 29 09:21 crl
-rw-r--r-- 1 root root 103 Oct 29 10:43 index.txt
-rw-r--r-- 1 root root 21 Oct 29 10:43 index.txt.attr
-rw-r--r-- 1 root root 0 Oct 29 09:22 index.txt.old
drwxr-xr-x 2 root root 20 Oct 29 10:43 newcerts
drwxr-xr-x 2 root root 23 Oct 29 09:23 private
-rw-r--r-- 1 root root 3 Oct 29 10:43 serial
-rw-r--r-- 1 root root 3 Oct 29 09:22 serial.old
[root@cent8 CA]#cd certs/
[root@cent8 certs]#ll
total 8
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
[root@cent8 certs]#pwd
/etc/pki/CA/certs
[root@cent8 certs]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@cent8 certs]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
After importing the root certificate, the app1 certificate is shown as chaining to a trusted root.
Generating a new certificate from the existing CSR fails, so /etc/pki/tls/openssl.cnf has to be modified so that one CSR can yield several certificates and certificates can be issued across countries.
[root@cent8 certs]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
The matching entry has the following details
Type :Valid
Expires on :240725024333Z
Serial Number :0F
File name :unknown
Subject Name :/C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V 240725024333Z 0F unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
7. Modify the configuration file to allow cross-country issuance and multiple certificates from one CSR
[root@cent8 certs]#cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.old
[root@cent8 certs]#vim /etc/pki/tls/openssl.cnf
#policy = policy_match
policy = policy_anything
[root@cent8 certs]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1-new.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 16 (0x10)
Validity
Not Before: Oct 29 03:14:00 2021 GMT
Not After : Jul 25 03:14:00 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = liaoning
localityName = shenyang
organizationName = meng
organizationalUnitName = it
commonName = app1.meng.com
emailAddress = root@meng.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:6A:1B:74:DB:6E:4B:47:35:2F:C9:31:F9:3D:FF:2D:6B:D9:DF:B8
X509v3 Authority Key Identifier:
keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
Certificate is to be certified until Jul 25 03:14:00 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V 240725024333Z 0F unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V 240725031400Z 10 unknown /C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
[root@cent8 certs]#mkdir /data/app2 -p
[root@cent8 certs]#(umask 066; openssl genrsa -out /data/app2/app2.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................................................................+++++
...........................+++++
e is 65537 (0x010001)
[root@cent8 certs]#openssl req -new -key /data/app2/app2.key -out /data/app2/app2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:newyork
Locality Name (eg, city) [Default City]:newyork
Organization Name (eg, company) [Default Company Ltd]:meng
Organizational Unit Name (eg, section) []:sales
Common Name (eg, your name or your server's hostname) []:sales.meng.com
Email Address []:sales@meng.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cent8 certs]#ll
total 16
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
-rw-r--r-- 1 root root 4643 Oct 29 11:14 app1-new.crt
[root@cent8 certs]#openssl ca -in /data/app2/app2.csr -out /etc/pki/CA/certs/app2.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17 (0x11)
Validity
Not Before: Oct 29 03:17:41 2021 GMT
Not After : Jul 25 03:17:41 2024 GMT
Subject:
countryName = US
stateOrProvinceName = newyork
localityName = newyork
organizationName = meng
organizationalUnitName = sales
commonName = sales.meng.com
emailAddress = sales@meng.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BC:D2:DB:77:5E:C7:91:30:04:22:8A:24:72:80:73:02:C1:0D:89:FB
X509v3 Authority Key Identifier:
keyid:41:0D:4A:16:B3:FE:FA:4B:75:4F:34:C8:0F:2E:33:33:DD:06:E1:3D
Certificate is to be certified until Jul 25 03:17:41 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cent8 certs]#ll
total 24
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
-rw-r--r-- 1 root root 4643 Oct 29 11:14 app1-new.crt
-rw-r--r-- 1 root root 4650 Oct 29 11:17 app2.crt
[root@cent8 certs]#cp app2.crt /data/app2/
[root@cent8 certs]#pwd
/etc/pki/CA/certs
[root@cent8 certs]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ ├── app1-new.crt
│ └── app2.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 0F.pem
│ ├── 10.pem
│ └── 11.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 14 files
8. Revoke a certificate
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V 240725024333Z 0F unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V 240725031400Z 10 unknown /C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V 240725031741Z 11 unknown /C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com
[root@cent8 certs]#openssl ca -revoke /etc/pki/CA/newcerts/10.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 10.
Data Base Updated
[root@cent8 certs]#cat /etc/pki/CA/index.txt
V 240725024333Z 0F unknown /C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
R 240725031400Z 211029032107Z 10 unknown /C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com
V 240725031741Z 11 unknown /C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com
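As an added example (not part of the original post), the shell functions below audit a CA's index.txt offline. This is the file that section 6's openssl ca -status reads and that the R rows above were written to; its six tab-separated columns are status (V, R or E), expiry, revocation time with an optional ,reason suffix, serial, file name and subject DN. Dates are UTCTime (YYMMDDHHMMSSZ) until 2049 and GeneralizedTime (YYYYMMDDHHMMSSZ) after that, so both are normalised to four-digit years before comparing. The sample rows are the three lines just shown plus one constructed row with a revocation reason and a post-2049 expiry; the reference time is passed in rather than read from the clock so the output is reproducible.

```shell
#!/bin/sh
# Added example, not code from the original post: offline audit of a CA's
# index.txt. Only POSIX sh and awk are assumed.

# Print one line per entry: "<serial> <valid|revoked|expired> <detail> <CN>".
# $1 = index.txt path, $2 = reference time (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ).
# Fixed-width, year-normalised timestamps compare correctly as plain strings.
index_report() {
    awk -F'\t' -v now="$2" '
    function norm(t) {            # 13-char UTCTime -> 15-char GeneralizedTime
        if (length(t) == 13) return (substr(t, 1, 2) + 0 < 50 ? "20" : "19") t
        return t
    }
    BEGIN { now = norm(now) }
    NF < 6 { next }               # skip blank or malformed rows
    {
        split($3, rev, ",")       # revocation time and optional reason
        cn = "-"
        if (match($6, "/CN=[^/]*")) cn = substr($6, RSTART + 4, RLENGTH - 4)
        if ($1 == "R")
            st = "revoked " norm(rev[1]) (rev[2] != "" ? " reason=" rev[2] : "")
        else if ($1 == "E" || norm($2) < now)
            st = "expired " norm($2)   # V rows only become E when "openssl ca -updatedb" runs
        else
            st = "valid until " norm($2)
        print $4, st, cn
    }' "$1"
}

# Status word (valid, revoked or expired) of serial $2 in index $1 at time $3.
entry_status() {
    index_report "$1" "$3" | awk -v s="$2" '$1 == s { print $2 }'
}

# Rows 1-3 are the post's index.txt after revoking serial 10; row 4 is
# constructed here to exercise a revocation reason and a post-2049 expiry.
write_sample_index() {  # $1 = output path
    printf 'V\t240725024333Z\t\t0F\tunknown\t/C=CN/ST=liaoning/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com\n' > "$1"
    printf 'R\t240725031400Z\t211029032107Z\t10\tunknown\t/C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com/emailAddress=root@meng.com\n' >> "$1"
    printf 'V\t240725031741Z\t\t11\tunknown\t/C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com/emailAddress=sales@meng.com\n' >> "$1"
    printf 'R\t20500101000000Z\t211101120000Z,keyCompromise\t12\tunknown\t/C=CN/O=meng/CN=test.meng.com\n' >> "$1"
}

sample=$(mktemp)
write_sample_index "$sample"
echo "--- as of 2022-01-01 ---"; index_report "$sample" 220101000000Z
echo "--- as of 2025-01-01 ---"; index_report "$sample" 250101000000Z
rm -f "$sample"
```

Pointing index_report at a real /etc/pki/CA/index.txt with the current time (date -u +%y%m%d%H%M%SZ) gives the same view as openssl ca -status for every serial at once, including certificates that have expired but were never flipped to E because -updatedb was never run.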
[root@cent8 certs]#echo 01 > /etc/pki/CA/crlnumber
[root@cent8 certs]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
[root@cent8 certs]#tree /etc/pki/CA/
/etc/pki/CA/
├── cacert.pem
├── certs
│ ├── app1.crt
│ ├── app1-new.crt
│ └── app2.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│ ├── 0F.pem
│ ├── 10.pem
│ └── 11.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 17 files
[root@cent8 certs]#ll
total 24
-rw-r--r-- 1 root root 4602 Oct 29 10:43 app1.crt
-rw-r--r-- 1 root root 4643 Oct 29 11:14 app1-new.crt
-rw-r--r-- 1 root root 4650 Oct 29 11:17 app2.crt
[root@cent8 certs]#cd ..
[root@cent8 CA]#ll
total 40
-rw-r--r-- 1 root root 1432 Oct 29 09:26 cacert.pem
drwxr-xr-x 2 root root 58 Oct 29 11:17 certs
drwxr-xr-x 2 root root 6 Oct 29 09:21 crl
-rw-r--r-- 1 root root 3 Oct 29 11:21 crlnumber
-rw-r--r-- 1 root root 3 Oct 29 11:21 crlnumber.old
-rw-r--r-- 1 root root 739 Oct 29 11:21 crl.pem
-rw-r--r-- 1 root root 347 Oct 29 11:21 index.txt
-rw-r--r-- 1 root root 21 Oct 29 11:21 index.txt.attr
-rw-r--r-- 1 root root 21 Oct 29 11:17 index.txt.attr.old
-rw-r--r-- 1 root root 334 Oct 29 11:17 index.txt.old
drwxr-xr-x 2 root root 48 Oct 29 11:17 newcerts
drwxr-xr-x 2 root root 23 Oct 29 09:23 private
-rw-r--r-- 1 root root 3 Oct 29 11:17 serial
-rw-r--r-- 1 root root 3 Oct 29 11:14 serial.old
[root@cent8 CA]#pwd
/etc/pki/CA
[root@cent8 CA]#cd crl/
[root@cent8 crl]#ll
total 0
[root@cent8 crl]#cd ..
[root@cent8 CA]#cat /etc/pki/CA/crlnumber
02
[root@cent8 CA]#cat /etc/pki/CA/crl.pem
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
[root@cent8 CA]#openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = liaoning, L = shenyang, O = meng, OU = devops, CN = ca.meng.com, emailAddress = admin@meng.com
Last Update: Oct 29 03:21:42 2021 GMT
Next Update: Nov 28 03:21:42 2021 GMT
CRL extensions:
X509v3 CRL Number:
1
Revoked Certificates:
Serial Number: 10
Revocation Date: Oct 29 03:21:07 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
bc:88:73:f3:aa:91:12:e8:d4:9e:4b:91:da:21:0c:80:46:e0:
51:b3:2d:35:af:11:93:86:f7:da:45:10:74:c8:6b:83:b4:3a:
12:13:c1:a6:3d:c6:a6:bc:8e:ac:6a:f8:eb:20:3d:23:78:d1:
70:c0:b4:45:77:fd:f2:d0:0c:53:b3:44:5a:39:0d:68:48:36:
40:4b:05:e7:26:59:e9:1a:64:4a:b8:91:59:97:aa:0f:fd:e3:
83:e9:3c:f8:13:a2:2c:55:18:77:04:8b:6b:6a:ce:9b:77:56:
79:0b:50:18:8d:e0:f5:b0:56:dc:9e:fc:5a:91:f3:cc:ae:e1:
88:a1:34:f4:15:3b:50:1a:a0:2e:38:13:14:8e:5b:fa:ed:98:
80:08:d8:aa:02:ea:8b:60:02:1b:8d:b6:d8:67:5e:53:12:99:
26:57:56:2f:1c:b1:61:0e:62:a5:2a:75:26:10:3b:90:0d:26:
e0:18:02:71:06:b4:1b:43:09:40:f7:8e:ec:b1:ca:ff:2e:c9:
0f:f5:a9:a3:40:3a:1a:04:7c:38:d3:2e:ea:1d:16:30:fa:39:
3e:c4:20:4d:fa:c4:51:14:2c:14:a0:9f:42:f6:d2:a7:a2:ed:
40:f9:7d:ef:4b:14:34:8b:4d:35:6c:c1:00:5d:4b:fe:a3:f8:
40:05:ca:7f
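The whole workflow of sections 1 to 8, as an added example that is not code from the original post: it replaces the interactive prompts with -subj and -batch and uses a private openssl.cnf in a scratch directory, so nothing under /etc/pki is touched. The only assumption is an openssl CLI (1.1.1 or 3.x) on PATH; every path and subject below is chosen for the demo. It also reproduces why section 7 worked: policy_match silently drops localityName (the first app1 entry in index.txt has no L=), while policy_anything keeps it, so the second certificate from the same CSR has a different subject and passes the unique_subject check. The policy switch alone would not let an identical subject be signed twice; that needs unique_subject = no.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 1-8 run
# non-interactively (-subj, -batch) with a private openssl.cnf in a scratch
# directory. Assumes only the openssl CLI (1.1.1 or 3.x) on PATH; every path
# and subject below is chosen for the demo.
# Sections 1-3: directory layout, minimal config, CA key and self-signed cert.
setup_ca() {  # $1 = CA directory
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"        # empty certificate database
    echo 0F > "$1/serial"     # next serial, as in the post
    echo 01 > "$1/crlnumber"  # next CRL number, needed by -gencrl
    # "$1" is expanded by the shell now; "\$dir" is left for openssl to expand.
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
unique_subject = yes
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
    (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=liaoning/L=shenyang/O=meng/OU=devops/CN=ca.meng.com" -out "$1/cacert.pem"
}

# Section 4: private key and CSR named $2 with subject $3 ($1 = CA dir).
make_csr() {
    (umask 066; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

# Sections 5 and 7: sign CSR $2 under policy $3 into file $4 ($1 = CA dir). The exit
# status is openssl ca's: a policy mismatch or a subject already in index.txt fails.
issue_cert() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -policy "$3" -days 1000 \
        -in "$1/$2.csr" -out "$4"
}

# Section 8: revoke certificate file $2 and regenerate the CRL ($1 = CA dir).
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" &&
        openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}

# Helpers: serial of a cert file (upper-case hex, e.g. 0F); status letter (V/R/E)
# stored for serial $2 in index.txt, which is what "openssl ca -status" reports
# (serial is the 4th tab-separated column); whether the CRL in CA dir $1 lists $2.
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
db_status() { awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"; }
crl_lists() { openssl crl -in "$1/crl.pem" -noout -text | grep -q "Serial Number: $2\$"; }

demo() {  # $1 = scratch directory
    setup_ca "$1"
    make_csr "$1" app1 "/C=CN/ST=liaoning/L=shenyang/O=meng/OU=it/CN=app1.meng.com"
    make_csr "$1" app2 "/C=US/ST=newyork/L=newyork/O=meng/OU=sales/CN=sales.meng.com"
    issue_cert "$1" app1 policy_match "$1/certs/app1.crt"        # serial 0F, L dropped by the policy
    issue_cert "$1" app1 policy_match "$1/certs/dup.crt" || echo "rejected: same subject as 0F"
    issue_cert "$1" app1 policy_anything "$1/certs/app1-new.crt" # serial 10: L kept, so a new subject
    issue_cert "$1" app2 policy_match "$1/certs/app2.crt" || echo "rejected: C=US differs from the CA"
    issue_cert "$1" app2 policy_anything "$1/certs/app2.crt"     # serial 11
    revoke_cert "$1" "$1/certs/app1-new.crt"
    echo "--- index.txt ---"; cat "$1/index.txt"
    echo "--- CRL ---"; openssl crl -in "$1/crl.pem" -noout -text | sed -n '/Revoked/,/Signature/p'
}
demo "$(mktemp -d)"
```

Run it as a script: the two rejected calls print openssl's own error text (the countryName mismatch from section 4 and the "There is already a certificate" message from section 6) and the script carries on. The final index.txt has the same shape as the post's, with serial 0F valid, 10 revoked and 11 valid, and crlnumber has advanced to 02.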
Tags: cent8, certificate, CA, pki, etc, meng, root, CentOS8. Source: https://blog.csdn.net/mandarin_meng/article/details/121031410