SSL Basics: 21: Signing Other Certificates with the ca Subcommand
Published: 2021-06-30 20:15:36


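The ca subcommand works from a CSR file prepared in advance and, given a private key and the -selfsign option, can generate a self-signed certificate. The req subcommand can also generate self-signed certificates. In practice, a self-signed certificate is mostly used to create a CA certificate. The previous article showed how to use the x509 subcommand with a self-signed CA certificate to sign other certificate signing requests (CSR files); this article shows how to do the same with the ca subcommand.

Preparation: Prepare the self-signed certificate

Prepare the private key and CSR file

You can prepare the private key and the CSR file separately with the genrsa subcommand and req -new, or generate both in one step with req -newkey.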

[root@liumiaocn ca]# openssl req -newkey rsa:2048 -keyout ca.key  -nodes -out request.csr -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=devops.com"
Generating a RSA private key
...........................+++++
.........+++++
writing new private key to 'ca.key'
-----
[root@liumiaocn ca]# ls
ca.key  request.csr
[root@liumiaocn ca]#

Check the private key and CSR contents

[root@liumiaocn ca]# openssl req -text -noout -verify -in request.csr
verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = devops, OU = unicorn, CN = devops.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         ...
[root@liumiaocn ca]#

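Step 2: Sign the CSR file with the CA

Command: openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt -config openssl.cnf -days 365 -batch

Example configuration file

Based on the earlier explanation of the configuration file options, the following example configuration file is used here. It contains only the minimum settings required.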

[root@liumiaocn ca]# vi openssl.cnf
[root@liumiaocn ca]# mkdir newcerts
[root@liumiaocn ca]# touch index.txt
[root@liumiaocn ca]# echo "01" > serial
[root@liumiaocn ca]# cat serial
01
[root@liumiaocn ca]# cat openssl.cnf
[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts         # default place for new certs.
database        = $dir/index.txt        # database index file.
default_md      = sha256                # use SHA-256 by default
policy          = policy_match
serial          = $dir/serial           # The current serial number
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[root@liumiaocn ca]#

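Configuration notes: to match the settings above, the newcerts directory is created to hold newly issued certificates, and the serial file is created to hold the current serial number string.

Create the self-signed certificate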

[root@liumiaocn ca]# openssl ca -selfsign -keyfile ca.key -in request.csr -out test-cert.crt  -config openssl.cnf -days 365 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'unicorn'
commonName            :ASN.1 12:'devops.com'
Certificate is to be certified until Dec 14 03:07:57 2020 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@liumiaocn ca]#

Confirm the result

[root@liumiaocn ca]# tree .
.
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── openssl.cnf
├── request.csr
├── serial
├── serial.old
└── test-cert.crt
1 directory, 10 files
[root@liumiaocn ca]#

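Signing a CSR with the ca subcommand

Step 1: Generate the certificate signing request (CSR) file

Signing has a prerequisite, and the CSR file is that prerequisite. Applying for a paid certificate from a commercial CA also requires a CSR. It may be presented in a different form, but in the end the CA likewise needs an equivalent CSR.

Example command: openssl req -new -out request-dev.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=dev/CN=dev.com"

For example, the following CSR file is generated here: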

[root@liumiaocn ca]# openssl req -new -out request-dev.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=dev/CN=dev.com"
Generating a RSA private key
..........................+++++
........................................................................................................................................................................................................................................................................................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn ca]# ls
ca.key     index.txt.attr  newcerts     privkey.pem  request-dev.csr  serial.old
index.txt  index.txt.old   openssl.cnf  request.csr  serial           test-cert.crt
[root@liumiaocn ca]#

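Step 2: Sign with the ca subcommand and the CA certificate

Use -keyfile and -cert to specify the CA's private key and certificate file, then sign the CSR file to obtain the signed certificate file 02.pem.

Example certificate signing command: openssl ca -in request-dev.csr -keyfile ca.key -cert newcerts/01.pem -config openssl.cnf -days 90 -batch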

[root@liumiaocn ca]# openssl ca -in request-dev.csr -keyfile ca.key -cert newcerts/01.pem -config openssl.cnf -days 90 -batch
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'dev'
commonName            :ASN.1 12:'dev.com'
Certificate is to be certified until Mar 14 03:10:23 2020 GMT (90 days)
Write out database with 1 new entries
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, O=devops, OU=unicorn, CN=devops.com
        Validity
            Not Before: Dec 15 03:10:23 2019 GMT
            Not After : Mar 14 03:10:23 2020 GMT
        Subject: C=CN, ST=LiaoNing, O=devops, OU=dev, CN=dev.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated
[root@liumiaocn ca]#

The result is confirmed as follows:

[root@liumiaocn ca]# tree .
.
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── openssl.cnf
├── privkey.pem
├── request.csr
├── request-dev.csr
├── serial
├── serial.old
└── test-cert.crt
1 directory, 14 files
[root@liumiaocn ca]#
[root@liumiaocn ca]# openssl x509 -noout -in newcerts/02.pem -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = dev, CN = dev.com
notBefore=Dec 15 03:10:23 2019 GMT
notAfter=Mar 14 03:10:23 2020 GMT
[root@liumiaocn ca]#
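
The policy_match section of the configuration decides which requests this CA will sign and which subject fields reach the issued certificate; the subject printed above no longer contains L=DaLian. The script below is an added example, not part of the original article: it rebuilds the article's minimal CA in a temporary directory and reports the outcome for a request whose O matches the CA and one whose O differs. The [ req ] and [ dn ] sections, the file names, and the other/ext.com subject are assumptions made for the demonstration.

```shell
# Added example (not from the article): the article's minimal CA, rebuilt in
# a scratch directory to show what policy_match accepts, rejects and drops.
ca_policy_demo() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
default_md = sha256
policy = policy_match
serial = $dir/serial
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# Assumption: added so that req does not need a system-wide openssl.cnf.
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
    mkcsr() {  # mkcsr <name> <O> <OU> <CN>: write <name>.key and <name>.csr
      openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/C=CN/ST=LiaoNing/L=DaLian/O=$2/OU=$3/CN=$4" >/dev/null 2>&1
    }
    sign() {   # sign <name>: issue <name>.crt from <name>.csr with the CA key
      openssl ca -config openssl.cnf -batch -days 90 -keyfile ca.key \
        -cert ca.crt -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
    }
    mkcsr ca devops unicorn devops.com &&
      openssl ca -config openssl.cnf -batch -days 365 -selfsign \
        -keyfile ca.key -in ca.csr -out ca.crt >/dev/null 2>&1 &&
      mkcsr dev devops dev dev.com && mkcsr ext other dev ext.com || exit 1
    sign dev && echo "same_org=issued" || echo "same_org=rejected"
    sign ext && echo "other_org=issued" || echo "other_org=rejected"
    openssl x509 -in dev.crt -noout -subject 2>/dev/null | grep -q DaLian \
      && echo "locality=kept" || echo "locality=dropped"
  )
  rc=$?; rm -rf "$work"; return $rc
}
ca_policy_demo
```

The request with O=other is refused because organizationName is set to match, and localityName disappears from the issued subject because the ca subcommand silently deletes fields that the policy section does not mention unless DN preservation is enabled.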

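Simplifying certificate signing

Because the ca subcommand reads a configuration file, settings in that file can reduce the number of parameters that must be supplied when signing. Modify the configuration as follows: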

[root@liumiaocn ca]# cat openssl.cnf
[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
dir             = .
new_certs_dir   = $dir/newcerts         # default place for new certs.
database        = $dir/index.txt        # database index file.
default_md      = sha256                # use SHA-256 by default
policy          = policy_match
serial          = $dir/serial           # The current serial number
private_key     = $dir/private/ca.key   # The private key
certificate     = $dir/ca.crt           # The CA certificate
default_days    = 90                    # how long to certify for
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[root@liumiaocn ca]#

Then make the following preparations to match these settings:

[root@liumiaocn ca]# cp newcerts/01.pem ca.crt
[root@liumiaocn ca]# mkdir private
[root@liumiaocn ca]# cp ca.key private/ca.key
[root@liumiaocn ca]# tree .
.
├── ca.crt
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   └── 02.pem
├── openssl.cnf
├── private
│   └── ca.key
├── privkey.pem
├── request.csr
├── request-dev.csr
├── serial
├── serial.old
└── test-cert.crt
2 directories, 16 files
[root@liumiaocn ca]#

Example CSR generation command: openssl req -new -out request-test.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=test/CN=test.com"

[root@liumiaocn ca]# openssl req -new -out request-test.csr -nodes -subj "/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=test/CN=test.com"
Generating a RSA private key
.........+++++
....................................................................................+++++
writing new private key to 'privkey.pem'
-----
[root@liumiaocn ca]#

Example certificate signing command: openssl ca -config openssl.cnf -batch -in request-test.csr

[root@liumiaocn ca]# openssl ca -config openssl.cnf -batch -in request-test.csr
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'LiaoNing'
localityName          :ASN.1 12:'DaLian'
organizationName      :ASN.1 12:'devops'
organizationalUnitName:ASN.1 12:'test'
commonName            :ASN.1 12:'test.com'
Certificate is to be certified until Mar 14 05:07:14 2020 GMT (90 days)
Write out database with 1 new entries
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, O=devops, OU=unicorn, CN=devops.com
        Validity
            Not Before: Dec 15 05:07:14 2019 GMT
            Not After : Mar 14 05:07:14 2020 GMT
        Subject: C=CN, ST=LiaoNing, O=devops, OU=test, CN=test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Data Base Updated
[root@liumiaocn ca]#

The generated 03.pem is the issued certificate file.

[root@liumiaocn ca]# tree .
.
├── ca.crt
├── ca.key
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   ├── 01.pem
│   ├── 02.pem
│   └── 03.pem
├── openssl.cnf
├── private
│   └── ca.key
├── privkey.pem
├── request.csr
├── request-dev.csr
├── request-test.csr
├── serial
├── serial.old
└── test-cert.crt
2 directories, 18 files
[root@liumiaocn ca]# openssl x509 -in newcerts/03.pem -noout -issuer -subject -dates
issuer=C = CN, ST = LiaoNing, O = devops, OU = unicorn, CN = devops.com
subject=C = CN, ST = LiaoNing, O = devops, OU = test, CN = test.com
notBefore=Dec 15 05:07:14 2019 GMT
notAfter=Mar 14 05:07:14 2020 GMT
[root@liumiaocn ca]#

Reposted from: https://liumiaocn.blog.csdn.net/article/details/103546370
