[root@ubuntu-158 ~]#openssl version
OpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)
[root@rocky8-153 ~]#openssl
OpenSSL> version
OpenSSL 1.1.1k FIPS 25 Mar 2021
Getting help
[root@ubuntu-158 ~]#openssl help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb zlib
zstd
[root@ubuntu-158 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN # country code
State or Province Name (full name) [Some-State]:tianjin # state/province
Locality Name (eg, city) []:tianjin # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hcompany # company/organization
Organizational Unit Name (eg, section) []:HHH # department
Common Name (e.g. server FQDN or YOUR name) []:test-certificate # domain name
Email Address []:3506934363@qq.com # email address
[root@ubuntu-158 CA]#ls
cacert.pem certs crl newcerts private
# View the certificate (PEM form)
[root@ubuntu-158 CA]#cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIEATCCAumgAwIBAgIUfdOQV13NEl6fVJs/TnuNRT3rEewwDQYJKoZIhvcNAQEL
BQAwgY8xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAd0aWFuamluMRAwDgYDVQQHDAd0
aWFuamluMREwDwYDVQQKDAhIY29tcGFueTEMMAoGA1UECwwDSEhIMRkwFwYDVQQD
...
-----END CERTIFICATE-----
# View the certificate (decoded)
[root@ubuntu-158 CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7d:d3:90:57:5d:cd:12:5e:9f:54:9b:3f:4e:7b:8d:45:3d:eb:11:ec
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=tianjin, L=tianjin, O=Hcompany, OU=HHH, CN=test-certificate, emailAddress=3506934363@qq.com
Validity
Not Before: Oct 8 11:05:24 2025 GMT
Not After : Oct 6 11:05:24 2035 GMT
Subject: C=CN, ST=tianjin, L=tianjin, O=Hcompany, OU=HHH, CN=test-certificate, emailAddress=3506934363@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b0:d3:8c:5d:ed:8e:cf:99:a8:5d:f2:d0:ed:1d:
b0:70:16:99:82:80:47:99:c5:c2:f8:0f:3d:d4:05:
38:34:73:e9:93:1f:8b:34:a5:61:25:84:9a:a1:de:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
83:35:29:EB:BE:49:F6:65:BA:28:16:6D:C9:50:15:FF:15:79:B6:1E
X509v3 Authority Key Identifier:
83:35:29:EB:BE:49:F6:65:BA:28:16:6D:C9:50:15:FF:15:79:B6:1E
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
6f:d9:4b:d4:87:1f:47:e7:30:1b:99:dc:47:6a:35:ec:6f:f5:
37:04:f9:5c:ca:1f:27:74:86:50:d2:52:8d:63:e8:35:95:1e:
ba:aa:6b:1c:fc:28:2a:17:a3:c4:81:4d:41:3e:be:43:25:ee:
...
# Transfer to Windows to view it; add the .crt extension
[root@ubuntu-158 CA]#sz cacert.pem
# Note: by default the Country, State/Province and Organization fields must match the CA's
[root@ubuntu-158 108]#openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:tianjin
Locality Name (eg, city) []:tianjin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hcompany
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-cert
Email Address []:3506934363@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ubuntu-158 108]# ll
total 16
-rw-r--r-- 1 root root 1029 Oct 8 19:22 test.csr
-rw------- 1 root root 1704 Oct 8 19:18 test.key
③ Sign the certificate with the CA and issue it to the requester
If the fields in the certificate request do not satisfy the CA's matching policy, the certificate cannot be issued.
Index file: records metadata for every issued certificate; it is effectively the CA's "certificate database", used to query, revoke, or verify certificate status.
Serial file: stores the serial number of the next certificate to be issued, ensuring that every certificate's serial number is unique.
openssl ca is used for certificate issuance, revocation and management
# Create the index file
[root@ubuntu-158 CA]#touch index.txt
# Create the serial file
[root@ubuntu-158 CA]#echo 0F > serial
[root@ubuntu-158 CA]#ll
total 32
-rw-r--r-- 1 root root 1448 Oct 8 19:05 cacert.pem
drwxr-xr-x 2 root root 4096 Oct 8 18:44 certs/
drwxr-xr-x 2 root root 4096 Oct 8 18:44 crl/
-rw-r--r-- 1 root root 0 Oct 8 19:24 index.txt
drwxr-xr-x 2 root root 4096 Oct 8 18:44 newcerts/
drwxr-xr-x 2 root root 4096 Oct 8 18:55 private/
-rw-r--r-- 1 root root 3 Oct 8 19:24 serial
# Issue the certificate
[root@ubuntu-158 CA]#openssl ca -in /root/hu/108/test.csr -out certs/test.crt -days 100
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Oct 8 11:26:26 2025 GMT
Not After : Jan 16 11:26:26 2026 GMT
Subject:
countryName = CN
stateOrProvinceName = tianjin
organizationName = Hcompany
commonName = test-cert
emailAddress = 3506934363@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
0B:7B:A6:2E:3A:56:93:56:B0:1B:AD:99:69:08:E3:F4:20:24:C8:AD
X509v3 Authority Key Identifier:
83:35:29:EB:BE:49:F6:65:BA:28:16:6D:C9:50:15:FF:15:79:B6:1E
Certificate is to be certified until Jan 16 11:26:26 2026 GMT (100 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
# View the result
[root@ubuntu-158 CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── test.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
5 directories, 9 files
# It was 0F before; incremented by 1 it becomes 10 (hexadecimal)
[root@ubuntu-158 CA]#cat /etc/pki/CA/serial
10
# V means valid; 260116112626Z is the expiry time (YYMMDDHHMMSSZ, i.e. 2026-01-16 11:26:26 GMT, matching Not After above); 0F is the certificate serial number
[root@ubuntu-158 CA]#cat /etc/pki/CA/index.txt
V 260116112626Z 0F unknown /C=CN/ST=tianjin/O=Hcompany/CN=test-cert/emailAddress=3506934363@qq.com
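The index.txt line above is the CA's database record, and the policy note earlier says C, ST and O must match the CA. The following added example (not code from the original post) parses that record format and checks each entry against the CA DN shown in the Issuer line; the sample index lines, including a second revoked entry, are constructed for illustration.

```python
"""Parse an `openssl ca` index.txt and check entries against policy_match.
Added example; the sample index below is constructed from the post's values."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the V entry from the post plus a hypothetical R (revoked) entry.
# Columns are tab-separated: status, expiry, revocation[,reason], serial, file, DN.
SAMPLE_INDEX = (
    "V\t260116112626Z\t\t0F\tunknown\t"
    "/C=CN/ST=tianjin/O=Hcompany/CN=test-cert/emailAddress=3506934363@qq.com\n"
    "R\t260116112626Z\t251101080000Z,keyCompromise\t10\tunknown\t"
    "/C=CN/ST=beijing/O=Hcompany/CN=other-host\n"
)
CA_DN = {"C": "CN", "ST": "tianjin", "O": "Hcompany"}  # from the CA cert's Issuer
POLICY_MATCH = ("C", "ST", "O")  # fields the default policy_match requires to equal the CA's


@dataclass
class IndexEntry:
    status: str                  # V = valid, R = revoked, E = expired
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]
    serial: int                  # stored in the file as hex, e.g. 0F -> 15
    dn: dict


def parse_time(ts: str) -> datetime:
    # index.txt timestamps are UTCTime: YYMMDDHHMMSSZ
    return datetime.strptime(ts, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_dn(dn: str) -> dict:
    return dict(part.split("=", 1) for part in dn.strip("/").split("/"))


def parse_index(text: str) -> list:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, rev, serial, _fname, dn = line.split("\t")
        rev_time, reason = None, None
        if rev:  # only revoked entries carry a revocation time and optional reason
            rev_date, _, reason = rev.partition(",")
            rev_time, reason = parse_time(rev_date), (reason or None)
        entries.append(IndexEntry(status, parse_time(exp), rev_time, reason,
                                  int(serial, 16), parse_dn(dn)))
    return entries


def policy_violations(entry: IndexEntry) -> list:
    """Fields of the subject DN that differ from the CA DN under policy_match."""
    return [f for f in POLICY_MATCH if entry.dn.get(f) != CA_DN[f]]


def is_valid(entry: IndexEntry, at: str) -> bool:
    """True if the entry is still 'V' and unexpired at UTCTime `at`."""
    return entry.status == "V" and entry.expires > parse_time(at)
```

Note that `openssl ca` only marks an entry `E` when the database is updated; an expired certificate may still read `V` in the file, which is why the expiry time is checked explicitly.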
④ View the information in the certificate
# Check the status by serial number
[root@ubuntu-158 CA]#openssl ca -status 0F
Using configuration from /usr/lib/ssl/openssl.cnf
0F=Valid (V)
[root@ubuntu-158 CA]#openssl x509 -in /etc/pki/CA/certs/test.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=tianjin, L=tianjin, O=Hcompany, OU=HHH, CN=test-certificate, emailAddress=3506934363@qq.com
Validity
Not Before: Oct 8 11:26:26 2025 GMT
Not After : Jan 16 11:26:26 2026 GMT
Subject: C=CN, ST=tianjin, O=Hcompany, CN=test-cert, emailAddress=3506934363@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:1b:0d:b9:4a:cf:6d:d3:98:0e:91:49:65:06:
3c:61:2f:2f:1d:81:b4:c9:1c:11:3a:84:c8:0c:3a:
fc:9a:eb:a7:cf:0a:d5:1f:dd:6e:26:2f:a3:24:3e:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
0B:7B:A6:2E:3A:56:93:56:B0:1B:AD:99:69:08:E3:F4:20:24:C8:AD
X509v3 Authority Key Identifier:
83:35:29:EB:BE:49:F6:65:BA:28:16:6D:C9:50:15:FF:15:79:B6:1E
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
6b:43:a1:ab:70:6d:c3:9c:d1:2c:cd:5c:b5:e2:ce:b0:20:48:
6c:7c:40:5d:13:4c:3b:2c:93:0e:35:38:f2:57:7a:ff:4b:e7:
14:cd:a0:36:4c:2b:6f:9c:9f:89:2e:03:e3:53:5e:21:99:c2:
...
# Transfer to Windows to view it
[root@ubuntu-158 CA]#sz certs/test.crt