基础环境
mkdir Test
cd Test
mkdir -p ./CA/{private,newcerts}
touch
touch CA/serial
touch CA/crlnumber
echo01 > CA/serial
echo01 > CA/crlnumber
cp /etc/pki/tls/opensslf ./x1650gt
# 修改dir为当前CA⽬录
杨氏模量数据处理
vim opensslf
[ CA_default ]
dir = ./CA
stkx
[ v3_req ]
keyUsage = nonRepudiation,digitalSignature
extendedKeyUsage = clientAuth
⽣成CA证书
# ⽣成CA私钥
(umask 077;openssl genrsa -des3 -out ./CA/private/cakey.pem 2048)
# ⽣成ca证书
openssl req -new -x509 -days 365 -key ./CA/private/cakey.pem -out ./CA/cacert.pem -subj "/C=CN/ST=GD/L=SZ/O=organization/OU=dev/CN=organization/emailAddress=aa@organization"
⽣成⽤户证书
# user私钥
(umask 077;openssl genrsa -out userkey.pem 2048)
# 签署请求
openssl req -new -days 365 -key userkey.pem -out userreq.pem -subj "/C=CN/ST=GD/L=SZ/O=organization/OU=dev/CN=organization/emailAddress=aa@organization"
华大博雅# ⽣成user证书拓展市场
openssl ca -in userreq.pem -out usercert.pem -extensions v3_req -config opensslf
# ⽣成pkcs12证书
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out user.pfx
# rm ./ && touch ./ 重新⽣成user证书
干热岩# 吊销user证书
openssl ca -revoke usercert.pem -cert ./CA/cacert.pem -keyfile ./CA/private/cakey.pem
# ⽣成user证书吊销列表
openssl ca -gencrl -l -cert ./CA/cacert.pem -keyfile ./CA/private/cakey.pem -config opensslf