Managing certificates with openssl


This description was written on CentOS 6; on other operating systems the file locations may differ.
The first thing we need is to create the certificate of a "certification authority" (CA), which will be used to sign all subsequent certificates:

[root@centserv misc]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:RU
State or Province Name (full name) []:Moscow
Locality Name (eg, city) [Default City]:Moscow
Organization Name (eg, company) [Default Company Ltd]:JSC Horns&Hoffs
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:centserv.test.lan
Email Address []:root@test.lan

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            Not Before: Aug  8 07:24:38 2013 GMT
            Not After : Aug  7 07:24:38 2016 GMT
            countryName               = RU
            stateOrProvinceName       = Moscow
            organizationName          = JSC Horns&Hoffs
            organizationalUnitName    = IT
            commonName                = centserv.test.lan
            emailAddress              = root@test.lan
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

            X509v3 Basic Constraints:
Certificate is to be certified until Aug  7 07:24:38 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

[root@centserv misc]#

As a result, the key file /etc/pki/CA/private/cakey.pem will be created, protected by the PEM pass phrase entered above.
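The same CA built non-interactively with plain openssl commands instead of the CA wrapper script, followed by a check that the result is a usable root. This is an added example, not code from the original page; it assumes a scratch directory CA_DIR (a fresh temp dir by default) and a constructed placeholder pass phrase CA_PASS.

```shell
#!/bin/sh
# Added example, not from the original page: build the same CA with plain
# openssl commands instead of the interactive CA script, then check it.
# Assumptions: CA_DIR is a scratch directory (a fresh temp dir by default) and
# CA_PASS is a constructed placeholder pass phrase for the CA key.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-ChangeMe-placeholder}"
# Minimal config: the DN from the page and the X509v3 extensions a root CA needs.
write_ca_config() {
    cat > "$CA_DIR/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C = RU
ST = Moscow
L = Moscow
O = JSC Horns&Hoffs
OU = IT
CN = centserv.test.lan
emailAddress = root@test.lan
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}
# 2048-bit RSA key encrypted with CA_PASS, plus a self-signed cert valid 1095 days.
make_ca() {
    write_ca_config
    mkdir -p "$CA_DIR/private" && chmod 700 "$CA_DIR/private"
    openssl req -new -x509 -days 1095 -newkey rsa:2048 -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/private/cakey.pem" -passout "pass:$CA_PASS" \
        -out "$CA_DIR/cacert.pem" 2>/dev/null
    chmod 600 "$CA_DIR/private/cakey.pem"
}
# Checks: the cert verifies against itself (self-signed root), carries CA:TRUE,
# and its public key matches the private key. Returns 0 only when all hold.
check_ca() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/cacert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$CA_DIR/cacert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
    cert_pub=$(openssl x509 -in "$CA_DIR/cacert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$CA_DIR/private/cakey.pem" -passin "pass:$CA_PASS" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run `make_ca && check_ca` to produce cacert.pem and private/cakey.pem under CA_DIR; the check fails if the key is not the one the certificate was issued for or the CA flag is missing.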