国密CA建立
修改openssl.cnf
[ CA_default ]
dir = /SMCA # Where everything is kept
建立CA文件夹结构
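# Build the directory layout referenced by "dir = /SMCA" in [ CA_default ].
cd / && mkdir SMCA
mkdir SMCA/{certs,crl,newcerts,private}
# private/ will hold the CA signing key: restrict it to the owning account
# before any key material is written into it.
chmod 700 SMCA/private
cd SMCA
# With the stock openssl.cnf layout, index.txt is the issued-certificate
# database and serial holds the next serial number (hex) used by `openssl ca`.
touch index.txt
echo 01 > serial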
生成CA根证书
## Generate the CA private key (SM2 curve).
# NOTE(review): -param_enc explicit writes the full curve parameters instead of
# the named-curve OID. RFC 5480 requires named curves in PKIX certificates and
# many validators reject explicit-parameter keys; keep it only if the target
# stack needs it.
# NOTE(review): the key is written unencrypted. For anything beyond a lab CA,
# protect it with a passphrase or keep it on an offline host / HSM.
openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out private/cakey.pem
## Generate the certificate: create a CSR, then self-sign it with the same key.
openssl req -new -key private/cakey.pem -out private/cacert.csr
# No -extfile/-extensions is passed, so this command adds no X.509v3 extensions
# (basicConstraints CA:TRUE, keyUsage). Inspect the result with
# `openssl x509 -in cacert.pem -noout -text` and confirm that relying software
# accepts it as a CA certificate.
openssl x509 -req -days 3650 -in private/cacert.csr -signkey private/cakey.pem -out cacert.pem
颁发证书
## Generate the subject's private key.
# NOTE(review): here the CA host generates the subject key and stores it next
# to the CA key. In production the subject normally generates its own key and
# submits only the CSR, so the CA never holds end-entity private keys.
openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out private/it.key
## Generate the certificate: create a CSR, then have the CA sign it.
openssl req -new -key private/it.key -out private/it.csr
# `openssl ca` signs using the CA settings from openssl.cnf ([ CA_default ]).
# -days 3650 gives the end-entity certificate a ten-year lifetime; a shorter
# lifetime limits exposure if the key leaks and CRLs are not checked.
openssl ca -in private/it.csr -out certs/it.crt -days 3650
国际CA建立
修改openssl.cnf
[ CA_default ]
dir = /RSACA # Where everything is kept
建立CA文件夹结构
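# Build the directory layout referenced by "dir = /RSACA" in [ CA_default ].
cd / && mkdir RSACA
mkdir RSACA/{certs,crl,newcerts,private}
# private/ will hold the CA signing key: restrict it to the owning account
# before any key material is written into it.
chmod 700 RSACA/private
cd RSACA
# With the stock openssl.cnf layout, index.txt is the issued-certificate
# database and serial holds the next serial number (hex) used by `openssl ca`.
touch index.txt
echo 01 > serial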
生成CA根证书
## Generate the CA private key (RSA, 2048 bits).
# NOTE(review): the key is written unencrypted; `openssl genrsa -aes256 ...`
# would protect it with a passphrase. For a root intended to live ten years,
# consider a larger modulus (3072 bits or more).
openssl genrsa -out private/cakey.pem 2048
## Generate the certificate: create a CSR, then self-sign it with the same key.
openssl req -new -key private/cakey.pem -out private/ca.csr
# No -extfile/-extensions is passed, so this command adds no X.509v3 extensions
# (basicConstraints CA:TRUE, keyUsage). Inspect the result with
# `openssl x509 -in cacert.pem -noout -text` and confirm that relying software
# accepts it as a CA certificate.
openssl x509 -days 3650 -req -in private/ca.csr -signkey private/cakey.pem -out cacert.pem
颁发证书
## Generate the subject's private key (RSA, 2048 bits, unencrypted).
# NOTE(review): here the CA host generates the subject key and stores it next
# to the CA key. In production the subject normally generates its own key and
# submits only the CSR, so the CA never holds end-entity private keys.
openssl genrsa -out private/it.key 2048
## Generate the certificate: create a CSR, then have the CA sign it.
openssl req -new -key private/it.key -out private/it.csr
# `openssl ca` signs using the CA settings from openssl.cnf ([ CA_default ]).
# -days 3650 gives the end-entity certificate a ten-year lifetime; a shorter
# lifetime limits exposure if the key leaks and CRLs are not checked.
openssl ca -in private/it.csr -out certs/it.crt -days 3650
其他命令
pem证书合并为p12(pfx)证书
# Bundle the root certificate together with the CA private key into PKCS#12.
# rootca.p12 therefore contains the CA signing key: set a strong export
# password when prompted, store the file like the key itself, and do not hand
# it out as a trust anchor (distribute cacert.pem for that).
openssl pkcs12 -export -in cacert.pem -inkey private/cakey.pem -out rootca.p12
# Bundle the issued certificate and its private key for the end user.
openssl pkcs12 -export -in certs/it.crt -inkey private/it.key -out user.p12
吊销证书
## Show the certificate's serial number and subject, to confirm the right
## certificate is about to be revoked.
openssl x509 -in certs/it.crt -noout -serial -subject
## Revoke the certificate (marks it as revoked in the CA database).
openssl ca -revoke certs/it.crt
## Regenerate the certificate revocation list.
# NOTE(review): -config openssl.cnf is resolved relative to the current
# directory, while the other `openssl ca` calls on this page use the default
# configuration. Confirm both point at the same edited file, otherwise the CRL
# is built from a different CA database.
# NOTE(review): if openssl.cnf sets `crlnumber`, that file must exist before
# -gencrl is run. Revocation only takes effect once relying parties fetch and
# check the published crl.pem.
openssl ca -gencrl -out crl.pem -config openssl.cnf
# Show the contents of the revocation list.
openssl crl -in crl.pem -noout -text