OpenSSL certificate requests and self-signed certificates

Source: Internet   Published by: 基金软件手机版   Editor: 程序博客网   Time: 2024/06/05 08:13

### Contents

      • Concepts
        • PKI, CA, X.509
      • Obtaining a certificate
        • Two ways to obtain a certificate
      • Security protocols
        • SSL and TLS
      • OpenSSL
        • The OpenSSL open-source project
        • OpenSSL commands
        • Symmetric encryption: enc
        • One-way hashing: dgst
        • Generating user passwords and random numbers
        • Generating a key pair: man genrsa
        • Random number generators: pseudo-random numbers
      • Building a private CA
          • Create the required files
          • CA self-signed certificate
          • Generate the self-signed certificate
          • The certificate's fields explained
      • Certificate application process
        • Steps of applying for and signing a certificate
        • Creating a CA and applying for a certificate
          • Generate the certificate request on the host that needs the certificate
          • RA verification and CA signing
          • Obtain the certificate
        • Revoking a certificate
          • On the client, get the serial of the certificate to revoke
          • On the CA, compare the submitted serial and subject with index.txt and revoke the certificate
          • Specify the number of the first revoked certificate
          • Update the certificate revocation list

Concepts:

PKI, CA, X.509

PKI: Public Key Infrastructure

Public key infrastructure: a set of hardware, software, participants, management policies and procedures whose purpose is to create, manage, distribute, use, store and revoke digital certificates.

X.509: an industry standard proposed by ITU-T for public key infrastructure (PKI) and privilege management infrastructure (PMI). The X.509 standard specifies public key certificates, certificate revocation lists, attribute certificates, the certification path validation algorithm, and more.

CA: Certificate Authority. Its main responsibilities are issuing, renewing, revoking and validating certificates.

Obtaining a certificate

Two ways to obtain a certificate:

Use a certificate authority
- generate a certificate signing request (CSR)
- send the CSR to the CA
- receive the signed certificate from the CA

Self-signed certificate
- sign your own public key yourself

Security protocols

SSL and TLS

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication. TLS and SSL encrypt the network connection at the transport layer.

  • Handshake protocol: negotiates the security parameters and cipher suite, authenticates the server (client authentication is optional) and performs the key exchange
  • ChangeCipherSpec protocol: a single message indicating that the handshake has completed
  • Alert protocol: reports errors that occur during the handshake, at two levels, fatal and warning; a fatal alert terminates the SSL connection immediately, while after a warning the connection may continue and only a warning is reported
  • Record protocol: fragments, compresses, authenticates (message authentication and integrity protection) and encrypts messages
  • HTTPS: the combination of HTTP with SSL/TLS ("HTTP over SSL" / "HTTP over TLS"); the HTTP text is encrypted and then transmitted in binary form

OpenSSL

OpenSSL: open-source project

OpenSSL is a cryptographic library for the Secure Sockets Layer. It contains the major cryptographic algorithms, common key and certificate management functions and the SSL protocol, and ships with a rich set of applications for testing and other purposes.

Three components:

  • openssl: multi-purpose command-line tool, package openssl
  • libcrypto: cryptographic algorithm library, package openssl-libs
  • libssl: library implementing SSL/TLS, package nss

OpenSSL commands:

  • Two modes of operation: interactive mode and batch mode
  • openssl version: shows the OpenSSL version number
  • Standard commands: enc (symmetric encryption), ca (sign certificates), req (generate requests and self-signed certificates), …

Symmetric encryption: enc

  • Tools: openssl enc, gpg
  • Algorithms: 3des, aes, blowfish, twofish
    The enc command:
  • Help: man enc
  • Encrypt:

    • openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher

      [root@centos7 app]# openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher   #<== encrypt testfile with des3, writing testfile.cipher
      enter des-ede3-cbc encryption password:       #<== enter the password
      Verifying - enter des-ede3-cbc encryption password:       #<== enter it again
      [root@centos7 app]# cat testfile testfile.cipher      #<== view the plaintext and the encrypted file
      this is a test file
      U2FsdGVkX1/a0QHbk2ol6aB39zpO7+yS2cZ+jI7YqUQiKfGhC4SqZg==
  • Decrypt:

    • openssl enc -d -des3 -a -salt -in testfile.cipher -out testfile

      [root@centos7 app]# rm -f testfile            #<== delete testfile
      [root@centos7 app]# openssl enc -d -des3 -a -salt -in testfile.cipher -out testfile   #<== decrypt testfile.cipher with des3
      enter des-ede3-cbc decryption password:       #<== enter the password
      [root@centos7 app]# ls
      testfile  testfile.cipher
      [root@centos7 app]# cat testfile      #<== testfile has the same contents as before
      this is a test file

One-way hashing: dgst

One-way hashing:

  • Tools: md5sum, sha1sum, sha224sum, sha256sum, openssl dgst
    The dgst command:
    Help:
    man dgst
    openssl dgst -md5 [-hex (default)] /PATH/SOMEFILE
    openssl dgst -md5 testfile
    md5sum /PATH/TO/SOMEFILE

    [root@centos7 app]# openssl dgst -md5 testfile            #<== compute the md5 of testfile
    MD5(testfile)= 4221d002ceb5d3c9e9137e495ceaa647
    [root@centos7 app]# openssl dgst -md5 -hex testfile   #<== -hex prints hexadecimal (the default)
    MD5(testfile)= 4221d002ceb5d3c9e9137e495ceaa647
    [root@centos7 app]# md5sum testfile                   #<== compute the md5 of testfile
    4221d002ceb5d3c9e9137e495ceaa647  testfile

Generating user passwords and random numbers:

Generating user passwords:

  • The passwd command:

  • Help: man sslpasswd

  • openssl passwd -1 -salt SALT (at most 8 characters)

  • openssl passwd -1 -salt centos

    [root@centos7 app]# openssl passwd -1 -salt 12345678      #<== hash the password with openssl passwd using the given salt
    Password:
    $1$12345678$tRy4cXc3kmcfRZVj4iFXr/
    [root@centos7 app]# openssl passwd -1 -salt 123456789     #<== note: the salt is at most 8 characters; if 9 are entered, the 9th does not appear
    Password:
    $1$12345678$tRy4cXc3kmcfRZVj4iFXr/

Generating random numbers:

  • Help: man sslrand

  • openssl rand -base64|-hex NUM

  • NUM: number of bytes; with -hex each output character is one hexadecimal digit, i.e. 4 bits, so NUM*2 characters are printed

    [root@centos7 app]# openssl rand -hex 16  #<== produces 32 hex characters
    5666c7c5f5369120f0c8c3254fa82abe
    [root@centos7 app]# openssl rand -base64 16       #<== produces 16 random bytes, base64-encoded
    EHpDSxUBcX/uCvYBfhW61w==
    [root@centos7 app]# openssl rand -base64 -hex 16  #<== -hex and -base64 cannot be combined
    Usage: rand [options] num

Generating a key pair: man genrsa

Generate the private key:
- openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
- (umask 077; openssl genrsa -out test.key -des 2048)

Extract the public key from the private key
- openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE

  • openssl rsa -in test.key -pubout -out test.key.pub

    [root@centos7 app]# (umask 077 ; openssl genrsa -out test.key -des3 2048) #<== generate the private key; its mode is 600
    Generating RSA private key, 2048 bit long modulus
    ................................+++
    .........+++
    e is 65537 (0x10001)
    Enter pass phrase for test.key:
    Verifying - Enter pass phrase for test.key:
    [root@centos7 app]# openssl rsa -in test.key -pubout -out test.key.pub        #<== extract the public key from the private key
    Enter pass phrase for test.key:
    writing RSA key
    [root@centos7 app]# ll            #<== view the generated private key and the extracted public key
    total 8
    -rw-------. 1 root root 1751 Sep  9 21:29 test.key
    -rw-r--r--. 1 root root  451 Sep  9 21:30 test.key.pub

Random number generators: pseudo-random numbers

  • keyboard and mouse

  • block device interrupts: copying a large file generates a lot of random data

  • /dev/random: returns random numbers only from the entropy pool; blocks when the pool is exhausted

  • /dev/urandom: returns random numbers from the entropy pool; when the pool is exhausted it generates pseudo-random numbers in software and does not block

    [root@centos6 script]#  head /dev/urandom | cksum         #<== use /dev/urandom together with cksum to produce a random number
    1712568099 3350
    [root@centos6 script]#  head /dev/urandom | cksum
    1558657086 1998

Building a private CA

  • OpenSSL configuration file: /etc/pki/tls/openssl.cnf
  • Three policies: match, supplied and optional
  • match means the value in the request must be identical to the CA's setting; supplied means the field must be filled in; optional means it may be left out
1. Create the required files

touch /etc/pki/CA/index.txt    generate the certificate index database file
echo 01 > /etc/pki/CA/serial   specify the serial number of the first issued certificate

2. CA self-signed certificate

Generate the private key
cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

3. Generate the self-signed certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: used only by the CA to generate a self-signed certificate
-key: the private key used to generate the request
-days n: validity period of the certificate
-out /PATH/TO/SOMECERTFILE: where to save the certificate

4. The certificate's fields explained:

| DN field | Abbreviation | Meaning | How to fill in |
| --- | --- | --- | --- |
| Country Name | C | country of the certificate holder | required; the 2-letter country code |
| State or Province Name | ST | state or province of the holder | full name; may be left blank |
| Locality Name | L | city of the holder | may be left blank |
| Organization Name | O | organization or company of the holder | best filled in |
| Organizational Unit Name | OU | department of the holder | may be left blank |
| Common Name | CN | common name of the holder | required. For a non-application certificate it should be reasonably unique; for an application certificate it is usually the server's domain name or a wildcard domain name. |
| Email Address | | contact e-mail of the holder | may be left blank |

    [root@centos7 ~]# touch /etc/pki/CA/index.txt      #<== generate the certificate index database file
    [root@centos7 ~]# echo 01 > /etc/pki/CA/serial     #<== specify the serial number of the first issued certificate
    [root@centos7 ~]# cd /etc/pki/CA/
    [root@centos7 CA]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)     #<== generate the private key
    Generating RSA private key, 2048 bit long modulus
    .................................+++
    ......................................+++
    e is 65537 (0x10001)
    [root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem         #<== generate the self-signed certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:haidian
    Organization Name (eg, company) [Default Company Ltd]:iav18.com
    Organizational Unit Name (eg, section) []:opt
    Common Name (eg, your name or your server's hostname) []:ca.iav18.com
    Email Address []:

Certificate application process:

Steps of applying for and signing a certificate:

  1. Generate the request
  2. RA verification
  3. CA signing
  4. Obtain the certificate

Creating a CA and applying for a certificate

1. Generate the certificate request on the host that needs the certificate

The web server generates its private key
(umask 066; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generate the certificate request file
openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr

Send the certificate request file to the CA

    [root@centos6 ~]# (umask 066 ; openssl genrsa -out /etc/pki/tls/private/test.key 2048)     #<== generate the private key
    Generating RSA private key, 2048 bit long modulus
    ...............................................+++
    ..................................................................................................................................+++
    e is 65537 (0x10001)
    [root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr     #<== generate the certificate request file
    [root@centos6 ~]# openssl req -new -key /etc/pki/CA/private/test.key -out test.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN            #<== must match the CA
    State or Province Name (full name) []:beijing   #<== must match the CA
    Locality Name (eg, city) [Default City]:caoyang
    Organization Name (eg, company) [Default Company Ltd]:iav18.com #<== must match the CA
    Organizational Unit Name (eg, section) []:opt
    Common Name (eg, your name or your server's hostname) []:www.ihaiyun.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:        #<== whether to add a password
    An optional company name []:    #<== company name
    [root@centos6 ~]# scp test.csr 192.168.8.129:/etc/pki/CA       #<== send the certificate request file to the CA
    root@192.168.8.129's password:
    test.csr                      100% 1013     1.0KB/s   00:00
2. RA verification and CA signing

The CA signs the certificate
openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 365
By default the same request cannot be signed twice; editing the configuration file can allow it to be signed twice (no screenshot yet, one is still needed)
Note: by default the country, state/province and organization name must be identical to the CA's

    [root@centos7 CA]# openssl ca -in /etc/pki/CA/test.csr -out /etc/pki/CA/certs/test.crt      #<== the CA signs the certificate
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Sep  9 16:31:14 2017 GMT
                Not After : Sep  9 16:31:14 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = beijing
                localityName              = caoyang
                organizationName          = iav18.com
                organizationalUnitName    = opt
                commonName                = www.ihaiyun.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    C6:DC:8C:69:C1:5F:D2:53:D3:F4:74:D7:AE:4F:0D:8E:4E:5D:3B:13
                X509v3 Authority Key Identifier:
                    keyid:58:76:AE:27:21:CB:7F:FF:7F:BC:B7:BA:31:72:E2:BF:12:AF:78:6A

    Certificate is to be certified until Sep  9 16:31:14 2018 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@centos7 CA]# tree .
    .
    ├── cacert.pem
    ├── certs
    │   └── test.crt        #<== the certificate was written to the certs directory
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem          #<== this is the certificate as well
    ├── private
    │   └── cakey.pem
    ├── serial
    ├── serial.old
    └── test.csr

    4 directories, 10 files
    [root@centos7 CA]# diff certs/test.crt newcerts/01.pem      #<== comparing the two files shows they are identical
3. Obtain the certificate

Install the certificate: it must be installed on the client

    [root@centos7 CA]# scp certs/test.crt 192.168.8.128:/etc/pki/tls/certs  #<== copy the certificate to the client
    root@192.168.8.128's password:
    test.crt                      100% 4508     4.4KB/s   00:00
    [root@centos6 ~]# ls -l  /etc/pki/tls/certs/test.crt       #<== confirm on the client that the certificate is present
    -rw-r--r--. 1 root root 4508 Sep 10 00:17 /etc/pki/tls/certs/test.crt

View the information in the certificate:

  • openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
  • openssl ca -status SERIAL: view the status of the certificate with the given serial number

    [root@centos6 ~]# openssl x509 -in /etc/pki/tls/certs/test.crt -text   #<== view the certificate contents
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=beijing, L=haidian, O=iav18.com, OU=opt, CN=ca.iav18.com
            Validity
                Not Before: Sep  9 16:31:14 2017 GMT
                Not After : Sep  9 16:31:14 2018 GMT
            Subject: C=CN, ST=beijing, L=caoyang, O=iav18.com, OU=opt, CN=www.ihaiyun.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        (modulus hex omitted)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    C6:DC:8C:69:C1:5F:D2:53:D3:F4:74:D7:AE:4F:0D:8E:4E:5D:3B:13
                X509v3 Authority Key Identifier:
                    keyid:58:76:AE:27:21:CB:7F:FF:7F:BC:B7:BA:31:72:E2:BF:12:AF:78:6A
        Signature Algorithm: sha256WithRSAEncryption
             (signature hex omitted)
    -----BEGIN CERTIFICATE-----
    (PEM body omitted)
    -----END CERTIFICATE-----

Revoking a certificate

1. On the client, get the serial of the certificate to revoke

openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

    [root@centos6 ~]# openssl x509 -in /etc/pki/tls/certs/test.crt -noout -serial -subject
    serial=01
    subject= /C=CN/ST=beijing/L=caoyang/O=iav18.com/OU=opt/CN=www.ihaiyun.com
2. On the CA, compare the serial and subject submitted by the client with the entries in index.txt and, if they match, revoke the certificate:

openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem

    [root@centos7 CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
3. Specify the number of the first revoked certificate

Note: this is only needed once, before the certificate revocation list is updated for the first time
echo 01 > /etc/pki/CA/crlnumber

    [root@centos7 CA]# echo 01 > /etc/pki/CA/crlnumber
4. Update the certificate revocation list

Update the certificate revocation list

openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem
View the CRL file:
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text

    [root@centos7 CA]# openssl ca -gencrl -out /etc/pki/CA/crl/crl.pem      #<== update the certificate revocation list
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@centos7 CA]# openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text     #<== view the CRL file
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=CN/ST=beijing/L=haidian/O=iav18.com/OU=opt/CN=ca.iav18.com
            Last Update: Sep  9 17:10:46 2017 GMT
            Next Update: Oct  9 17:10:46 2017 GMT
            CRL extensions:
                X509v3 CRL Number:
                    1
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Sep  9 17:07:32 2017 GMT
        Signature Algorithm: sha256WithRSAEncryption
             (signature hex omitted)
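The CA set-up, signing, revocation and CRL steps above run end to end, as an added example that is not code from the original post. It assumes only the openssl CLI, builds the CA in a temporary directory with a minimal openssl.cnf written inline instead of /etc/pki/tls/openssl.cnf, and every directory, file name and subject in it is invented; it also shows what the "match" policy does to a request whose organization name differs from the CA's, and that `openssl verify` rejects the certificate once the CRL is consulted.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away private CA laid out like
# /etc/pki/CA above (index.txt, serial, crlnumber, "match" policy) that signs one
# request, refuses one whose O differs, then revokes the first certificate and
# publishes a CRL. Needs only the openssl CLI; all names and subjects are invented.
ca_init() {                               # $1 = CA directory
  mkdir -p "$1/certs" "$1/newcerts" "$1/crl" "$1/private"
  touch "$1/index.txt"                    # certificate index database
  echo 01 > "$1/serial"                   # first issued serial number
  echo 01 > "$1/crlnumber"                # first CRL number
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
EOF
  (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 3650 -key "$1/private/cakey.pem" \
    -subj "/C=CN/ST=beijing/O=demo/CN=ca.demo.test" -out "$1/cacert.pem"
}
ca_issue() {              # key + CSR for $2 with subject $3, signed by the CA
  (umask 066; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
  openssl req -new -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
  openssl ca -batch -config "$1/openssl.cnf" -days 365 -in "$1/$2.csr" -out "$1/certs/$2.crt"
}
ca_revoke() {             # revoke $2, then regenerate the CRL (crlnumber advances)
  openssl ca -config "$1/openssl.cnf" -revoke "$1/certs/$2.crt"
  openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$1/crl/crl.pem"
}
ca_verify() {             # $3 = extra verify flags such as "-crl_check -CRLfile ..."
  openssl verify -CAfile "$1/cacert.pem" ${3:-} "$1/certs/$2.crt"
}
ca_demo() {               # $1 = fresh empty directory; returns 0 if all behaves as expected
  ca_init "$1"
  ca_issue "$1" web "/C=CN/ST=beijing/O=demo/CN=www.demo.test" || return 1
  ca_verify "$1" web || return 1                                            # web.crt: OK
  ca_issue "$1" bad "/C=CN/ST=beijing/O=other/CN=bad.demo.test" && return 1 # O mismatch: refused
  ca_revoke "$1" web
  ca_verify "$1" web "-crl_check -CRLfile $1/crl/crl.pem" && return 1       # revoked now
  return 0
}
ca_demo "$(mktemp -d)" && echo "CA demo behaved as expected"
```

After the run, index.txt in the temporary directory holds one entry whose status column has changed from V to R, which is what `openssl ca -status` would report.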