
搭建CA,申请证书

作者: 素瑾汐 | 来源:发表于2017-07-17 17:37 被阅读0次

    搭建CA和申请证书

    相关参考配置文件:/etc/pki/tls/openssl.cnf

    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section
    
    ####################################################################
    [ CA_default ]
    
    dir             = /etc/pki/CA           # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several ctificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.
    
    certificate     = $dir/cacert.pem       # The CA certificate
    serial          = $dir/serial           # The current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem# The private key
    RANDFILE        = $dir/private/.rand    # private random number file
    
    x509_extensions = usr_cert              # The extentions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default            # Subject Name options
    cert_opt        = ca_default            # Certificate field options
    
    # Extension copying option: use with caution.
    # copy_extensions = copy
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions        = crl_ext
    
    default_days    = 365                   # how long to certify for
    default_crl_days= 30                    # how long before next CRL
    default_md      = sha256                # use SHA-256 by default
    preserve        = no                    # keep passed DN ordering
    
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    ####################################################################
    [ req ]
    default_bits            = 2048
    default_md              = sha256
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    attributes              = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert
    

    需要用到的参考目录

    dir             = /etc/pki/CA           # Where everything is kept
    certs           = /etc/pki/CA/certs            # Where the issued certs are kept
    database        = /etc/pki/CA/index.txt        # database index file.
    new_certs_dir   = /etc/pki/CA/newcerts         # default place for new certs.
    certificate     = /etc/pki/CA/cacert.pem       # The CA certificate
    serial          = /etc/pki/CA/serial           # The current serial number
    private_key     = /etc/pki/CA/private/cakey.pem   # The private key
    

    注意事项:默认情况下,客户端证书请求中的国家、省、公司名称三项必须和CA保持一致,否则无法颁发证书。原因:/etc/pki/tls/openssl.cnf 配置文件中 policy = policy_match。将其改为 policy = policy_anything,或者将 [ policy_match ] 下 countryName、stateOrProvinceName、organizationName 这三项的值由 match 改为 optional,将不再要求一致(这同时放宽了CA对申请者主题信息的校验,应按实际需要选择)。

    服务端搭建私有CA

    1、创建所需的文件
    touch /etc/pki/CA/index.txt 生成证书索引数据库文件
    echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号(可自定,但需是两位数)
    2、生成CA私钥(umask 077 保证生成的私钥文件仅属主可读写;本例私钥未加密存储,生产环境建议在 genrsa 时加 -aes256 等选项为私钥设置口令保护)
    (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

    [root@centos CA]#(umask 077; openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ........................................................................+++
    ....................................+++
    e is 65537 (0x10001)
    

    3、自签名(给自己颁发证书)
    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
    -new: 生成新证书签署请求
    -x509: 专用于CA生成自签证书
    -key: 生成请求时用到的私钥文件
    -days n:证书的有效期限
    -out /PATH/TO/SOMECERTFILE: 证书的保存路径

    [root@centos CA]#openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:henan
    Locality Name (eg, city) [Default City]:zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:xmj
    Organizational Unit Name (eg, section) []:x
    Common Name (eg, your name or your server's hostname) []:xmj.com
    Email Address []:
    

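    openssl x509 -in /etc/pki/CA/cacert.pem -noout -text 查看CA证书信息(注意:下面输出中的 Signature Algorithm 为 sha1WithRSAEncryption,与上文配置摘录中的 default_md = sha256 不一致,说明实际运行环境的默认摘要可能仍是 SHA-1;SHA-1 签名已不被现代客户端信任,应确认 openssl.cnf 中 default_md 为 sha256,或在 openssl req 时显式加 -sha256)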

    [root@centos CA]#openssl x509 -in cacert.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 11583334546095199587 (0xa0c045660683d563)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
            Validity
                Not Before: Jul 17 07:11:40 2017 GMT
                Not After : Jul 12 07:11:40 2037 GMT
            Subject: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c3:c1:ed:52:ee:9f:8b:52:2d:48:69:86:05:84:
                        30:8b:57:14:1f:04:23:2d:a3:3d:c5:87:5d:65:35:
                        61:65:0e:fc:74:93:88:be:2a:66:47:ea:e4:c6:e7:
                        0c:6b:74:4d:28:e9:eb:21:75:58:8a:61:83:84:d8:
                        7f:09:4a:0e:63:c9:e1:d6:26:92:46:94:79:3b:f1:
                        08:a3:f7:05:cc:f6:87:f7:74:29:67:71:f0:f4:82:
                        6a:bf:51:e9:99:01:4e:df:dc:ff:d7:88:54:22:06:
                        d4:76:e1:1b:4f:4e:8a:e4:2f:64:6e:2f:c4:0d:25:
                        2c:cd:4f:e3:d0:1f:3e:e2:2d:82:a5:12:7a:95:88:
                        10:08:36:71:59:af:3a:c5:bf:b5:1d:8c:11:79:bc:
                        d6:18:d5:cd:39:f7:66:8a:ef:19:11:22:e3:7d:3f:
                        db:2b:67:4d:e5:20:98:43:7b:a3:60:cb:da:75:65:
                        d0:e3:22:f7:d0:98:90:e5:c8:16:5b:65:c0:64:6a:
                        71:33:6a:80:5c:2d:47:b5:8a:b5:53:64:3d:70:a4:
                        77:a5:df:dc:67:53:d9:f3:55:3c:68:9c:c5:f8:61:
                        25:ff:8b:e1:9a:2c:11:0f:4f:ad:f6:da:55:e9:d8:
                        57:d3:81:6d:45:b9:f0:f3:4f:c6:bb:2c:9b:de:4e:
                        cd:a1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
                X509v3 Authority Key Identifier: 
                    keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
             c1:1f:ab:c9:3b:61:71:ff:21:b4:6f:03:0e:de:e8:f7:78:be:
             b7:1c:50:85:6d:20:5a:4f:fa:22:6b:b6:29:d0:a2:a2:dc:7e:
             95:bc:14:a4:84:49:9f:cb:cd:27:1e:c9:8f:5a:98:89:a4:1d:
             af:76:b8:13:6d:96:d3:f7:7d:8b:9a:b7:26:71:63:32:af:59:
             d2:12:0a:4f:4b:e8:55:c2:79:ef:da:bd:2d:ea:c2:7a:3d:87:
             4d:7f:51:22:48:f8:84:2e:0b:43:8c:a4:6b:e3:ea:d7:79:3b:
             f2:ee:8f:26:f6:08:97:b7:e1:b2:0a:a7:30:46:23:04:74:d8:
             75:22:77:ac:1a:88:db:41:e5:a9:e6:9d:18:a5:14:44:58:c5:
             87:4e:f0:b1:ce:01:a7:8d:c5:ed:0a:51:04:c5:a6:9a:c9:00:
             64:1b:21:96:58:69:54:05:1a:3b:14:10:d0:6a:49:db:78:34:
             69:77:c9:24:33:63:85:fc:41:0f:f8:e0:da:9e:ca:c7:10:fe:
             7e:03:8f:60:e2:bb:56:92:38:12:a4:e7:d3:6a:07:f1:c6:44:
             81:f1:68:81:d8:c4:92:91:0a:b9:28:1d:ea:17:3b:ef:91:8c:
             ab:b1:78:6d:c8:ac:63:02:3a:12:ba:d0:bb:bc:2d:28:c4:ba:
             cb:59:7a:5e
    

    客户端申请证书

    1、给web服务器生成私钥
    (umask 077;openssl genrsa -out /root/app/service.key 2048 )
    2、申请证书
    生成证书申请文件
    openssl req -new -key /root/app/service.key -out /root/app/service.csr
    3、发送申请文件至服务端
    scp /root/app/service.csr IP:/etc/pki/CA

    CA签署证书,颁发证书给申请者

    服务端
    1、创建客户端证书申请目录
    mkdir /etc/pki/CA/csr
    mv /etc/pki/CA/service.csr /etc/pki/CA/csr

    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    ├── serial
    └── service.csr
    
    4 directories, 5 files
    [root@centos CA]#mkdir csr
    [root@centos CA]#mv service.csr csr
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    ├── crl
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── newcerts
    ├── private
    │   └── cakey.pem
    └── serial
    
    5 directories, 5 files
    [root@centos CA]#ll
    total 28
    -rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 certs
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
    drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
    -rw-r--r--. 1 root root    0 Jul 17 14:55 index.txt
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 newcerts
    drwx------. 2 root root 4096 Jul 17 15:00 private
    -rw-r--r--. 1 root root    3 Jul 17 14:55 serial
    

    2、颁发证书(签署前可先用 openssl req -in /etc/pki/CA/csr/service.csr -noout -text -verify 核对申请内容与签名,确认主题信息确属申请者)
    openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365

    [root@centos CA]#pwd
    /etc/pki/CA
    [root@centos CA]#openssl ca -in csr/service.csr -out certs/service.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jul 17 08:08:07 2017 GMT
                Not After : Jul 17 08:08:07 2018 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = henan
                organizationName          = xmj
                organizationalUnitName    = m
                commonName                = www.xmj.com
                emailAddress              = 111111
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
                X509v3 Authority Key Identifier: 
                    keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
    
    Certificate is to be certified until Jul 17 08:08:07 2018 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@centos CA]#ll
    total 40
    -rw-r--r--. 1 root root 1294 Jul 17 15:11 cacert.pem
    drwxr-xr-x. 2 root root 4096 Jul 17 16:08 certs
    drwxr-xr-x. 2 root root 4096 Mar 23 05:46 crl
    drwxr-xr-x. 2 root root 4096 Jul 17 15:59 csr
    -rw-r--r--. 1 root root   89 Jul 17 16:08 index.txt
    -rw-r--r--. 1 root root   21 Jul 17 16:08 index.txt.attr
    -rw-r--r--. 1 root root    0 Jul 17 14:55 index.txt.old
    drwxr-xr-x. 2 root root 4096 Jul 17 16:08 newcerts
    drwx------. 2 root root 4096 Jul 17 15:00 private
    -rw-r--r--. 1 root root    3 Jul 17 16:08 serial
    -rw-r--r--. 1 root root    3 Jul 17 14:55 serial.old
    [root@centos CA]#cd newcerts/
    [root@centos newcerts]#ls
    01.pem
    [root@centos newcerts]#cd ..
    ######serial文件里放的是下一个申请证书的证书编号
    [root@centos CA]#cat serial
    02
    ######此时数据库已更新,V为证书状态表示已颁发可用的
    [root@centos CA]#cat index.txt
    V       180717080807Z           01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── service.crt
    ├── crl
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 10 files
    

    3、申请的证书的查看
    openssl x509 -in /etc/pki/CA/certs/service.crt -noout {-text|-issuer|-subject|-serial|-dates}(花括号内的选项任选其一;此处的 | 表示"或",不是管道)
    openssl ca -status SERIAL 查看指定编号的证书状态

    [root@centos CA]#openssl x509 -in certs/service.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=cn, ST=henan, L=zhengzhou, O=xmj, OU=x, CN=xmj.com
            Validity
                Not Before: Jul 17 08:08:07 2017 GMT
                Not After : Jul 17 08:08:07 2018 GMT
            Subject: C=cn, ST=henan, O=xmj, OU=m, CN=www.xmj.com/emailAddress=111111
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:bd:a1:a2:49:f0:e5:9a:fd:3f:e6:87:24:0e:79:
                        6b:3e:05:db:52:06:d7:34:15:4a:2c:92:48:1f:c1:
                        0f:c6:7d:18:4b:fd:d0:82:10:c1:a4:9e:ae:65:05:
                        6a:2c:e4:53:cd:0d:07:cf:ff:77:1a:b6:3d:87:0f:
                        c5:b9:81:82:bb:7c:ef:9b:1b:24:82:f1:1e:2a:4d:
                        0c:a1:a5:1b:43:ad:33:01:e3:a4:ee:4f:d8:28:7a:
                        e7:fa:e4:fc:08:f4:89:13:e7:ca:85:77:00:34:15:
                        3d:61:02:74:bc:7d:af:13:de:02:4e:c2:ac:60:7d:
                        ff:2b:70:ed:06:66:6a:1f:63:c0:a2:bf:87:6d:d8:
                        dc:dc:14:70:3c:e3:14:72:75:b4:6d:d1:e8:28:72:
                        f5:f5:0f:9c:32:c5:cb:04:54:e9:51:32:5d:d9:5e:
                        71:54:3a:da:d4:33:ed:ac:14:25:6d:4b:c8:08:33:
                        11:f5:9f:ba:04:95:8b:d3:c9:11:e3:16:ae:c3:23:
                        d1:12:f0:80:cb:e9:d6:5b:03:d5:9e:1e:11:e2:4a:
                        ec:7a:c8:fd:69:ab:56:2d:3e:f3:db:48:a0:a6:b3:
                        0a:17:20:f0:bb:f8:e9:3d:a1:f3:87:a3:13:a6:93:
                        f9:9c:cd:88:cc:73:af:43:6a:ce:2f:5f:f6:08:a1:
                        31:3d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    58:C1:E6:56:07:FF:B7:FD:EC:AC:9A:DD:05:19:EA:98:D0:7F:9B:6B
                X509v3 Authority Key Identifier: 
                    keyid:04:9D:1F:51:07:F9:4B:23:D2:58:6C:89:EC:30:13:94:4D:1B:14:EF
    
        Signature Algorithm: sha1WithRSAEncryption
             2e:a5:ed:ab:b7:b1:e5:fb:03:e7:dd:4e:15:61:25:81:c3:ee:
             a6:e4:60:e2:74:36:61:8b:39:e4:25:fd:12:12:ce:37:28:fe:
             7d:1f:c4:c7:fa:fc:60:a9:e9:36:1d:b9:23:e9:d9:91:e3:e0:
             b2:e2:32:41:a7:4e:8d:a4:9e:33:0d:66:b9:cb:1a:7c:31:61:
             78:18:ce:03:50:b1:e1:07:b9:39:0d:f5:c8:80:b9:d6:06:0f:
             4c:5a:67:29:3c:34:70:c6:d5:2d:d8:5f:0b:4d:ba:0e:8c:cb:
             56:b9:fb:df:5f:58:df:ab:7e:ac:41:9e:32:74:65:b3:2d:70:
             d2:f7:78:05:17:47:bb:ef:de:44:b3:8b:70:03:11:da:79:eb:
             e9:57:9d:e8:c2:43:43:73:72:b6:ff:e4:bc:0f:41:38:b7:af:
             7a:74:b2:17:57:c5:8a:8d:b5:d1:ba:aa:42:bf:3f:17:f3:54:
             8e:54:86:3c:95:0a:d1:27:d6:a7:ce:f6:c5:2b:e6:79:68:76:
             6a:5b:bb:d9:6a:23:7a:f2:3d:41:bb:f5:ec:29:fc:0a:46:e5:
             11:8b:04:39:86:6e:7d:59:50:7e:2c:47:f2:9f:20:31:54:07:
             87:1e:39:af:28:dd:c0:c2:6f:2a:89:91:c6:25:2a:35:0e:f9:
             a6:2e:51:62
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -issuer
    issuer= /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -subject
    subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -serial
    serial=01
    [root@centos CA]#openssl x509 -in certs/service.crt -noout -dates
    notBefore=Jul 17 08:08:07 2017 GMT
    notAfter=Jul 17 08:08:07 2018 GMT
    [root@centos CA]#openssl ca -status 01
    Using configuration from /etc/pki/tls/openssl.cnf
    01=Valid (V)
    

    4、把证书复制发送给客户端

    吊销证书

    1、在客户端获取要吊销的证书的serial
    openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject

    [root@centos app]#pwd
    /root/app
    [root@centos app]#openssl x509 -in service.crt -noout -serial -subject
    serial=01
    subject= /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    

    2、在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致,确认无误后吊销证书(下面命令中的 *.pem 代表待吊销证书序列号对应的文件,例如 newcerts/01.pem;实际执行时应写明具体文件名,不要使用通配符):
    openssl ca -revoke /etc/pki/CA/newcerts/*.pem
    创建吊销列表数据库(初始值01可自定)
    echo 01 > /etc/pki/CA/crlnumber
    更新证书吊销列表(CRL 有有效期,本例 default_crl_days = 30;需在 Next Update 之前重新生成,并分发给验证证书的一方,吊销才会被对方识别)
    openssl ca -gencrl -out crl.pem
    查看吊销列表
    openssl crl -in crl.pem -noout -text

    [root@centos CA]#pwd
    /etc/pki/CA
    [root@centos CA]#cat index.txt
    V       180717080807Z           01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    ######吊销证书
    [root@centos CA]#openssl ca -revoke newcerts/01.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    Revoking Certificate 01.
    Data Base Updated
    ######数据库更新,证书状态由V变为R(吊销)
    [root@centos CA]#cat index.txt                     
    R       180717080807Z   170717090033Z   01      unknown /C=cn/ST=henan/O=xmj/OU=m/CN=www.xmj.com/emailAddress=111111
    ######创建吊销列表数据库(初始值01可自定)
    [root@centos CA]#echo 01 > crlnumber
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── service.crt
    ├── crl
    ├── crlnumber
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 12 files
    ######更新证书吊销列表
    [root@centos CA]#openssl ca -gencrl -out crl/crl.pem
    Using configuration from /etc/pki/tls/openssl.cnf
    [root@centos CA]#tree
    .
    ├── cacert.pem
    ├── certs
    │   └── service.crt
    ├── crl
    │   └── crl.pem
    ├── crlnumber
    ├── crlnumber.old
    ├── csr
    │   └── service.csr
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.attr.old
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    5 directories, 14 files
    ######crlnumber文件中存放的是下一次生成的吊销列表(CRL)的编号,而不是被吊销证书的编号
    [root@centos CA]#cat crlnumber
    02
    [root@centos CA]#cat crlnumber.old 
    01
    ######查看吊销列表
    [root@centos CA]#openssl crl -in crl/crl.pem -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=cn/ST=henan/L=zhengzhou/O=xmj/OU=x/CN=xmj.com
            Last Update: Jul 17 09:02:34 2017 GMT
            Next Update: Aug 16 09:02:34 2017 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    1
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Jul 17 09:00:33 2017 GMT
        Signature Algorithm: sha1WithRSAEncryption
             5c:87:ce:3e:52:da:f3:6f:5f:d9:4a:f2:20:73:d1:22:d6:85:
             34:2d:0d:5a:99:6a:90:13:ec:ff:3c:b1:b2:ad:d9:c1:00:f3:
             29:0c:21:22:c6:76:2d:0a:8e:b1:23:76:70:c8:38:ae:28:2d:
             2a:b6:df:8e:87:cf:db:dd:79:db:17:ba:aa:73:1f:3c:b9:8e:
             69:e3:1b:24:30:56:f3:36:50:57:83:a5:ee:3e:c5:15:44:de:
             6d:38:b3:47:29:c6:e8:7a:6b:66:0e:4a:c7:23:c1:ef:d6:2b:
             fd:5a:c0:48:04:c1:33:b8:fb:78:3b:27:30:f8:76:0f:4d:44:
             35:13:0d:af:67:14:03:63:38:00:44:db:79:1c:0e:27:4d:5f:
             27:0b:2b:79:b2:94:75:19:1b:a9:79:1c:00:62:41:ad:28:ec:
             78:06:eb:04:0f:92:4d:01:42:e7:b3:a2:d5:82:6d:f2:4d:b6:
             00:1e:45:35:ab:ac:50:15:6d:1e:60:74:84:a3:d6:17:f4:21:
             b4:d7:5d:1e:ed:69:82:22:13:34:a8:60:5a:9e:70:cc:58:26:
             68:5d:92:dd:78:87:47:91:c8:94:12:89:43:fc:eb:1f:9f:8e:
             22:1e:19:4b:ea:6d:2d:0b:1c:e7:17:e7:e9:33:e6:19:37:6f:
             70:03:25:51
    
