Issuing Certificates
- Set up a CA server.
- Select a server as the CA server and prepare the directories for the CA server to issue certificates.
mkdir -p /home/ca_server
cd /home/ca_server/
mkdir demoCA
cp /etc/pki/tls/openssl.cnf ./
mkdir ./demoCA/newcerts ./demoCA/private ./demoCA/certs
chmod 777 ./demoCA/private/
echo 01 > ./demoCA/serial
touch ./demoCA/index.txt
- Change the dir setting in the CA_default section of the openssl.cnf file to the CA server directory.
- Open the file.
vim openssl.cnf
- Press i to enter the insert mode and set dir to /home/ca_server/demoCA/.

- Press Esc, type :wq!, and press Enter to save the file and exit.
- Generate a CA private key and a root certificate. You are advised to set the certificate validity period to 30 years, for example, -days 10950.
openssl genrsa -out ca.key 3072
openssl req -new -x509 -days 10950 -sha1 -extensions v3_ca -key ca.key -out ca.crt \
    -subj "/C=CN/ST=shenzhen/L=shenzhen/O=Huawei/OU=Huawei/CN=CA1" -config ./openssl.cnf
cp ca.key demoCA/private/cakey.pem
cp ca.crt demoCA/cacert.pem
- Check that the Basic Constraints extension of the CA certificate shows CA:TRUE.
openssl x509 -in ca.crt -noout -text

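Added example (not part of the original procedure): a POSIX shell helper that automates the check above. ca_text_ok reads the output of openssl x509 -noout -text and requires CA:TRUE in Basic Constraints and, if a Key Usage extension is present at all, Certificate Sign in it; verify_ca_files runs that check on ca.crt and then confirms that ca.key is the private key belonging to ca.crt by comparing the public key embedded in the certificate with the one derived from the key. The function names and the sample extension text are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original procedure. Checks that a certificate is
# usable as a signing CA and that the private key file belongs to it.

# ca_text_ok TEXT
# TEXT is the output of `openssl x509 -noout -text`. Succeeds when the Basic
# Constraints extension says CA:TRUE and, when a Key Usage extension is present,
# it includes "Certificate Sign" (a CA certificate that carries keyUsage must
# assert keyCertSign).
ca_text_ok() {
    text=$1
    printf '%s\n' "$text" | awk '/X509v3 Basic Constraints/ {getline; print}' \
        | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | awk '/X509v3 Key Usage/ {getline; print}' \
            | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# verify_ca_files CRT KEY
# Runs the page's check (openssl x509 -noout -text) through ca_text_ok and then
# compares the certificate's public key with the public key derived from KEY.
verify_ca_files() {
    crt=$1
    key=$2
    ca_text_ok "$(openssl x509 -in "$crt" -noout -text)" \
        || { echo "$crt is not a CA certificate" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "$key does not match $crt" >&2; return 1; }
    echo "$crt: CA:TRUE and private key matches"
}

# Constructed samples of the extension section of `x509 -text` output
# (not taken from real certificates).
CA_SAMPLE='            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign'
LEAF_SAMPLE='            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
# CA:TRUE but a Key Usage that does not allow signing certificates.
BAD_KU_SAMPLE='            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature'

# Usage: sh check_ca.sh ca.crt ca.key
if [ "$#" -eq 2 ]; then
    verify_ca_files "$1" "$2"
fi
```

The text parser runs offline on the constructed samples; verify_ca_files needs the openssl binary and the two files produced in the previous step.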
- Issue certificates.
After Exporting CSR Files is performed, the CSR files of the nodes are transferred to the corresponding issuing paths on the remote CA server. The file name prefix of each exported CSR file is the MAC address of the node.
To obtain the MAC address, run ifconfig | grep ether | awk 'NR==1' | awk '{print $2}'. An example command output is 68:4x:xx:xx:xx:aa; the MAC address used as the prefix is this string with the colons (:) removed.
[root@agent3]# ll /home/ca_server/
total 32K
-rw------- 1 root root 1.5K Nov 17 09:07 844xxxxxxxbbtarget.csr
-rw-r--r-- 1 root root 1.7K Nov 17 10:24 ca.crt
-rw------- 1 root root 2.5K Nov 17 10:24 ca.key
drwxr-xr-x 5 root root 4.0K Nov 17 15:32 demoCA
-rw-r--r-- 1 root root  11K Nov 17 10:23 openssl.cnf
- Manual issuing
To issue the haf_user and daemon certificates, run the following command for each of them in the corresponding CA server certificate issuing path:
openssl ca -policy policy_anything -extensions v3_req -out 844xxxxxxxbbtarget.crt \
    -config openssl.cnf -days 10950 -cert ca.crt -keyfile ca.key -infiles 84xxxxxxx2bbtarget.csr
Table 1 Parameter description

| Option | Description |
| --- | --- |
| -out | Output certificate file. NOTE: The prefix of the certificate file name must be the same as that of the CSR file. |
| -config | Configuration file. |
| -days | Certificate validity period. |
| -cert | CA certificate used for issuing certificates. NOTE: The CA certificate must be named ca.crt, which is used in the subsequent certificate import steps. |
| -keyfile | CA private key file. |
| -infiles | CSR files to be processed. NOTE: The name of an issued certificate must be the same as that of the corresponding CSR file. |
- Automatic issuing
The following script can be used to issue certificates automatically. Its main functions and implementation are as follows:
- Checks in real time whether new CSR files appear in the certificate generation directory.
- Issues the new CSR files and generates .crt files in the current directory with the same prefix as the corresponding CSR file. For example, the .crt file corresponding to service.csr is service.crt. You are advised to set the certificate validity period to 30 years, for example, -days 10950.
# Check whether new CSR files are generated in the directory and issue them.
cert_path=/home/ca_server/
# inotifywait prints "<watched path> <event> <file name>" for every new file.
inotifywait -m -e create "${cert_path}" | while read path action file
do
    if [[ "$file" =~ .*csr$ ]]; then   # Does the file end with .csr?
        echo "Find new csr file "
        cert_name="$path$file"
        echo "${cert_name}"
        prefix_name="${cert_name%.*}"   # Same prefix as the CSR, used for the .crt
        echo "${prefix_name}"
        cd "${cert_path}"
        openssl ca -batch -policy policy_anything -extensions v3_req \
            -out "${prefix_name}.crt" -days 10950 -config "${cert_path}/openssl.cnf" \
            -cert "${cert_path}/ca.crt" -keyfile "${cert_path}/ca.key" -infiles "${cert_name}"
        rm -rf "${cert_name}"   # Remove the processed CSR
    fi
    echo "End"
done
- If the preceding automatic certificate issuing script is running, you can obtain the issued certificates from the certificate issuing path after the export. The corresponding CSR files on the CA server are deleted automatically.
[root@ca_server]# ll /home/ca_server/
total 40K
-rw-r--r-- 1 root root 5.6K Nov 17 15:44 8446fe73b2bbtarget.crt
-rw-r--r-- 1 root root 1.7K Nov 17 10:24 ca.crt
-rw------- 1 root root 2.5K Nov 17 10:24 ca.key
drwxr-xr-x 5 root root 4.0K Nov 17 15:44 demoCA
-rw-r--r-- 1 root root  11K Nov 17 10:23 openssl.cnf
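Added example (not the page's script): a stricter form of the automatic issuing loop, covering both the MAC-address prefix rule described at the start of the issuing step and the watcher above. mac_prefix_from_ifconfig derives the file-name prefix from ifconfig output the way the page's pipeline does; csr_name_ok signs only CSRs whose name is a 12-hex-digit MAC followed by a role name and .csr, so a stray file dropped into the watched directory is not signed; crt_path_for keeps the CSR prefix for the .crt as Table 1 requires; issue_one refuses to overwrite an existing .crt. CERT_PATH, the function names and the sample ifconfig output are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own script. Helpers for a stricter automatic
# issuing loop: only CSRs named <12-hex-digit MAC><role>.csr are signed, the
# .crt keeps the CSR prefix, and an existing .crt is never overwritten.
# CERT_PATH and the function names are assumptions of this example.

CERT_PATH=${CERT_PATH:-/home/ca_server}

# mac_prefix_from_ifconfig TEXT: the first "ether" address in ifconfig output
# with the colons removed, i.e. the prefix the exported CSR file carries.
mac_prefix_from_ifconfig() {
    printf '%s\n' "$1" | awk '/ ether / {print $2; exit}' | tr -d ':'
}

# csr_name_ok PATH: succeeds when the base name is 12 lowercase hex digits,
# a role made of letters or underscores (target, haf_user, daemon, ...), then ".csr".
csr_name_ok() {
    printf '%s\n' "${1##*/}" | grep -Eq '^[0-9a-f]{12}[A-Za-z_]+\.csr$'
}

# crt_path_for CSR_PATH: the output certificate path with the same prefix.
crt_path_for() {
    printf '%s\n' "${1%.csr}.crt"
}

# issue_one CSR_PATH: sign one CSR with the page's openssl ca command, then
# remove the CSR as the original loop does.
issue_one() {
    csr=$1
    csr_name_ok "$csr" || { echo "skip $csr: name is not <mac><role>.csr" >&2; return 1; }
    crt=$(crt_path_for "$csr")
    if [ -e "$crt" ]; then
        echo "skip $csr: $crt already exists" >&2
        return 1
    fi
    (cd "$CERT_PATH" && openssl ca -batch -policy policy_anything -extensions v3_req \
        -out "$crt" -days 10950 -config "$CERT_PATH/openssl.cnf" \
        -cert "$CERT_PATH/ca.crt" -keyfile "$CERT_PATH/ca.key" -infiles "$csr") || return 1
    rm -f "$csr"
    echo "issued $crt"
}

# watch_and_issue: the same inotifywait loop as the page, calling issue_one
# for every new .csr file.
watch_and_issue() {
    inotifywait -m -e create "$CERT_PATH/" | while read -r path action file; do
        case "$file" in
            *.csr) issue_one "$path$file" ;;
        esac
    done
}

# Constructed ifconfig output for the prefix helper (not a real interface).
IFCONFIG_SAMPLE='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
        ether 02:00:5e:00:53:aa  txqueuelen 1000  (Ethernet)'

# Usage: sh issue_watch.sh watch
if [ "$1" = "watch" ]; then
    watch_and_issue
fi
```

The name check and path helpers run offline; watch_and_issue and issue_one need inotifywait, openssl and the CA files from the setup step.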