
Configuring the Certificate Authority

In this section, the certificate authority (CA) refers to the digital certificate authority.

If a CA server has already been set up, skip this section.

The CA server is a key node for TLS security, and you need to set it up yourself. The following procedure is intended only for testing and does not ensure security.

  1. Select a server as the CA and create the following directories and files:
    mkdir -p /opt/gcache/secure/CACerts
    mkdir -p /opt/gcache/secure/CACerts/certs
    mkdir -p /opt/gcache/secure/CACerts/crl
    mkdir -p /opt/gcache/secure/CACerts/csr
    mkdir -p /opt/gcache/secure/CACerts/newcerts
    mkdir -p /opt/gcache/secure/CACerts/private
    mkdir -p /opt/gcache/secure/CACerts/public
    touch /opt/gcache/secure/CACerts/index.txt
    echo 01 > /opt/gcache/secure/CACerts/serial
  2. Copy the openssl.cnf file from the system directory and modify it.
    cp /etc/pki/tls/openssl.cnf /opt/gcache/secure/CACerts/openssl.cnf
    chmod 600 /opt/gcache/secure/CACerts/openssl.cnf
    vi /opt/gcache/secure/CACerts/openssl.cnf
    Modify the following content (if an item already exists, change its value; if it does not exist, add it):
    [ CA_default ]
    dir             = /opt/gcache/secure/CACerts
    certs           = $dir/certs
    crl_dir         = $dir/crl
    unique_subject  = no
    certificate     = $certs/ca.crt
    crl             = $crl_dir/crl.pem
    private_key     = $dir/private/ca.self
    default_md      = default
    
    [ req ]
    default_md		= sm3
    
    [ v3_req ]
    keyUsage = nonRepudiation, digitalSignature
    
    [ v3enc_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = keyAgreement, keyEncipherment, dataEncipherment
    
    [ v3_ca ]
    keyUsage = cRLSign, keyCertSign
  3. The CA node generates its public and private keys. When prompted, enter the CA password, which must meet the password complexity requirements. This password is required for subsequent certificate issuing, so keep it safe.
    cd /opt/gcache/secure/CACerts
    openssl genrsa -aes256 -out private/ca.self 4096
    openssl rsa -in private/ca.self -pubout -out public/ca.common
  4. The CA node issues a certificate for itself.
    openssl req -new -x509 -key private/ca.self -days 3650 -out certs/ca.crt -subj "/C=CN/ST=HZ/L=Binjiang/O=Huawei/CN=GCACHED"
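A check that the openssl.cnf edits from step 2 resolve the way the rest of the procedure expects, written as an added example (it is not part of this documentation or of the GCache product): it parses the fragment with OpenSSL-style `$var` expansion and reports the resolved CA paths and whether the extension sections grant the key usages a CA needs. The fragment from step 2 is embedded as constructed sample input; `parse_openssl_cnf` and `check_ca_config` are hypothetical helper names.

```python
import re
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")  # $dir or ${dir}
REQUIRED_CA_USAGE = {"keyCertSign", "cRLSign"}            # what [ v3_ca ] must grant
# Constructed sample: the fragment step 2 tells you to put into openssl.cnf.
SAMPLE_CNF = """
[ CA_default ]
dir             = /opt/gcache/secure/CACerts
certs           = $dir/certs
crl_dir         = $dir/crl
unique_subject  = no
certificate     = $certs/ca.crt
crl             = $crl_dir/crl.pem
private_key     = $dir/private/ca.self
default_md      = default
[ req ]
default_md      = sm3
[ v3_req ]
keyUsage = nonRepudiation, digitalSignature
[ v3enc_req ]
basicConstraints = CA:FALSE
keyUsage = keyAgreement, keyEncipherment, dataEncipherment
[ v3_ca ]
keyUsage = cRLSign, keyCertSign
"""

def expand(section, value):
    """Resolve $name references within the same section, as OpenSSL does for $dir."""
    return VAR_RE.sub(lambda m: expand(section, section[m.group(1)]), value)

def parse_openssl_cnf(text):
    """Minimal parser: '[ name ]' headers, 'key = value' lines, '#' comments."""
    sections, current = {}, "default"
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        header = re.match(r"\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
        elif line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return {n: {k: expand(s, v) for k, v in s.items()} for n, s in sections.items()}

def check_ca_config(text):
    """Resolved CA paths, plus whether the extension sections grant what a CA needs."""
    cfg = parse_openssl_cnf(text)
    ca = cfg.get("CA_default", {})
    ca_usage = {u.strip() for u in cfg.get("v3_ca", {}).get("keyUsage", "").split(",")}
    return {"certificate": ca.get("certificate"), "private_key": ca.get("private_key"),
            "crl": ca.get("crl"), "unique_subject_no": ca.get("unique_subject") == "no",
            "ca_can_sign": REQUIRED_CA_USAGE <= ca_usage,
            "enc_req_not_ca": cfg.get("v3enc_req", {}).get("basicConstraints") == "CA:FALSE",
            "req_digest": cfg.get("req", {}).get("default_md")}
```

Run `check_ca_config` on the real /opt/gcache/secure/CACerts/openssl.cnf after editing it; a `False` in the result or a `KeyError` from an undefined `$var` means the file will not drive the CA as the later steps assume.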