中文
注册
我要评分
文档获取效率
文档正确性
内容完整性
文档易理解
在线提单
论坛求助
鲲鹏小智

数字证书认证机构配置

本部分内容中CA(Certificate Authority)均代表数字证书认证机构。

如果已经有搭建的CA,请跳过此步骤。

CA服务器为TLS安全性保证的关键节点,请客户自行构建CA服务器,本流程仅供测试使用,安全性不保证。

  1. 选择一台服务器做为CA,创建如下目录及文件。
    mkdir -p /opt/gcache/secure/CACerts
    mkdir -p /opt/gcache/secure/CACerts/certs
    mkdir -p /opt/gcache/secure/CACerts/crl
    mkdir -p /opt/gcache/secure/CACerts/csr
    mkdir -p /opt/gcache/secure/CACerts/newcerts
    mkdir -p /opt/gcache/secure/CACerts/private
    mkdir -p /opt/gcache/secure/CACerts/public
    touch /opt/gcache/secure/CACerts/index.txt
    echo 01 > /opt/gcache/secure/CACerts/serial
  2. 拷贝位于系统目录的openssl.conf并修改。
    cp /etc/pki/tls/openssl.cnf /opt/gcache/secure/CACerts/openssl.cnf
    chmod 600 /opt/gcache/secure/CACerts/openssl.cnf
    vi /opt/gcache/secure/CACerts/openssl.cnf
    修改如下内容(有则修改,无则添加)。
    [ CA_default ]
    dir             = /opt/gcache/secure/CACerts
    certs           = $dir/certs
    crl_dir         = $dir/crl
    unique_subject  = no
    certificate	= $certs/ca.crt
    crl		= $crl_dir/crl.pem
    private_key	= $dir/private/ca.self
    default_md	= default
    
    [ req ]
    default_md		= sm3
    
    [ v3_req ]
    keyUsage = nonRepudiation, digitalSignature
    
    [ v3enc_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = keyAgreement, keyEncipherment, dataEncipherment
    
    [ v3_ca ]
    keyUsage = cRLSign, keyCertSign
  3. CA节点生成公私钥,生成公私钥时请输入CA密码,保证密码复杂度。因为后续执行证书签发需要此密码,请妥善保存。
    cd /opt/gcache/secure/CACerts
    openssl genrsa -aes256 -out private/ca.self 4096

    openssl rsa -in private/ca.self -pubout -out public/ca.common

  4. CA节点为自己签发证书。
    openssl req -new -x509 -key private/ca.self -days 3650 -out certs/ca.crt -subj "/C=CN/ST=HZ/L=Binjiang/O=Huawei/CN=GCACHED"

搜索结果
找到“0”个结果

当前产品无相关内容

未找到相关内容,请尝试其他搜索词