Creating a self-signed CA certificate

1. Create the CA's private key:

cd /etc/pki/CA/private
(umask 0077; openssl genrsa -out cakey.pem 2048)

Note: the key must be placed in /etc/pki/CA/private. That is where the [CA_default] section of /etc/pki/tls/openssl.cnf expects it (private_key = $dir/private/cakey.pem), and the umask in the subshell keeps the file mode 0600 so only root can read it.

2. Create the CA's self-signed certificate (run from /etc/pki/CA; the key from step 1 is in private/). Without -days the certificate is only valid for 30 days, which is far too short for a CA:

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:liubin
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www1.stu12.com
Email Address []:

Note: the Common Name used here is the same as the server's hostname in step 5. Give the CA its own distinct name instead (for example "liubin CA") so that the Issuer and Subject of the certificates it signs differ; some clients build chains by name and treat a certificate whose Subject equals its Issuer as self-signed.

3. Create the database and serial files that `openssl ca` requires (in /etc/pki/CA):

[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial

4. Create the web server's private key.
First create the directory that will hold the key and certificate (the rest of this page uses /www/ssl):

mkdir -pv /www/ssl
cd /www/ssl
[root@localhost /www/ssl]# (umask 0077; openssl genrsa -out httpd_key.pem 2048)

State the key size explicitly; the default depends on the OpenSSL version.

5. Create the server's certificate signing request (CSR). This is not a self-signed certificate: the CA signs the request in step 7.

[root@localhost /www/ssl]# openssl req -new -key httpd_key.pem -out httpd_csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:liubin
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www1.stu12.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

6. Send the server's CSR to the CA server (only the request travels; the private key stays on the web server):

scp httpd_csr root@172.16.12.21:/root

7. Sign the request on the CA server. The default policy_match section of openssl.cnf requires C, ST and O to match the CA certificate and silently drops any field it does not list, which is why the localityName entered in step 5 is missing from the issued Subject below:

[root@localhost CA]# openssl ca -in httpd_csr -out httpd_crt.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  1 21:04:37 2017 GMT
            Not After : Jun  1 21:04:37 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = liubin
            organizationalUnitName    = ops
            commonName                = www1.stu12.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                51:B2:FC:C3:77:C2:CB:A1:4A:43:53:EA:D9:F8:C8:83:0A:59:91:41
            X509v3 Authority Key Identifier: 
                keyid:F3:0E:EB:57:25:77:45:EC:98:41:8F:D1:54:A9:DA:4C:9C:FA:04:3D

Certificate is to be certified until Jun  1 21:04:37 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

8. Copy the signed certificate back to the web server:

scp httpd_crt.pem root@172.16.12.11:/www/ssl/

9. Install the SSL module on the web server:

yum -y install mod_ssl

10. Edit the SSL configuration file installed by mod_ssl (/etc/httpd/conf.d/ssl.conf on CentOS) so that it points at the certificate and key, then restart httpd:

SSLCertificateFile /www/ssl/httpd_crt.pem
SSLCertificateKeyFile /www/ssl/httpd_key.pem

Because this CA is private, clients will not trust the server certificate until /etc/pki/CA/cacert.pem has been imported into their trust store.
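The whole procedure as one runnable script, added here as an example (it is not code from the original page). It carries out the page's ten steps against scratch directories: CA_DIR and SRV_DIR are assumed stand-ins for /etc/pki/CA and /www/ssl, the CA name "liubin Test CA" and the subjectAltName are assumptions, and the minimal openssl.cnf it writes mirrors the [CA_default] and policy_match sections the page relies on from /etc/pki/tls/openssl.cnf. On top of the page's steps it adds an explicit CA lifetime, CA extensions, a SAN on the server certificate, and a verification pass before the files would go into ssl.conf.

```sh
#!/bin/sh
# Added example, not code from the original page: the page's ten steps as one
# script, run in scratch dirs. Assumed: CA_DIR = /etc/pki/CA, SRV_DIR = /www/ssl.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
SRV_DIR="${SRV_DIR:-$(mktemp -d)}"
SERVER_FQDN="www1.stu12.com"
CA_SUBJ="/C=CN/ST=BeiJing/L=BeiJing/O=liubin/OU=ops/CN=liubin Test CA"
SRV_SUBJ="/C=CN/ST=BeiJing/L=BeiJing/O=liubin/OU=ops/CN=$SERVER_FQDN"

# Minimal stand-in for the stock openssl.cnf: same [CA_default] layout and policy.
write_ca_config() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    chmod 0700 "$CA_DIR/private"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $CA_DIR
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_days   = 365
default_md     = sha256
policy         = policy_match
# Fields not listed here (e.g. localityName) are dropped from issued certs.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Steps 1-3: CA key, self-signed CA cert with an explicit lifetime, index/serial.
build_ca() {
    write_ca_config
    (umask 0077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -sha256 -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -subj "$CA_SUBJ" -out "$CA_DIR/cacert.pem"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
}

# Steps 4-5: server key and CSR (a signing request, not a self-signed cert).
make_server_csr() {
    (umask 0077; openssl genrsa -out "$SRV_DIR/httpd_key.pem" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$SRV_DIR/httpd_key.pem" \
        -subj "$SRV_SUBJ" -out "$SRV_DIR/httpd_csr"
}

# Step 7: sign on the CA. Leaf extensions come from -extfile; browsers match the
# hostname against the SAN, so the CN alone is not enough.
sign_server_csr() {
    printf '%s\n' '[ server_cert ]' \
        'basicConstraints       = CA:FALSE' \
        'keyUsage               = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage       = serverAuth' \
        'subjectKeyIdentifier   = hash' \
        'authorityKeyIdentifier = keyid,issuer' \
        "subjectAltName         = DNS:$SERVER_FQDN" > "$CA_DIR/server_ext.cnf"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -extfile "$CA_DIR/server_ext.cnf" -extensions server_cert \
        -in "$SRV_DIR/httpd_csr" -out "$SRV_DIR/httpd_crt.pem"
}

# Pre-flight for steps 9-10: chain verifies, SAN present, and the key matches
# the cert (mod_ssl refuses to start on a key/cert mismatch).
verify_server_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$SRV_DIR/httpd_crt.pem" >/dev/null &&
    openssl x509 -in "$SRV_DIR/httpd_crt.pem" -noout -text | grep -q "DNS:$SERVER_FQDN" &&
    [ "$(openssl x509 -in "$SRV_DIR/httpd_crt.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$SRV_DIR/httpd_key.pem" -pubout)" ]
}

build_ca
make_server_csr
sign_server_csr
verify_server_cert || { echo "verification failed" >&2; exit 1; }
echo "OK: $SRV_DIR/httpd_crt.pem chains to $CA_DIR/cacert.pem"
```

Run it with sh; setting CA_DIR=/etc/pki/CA and SRV_DIR=/www/ssl in the environment produces the files at the paths used on this page. The verification step is the one to keep even when following the page by hand: `openssl verify -CAfile cacert.pem httpd_crt.pem` shows whether the chain is sound before httpd is restarted.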
