首先在其他主机上创建一个私有的CA

假如我我现在就另外开一台虚拟机

登录进去

一、生存一对密钥（私钥和公钥，公钥可以在私钥中提取因此创建私钥就可以了）

[root@CentOS6 ~]#cd/etc/pki/CA

[root@CentOS6 CA]#(umask 077; opensslgenrsa –out private/cakey.pem 2048)

二、生成CA的证书

[root@CentOS6 CA]# openssl req -new -x509-key private/cakey.pem -out cacert.pem

You are about to be asked to enterinformation that will be incorporated

into your certificate request.

What you are about to enter is what iscalled a Distinguished Name or a DN.

There are quite a few fields but you canleave some blank

For some fields there will be a defaultvalue,

If you enter ‘.‘, the field will be leftblank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Henan

Locality Name (eg, city) [DefaultCity]:Zhengzhou

Organization Name (eg, company) [DefaultCompany Ltd]:HuangBY

Organizational Unit Name (eg, section)[]:Tech

Common Name (eg, your name or your server‘shostname) []:www.huangbaoying.com

Email Address []:479714212@qq.com

Please enter the following ‘extra‘attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@CentOS6 CA]# mkdir certs newcerts crl

[root@CentOS6 CA]# touch index.txt

[root@CentOS6 CA]# touch serial

[root@CentOS6 CA]# echo 01 > serial

OK准备给人家签证吧

三、好了，现在在httpd服务器的主机上

[root@CentOS6 ~]# cd /etc/httpd/

[root@CentOS6 httpd]# mkdir ssl

[root@CentOS6 httpd]#cd ssl

创建私钥

[root@CentOS6 ssl]# (umask 077; opensslgenrsa –out httpd.key 1024)

创建证书

[root@CentOS6 CA]# openssl req –new -key httpd.key-out httpd.csr

把证书发给CA

现在我们切换到CA如果你在同一台主机上就不再切换了

四、签证

[root@CentOS6 ~]#openssl ca –in httpd.csr –outhttpd.crt –days 3650

好了签证完毕把httpd.crt发给httpd的服务器主机

五、登录到httpd的服务器主机

将收到的httpd.crt放到/etc/httpd/ssl/下面去备用

本文出自 “奔向互联网” 博客，请务必保留此出处http://huangbaoying.blog.51cto.com/9267029/1604725

https服务器的配置（三）创建私有CA和证书