HTTPS: self-signed CA certificate, and issuing a certificate to the web server

Two hosts are used: the CA runs on 192.168.64.104 (CentOS 7, CA directory `/etc/pki/CA`) and the web server on 192.168.64.103 (CentOS 6, Apache with mod_ssl). The CA generates its own key and self-signed certificate, the web server generates a key and a certificate signing request (CSR), the CSR is copied to the CA, signed there, and the resulting certificate plus the CA certificate are copied back to the web server.

**Commands run on the CA host**

Initialise the CA database (`index.txt`) and the serial number file, then generate the CA private key. The `umask 077` makes the key file readable by root only.

```
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# touch index.txt
[root@centos7 CA]# echo 01 > serial
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................................+++
e is 65537 (0x10001)
```

Self-sign the CA certificate for ten years. The Common Name entered here is the issuer name that will appear on every certificate this CA signs:

```
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com    <-- issuer name
Email Address []:admin@magedu.com
```

The `httpd.csr` in the listing below was copied over from the web server (see the web server steps further down). `openssl ca` signs it using the `[ CA_default ]` settings in `/etc/pki/tls/openssl.cnf`, which is why the directory layout (`certs`, `newcerts`, `private`, `index.txt`, `serial`) has to exist exactly as shown:

```
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 5 files
[root@centos7 CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 27 19:08:15 2018 GMT
            Not After : Dec 28 19:08:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu.com
            organizationalUnitName    = Opt
            commonName                = *.magedu.com
            emailAddress              = admin@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
            X509v3 Authority Key Identifier:
                keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7

Certificate is to be certified until Dec 28 19:08:15 2019 GMT (700 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Two things in this output are worth checking. First, the Subject contains no localityName even though the web server entered `bj` for it: the stock `policy_match` policy in openssl.cnf does not list that field, and `openssl ca` silently drops any DN field the policy does not mention. The fields the policy marks `match` (country, state, organization) must be identical to the CA certificate's, which is why they were entered the same way on both hosts. Second, the X509v3 extensions contain no Subject Alternative Name. Current browsers (Chrome since version 58, and Firefox likewise) match the requested hostname only against SANs and ignore the Common Name, so a certificate issued this way will be rejected as a name mismatch by those clients; a deployment that has to work with them needs a `subjectAltName` extension listing the hostnames served.

Copy the issued certificate to the web server:

```
[root@centos7 CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsLLKTd4m4JYuBNwUB9D6Zk8jLIO5ySUs9nhCRc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
root@192.168.64.103's password:
httpd.crt                                     100% 3870     6.4MB/s   00:00
```

After signing, the CA directory shows what `openssl ca` recorded: `index.txt` now lists the issued certificate, `newcerts/01.pem` is the CA's own copy of it (named after the serial number), `serial` has been incremented, and the previous versions are kept as `.old` files. The CA certificate is then copied to the web server as well, so it can be referenced from the Apache configuration:

```
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
│   └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@centos7 CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
root@192.168.64.103's password:
Permission denied, please try again.
root@192.168.64.103's password:
cacert.pem                                    100% 1424     3.2MB/s   00:00
```

**Commands run on the web server host**

Create the directory that will hold the key and certificates, and generate the server's private key:

```
[root@cent6OS CA]# mkdir /etc/httpd/conf.d/ssl
[root@cent6OS CA]# cd /etc/httpd/conf.d/ssl
[root@cent6OS ssl]# (umask 077;openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
```

Caveat: no key size was given, so `openssl genrsa` fell back to the build's default, which on this CentOS 6 host is 1024 bits. 1024-bit RSA is below what current browsers and CA/Browser Forum requirements accept for TLS; always pass the size explicitly, as was done for the CA key (`openssl genrsa -out httpd.key 2048`).

Generate the CSR. The Common Name is the web server's name, i.e. the subject the certificate is issued to. The "extra attributes" (challenge password, optional company name) are left blank:

```
[root@cent6OS ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com    <-- web server name, the subject the cert is issued to
Email Address []:admin@magedu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Send the CSR to the CA host (192.168.64.104). Only the CSR leaves this machine; the private key `httpd.key` stays on the web server. The listing afterwards was taken once the CA had copied `httpd.crt` and `cacert.pem` back:

```
[root@cent6OS ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
root@192.168.64.104's password:
httpd.csr                                     100%  696     0.7KB/s   00:00
[root@cent6OS ssl]# tree .
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key

0 directories, 4 files
```

Finally, point mod_ssl at the files with `vim /etc/httpd/conf.d/ssl.conf`. The post's excerpt shows `ServerName`, `SSLCertificateKeyFile` and `SSLCACertificateFile`; `SSLCertificateFile` must be changed too (the stock ssl.conf points it at `/etc/pki/tls/certs/localhost.crt`), otherwise Apache keeps serving the default self-signed certificate:

```
ServerName www.magedu.com:443
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
```

Because `httpd.crt` is signed directly by the root CA there is no intermediate to send, so `SSLCertificateChainFile` can stay commented out. `SSLCACertificateFile` is the trust store mod_ssl uses to verify client certificates; it does not make browsers trust the server. Clients must import `cacert.pem` themselves, after which `openssl s_client -connect www.magedu.com:443 -CAfile cacert.pem` on such a client should end with `Verify return code: 0 (ok)`.
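The whole flow above, replayed non-interactively in a scratch directory. This is an added example written for this page, not the original post's commands: it writes its own minimal openssl.cnf instead of relying on `/etc/pki/tls/openssl.cnf`, uses `-subj` and `-batch` instead of the interactive prompts, and adds the things the post leaves out (a 2048-bit server key, a subjectAltName carried from the CSR into the certificate, and checks that the issued certificate chains to the CA and matches the server key). The scratch paths, the SAN hostnames and the check functions are assumptions for the demo; it needs only `openssl` on `PATH`.

```shell
#!/bin/sh
# Added example: replay of the page's CA / web-server flow in a temp dir.
# Paths, SAN list and function names are demo assumptions, not from the post.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CA="$WORK/CA"      # stands in for /etc/pki/CA on the CA host
SSL="$WORK/ssl"    # stands in for /etc/httpd/conf.d/ssl on the web server
mkdir -p "$CA/private" "$CA/newcerts" "$CA/certs" "$SSL"
chmod 700 "$CA/private"; touch "$CA/index.txt"; echo 01 > "$CA/serial"

# Self-contained openssl.cnf: the [ CA_default ] part mirrors what the stock
# file gives 'openssl ca'; [ req ] adds SAN handling the page does not have.
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 700
policy          = policy_match
x509_extensions = server_cert
copy_extensions = copy              # take subjectAltName from the CSR
[ policy_match ]                    # stock policy: unlisted fields (L) are dropped
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ server_cert ]                     # CA-controlled; overrides anything copied
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca     # used by 'req -x509' (CA's own cert)
req_extensions          = v3_req    # used for the web server's CSR
[ req_dn ]
commonName              = Common Name
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ v3_req ]
subjectAltName          = DNS:www.magedu.com, DNS:magedu.com
EOF

# --- CA host: key (root-only) and ten-year self-signed certificate ---
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$WORK/openssl.cnf" -days 3650 \
  -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
  -subj "/C=CN/ST=beijing/L=beijing/O=magedu.com/OU=Opt/CN=ca.magedu.com/emailAddress=admin@magedu.com"

# --- web server: 2048-bit key (the page's bare 'genrsa' fell back to 1024) and CSR ---
(umask 077; openssl genrsa -out "$SSL/httpd.key" 2048 2>/dev/null)
openssl req -new -config "$WORK/openssl.cnf" -key "$SSL/httpd.key" -out "$SSL/httpd.csr" \
  -subj "/C=CN/ST=beijing/L=bj/O=magedu.com/OU=Opt/CN=*.magedu.com/emailAddress=admin@magedu.com"

# --- CA host: sign the CSR without prompts, then hand cert + CA cert to the server ---
openssl ca -batch -config "$WORK/openssl.cnf" -in "$SSL/httpd.csr" \
  -out "$CA/certs/httpd.crt" -days 700 2>/dev/null
cp "$CA/certs/httpd.crt" "$CA/cacert.pem" "$SSL/"

# --- checks the page skips ---
verify_chain()     { openssl verify -CAfile "$SSL/cacert.pem" "$SSL/httpd.crt" >/dev/null 2>&1 && echo OK || echo FAIL; }
key_matches_cert() { [ "$(openssl x509 -in "$SSL/httpd.crt" -noout -modulus)" = \
                       "$(openssl rsa -in "$SSL/httpd.key" -noout -modulus)" ] && echo yes || echo no; }
cert_san()         { openssl x509 -in "$SSL/httpd.crt" -noout -text | grep -o 'DNS:[^,]*' | tr '\n' ' ' | sed 's/ $//'; }
# number of L= fields in the issued subject: 0, because policy_match omits localityName
locality_fields()  { openssl x509 -in "$SSL/httpd.crt" -noout -subject | grep -Eo '(^|[/, ])L *=' | wc -l | tr -d ' '; }

echo "chain verifies:      $(verify_chain)"
echo "key matches cert:    $(key_matches_cert)"
echo "SAN in issued cert:  $(cert_san)"
echo "localityName fields: $(locality_fields)"
```

`copy_extensions = copy` is what makes the CSR's SAN survive signing; with the stock setting (`none`) the requester's extensions are ignored, which is exactly why the page's certificate has no SAN. Extensions listed in `[ server_cert ]` still win over anything copied, so a CSR asking for `CA:TRUE` cannot turn itself into a CA.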
Original source: http://blog.51cto.com/11034229/2065872