环境:centos6.5
两台主机,一个是CA签证 一个是apache服务器
第一步:apache上安装ssl支持
yum install -y mod_ssl
然后httpd -M就能看到ssl模块了
ssl_module (shared)
第二步:在CA机器上生成自签证书
先生成私钥
[root@slave CA]# cd /etc/pki/CA
[root@slave CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...................................................................+++
e is 65537 (0x10001)
这样就是成功了
生成自签证书
[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.8.com
Email Address []:a
[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.920.com
Email Address []:[email protected]
到这里,自签证书就生成完毕了
第三步:新建证书数据库
[root@slave CA]# touch index.txt #证书数据库
[root@slave CA]# echo 01 serial #序列号
第四步:在apache机器上生成一堆密钥
[root@nginx ~]# mkdir /etc/httpd/ssl
[root@nginx ~]# (umask 077;openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
....++++++
.......++++++
e is 65537 (0x10001)
生成CA证书请求
注意,这里一定要跟CA上面输入的一直,hostname例外
[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:^C
[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:qq.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
然后将此http.csr拷贝到CA服务器上签名
第五步:在CA上签名
[root@slave CA]# openssl ca -in /tmp/http.csr -out /tmp/http.rt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 13 10:03:52 2015 GMT
Not After : Feb 10 10:03:52 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = gd
organizationName = hu
organizationalUnitName = hu
commonName = qq.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A5:7E:50:2A:8C:4D:B5:E3:DB:72:D7:F8:CE:E2:20:B0:F9:FD:18:0D
X509v3 Authority Key Identifier:
keyid:45:71:85:FA:99:EE:F1:0E:0F:EC:AB:6D:8C:F7:1F:A2:32:DF:31:6A
Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
签名成功
[root@slave CA]# cat /etc/pki/CA/index.txt
V 250210100352Z 01 unknown /C=CN/ST=gd/O=hu/OU=hu/CN=qq.com/[email protected]
可以看到数据库更新了