Setting up your own CA and issuing SSL certificates

Environment

System: CentOS 6.6

Preparation

  • Install the required packages (openssl-perl is the package that ships the CA.pl wrapper used below)
# yum install openssl openssl-perl

Creating the CA

  • Edit openssl.cnf (changes the defaults that CA.pl presents; optional)
# vim /etc/pki/tls/openssl.cnf
default_days    = 3650
countryName_default             = CN
stateOrProvinceName_default     = BeiJing
localityName_default            = BeiJing
0.organizationName_default      = Company Ltd
organizationalUnitName_default  = IT
default_days lives in the [ CA_default ] section and sets the validity of the certificates issued by CA.pl -sign (the CA certificate itself is always issued for 1095 days by CA.pl -newca, regardless of this value). The *_default entries live in [ req_distinguished_name ] and only pre-fill the interactive prompts; you can still type something else at each prompt.
  • Empty /etc/pki/CA (otherwise CA.pl -newca exits immediately without creating anything and without printing an error). This deletes any CA key and certificate already stored there, so only do it on a fresh install.
# rm -fr /etc/pki/CA/*
  • Create the CA
# cd /etc/pki/tls/misc

# ./CA.pl -newca
Enter PEM pass phrase: enter the CA passphrase
Verifying - Enter PEM pass phrase: repeat the CA passphrase
......
Country Name (2 letter code) [GB]: CN
State or Province Name (full name) [Berkshire]:BeiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:domain.com
Email Address []:[email protected]
......
Enter pass phrase for /etc/pki/CA/private/cakey.pem: enter the CA passphrase
......
The CA private key is written, encrypted with that passphrase, to /etc/pki/CA/private/cakey.pem, and the CA certificate to /etc/pki/CA/cacert.pem. The certificate is what clients must import into their trust store to accept anything this CA signs; the key never leaves this machine.

Note: the Common Name of the CA itself is only a label for the CA (domain.com above is fine). It is the Common Name of the server certificate request in the next section that must be the target machine's fully qualified domain name, because that is the name clients compare against the host they connect to. Be aware that current browsers (Chrome since version 58) ignore the CN and require a matching subjectAltName extension, which CA.pl -newreq does not add, so a certificate produced this way is accepted by tools such as openssl s_client and older clients but not by those browsers.

Issuing a certificate

  • Create the certificate request (-newreq-nodes writes the server's private key without a passphrase, so the service can load it at boot without prompting)
# ./CA.pl -newreq-nodes
......
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BeiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:your.domain.com
Email Address []:[email protected]
......
  • Sign the request with the CA
# ./CA.pl -sign
......
Enter pass phrase for /etc/pki/CA/private/cakey.pem: enter the CA passphrase
......
Sign the certificate? [y/n]:y
......
1 out of 1 certificate requests certified, commit? [y/n]y
......

Three files now exist in the current directory:
newreq.pem   the certificate request; can be deleted once it has been signed
newcert.pem  the certificate signed by the CA
newkey.pem   the private key belonging to that certificate (unencrypted, because of -nodes)

  • Rename the certificate and private key
# rm -f newreq.pem
# mv newcert.pem your.domain.com.cert
# mv newkey.pem your.domain.com.key
  • Copy the certificate your.domain.com.cert and the private key your.domain.com.key to the server that needs them. The key is unencrypted, so move it over an authenticated channel (scp, not e-mail or a shared drive) and set it to mode 600 owned by the service user. Clients also need the CA certificate /etc/pki/CA/cacert.pem in their trust store; without it they will reject the server certificate as untrusted.
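The same CA, request and signing steps as a non-interactive script, added here as an example (it is not the page's own procedure and not part of CA.pl). It assumes openssl is on PATH and differs from the CA.pl flow in three labelled ways: the CA key is written unencrypted (-nodes) so the script runs unattended, where CA.pl encrypts it with a passphrase; signing uses "openssl x509 -req" rather than the "openssl ca" database that CA.pl -sign drives; and the leaf certificate gets a subjectAltName and CA:FALSE, which CA.pl does not add. The host name your.domain.com, the organisation fields and the output directory are placeholders. The check_cert function performs the verification a practitioner should run before deploying: the certificate chains to the CA, names the host in its SAN, and matches the private key it is shipped with.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumes openssl(1) on PATH.
# CA.pl equivalents: build_ca ~ CA.pl -newca, issue_cert ~ -newreq-nodes + -sign.
set -eu

# build_ca DIR: create a root CA (private key + self-signed certificate) in DIR.
build_ca() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    # Minimal config: fixed DN (no prompts) plus the v3 extensions that mark the
    # certificate as a CA; clients check these when validating the chain.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = CN
ST = BeiJing
L  = BeiJing
O  = Company Ltd
OU = IT
CN = Company Ltd Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes keeps the script unattended; for a real CA drop it so the key is
    # passphrase-encrypted like /etc/pki/CA/private/cakey.pem, and keep it offline.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_cert DIR FQDN: generate a key and CSR for FQDN, then sign it with DIR's CA.
issue_cert() {
    dir=$1 fqdn=$2
    cat > "$dir/$fqdn.req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
C  = CN
O  = Company Ltd
CN = $fqdn
EOF
    # Extensions the CA stamps on the leaf. The CN alone is not enough: current
    # clients match the host name against subjectAltName, and CA:FALSE stops the
    # server key from being usable to sign further certificates.
    cat > "$dir/$fqdn.ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$fqdn.req.cnf" -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"
    # -sha256: SHA-1 signatures are refused by modern clients. -CAcreateserial
    # keeps a serial counter in ca.srl, the role index.txt/serial play for CA.pl.
    openssl x509 -req -sha256 -days 365 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$fqdn.ext.cnf" -out "$dir/$fqdn.crt" 2>/dev/null
}

# check_cert DIR FQDN: prints OK when the leaf chains to DIR/ca.crt, carries
# FQDN as a SAN and matches its private key; otherwise prints which check failed.
check_cert() {
    dir=$1 fqdn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 \
        || { echo CHAIN; return 1; }
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -qF "DNS:$fqdn" \
        || { echo SAN; return 1; }
    c=$(openssl x509 -in "$dir/$fqdn.crt" -noout -modulus)
    k=$(openssl rsa -in "$dir/$fqdn.key" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ] || { echo KEYMISMATCH; return 1; }
    echo OK
}

# Demo with the page's placeholder host name, in a throwaway directory.
WORK=$(mktemp -d)
build_ca "$WORK"
issue_cert "$WORK" your.domain.com
check_cert "$WORK" your.domain.com
echo "files left in $WORK"
```

After the script runs, $WORK/your.domain.com.crt and .key are what you would copy to the server (over scp, key mode 600), and $WORK/ca.crt is what every client must import; with the CA.pl flow the same check is `openssl verify -CAfile /etc/pki/CA/cacert.pem your.domain.com.cert`. check_cert is also the right thing to run when a deployed service refuses to start or clients report an untrusted certificate: a CHAIN result means the leaf was signed by a different CA than the one being trusted, and KEYMISMATCH means the certificate and key files were swapped or regenerated independently.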
