CentOS 7 自签发根证书 + https 证书

颁发根证书

#可以通过openssl version -a查看配置文件位置及版本信息
[root@rserver ~]# openssl version -a
OpenSSL 1.0.2k-fips  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic 
#编辑配置文件
[root@rserver ~]# vim /etc/pki/tls/openssl.cnf 
#修改第42行,把 CA 工作目录 dir 指向 /CA(后面的 openssl ca 命令会在该目录下读写 index.txt、serial、newcerts 等)
dir = /CA
#修改第85-90行,把 policy_match 中各字段改为 optional,这样签发的证书 DN 不必与根证书的 DN 逐项一致
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional
#创建目录结构(serial 文件内容按十六进制解析,写入 1000 即 0x1000,对应下面第一张签出证书的序列号 4096)
[root@rserver ~]# mkdir /CA
[root@rserver ~]# 
[root@rserver ~]# cd /CA
[root@rserver CA]# mkdir newcerts certs private
[root@rserver CA]# touch index.txt
[root@rserver CA]# echo 1000 > serial
#生成根证书私钥(这里没有用 -aes256 等选项加口令保护,私钥为明文,注意文件权限和保管)
#接着用该私钥自签根证书;openssl req -x509 不加 -days 时默认有效期只有 30 天,实际使用建议显式指定 -days
[root@rserver CA]# openssl genrsa -out cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
.................................................++
...........................................................++
e is 65537 (0x10001)
[root@rserver CA]# 
[root@rserver CA]# openssl req -new -x509 -key cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:cc
Locality Name (eg, city) [Default City]:cc
Organization Name (eg, company) [Default Company Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (eg, your name or your server's hostname) []:Skill Global Root CA
Email Address []:
#将根证书加入系统信任库:复制到 anchors 目录后执行 update-ca-trust 才会生效
[root@rserver CA]# cp cacert.pem /etc/pki/ca-trust/source/anchors/cacert.pem
[root@rserver CA]# update-ca-trust
[root@rserver CA]# mv cakey.pem ./private

颁发https证书

[root@rserver CA]# openssl genrsa -out https.key 4096
Generating RSA private key, 4096 
[root@rserver CA]# openssl req -new -key https.key -out https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.sdskills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@rserver CA]# openssl ca -in https.csr -out https.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Apr  2 06:43:37 2022 GMT
            Not After : Apr  2 06:43:37 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = *.sdskills.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F5:9A:79:A8:14:7E:7A:87:22:81:6D:C7:1B:AB:C1:89:D1:80:BC:53
            X509v3 Authority Key Identifier: 
                keyid:79:17:4C:23:4B:38:02:9A:8E:83:FE:23:AE:2D:3B:78:86:15:67:29

Certificate is to be certified until Apr  2 06:43:37 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rserver CA]# 

最后将根证书和服务器证书传送到目标服务器上,并让访问它的客户端信任该根证书。注意:上面签出的证书只有 CN(*.sdskills.com)而没有 X509v3 Subject Alternative Name 扩展(见上面的 Certificate Details),现代浏览器以 SAN 为准校验域名,实际使用时应在请求或签发时加入 SAN。
