The steps to set up a certificate authority (CA) on CentOS 8 and issue a self-signed certificate are as follows:
1. Install OpenSSL
```
sudo dnf install openssl
```
2. Create the CA directories (the private subdirectory holds the CA key, so neither directory may be readable by other users)
```
sudo mkdir -p /etc/pki/CA/private
sudo chmod 0700 /etc/pki/CA/ /etc/pki/CA/private
```
3. Create the CA database (the serial file is written through tee: a redirection such as sudo echo ... > file is performed by the caller's own shell, which cannot write into a directory that only root can access)
```
sudo touch /etc/pki/CA/index.txt
echo 1000 | sudo tee /etc/pki/CA/serial
```
4. Create the CA configuration file
```
sudo vi /etc/pki/CA/ca.cnf
```
Add the following content to the file:
```
[ ca ]
default_ca = myca
[ myca ]
dir = /etc/pki/CA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = myca_policy
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy
[ myca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
stateOrProvinceName = State or Province Name
countryName = Country Name
emailAddress = Email Address
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
[ v3_ca ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = keyCertSign, cRLSign
```
5. Generate the CA private key
```
sudo openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
```
6. Generate the self-signed CA certificate (pass -days explicitly: without it, openssl req -x509 issues a certificate that is valid for only 30 days)
```
sudo openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -config /etc/pki/CA/ca.cnf
```
7. Configure the certificate authority's working files
```
sudo mkdir -p /etc/pki/CA/newcerts
sudo chmod 0700 /etc/pki/CA/newcerts
sudo touch /etc/pki/CA/index.txt.attr
echo "unique_subject = no" | sudo tee /etc/pki/CA/index.txt.attr
```
8. Create the certificate signing request (CSR) configuration file
```
sudo vi /etc/pki/CA/csr.cnf
```
Add the following content to the file. A CSR carries its extensions under req_extensions (x509_extensions is only read when openssl req writes a certificate itself), and authorityKeyIdentifier is omitted because the issuer is not known when the request is created. The subjectAltName entry names the hosts the certificate is for, which browsers check instead of the common name:
```
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = Common Name
stateOrProvinceName = State or Province Name
countryName = Country Name
emailAddress = Email Address
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
[ v3_req ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com, DNS:www.example.com
```
9. Generate the certificate request together with the server key (-nodes leaves the key unencrypted; a passphrase-protected key would prevent httpd from starting unattended in step 13)
```
sudo openssl req -new -nodes -keyout /etc/pki/CA/private/serverkey.pem -out /etc/pki/CA/servercert.csr -config /etc/pki/CA/csr.cnf
```
10. Issue the certificate. Because ca.cnf sets copy_extensions = copy, every extension the CSR carries is copied into the issued certificate, including a basicConstraints of CA:TRUE if a request asked for one, so review the extensions openssl ca displays before confirming the sign and commit prompts
```
sudo openssl ca -in /etc/pki/CA/servercert.csr -out /etc/pki/CA/servercert.pem -config /etc/pki/CA/ca.cnf
```
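The CA workflow of steps 2 to 10, as an added example that is not part of the original page: it rebuilds the same configuration layout in a scratch directory (one config file holding both the CA and the server extension sections, rather than the two files used above), runs every openssl command non-interactively with -subj and -batch, and then applies the checks a reviewer would want before trusting the result, including the CSR inspection that copy_extensions = copy makes necessary. The scratch directory, the Demo Root CA name and the example.test hostname are constructed for the demo; a real deployment uses the /etc/pki/CA paths above.

```shell
#!/bin/sh
# Added example (not the page's own commands): build a CA in a scratch
# directory, issue one server certificate, and verify what was issued.
set -eu

# Same layout as ca.cnf above, rooted at DIR, plus a v3_req section for leaves.
write_ca_config() {
    dir="$1"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = myca_policy
copy_extensions = copy
[ myca_policy ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF
}

# Database files, CA key and self-signed CA certificate (steps 2 to 7).
build_demo_ca() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts"
    chmod 0700 "$dir/private"
    touch "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo "unique_subject = no" > "$dir/index.txt.attr"
    write_ca_config "$dir"
    openssl genrsa -out "$dir/private/cakey.pem" 2048
    # -days is explicit because 'openssl req -x509' defaults to 30 days
    openssl req -new -x509 -days 3650 -key "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" -config "$dir/ca.cnf" -subj "/CN=Demo Root CA"
}

# Server key plus CSR carrying v3_req, then CA signature (steps 9 and 10).
# -nodes keeps the key unencrypted; -batch skips the sign/commit prompts.
issue_server_cert() {
    dir="$1"; host="$2"
    openssl req -new -nodes -newkey rsa:2048 -reqexts v3_req \
        -keyout "$dir/private/serverkey.pem" -out "$dir/server.csr" \
        -config "$dir/ca.cnf" -subj "/CN=$host"
    openssl ca -batch -in "$dir/server.csr" -out "$dir/servercert.pem" \
        -config "$dir/ca.cnf"
}

# With copy_extensions = copy the CA honours whatever the CSR asks for, so
# inspect it first: prints "yes" if the CSR requests CA:TRUE, else "no".
csr_requests_ca() {
    if openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# The issued certificate must chain to the CA and must not itself be a CA.
verify_issued() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/servercert.pem" >/dev/null || return 1
    openssl x509 -in "$dir/servercert.pem" -noout -text | grep -q 'CA:FALSE' || return 1
    return 0
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_demo_ca "$work" >/dev/null 2>&1
    issue_server_cert "$work" example.test >/dev/null 2>&1
    echo "CSR requests CA: $(csr_requests_ca "$work/server.csr")"
    verify_issued "$work" && echo "issued certificate verified"
fi
```

Run the script with the single argument demo. The functions are independent, so csr_requests_ca can be applied to any incoming request before it is handed to openssl ca.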
11. Install the server certificate and key (the directories already exist on CentOS 8, hence mkdir -p; the key was written to the private subdirectory in step 9)
```
sudo mkdir -p /etc/pki/tls/private/
sudo chmod 0700 /etc/pki/tls/private/
sudo cp /etc/pki/CA/servercert.pem /etc/pki/tls/certs/
sudo cp /etc/pki/CA/private/serverkey.pem /etc/pki/tls/private/
sudo chown root:root /etc/pki/tls/certs/servercert.pem
sudo chown root:root /etc/pki/tls/private/serverkey.pem
sudo chmod 0644 /etc/pki/tls/certs/servercert.pem
sudo chmod 0600 /etc/pki/tls/private/serverkey.pem
```
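A preflight check for the files installed in this step, as an added example that is not part of the original page: it takes the certificate path, the key path and the account expected to own the key (root on a real host) and reports anything that would stop httpd from serving the certificate, before the service is restarted. The make_demo_pair helper and the example.test hostname are constructed so the check can be exercised in a scratch directory; nothing here touches /etc/pki.

```shell
#!/bin/sh
# Added example (not the page's own commands): preflight for a deployed
# TLS certificate and key. Uses GNU stat, as found on CentOS.
set -eu

# preflight_tls_files CERT KEY OWNER : prints one line per failed check and
# returns 0 only when every check passes.
preflight_tls_files() {
    cert="$1"; key="$2"; owner="$3"; rc=0
    # Key readable by its owner only (0600, as set in step 11)
    mode=$(stat -c '%a' "$key")
    if [ "$mode" != "600" ]; then
        echo "key mode is $mode, expected 600"; rc=1
    fi
    # Key owned by the expected account
    kowner=$(stat -c '%U' "$key")
    if [ "$kowner" != "$owner" ]; then
        echo "key owner is $kowner, expected $owner"; rc=1
    fi
    # httpd started by systemd has no terminal on which to answer a passphrase prompt
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key is passphrase-protected"; rc=1
    fi
    # Certificate still valid 30 days (2592000 s) from now
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "certificate expires within 30 days"; rc=1
    fi
    # The certificate's public key must belong to this private key
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "certificate does not match key"; rc=1
    fi
    # Browsers match the hostname against subjectAltName, not the CN
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name'; then
        echo "certificate has no subjectAltName"; rc=1
    fi
    return $rc
}

# make_demo_pair DIR HOST : constructed self-signed certificate and key for
# HOST, valid one year, with a matching subjectAltName. A private config is
# written so the call does not depend on the system openssl.cnf.
make_demo_pair() {
    dir="$1"; host="$2"
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/san.cnf" \
        -extensions san -keyout "$dir/serverkey.pem" -out "$dir/servercert.pem" \
        -subj "/CN=$host" 2>/dev/null
    chmod 0600 "$dir/serverkey.pem"
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pair "$work" example.test
    preflight_tls_files "$work/servercert.pem" "$work/serverkey.pem" "$(id -un)" \
        && echo "preflight passed"
fi
```

On a real host, call preflight_tls_files with /etc/pki/tls/certs/servercert.pem, /etc/pki/tls/private/serverkey.pem and root; a non-zero exit means the restart in step 13 should wait until the reported problem is fixed.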
12. Configure the Apache SSL virtual host (ssl.conf is provided by the mod_ssl package, which must be installed alongside httpd)
```
sudo vi /etc/httpd/conf.d/ssl.conf
```
In the <VirtualHost _default_:443> block that the file already contains, set the following directives, replacing the existing SSLCertificateFile and SSLCertificateKeyFile lines that point at the package's self-signed localhost certificate:
```
<VirtualHost _default_:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/servercert.pem
SSLCertificateKeyFile /etc/pki/tls/private/serverkey.pem
</VirtualHost>
```
13. Restart the Apache service (run apachectl configtest first, so a wrong certificate path or an unreadable key is caught before the running service is taken down)
```
sudo systemctl restart httpd
```