Procedure for making a self-signed CA certificate
1. Go into /etc/pki/CA/private and generate a key file
[root@station40 certs]# cd /etc/pki/CA/private/
[root@station40 private]# ls
my.key
[root@station40 private]# openssl genrsa 2048 >cakey.pem
Generating RSA private key, 2048 bit long modulus
.............................+++
...............................................................+++
e is 65537 (0x10001)
[root@station40 private]# ls
cakey.pem
2. Self-sign the CA certificate
-days sets how long the CA certificate is valid from the time it is self-signed
[root@station40 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 2000
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:DA
Common Name (eg, your name or your server's hostname) []:stations.example.com
Email Address []:root@stations.example.com
3. /etc/pki/CA is still missing three files (the newcerts directory, index.txt and serial); create them all now
[root@station40 CA]# mkdir newcerts
[root@station40 CA]# touch ./{index.txt,serial}
[root@station40 CA]# ll
total 32
-rw-r--r-- 1 root root 1058 Feb 25 22:43 cacert.pem
-rw-r--r-- 1 root root    0 Feb 25 22:59 index.txt
drwxr-xr-x 2 root root 4096 Feb 25 22:58 newcerts
drwx------ 2 root root 4096 Feb 25 22:32 private
-rw-r--r-- 1 root root    0 Feb 25 22:59 serial
Open serial and write a two-digit number into it (the session below used 00, which is why the issued certificate shows Serial Number: 0; openssl ca expects an even number of hex digits here)
[root@station40 CA]#
4. Edit /etc/pki/tls/openssl.cnf and fix the absolute path: change the first line of [ CA_default ] to dir = /etc/pki/CA
[ CA_default ]
 
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
Procedure for requesting a certificate
1. Generate a key file
[root@station40 text]# cd /etc/pki/tls/certs
[root@station40 certs]# ls
ca-bundle.crt  make-dummy-cert  Makefile
[root@station40 certs]# openssl genrsa 2048 >my.key
Generating RSA private key, 2048 bit long modulus
...........................................................+++
.................................................+++
e is 65537 (0x10001)
[root@station40 certs]#
2. Create a certificate signing request for the CA
[root@station40 certs]# openssl req -new -key my.key -out my.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:DA
Common Name (eg, your name or your server's hostname) []:stations
Email Address []:root@stations.example.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Have the CA sign the request and issue the certificate
[root@station40 certs]# openssl ca -in my.csr -out my.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb 25 16:16:25 2010 GMT
            Not After : Feb 25 16:16:25 2011 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = ZZU
            organizationalUnitName    = DA
            commonName                = stations
            emailAddress              = root@stations.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:77:F3:22:20:FD:F3:9D:FE:2B:D4:65:58:E0:19:47:AF:05:BA:6A
            X509v3 Authority Key Identifier:
                keyid:7C:A6:0E:49:DC:87:64:8F:2E:20:DB:25:0A:4A:6B:7D:E1:3F:BA:95
 
Certificate is to be certified until Feb 25 16:16:25 2011 GMT (365 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@station40 certs]#
4. Simple, right? Now you can use the following command to inspect your certificate
[root@station40 certs]# openssl x509 -in my.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=HN, L=ZZ, O=ZZU, OU=DA, CN=stations.example.com/emailAddress=root@stations.example.com
        Validity
            Not Before: Feb 25 16:16:25 2010 GMT
            Not After : Feb 25 16:16:25 2011 GMT
        Subject: C=CN, ST=HN, O=ZZU, OU=DA, CN=stations/emailAddress=root@stations.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:77:F3:22:20:FD:F3:9D:FE:2B:D4:65:58:E0:19:47:AF:05:BA:6A
            X509v3 Authority Key Identifier:
                keyid:7C:A6:0E:49:DC:87:64:8F:2E:20:DB:25:0A:4A:6B:7D:E1:3F:BA:95
 
    Signature Algorithm: sha1WithRSAEncryption
[root@station40 certs]#
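As an added example, not part of the original post, the whole procedure above (the CA setup and the request/signing steps) run non-interactively in a scratch directory: a minimal openssl.cnf stands in for the edit in step 4, -subj answers the DN prompts, and openssl ca -batch replaces the y/n prompts. The directory argument, the function names, and the subject trimmed to C, O and CN are assumptions for the demo; the last function checks that the issued certificate actually chains to the CA.

```shell
# Added example (not from the original post): the CA steps above, run non-interactively in a scratch dir instead of /etc/pki/CA
set -eu
build_demo_ca() {
    work=$1
    mkdir -p "$work/private" "$work/newcerts" && chmod 700 "$work/private"   # step 3
    touch "$work/index.txt"; echo 00 > "$work/serial"     # serial: even number of hex digits
    cat > "$work/openssl.cnf" <<EOF   # step 4: a minimal config whose [ CA_default ] dir is $work
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_demo
x509_extensions = usr_cert
[ policy_demo ]
countryName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
    # Steps 1-2: CA key and self-signed CA certificate; -subj answers the DN prompts
    openssl genrsa -out "$work/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 2000 -config "$work/openssl.cnf" -key "$work/private/cakey.pem" \
        -subj "/C=CN/O=ZZU/CN=stations.example.com" -out "$work/cacert.pem"
    # Request side: server key and CSR, then 'openssl ca -batch' signs without the y/n prompts
    openssl genrsa -out "$work/my.key" 2048 2>/dev/null
    openssl req -new -config "$work/openssl.cnf" -key "$work/my.key" \
        -subj "/C=CN/O=ZZU/CN=stations" -out "$work/my.csr"
    openssl ca -batch -config "$work/openssl.cnf" -in "$work/my.csr" -out "$work/my.crt" 2>/dev/null
}
check_issued_cert() {   # 0 when my.crt chains to cacert.pem and names the CA subject as issuer
    openssl verify -CAfile "$1/cacert.pem" "$1/my.crt" >/dev/null
    ca_subj=$(openssl x509 -in "$1/cacert.pem" -noout -subject)
    issuer=$(openssl x509 -in "$1/my.crt" -noout -issuer)
    [ "${ca_subj#subject=}" = "${issuer#issuer=}" ]
}
```

Run it as `build_demo_ca /tmp/demo-ca && check_issued_cert /tmp/demo-ca`; the signed copy also lands in newcerts/00.pem and index.txt gains one line, exactly as openssl ca does under /etc/pki/CA.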