


- 安装apache环境依赖

[root@qmfz ~]# yum -y install mod_ssl openssl httpd
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.163.com
base                                                     | 3.6 kB     00:00
extras                                                   | 2.9 kB     00:00
updates                                                  | 2.9 kB     00:00
软件包 1:mod_ssl-2.4.6-97.el7.centos.x86_64 已安装并且是最新版本
软件包 1:openssl-1.0.2k-19.el7.x86_64 已安装并且是最新版本
软件包 httpd-2.4.6-97.el7.centos.x86_64 已安装并且是最新版本
- 用 mkdir 命令在 /etc/httpd 下创建 CA 证书存放目录 ca(即 mkdir /etc/httpd/ca)
[root@qmfz ~]# cd /etc/httpd
[root@qmfz httpd]# ll
总用量 0
drwxr-xr-x. 2 root root 177 11月 28 21:11 ca
drwxr-xr-x. 2 root root  37 11月 28 21:15 conf
drwxr-xr-x. 2 root root  98 11月 28 21:30 conf.d
drwxr-xr-x. 2 root root 165 11月 28 18:10 conf.modules.d
lrwxrwxrwx. 1 root root  19 11月 26 19:27 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root  29 11月 26 19:27 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx. 1 root root  10 11月 26 19:27 run -> /run/httpd

- 创建CA证书

[root@qmfz ca]# cd /etc/httpd/ca
[root@qmfz ca]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 1000 -out ca.crt   # -days 后的天数可以随意
Generating a 4096 bit RSA private key
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN #中国
State or Province Name (full name) []:GD #广东
Locality Name (eg, city) [Default City]:QY #市区
Organization Name (eg, company) [Default Company Ltd]:QMFZ #企业名字
Organizational Unit Name (eg, section) []:YWB #部门名字
Common Name (eg, your name or your server's hostname) []:chenshuyi.top #所属服务器名字
Email Address []:Iwillshine0815@163.com #邮箱

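- 创建供 CA 签名的证书签名请求(CSR)
  注意:下面命令中的 -x509 -days 1000 会让 openssl req 直接输出自签名证书,而不是签名请求;下一步的 openssl x509 -req 需要的是 CSR,因此生成 CSR 时应去掉这两个选项。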

[root@qmfz ca]#  openssl req -newkey rsa:4096 -nodes -sha256 -keyout chenshuyi.top.key -x509 -days 1000 -out chenshuyi.top.csr
Generating a 4096 bit RSA private key
writing new private key to 'chenshuyi.top.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:QY
Organization Name (eg, company) [Default Company Ltd]:QMFZ
Organizational Unit Name (eg, section) []:YWB
Common Name (eg, your name or your server's hostname) []:chenshuyi.top
Email Address []:Iwillshine0815@163.com

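- 创建注册主机的证书(用 CA 私钥签发)
  注意:本例中服务器证书填写的 DN 与上面 CA 证书完全相同,签发后的证书颁发者与主体同名,可能被当作自签发证书而导致证书链校验失败;建议 CA 的 Common Name 与服务器域名区分开。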

[root@qmfz ca]#  openssl x509 -req -days 365 -in chenshuyi.top.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out chenshuyi.top.crt
Signature ok
Getting CA Private Key


[root@qmfz ca]# ll
总用量 32
-rw-r--r--. 1 root root 2032 11月 28 21:11 2_api.biuayi.cn.crt
-rw-r--r--. 1 root root 1700 11月 28 21:11 3_api.biuayi.cn.key
-rw-r--r--. 1 root root 2098 11月 28 20:29 ca.crt
-rw-r--r--. 1 root root 3272 11月 28 20:29 ca.key
-rw-r--r--. 1 root root   17 11月 29 17:06 ca.srl
-rw-r--r--. 1 root root 1980 11月 29 17:06 chenshuyi.top.crt
-rw-r--r--. 1 root root 1797 11月 28 20:32 chenshuyi.top.csr
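-rw-r--r--. 1 root root 3272 11月 28 20:32 chenshuyi.top.key

- 注意:上面列表中的私钥文件(ca.key、chenshuyi.top.key、3_api.biuayi.cn.key)权限均为 644,本机任何用户都可读取;其中 ca.key 和 chenshuyi.top.key 是用 -nodes 生成的,没有口令加密。建议执行 chmod 600 /etc/httpd/ca/*.key 收紧权限,CA 私钥 ca.key 最好不要长期保存在 Web 服务器上。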