~~~ This self-signed certificate is for practice use only ~~~
First, make sure openssl is installed, using:
- [root@localhost ~]# rpm -qa openssl
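The layout under /etc/pki_my is defined as follows:
myCA is the CA home directory
myCA/certs is the directory where service certificates are stored
myCA/newcerts is the directory for newly signed certificates
myCA/crl is the directory for revoked certificates
myCA/private is the directory where our private key is stored
Then just run the following script: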
- #!/bin/bash
- #
- # Move any existing tree aside, then start from an empty /etc/pki_my
- [ -d /etc/pki_my ] && mv /etc/pki_my "/tmp/pki_my_$(date +%F)"
- mkdir -m 0755 /etc/pki_my
- mkdir -pm 0755 /etc/pki_my/myCA/{private,certs,newcerts,crl}
- # Work on a private copy of the stock configuration
- cp /etc/pki/tls/openssl.cnf /etc/pki_my/myCA/openssl.my.cnf
- chmod 0600 /etc/pki_my/myCA/openssl.my.cnf
- # Empty certificate database and first serial number
- touch /etc/pki_my/myCA/index.txt
- echo 01 > /etc/pki_my/myCA/serial
- cd /etc/pki_my/myCA
- # Point dir at the new CA home and set the default subject fields
- sed -i 's@\(^dir.*= \).*@\1/etc/pki_my/myCA@'g openssl.my.cnf
- sed -i 's@\(^countryName_default.*= \).*@\1CN@'g openssl.my.cnf
- sed -i 's@\(^stateOrProvinceName_default.*= \).*@\1HA@'g openssl.my.cnf
- sed -i 's@\(^localityName_default.*= \).*@\1Zhengzhou@'g openssl.my.cnf
- sed -i 's@\(^0.organizationName_default.*= \).*@\1RHCE@'g openssl.my.cnf
- # Create the CA private key and a self-signed CA certificate (3650 days)
- openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 3650
- # Make the CA private key read-only for its owner
- chmod 0400 /etc/pki_my/myCA/private/myca.key
While it runs, at the prompt
# Enter PEM pass phrase: |
enter a string of characters; it is used in creating your private key.
At the prompts
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HA]:
Locality Name (eg, city) [Zhenghzou]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []: |
fill in the information for your CA.
……………………
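Later, when you want to request a certificate for one of your own services, two commands like the following are all you need:
- # umask 077 keeps the new private key unreadable by group and other
- (umask 077; openssl genrsa -out your_server_name.key 2048)
- # -days is dropped here: it only applies with -x509, and the CA sets the validity when it signs
- openssl req -new -config /etc/pki_my/myCA/openssl.my.cnf -key your_server_name.key -out your_server_name.csr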
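
A check to run after the setup script, as an added example that is not part of the original post: it audits the CA home for the directories and files the script creates and for the 0400/0600 permissions it sets. The names audit_ca and no_group_other are hypothetical, and stat -c assumes GNU coreutils.

```bash
#!/bin/bash
# Added example: audit a CA home laid out as on this page.
# audit_ca and no_group_other are hypothetical helper names.
# Assumes GNU coreutils (stat -c), as found on RPM-based systems.

# Succeeds when FILE grants no permission bits to group or other.
no_group_other() {
    case "$(stat -c %a "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Body runs in a subshell, so its variables stay local to the function.
# Usage: audit_ca [CA_HOME]   (default: /etc/pki_my/myCA)
audit_ca() (
    ca="${1:-/etc/pki_my/myCA}"
    rc=0
    # Directories the page defines under the CA home.
    for d in private certs newcerts crl; do
        [ -d "$ca/$d" ] || { echo "MISSING dir  $ca/$d"; rc=1; }
    done
    # Files the setup script creates.
    for f in index.txt serial openssl.my.cnf private/myca.key certs/myca.crt; do
        [ -f "$ca/$f" ] || { echo "MISSING file $ca/$f"; rc=1; }
    done
    # serial holds hex digits in pairs, like the 01 the script writes.
    if [ -f "$ca/serial" ] && ! grep -Eq '^([0-9A-Fa-f]{2})+$' "$ca/serial"; then
        echo "BAD serial   $ca/serial"; rc=1
    fi
    # The page sets 0400 on the CA key and 0600 on the config copy.
    for f in private/myca.key openssl.my.cnf; do
        if [ -f "$ca/$f" ] && ! no_group_other "$ca/$f"; then
            echo "WEAK perms   $ca/$f ($(stat -c %a "$ca/$f"))"; rc=1
        fi
    done
    exit "$rc"
)
```

The function prints one line per finding and returns non-zero if anything is missing or too permissive.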