Configuration file:
[root@appsrv ~]# vim /etc/pki/tls/openssl.cnf
# Line 42: set dir = /csk-rootca
# Lines 84 to 90: change match and supplied to optional
# Last-line-mode substitution: :85,88s/match/optional
# Copy line 98 to line 87 (yy to yank, p to paste)
Create the files the CA needs:
[root@appsrv ~]# mkdir /csk-rootca
[root@appsrv ~]# cd /csk-rootca/
[root@appsrv csk-rootca]# mkdir private newcerts
[root@appsrv csk-rootca]# touch index.txt
[root@appsrv csk-rootca]# echo 01 > serial
[root@appsrv csk-rootca]#
Generate the CA key:
[root@appsrv csk-rootca]# openssl genrsa -out private/cakey.pem
Generating RSA private key, 2048 bit long modulus
............................................................................................................................+++
......+++
e is 65537 (0x10001)
[root@appsrv csk-rootca]#
Generate the root certificate:
[root@appsrv csk-rootca]# openssl req -new -x509 -key private/cakey.pem -out csk-ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:CSK Global Root CA
Email Address []:
[root@appsrv csk-rootca]#
Generate the web server key:
[root@appsrv CA]# openssl genrsa -out httpd.key
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)
[root@appsrv CA]#
Generate the web certificate request:
[root@appsrv CA]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.www.chinaskills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@appsrv CA]#
Sign the web certificate with the root CA:
[root@appsrv CA]# openssl ca -keyfile private/cakey.pem -cert csk-ca.pem -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 14 09:38:23 2022 GMT
            Not After : Apr 14 09:38:23 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = China
            localityName              = BeiJing
            organizationName          = skills
            organizationalUnitName    = Operations Departments
            commonName                = *.chinaskills.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                41:5E:AE:2B:9F:5B:5D:8E:FF:8F:BC:93:3E:0D:50:C9:63:E5:AC:EE
            X509v3 Authority Key Identifier:
                keyid:03:AD:1B:0E:37:5D:70:71:0A:61:01:8A:E2:9B:FB:7D:48:8B:E4:8A

Certificate is to be certified until Apr 14 09:38:23 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
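The whole procedure above (CA directory, root key and certificate, server key, CSR, signing with openssl ca) as an added example that is not part of the original page: it runs the same steps non-interactively with a self-contained ca.cnf instead of editing /etc/pki/tls/openssl.cnf, then checks the result the way an operator should before installing it. The scratch work directory, the server name example.test, the section names in ca.cnf and the check_issued_cert helper are this example's own assumptions.

```shell
# Added example, not code from the page: the procedure above scripted
# non-interactively, plus the checks to run on the result (names and paths assumed).
set -eu

# Build a throwaway CA laid out like /csk-rootca and issue one server cert;
# echoes the work directory so the caller can find the files.
build_scratch_ca() {
  work=$(mktemp -d) && cd "$work"
  mkdir private newcerts && touch index.txt && echo 01 > serial
  # Minimal config: explicit CA and server extensions (the page's cert has no SAN).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:example.test,DNS:www.example.test
EOF
  openssl genrsa -out private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -config ca.cnf -key private/cakey.pem \
    -subj "/C=CN/O=skills/CN=CSK Global Root CA" -out csk-ca.pem
  openssl genrsa -out httpd.key 2048 2>/dev/null
  openssl req -new -config ca.cnf -key httpd.key -subj "/CN=example.test" -out httpd.csr
  openssl ca -batch -days 365 -config ca.cnf -keyfile private/cakey.pem -cert csk-ca.pem \
    -extensions server_ext -in httpd.csr -out httpd.crt >/dev/null 2>&1
  echo "$work"
}

# check_issued_cert <ca.pem> <cert.pem> <key.pem> <host>: succeeds only if the cert
# chains to the CA, matches the private key and lists <host> in its subjectAltName.
check_issued_cert() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' || return 1
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] || return 1
  openssl x509 -in "$2" -noout -text | grep -qE "DNS:$4(,|$)"
}
```

The certificate signed in the transcript above carries no subjectAltName extension, so the last check would fail on it; browsers match the hostname against the SAN rather than the commonName.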