https服务器的配置(三)创建私有CA和证书

首先在其他主机上创建一个私有的CA


假如我我现在就另外开一台虚拟机


登录进去

一、生存一对密钥(私钥和公钥,公钥可以在私钥中提取因此创建私钥就可以了)

[root@CentOS6 ~]#cd/etc/pki/CA

[root@CentOS6 CA]#(umask 077; opensslgenrsa –out private/cakey.pem 2048)

 

二、生成CA的证书


[root@CentOS6 CA]# openssl req -new -x509-key private/cakey.pem -out cacert.pem

 

You are about to be asked to enterinformation that will be incorporated

into your certificate request.

What you are about to enter is what iscalled a Distinguished Name or a DN.

There are quite a few fields but you canleave some blank

For some fields there will be a defaultvalue,

If you enter ‘.‘, the field will be leftblank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Henan

Locality Name (eg, city) [DefaultCity]:Zhengzhou

Organization Name (eg, company) [DefaultCompany Ltd]:HuangBY

Organizational Unit Name (eg, section)[]:Tech

Common Name (eg, your name or your server‘shostname) []:www.huangbaoying.com

Email Address []:[email protected]

 

Please enter the following ‘extra‘attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@CentOS6 CA]# mkdir certs newcerts crl

[root@CentOS6 CA]# touch index.txt

[root@CentOS6 CA]# touch serial

[root@CentOS6 CA]# echo 01 > serial

OK准备给人家签证吧

 

三、好了,现在在httpd服务器的主机上

[root@CentOS6 ~]# cd /etc/httpd/

[root@CentOS6 httpd]# mkdir ssl

[root@CentOS6 httpd]#cd ssl

创建私钥

[root@CentOS6 ssl]# (umask 077; opensslgenrsa –out httpd.key 1024)

创建证书

[root@CentOS6 CA]# openssl req –new -key httpd.key-out httpd.csr

 

把证书发给CA

 

现在我们切换到CA如果你在同一台主机上就不再切换了

四、签证

[root@CentOS6 ~]#openssl ca –in httpd.csr –outhttpd.crt –days 3650

好了签证完毕把httpd.crt发给httpd的服务器主机

 

五、登录到httpd的服务器主机

将收到的httpd.crt放到/etc/httpd/ssl/下面去备用


本文出自 “奔向互联网” 博客,请务必保留此出处http://huangbaoying.blog.51cto.com/9267029/1604725

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。