在主机上生成密钥,保存至应用此证书的服务的配置文件目录下;
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.++++++
........++++++
e is 65537 (0x10001)
[root@localhost ssl]# ls
httpd.key
[root@localhost ssl]#
5、生成证书签署请求:
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Ouyang
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:ca.ouyang.com
Email Address []:caadmin@ouyang.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:RedHat
An optional company name []:redhat
(Client端所填的信息要与服务器一致)
6、Clientc端将请求文件发往Server端;
scp httpd.csr 172.16.34.200:/tmp
7、CA签署Client发来的证书申请;
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.csr -days 3655
8、签署完全后将证书发回申请者;
scp httpd.crt 172.16.34.20:/etc/httpd/ssl
9、吊销证书;吊销证书要到Server端;
openssl ca -revoke /tmp/httpd.crt