Using httpd + OpenSSL to implement HTTPS for a website (2)

[root@CA ~]# ls /etc/CA/private/cakey.pem    # CA private key
[root@CA ~]# ls /etc/CA/cacert.pem           # CA certificate
[root@CA ~]# ls /etc/CA/careq.pem            # CA certificate request


Configure the web server
===============================================================
The web server generates its own private key
[root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key        # protect the private key with a des3 passphrase
Generating RSA private key, 512 bit long modulus
 .........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Generate a certificate request (identity information + public key)
[root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-------------------------------------------------------------------------------
Country Name (2 letter code) [GB]:CN                        # this information must match the CA's !!!
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:linuxidc
Organizational Unit Name (eg, section) []:IT
-------------------------------------------------------------------------------
Common Name (eg, your name or your server's hostname) []:
Email Address []:www@linuxidc.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the certificate request to the CA
[root@www ~]# scp /tmp/server.csr CA.linuxidc.com:/tmp/

The CA server digitally signs the certificate request
=============================================================================
[root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

/etc/CA/private/cakey.pem    (the CA's private key)
/tmp/server.csr              (the HTTP server's certificate request file)
/etc/CA/cacert.pem           (the CA's certificate)
/tmp/server.crt              (name of the generated HTTP server certificate)

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 1 (0x1)
      Validity
          Not Before: Mar 5 02:20:56 2012 GMT
            Not After : Mar 5 02:20:56 2013 GMT
      Subject:
            countryName = CN
            stateOrProvinceName = BEIJING
            organizationName = linuxidc
            organizationalUnitName = IT
            commonName =
            emailAddress = www@linuxidc.com
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:TRUE
          Netscape Comment:
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
              D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
          X509v3 Authority Key Identifier:
              keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Issue the signed digital certificate to the web server
[root@CA ~]# scp /tmp/server.crt :/etc/httpd/conf.d/
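The whole flow above (server key, CSR, CA signature, installation) as an added example script; it is not part of the original article. It assumes openssl is on PATH, builds a throwaway self-signed CA in a temporary directory in place of /etc/CA, uses the constructed placeholder hostname www.example.test, and signs with `openssl x509 -req` instead of `openssl ca` so that no CA index/serial database is needed. It also applies the checks a practitioner would run before copying server.crt into /etc/httpd/conf.d/: the article's transcript shows a 512-bit key (the old genrsa default), an empty Common Name, and a server certificate issued with CA:TRUE; the script uses a 2048-bit key, sets the CN and a SAN to the hostname, issues with CA:FALSE, and verifies each of those properties plus the chain and the key/certificate match.

```shell
#!/bin/sh
# Added example (not from the original article): key -> CSR -> CA-signed server
# certificate, with the checks to run before installing it into httpd.
# Assumptions: openssl on PATH; a throwaway CA generated here instead of /etc/CA;
# www.example.test is a constructed placeholder hostname.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"        # constructed placeholder for the CN/SAN

# Throwaway CA standing in for /etc/CA/private/cakey.pem and /etc/CA/cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=CN/ST=BEIJING/O=linuxidc/OU=IT/CN=Test CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null

# Server key: 2048 bits instead of the 512-bit default seen in the article's genrsa output.
# No -des3 passphrase here (httpd would prompt for it at every start); rely on file mode 0600.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
chmod 600 "$WORK/server.key"

# CSR: C/ST/O match the CA (the fields the article marks as "must match") and CN is the hostname.
openssl req -new -key "$WORK/server.key" -sha256 \
  -subj "/C=CN/ST=BEIJING/L=HD/O=linuxidc/OU=IT/CN=$HOST/emailAddress=www@linuxidc.com" \
  -out "$WORK/server.csr" 2>/dev/null

# Extensions for an end-entity (leaf) certificate: CA:FALSE, server auth, SAN for the host.
cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$HOST
EOF

# Signing step. The article uses 'openssl ca' (needs the /etc/CA index.txt and serial files);
# 'openssl x509 -req' performs the same signature without that database.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# --- checks to run before copying server.crt into /etc/httpd/conf.d/ ---

# 1. The certificate chains to the CA certificate that clients will trust.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# 2. The issued certificate is a leaf, not a CA (the article's output shows CA:TRUE, which would
#    let the web server's key sign further certificates that chain to the CA).
is_end_entity() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'CA:FALSE'
}

# 3. The Common Name is set to the hostname clients connect to (blank CN in the article's run).
cn_matches() {
  openssl x509 -in "$WORK/server.crt" -noout -subject | grep -q "CN *= *$HOST"
}

# 4. The certificate's public key belongs to the private key httpd will load.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# 5. Modulus size of the server key in bits (expected: 2048).
key_bits() {
  openssl rsa -in "$WORK/server.key" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Run the checks when executed directly; each function exits non-zero on failure.
verify_chain && is_end_entity && cn_matches && key_matches_cert && echo "server.crt OK ($(key_bits)-bit key)"
```

Run it on the CA host; on the real CA the `openssl x509 -in /tmp/server.crt -noout -text` check for `CA:FALSE` is the one that would have flagged the `CA:TRUE` extension in the article's output, which comes from the extension section selected in /etc/pki/tls/openssl.cnf rather than from the CSR.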


Reprints must credit the source: https://www.heiqu.com/cb35bdd37ed8ec275b7d7343f76cae99.html