Environment
System: CentOS 6.6
Preparation
- Install the required packages
# yum install openssl openssl-perl
Create the CA
- Edit openssl.cnf (changes the defaults; optional)
# vim /etc/pki/tls/openssl.cnf
default_days = 3650
countryName_default = CN
stateOrProvinceName_default = BeiJing
localityName_default = BeiJing
0.organizationName_default = Company Ltd
organizationalUnitName_default = IT
- Empty /etc/pki/CA (otherwise CA creation exits on its own without reporting an error)
# rm -fr /etc/pki/CA/*
- Create the CA
# cd /etc/pki/tls/misc
# ./CA.pl -newca
Enter PEM pass phrase: (enter the CA passphrase)
Verifying - Enter PEM pass phrase: (repeat the CA passphrase)
......
Country Name (2 letter code) [GB]: CN
State or Province Name (full name) [Berkshire]:BeiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:domain.com
Email Address []:email@126.com
......
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the CA passphrase)
......
Note: the Common Name must be the target machine's fully qualified domain name.
Issue a certificate
- Create a certificate request
# ./CA.pl -newreq-nodes
......
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BeiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:your.domain.com
Email Address []:email@126.com
......
- Sign the certificate with the CA
# ./CA.pl -sign
......
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the CA passphrase)
......
Sign the certificate? [y/n]:y
......
1 out of 1 certificate requests certified, commit? [y/n]y
......
Three files are generated in the current directory:
newreq.pem: the certificate request; can be deleted
newcert.pem: the certificate signed by the CA
newkey.pem: the private key belonging to the certificate
- Rename the certificate and private key
# rm -f newreq.pem
# mv newcert.pem your.domain.com.cert
# mv newkey.pem your.domain.com.key
- Transfer the certificate your.domain.com.cert and the private key your.domain.com.key to the server that needs them
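As an added example that is not part of the original post: the same CA and server-certificate flow written as plain openssl commands (CA.pl is only a wrapper around these), run non-interactively, followed by the checks worth making before the files are copied to the server: the certificate validates against the CA, the certificate and key belong together, and the name is the server's FQDN. It assumes the openssl CLI is installed; the passphrase, subject values and work directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the CA.pl steps above as plain
# openssl commands (CA.pl wraps these), run non-interactively, followed by
# the checks to make before copying the files to the server. Assumes the
# openssl CLI; the passphrase, subject values and work dir are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ_BASE="/C=CN/ST=BeiJing/L=BeiJing/O=Company Ltd/OU=IT"
SERVER_FQDN="your.domain.com"

# CA.pl -newca: CA key (passphrase-protected, as CA.pl prompts) + CA cert.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -days 3650 -sha256 -passout "pass:$1" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
    -subj "$SUBJ_BASE/CN=domain.com" >/dev/null 2>&1
}

# CA.pl -newreq-nodes: server key without passphrase + CSR with CN = FQDN.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$SUBJ_BASE/CN=$1" >/dev/null 2>&1
}

# CA.pl -sign: the CA signs the CSR. A subjectAltName is added as well,
# because current browsers and TLS libraries ignore the CN and match on SAN.
sign_request() {
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/san.ext"
  openssl x509 -req -days 3650 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -passin "pass:$2" \
    -CAcreateserial -extfile "$WORK/san.ext" -out "$WORK/$1.cert" >/dev/null 2>&1
}

# Pre-deployment checks: chain validates against the CA, cert and key share
# a modulus (they belong together), and the name is the server's FQDN.
verify_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.cert" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$WORK/$1.cert")
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/$1.key")
  [ "$cert_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -text -in "$WORK/$1.cert" | grep -q "DNS:$1"
}

make_ca "ca-passphrase-placeholder"
make_request "$SERVER_FQDN"
sign_request "$SERVER_FQDN" "ca-passphrase-placeholder"
verify_cert "$SERVER_FQDN" && echo "OK: $WORK/$SERVER_FQDN.cert and .key ready to deploy"
```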