Creating a CA and issuing a self-signed certificate

1. Create the CA server's private key:

(umask 0077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

Note: the private key must live under /etc/pki/CA/private, because that is where `openssl ca` (step 7) looks for it by default; the umask keeps the file readable by root only.

2. Create the CA server's self-signed certificate (the command below uses the defaults from openssl.cnf; without `-days`, `openssl req -x509` issues a certificate valid for only 30 days):

[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:liubin
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www1.stu12.com
Email Address []:

3. Create the CA database files (the certificate index and the serial-number counter, in /etc/pki/CA):

[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial

4. Create the web server's private key:
First create the directory that will hold the key and certificate:

mkdir -pv /www/ssl
[root@localhost /www/ssl]# (umask 0077; openssl genrsa -out httpd_key.pem 2048)

5. Create the web server's certificate signing request (CSR):

[root@localhost /www/ssl]# openssl req -new -key httpd_key.pem -out httpd_csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:liubin
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www1.stu12.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

6. Copy the web server's CSR to the CA server:

scp httpd_csr root@172.16.12.21:/root

7. Sign the request on the CA server:

[root@localhost CA]# openssl ca -in httpd_csr -out httpd_crt.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  1 21:04:37 2017 GMT
            Not After : Jun  1 21:04:37 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = liubin
            organizationalUnitName    = ops
            commonName                = www1.stu12.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                51:B2:FC:C3:77:C2:CB:A1:4A:43:53:EA:D9:F8:C8:83:0A:59:91:41
            X509v3 Authority Key Identifier:
                keyid:F3:0E:EB:57:25:77:45:EC:98:41:8F:D1:54:A9:DA:4C:9C:FA:04:3D

Certificate is to be certified until Jun  1 21:04:37 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

8. Copy the signed certificate back to the web server:

scp httpd_crt.pem root@172.16.12.11:/www/ssl/

9. Install the SSL module on the web server:

yum -y install mod_ssl

10. Edit the SSL configuration file (/etc/httpd/conf.d/ssl.conf) so that it points at the signed certificate and the server key:

SSLCertificateFile /www/ssl/httpd_crt.pem
SSLCertificateKeyFile /www/ssl/httpd_key.pem
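The ten steps above, collapsed into one non-interactive script, as an added example that is not part of the original post. It rehearses the whole flow inside a scratch directory of your choice instead of /etc/pki/CA and /www/ssl, with `-subj` and `-batch` replacing the interactive prompts, and finishes with the checks worth running before editing ssl.conf: that the issued certificate chains to the CA, is an end-entity certificate with the requested CN, and matches the private key. The file name ca_demo.sh, the directory names and the CA name are assumptions; the DN fields and www1.stu12.com are taken from the transcript above.

```shell
#!/bin/sh
# Added example, not from the original post: the CA procedure above as a
# script. Runs in any directory instead of /etc/pki/CA, so it can be used
# to rehearse the steps. Paths and the CA name are constructed values.
set -eu

# build_ca DIR: steps 1-3. Directory layout, CA key, self-signed CA cert,
# and the empty index.txt / serial database that "openssl ca" needs.
build_ca() {
    ca=$1
    mkdir -p "$ca/private" "$ca/newcerts"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
    # Minimal stand-in for the [ CA_default ] section of
    # /etc/pki/tls/openssl.cnf; server_cert mirrors the extensions step 7
    # printed (CA:FALSE plus subject/authority key identifiers).
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = server_cert
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ ca_cert ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
EOF
    (umask 0077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    # -days is explicit because "openssl req -x509" defaults to 30 days
    openssl req -new -x509 -days 3650 -config "$ca/openssl.cnf" \
        -extensions ca_cert -key "$ca/private/cakey.pem" \
        -subj "/C=CN/ST=BeiJing/O=liubin/OU=ops/CN=liubin test CA" \
        -out "$ca/cacert.pem"
}

# issue_server_cert CADIR OUTDIR HOST: steps 4-8 on one machine. Server
# key, CSR, then the CA signs with -batch instead of answering y/n.
issue_server_cert() {
    ca=$1; out=$2; host=$3
    mkdir -p "$out"
    (umask 0077; openssl genrsa -out "$out/httpd_key.pem" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$out/httpd_key.pem" \
        -subj "/C=CN/ST=BeiJing/O=liubin/OU=ops/CN=$host" -out "$out/httpd_csr"
    openssl ca -batch -notext -config "$ca/openssl.cnf" \
        -in "$out/httpd_csr" -out "$out/httpd_crt.pem" 2>/dev/null
}

# verify_issued CADIR CERT HOST: checks to run before step 10. The cert
# must chain to this CA, be an end-entity cert, carry the requested CN,
# and the CA database must hold exactly one valid ("V") entry.
verify_issued() {
    ca=$1; cert=$2; host=$3
    openssl verify -CAfile "$ca/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" || return 1
    [ "$(grep -c '^V' "$ca/index.txt")" -eq 1 ]
}

# key_matches CERT KEY: the public key inside the cert must be the key's;
# a mismatch is the usual reason httpd refuses to start after step 10.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run the whole flow with "sh ca_demo.sh demo"; sourcing only defines the functions.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_ca "$work/CA"
    issue_server_cert "$work/CA" "$work/ssl" www1.stu12.com
    verify_issued "$work/CA" "$work/ssl/httpd_crt.pem" www1.stu12.com && echo "issued cert verifies against CA"
    key_matches "$work/ssl/httpd_crt.pem" "$work/ssl/httpd_key.pem" && echo "key matches certificate"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$work/ssl/httpd_crt.pem" "$work/ssl/httpd_key.pem"
    rm -rf "$work"
fi
```

`sh ca_demo.sh demo` prints the two check results and the two ssl.conf lines for the generated files. The config written by build_ca is the part that makes `openssl ca` work at all: it needs the index, serial and new_certs_dir entries from step 3 and the private_key path from step 1, which is why the post's note about /etc/pki/CA/private matters. After signing, the serial file reads 02 and index.txt carries one "V" line for www1.stu12.com.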
Date: 2024-10-03 18:38:14
