HTTPS: creating a self-signed CA certificate and issuing a certificate to the web server

Posted: 2018-01-27 22:20:30


Two hosts are involved: the CA at 192.168.64.104 (`centos7`) and the web server at 192.168.64.103 (`cent6OS`). The post lists the CA host's commands first, but the actual order of work is: initialise the CA directory and create the CA key and certificate; generate the server key and CSR on the web server and copy the CSR to `/etc/pki/CA` on the CA; sign it on the CA; copy `httpd.crt` and `cacert.pem` back to the web server. That is why `httpd.csr` already appears in the first `tree` listing below.

**Commands run on the CA host**

Initialise the CA database and serial number:

```
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# touch index.txt
[root@centos7 CA]# echo 01 > serial
```

Generate the private key file (mode 0600 thanks to the `umask 077` in the subshell), then a self-signed CA certificate valid for ten years. The Common Name entered here is the issuer name:

```
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com      <-- issuer name
Email Address []:admin@magedu.com
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 5 files
```

Sign the web server's CSR for 700 days. `openssl ca` takes its settings from `/etc/pki/tls/openssl.cnf`: the default `policy_match` section requires C, ST and O in the request to match the CA's, drops any field it does not list (which is why the `L=bj` typed into the CSR is missing from the issued Subject), and the default `usr_cert` extensions add only `CA:FALSE`, a comment and the key identifiers. No `subjectAltName` is added:

```
[root@centos7 CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 27 19:08:15 2018 GMT
            Not After : Dec 28 19:08:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu.com
            organizationalUnitName    = Opt
            commonName                = *.magedu.com
            emailAddress              = admin@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
            X509v3 Authority Key Identifier:
                keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7

Certificate is to be certified until Dec 28 19:08:15 2019 GMT (700 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Copy the issued certificate and the CA certificate to the web server. The first `scp` to a new host prompts for its SSH key fingerprint; check it against the fingerprint obtained on the web server itself before answering `yes`, otherwise the private CA's certificates could be delivered to an impostor:

```
[root@centos7 CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsLLKTd4m4JYuBNwUB9D6Zk8jLIO5ySUs9nhCRc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
root@192.168.64.103's password:
httpd.crt                                     100% 3870     6.4MB/s   00:00
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
│   └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@centos7 CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
root@192.168.64.103's password:
Permission denied, please try again.
root@192.168.64.103's password:
cacert.pem                                    100% 1424     3.2MB/s   00:00
```

After signing, `openssl ca` has recorded the certificate in `index.txt`, kept a copy as `newcerts/01.pem`, and bumped `serial` to `02` (the previous values survive as `index.txt.old` and `serial.old`).

**Commands run on the web server host**

Create the directory that will hold the key and certificates, generate the server key, and build a CSR. Two things to watch in this transcript: `openssl genrsa` is called without a key size, so this OpenSSL 1.0 build produced a 1024-bit key (pass `2048` or larger, as was done for the CA key); and the Common Name is the wildcard `*.magedu.com`, the name the certificate is issued to. Modern browsers ignore the CN and require the host name in a `subjectAltName` extension, which this CSR does not request and `openssl ca` did not add, so the resulting certificate will only be accepted by clients that still fall back to CN matching:

```
[root@cent6OS CA]# mkdir /etc/httpd/conf.d/ssl
[root@cent6OS CA]# cd /etc/httpd/conf.d/ssl
[root@cent6OS ssl]# (umask 077;openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
[root@cent6OS ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com      <-- the web server's name, i.e. the subject the certificate is issued to
Email Address []:admin@magedu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cent6OS ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
root@192.168.64.104's password:
httpd.csr                                     100%  696     0.7KB/s   00:00
```

Once the CA has signed the request and copied `httpd.crt` and `cacert.pem` back, the directory contains:

```
[root@cent6OS ssl]# tree .
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key

0 directories, 4 files
```

Finally, point `mod_ssl` at the files in `/etc/httpd/conf.d/ssl.conf`. The original excerpt shows only the key and CA directives; `SSLCertificateFile` must also be changed from the stock `localhost.crt` to the issued certificate, otherwise httpd keeps serving its self-signed default:

```
vim /etc/httpd/conf.d/ssl.conf

ServerName www.magedu.com:443
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
```

Note what `SSLCACertificateFile` does and does not do: it is the trust store httpd uses to verify client certificates, and it does not cause the server to send `cacert.pem` to browsers. Because `httpd.crt` is signed directly by the root, no chain file is needed here; the only way browsers will trust the site is for `cacert.pem` to be imported into each client's trusted root store. If an intermediate CA were added later, its certificate would go in `SSLCertificateChainFile` (or be appended to `SSLCertificateFile` on httpd 2.4.8 and later).
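The whole procedure above, as an added example that is not part of the original post: a throwaway CA built with `openssl ca` over `index.txt` and `serial` exactly as on the page, issuing the web server's CSR twice, once with the page's bare extensions and once with a `subjectAltName`, and then running the checks an operator should do before deploying (chain verifies, key matches certificate, SAN covers the service name, the CA cert really is a CA). It assumes `openssl` 1.0.2 or newer on `PATH`; `$WORKDIR`, the `CA/` and `ssl/` layout and the `magedu.com` names are constructed for the example and nothing touches `/etc`.

```sh
#!/bin/sh
# Added example (not the original post's commands). Assumes openssl 1.0.2+.
# $WORKDIR, the CA/ and ssl/ directories and all names below are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA="$WORKDIR/CA"     # stands in for /etc/pki/CA
SRV="$WORKDIR/ssl"   # stands in for /etc/httpd/conf.d/ssl

# CA host: empty database, serial 01, a 0600 key and a self-signed CA:TRUE cert.
# ca.cnf replaces /etc/pki/tls/openssl.cnf so the example does not depend on it.
make_ca() {
  mkdir -p "$CA/private" "$CA/newcerts" "$CA/certs"
  : > "$CA/index.txt"
  echo 01 > "$CA/serial"
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir            = $CA
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
policy         = policy_any
unique_subject = no
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = ca_dn
x509_extensions    = ca_ext
prompt             = no
[ ca_dn ]
C  = CN
O  = magedu.com
CN = ca.magedu.com
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ legacy_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.magedu.com, DNS:magedu.com
EOF
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CA/ca.cnf" -key "$CA/private/cakey.pem" \
    -days 3650 -out "$CA/cacert.pem"
}

# Web server host: an explicit 2048-bit key (genrsa without a size gives 1024
# bits on OpenSSL 1.0, which is too weak) and a CSR naming the service as CN.
make_server_csr() {
  mkdir -p "$SRV"
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nC = CN\nO = magedu.com\nCN = www.magedu.com\n' \
    > "$SRV/req.cnf"
  (umask 077; openssl genrsa -out "$SRV/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$SRV/req.cnf" -key "$SRV/httpd.key" -out "$SRV/httpd.csr"
}

# CA host: sign the CSR non-interactively. $1 selects the extension section, so the
# same CSR can be issued as the page did (legacy_ext, no SAN) or with a SAN.
sign_csr() {
  openssl ca -batch -notext -config "$CA/ca.cnf" -extensions "$1" \
    -in "$SRV/httpd.csr" -out "$2" -days 700 2>/dev/null
}

# Pre-deployment checks. verify_chain greps for ": OK" because OpenSSL 1.0's
# "openssl verify" exits 0 even when verification fails.
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$1" 2>&1 | grep -q ': OK$'; }
is_ca()        { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
cert_sans()    { openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'; }
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

make_ca
make_server_csr
sign_csr server_ext "$SRV/httpd.crt"             # the certificate to deploy
sign_csr legacy_ext "$CA/certs/httpd-nosan.crt"  # what the page's openssl.cnf produces
cp "$CA/cacert.pem" "$SRV/cacert.pem"
echo "SAN of deployable cert: $(cert_sans "$SRV/httpd.crt")"
echo "SAN of legacy cert:     '$(cert_sans "$CA/certs/httpd-nosan.crt")'"
```

Both certificates pass `openssl verify` against `cacert.pem`, which is the trap: chain validation says nothing about whether the name a browser connects to is covered. Only the `server_ext` certificate carries `DNS:www.magedu.com`; the `legacy_ext` one reproduces the page's result and would be rejected by current browsers. Run it as `sh make-ca.sh` and inspect `$WORKDIR` afterwards; the `index.txt` and `serial` bookkeeping matches what the `tree` listings on the page show.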

Original article: http://blog.51cto.com/11034229/2065872
