搭建CA认证中心
配置一个自己的CA认证中心
[root@centos ~]# vim /etc/pki/tls/openssl.cnf +172 #直接定位到172行
basicConstraints=CA:FALSE # 把FALSE改成TRUE 把本机变成CA认证中心
配置认证中心,生成私钥与根证书
[root@centos ~]# /etc/pki/tls/misc/CA -newca
[root@centos ~]# cd /etc/pki/tls/certs/
[root@centos certs]# openssl genrsa -out server.key
Generating RSA private key, 2048 bit long modulus
.......+++
..+++
e is 65537 (0x10001)
[root@centos certs]# openssl req -new -key server.key -out server.csr
[root@centos certs]# touch index.txt
[root@centos certs]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
94:05:59:15:3b:a7:45:8b
Validity
Not Before: Dec 18 04:31:39 2019 GMT
Not After : Dec 17 04:31:39 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = JS
organizationName = ISN
organizationalUnitName = canet
commonName = canet.org
emailAddress = canet@canet.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1B:93:9F:9E:02:C3:EE:EE:F1:0B:96:63:B8:16:74:A2:04:50:76:F8
X509v3 Authority Key Identifier:
keyid:39:50:F8:11:F5:CE:AC:AE:97:D4:34:38:F1:03:24:E9:7D:F8:0C:EB
Certificate is to be certified until Dec 17 04:31:39 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos certs]# cat server.key server.crt >server.pem
[root@centos certs]#
参考:https://www.cnblogs.com/bigdevilking/p/9434444.html