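# Run as root on the CA host. /etc/pki/CA is the directory that the
# openssl.cnf excerpt on this page names as `dir`.
cd /etc/pki/CA/

# Generate the CA signing key. The subshell confines `umask 077` to this one
# command, so cakey.pem is created with owner-only permissions and the login
# shell's umask is left untouched.
#
# Key size: the original transcript used 1024 bits. A 1024-bit RSA modulus is
# below the 2048-bit floor in current guidance, and many current TLS stacks
# refuse chains that contain one. 4096 is used here because this key signs
# every certificate the CA issues and must stay sound for the CA's lifetime.
#
# The key is written unencrypted: anyone who can read the file can issue
# certificates as this CA. Add a cipher option (e.g. -aes256) to protect it
# with a passphrase at rest.
(umask 077; openssl genrsa -out private/cakey.pem 4096)

# Output recorded from the original 1024-bit run (the dot pattern varies):
#   Generating RSA private key, 1024 bit long modulus
#   ...............++++++
#   ....++++++
#   e is 65537 (0x10001)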
# Self-sign the CA certificate with the CA private key.
#   -new -x509  emit a self-signed certificate instead of a signing request
#   -days 3089  validity period, in days
# Both paths are relative, so this is run from /etc/pki/CA. By default openssl
# prompts for the subject fields.
# NOTE(review): the openssl.cnf excerpt on this page sets
# `certificate = $dir/cacert.pem`, while this command writes cacert.crt.
# `openssl ca` then needs `-cert cacert.crt`, or the two names must be
# aligned. Confirm which the author intended.
openssl req \
  -new \
  -x509 \
  -key private/cakey.pem \
  -days 3089 \
  -out cacert.crt
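# Locate the OpenSSL configuration that `openssl ca` reads its CA paths from.
# `ll` is an interactive alias and is not defined in scripts or on every
# distribution, so the underlying command is spelled out.
ls -l /etc/pki/tls/openssl.cnf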
# Excerpt from /etc/pki/tls/openssl.cnf: the paths `openssl ca` uses.
# (In a stock openssl.cnf these keys live in the [ CA_default ] section.)
# Every path below is resolved relative to $dir.

dir             = /etc/pki/CA              # Where everything is kept
certs           = $dir/certs               # Where the issued certs are kept
crl_dir         = $dir/crl                 # Where the issued crl are kept
database        = $dir/index.txt           # database index file.
#unique_subject = no                       # Set to 'no' to allow creation of
                                           # several certificates with same subject.
new_certs_dir   = $dir/newcerts            # default place for new certs.

# NOTE(review): the CA certificate created on this page is written to
# cacert.crt, not cacert.pem. Either pass -cert to `openssl ca` or make the
# two names agree.
certificate     = $dir/cacert.pem          # The CA certificate
serial          = $dir/serial              # The current serial number
crlnumber       = $dir/crlnumber           # the current crl number
                                           # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem             # The current CRL

# The CA signing key. Keep this file and its directory readable by the CA
# operator only.
private_key     = $dir/private/cakey.pem   # The private key
RANDFILE        = $dir/private/.rand       # private random number file
cakey.pem:CA 的私钥(可提取出公钥)
cacert.crt:CA 自签名证书
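# Generate the web server's private key (2048-bit RSA).
# Wrapped in a subshell with `umask 077`, the same way the CA key is created
# on this page, so the key file is created owner-only. Without it the file
# mode depends on the caller's umask and may be readable by other local users.
(umask 077; openssl genrsa -out http1.key 2048)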
# Build a certificate signing request (CSR) for the server key.
# Only the public key and the subject entered at the prompts go into
# http1.csr. The private key http1.key stays on the server, and the CSR is
# what gets handed to the CA.
openssl req \
  -new \
  -key http1.key \
  -out http1.csr
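# Sign the server's CSR with the CA. Run on the CA host as the CA operator.
ca_dir=/etc/pki/CA

# `openssl ca` refuses to run unless the database and serial files named in
# openssl.cnf (database = $dir/index.txt, serial = $dir/serial) exist.
# Create them on first use only, so an existing issuance history is kept.
[ -e "$ca_dir/index.txt" ] || touch "$ca_dir/index.txt"
[ -e "$ca_dir/serial" ] || printf '01\n' > "$ca_dir/serial"

# -cert: the CA certificate on this page was written to cacert.crt, while
#        openssl.cnf points `certificate` at $dir/cacert.pem, so name the
#        file explicitly.
# -days: the original asked for 3650 days, which outlives the CA certificate
#        itself (issued for 3089 days). A leaf that is still "valid" after
#        its issuer has expired no longer verifies, so keep the leaf lifetime
#        inside the CA's remaining validity. Raise 365 if needed, within
#        that limit.
# Check the subject that openssl prints before confirming the signature. The
# CA vouches for whatever is in the CSR.
openssl ca \
  -cert "$ca_dir/cacert.crt" \
  -in http1.csr \
  -out httpd.crt \
  -days 365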