Issuing the root certificate
# openssl version -a shows the version and the configuration directory (OPENSSLDIR); the config file edited below is $OPENSSLDIR/openssl.cnf
[root@rserver ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
# Edit the configuration file
[root@rserver ~]# vim /etc/pki/tls/openssl.cnf
# Line 42, in [ CA_default ]: point the CA directory at /CA (the CentOS default is /etc/pki/CA); every other path in that section is built from $dir
dir = /CA
# Lines 85-90: relax [ policy_match ]. By default countryName, stateOrProvinceName and organizationName must match the CA's own DN, so openssl ca would reject the server CSR below (its state and organisation differ from the root's)
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
# Create the directory layout that openssl.cnf expects under $dir
[root@rserver ~]# mkdir /CA
[root@rserver ~]#
[root@rserver ~]# cd /CA
[root@rserver CA]# mkdir newcerts certs private
[root@rserver CA]# touch index.txt
# The serial file is hexadecimal, so the first certificate issued gets serial 0x1000 (4096)
[root@rserver CA]# echo 1000 > serial
# Generate the root CA private key (4096-bit RSA)
[root@rserver CA]# openssl genrsa -out cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
.................................................++
...........................................................++
e is 65537 (0x10001)
[root@rserver CA]#
# Self-sign the root certificate. Without -days, openssl req -x509 defaults to 30 days, so the root would expire before the one-year server certificate it issues below; give it an explicit long lifetime
[root@rserver CA]# openssl req -new -x509 -days 3650 -key cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:cc
Locality Name (eg, city) [Default City]:cc
Organization Name (eg, company) [Default Company Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (eg, your name or your server's hostname) []:Skill Global Root CA
Email Address []:
# Trust the root certificate system-wide (CentOS/RHEL ca-trust store)
[root@rserver CA]# cp cacert.pem /etc/pki/ca-trust/source/anchors/cacert.pem
[root@rserver CA]# update-ca-trust
# openssl.cnf expects the CA key at $dir/private/cakey.pem. Keep it readable by root only (mode 0600; genrsa in 1.0.2 honours the umask, so check) and never copy it to the web server
[root@rserver CA]# mv cakey.pem ./private
Issuing the HTTPS server certificate
[root@rserver CA]# openssl genrsa -out https.key 4096
Generating RSA private key, 4096 bit long modulus
[root@rserver CA]# openssl req -new -key https.key -out https.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.sdskills.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Sign the CSR with the CA key. The serial comes from /CA/serial and the validity from default_days in openssl.cnf (365 days). Nothing here adds a subjectAltName, so the resulting certificate identifies the host by its CN only
[root@rserver CA]# openssl ca -in https.csr -out https.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Apr 2 06:43:37 2022 GMT
Not After : Apr 2 06:43:37 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = China
organizationName = skills
organizationalUnitName = Operations Departments
commonName = *.sdskills.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F5:9A:79:A8:14:7E:7A:87:22:81:6D:C7:1B:AB:C1:89:D1:80:BC:53
X509v3 Authority Key Identifier:
keyid:79:17:4C:23:4B:38:02:9A:8E:83:FE:23:AE:2D:3B:78:86:15:67:29
Certificate is to be certified until Apr 2 06:43:37 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rserver CA]#
Finally, copy the root certificate and the server certificate (together with its private key, https.key) to the web server, and make sure the root certificate is trusted by every client that will connect to it. One caveat before deploying: the certificate signed above carries no subjectAltName extension (the X509v3 extensions listed are only Basic Constraints, Netscape Comment and the two key identifiers), and modern browsers ignore the Common Name entirely, wildcard or not, so they will reject it with a name-mismatch error. To fix this, sign with an extension section that sets subjectAltName = DNS:*.sdskills.com,DNS:sdskills.com (via -extfile/-extensions on openssl ca, or copy_extensions = copy with a SAN in the CSR).
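The whole procedure above, from the CA layout to the signed server certificate, as one added script that is not part of the original page: it builds the same directory structure and policy in a scratch directory with its own minimal openssl.cnf, gives the root an explicit validity, puts a subjectAltName on the server certificate, and finishes with the chain and hostname check a TLS client performs. The CA name and the host names (*.sdskills.com, sdskills.com) come from the page; the function names, the 2048-bit key size and the scratch-directory layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original page's commands: a private CA driven by
# `openssl ca`, runnable without root in a temporary directory.
# Assumed names: ca_init, ca_issue, ca_check_host; 2048-bit keys for speed.
set -eu

# ca_init DIR: directory layout, minimal openssl.cnf and a self-signed root
# valid for ten years (openssl req -x509 defaults to 30 days without -days).
ca_init() {
    dir=$1
    mkdir -p "$dir/newcerts" "$dir/certs" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"        # hex: the first serial issued is 0x1000
    # "$dir" is expanded by the shell now; "\$dir" is left for OpenSSL.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default

[ CA_default ]
dir            = $dir
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
serial         = \$dir/serial
default_days   = 365
default_md     = sha256
policy         = policy_any
unique_subject = no

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
default_md         = sha256
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -days 3650 -key "$dir/private/cakey.pem" \
        -subj "/C=CN/O=Inc/CN=Skill Global Root CA" -out "$dir/cacert.pem"
}

# ca_issue DIR NAME HOST...: key and CSR for NAME, then sign with openssl ca.
# The first HOST becomes the CN; every HOST goes into subjectAltName, which is
# what browsers actually check.
ca_issue() {
    dir=$1; name=$2; shift 2
    openssl genrsa -out "$dir/private/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/private/$name.key"
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/$name.key" \
        -subj "/C=CN/O=skills/CN=$1" -out "$dir/$name.csr"
    {
        printf '[ server_cert ]\n'
        printf 'basicConstraints       = CA:FALSE\n'
        printf 'keyUsage               = critical, digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage       = serverAuth\n'
        printf 'subjectKeyIdentifier   = hash\n'
        printf 'authorityKeyIdentifier = keyid,issuer\n'
        printf 'subjectAltName         = @alt_names\n'
        printf '[ alt_names ]\n'
        i=1
        for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
    } > "$dir/$name.ext"
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -extfile "$dir/$name.ext" -extensions server_cert \
        -in "$dir/$name.csr" -out "$dir/certs/$name.crt"
}

# ca_check_host DIR NAME HOST: chain plus hostname check, as a TLS client does.
ca_check_host() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" \
        "$1/certs/$2.crt" >/dev/null 2>&1
}

# Stand-alone run: build the CA, issue the page's wildcard cert, check it.
demo=$(mktemp -d)
ca_init "$demo"
ca_issue "$demo" https '*.sdskills.com' sdskills.com
ca_check_host "$demo" https www.sdskills.com && echo "www.sdskills.com: OK"
ca_check_host "$demo" https www.example.org || echo "www.example.org: rejected (not in SAN)"
```

Run it with `sh ca-demo.sh`; the files land under the printed mktemp directory in the same layout as /CA above (private/, certs/, newcerts/, index.txt, serial). The only parts that differ from the page's interactive session are the explicit -days on the root and the -extfile/-extensions pair on openssl ca, which is where the subjectAltName comes from; drop that pair and the hostname check in ca_check_host is exactly what a browser would fail on.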