[root@*** easyrsa3]# ls
easyrsa openssl-1.0.cnf vars vars.example x509-types
[root@*** easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/open***/easy-rsa/easyrsa3/pki
(2) Create the root CA certificate
[root@*** easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..+++
..........................+++
writing new private key to '/usr/local/open***/easy-rsa/easyrsa3/pki/private/ca.key.SueAMWTlxi'
Enter PEM pass phrase: # enter a passphrase; it is used to sign certificates
Verifying - Enter PEM pass phrase: # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ylsh # enter a Common Name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/open***/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server certificate
[root@*** easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
......................................+++
writing new private key to '/usr/local/open***/easy-rsa/easyrsa3/pki/private/server.key.YyWK7tSjws'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:ylsh-BJ # this Common Name must NOT be the same as the one used for the root CA !!!
Keypair and certificate request completed. Your files are:
req: /usr/local/open***/easy-rsa/easyrsa3/pki/reqs/server.req
key: /usr/local/open***/easy-rsa/easyrsa3/pki/private/server.key
(4) Sign the server certificate
[root@*** easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = ylsh-BJ
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes to continue
Using configuration from /usr/local/open***/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/open***/easy-rsa/easyrsa3/pki/private/ca.key: # enter the passphrase set when creating the root CA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'ylsh-BJ'
Certificate is to be certified until Jun 11 04:01:47 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/open***/easy-rsa/easyrsa3/pki/issued/server.crt
(5) Generate the Diffie-Hellman parameters, which keep the key exchange secure across an untrusted network:
[root@*** easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................................+...........................+.............................................................+...........................+.................................................................................................................................................................................................................................................+...............................................................................................................................+..+.................................................................+..........................................................................................+..............+...............................................................................................................................................................................+........................................................................................+...............................................................................+................................................+..........++*++*
DH parameters of size 2048 created at /usr/local/open***/easy-rsa/easyrsa3/pki/dh.pem
[root@*** ~]# cd client/easy-rsa/easyrsa3/
[root@*** easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
(3) Create the client key and certificate request
[root@*** easyrsa3]# ./easyrsa gen-req qiangsh
Generating a 2048 bit RSA private key
.......................+++
........................................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq'
Enter PEM pass phrase: # enter a passphrase
Verifying - Enter PEM pass phrase: # enter the passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qiangsh]:qiangsh # enter qiangsh
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
(4) Import the resulting qiangsh.req and sign the certificate
[root@*** ~]# cd /usr/local/open***/easy-rsa/easyrsa3/
[root@*** easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req qiangsh # import the request
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qiangsh
You may now use this name to perform signing operations on this request.
[root@*** easyrsa3]# ./easyrsa sign client qiangsh # sign the certificate
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = qiangsh
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes
Using configuration from /usr/local/share/doc/open***/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/share/doc/open***/easy-rsa/easyrsa3/pki/private/ca.key: # enter the passphrase set when creating the root CA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'qiangsh'
Certificate is to be certified until Jun 6 07:50:02 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/share/doc/open***/easy-rsa/easyrsa3/pki/issued/qiangsh.crt # signing succeeded
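As an added check that is not part of the original post, the script below judges a certificate issued in step (4) (server or client) the way an OpenVPN peer will: it must chain to ca.crt, its CN must differ from the CA's (the warning at the server Common Name prompt above), and its Extended Key Usage must match the role passed to `easyrsa sign`, which is what lets `remote-cert-tls server` on the client reject a client certificate presented as a server. It assumes only the OpenSSL CLI and builds a throwaway CA with the page's CNs in a temp directory instead of touching the real pki/ tree; `make_demo_pki` and the other function names are this example's own.

```shell
# Added checks for an Easy-RSA PKI (not code from the original post). Needs only the
# OpenSSL CLI; make_demo_pki builds a throwaway CA with the page's CNs in a temp dir.
set -eu

# Subject CN of a PEM certificate, e.g. "ylsh-BJ".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Extended Key Usage text of a certificate ("" if the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

# SHA-256 of a .req file, to compare out of band with its sender before signing it.
req_fingerprint() {
    openssl dgst -sha256 "$1" | sed 's/.*= //'
}

# Judge an issued cert the way an OpenVPN peer will: it must chain to ca.crt, its CN
# must differ from the CA's, and its EKU must match the role given to "easyrsa sign".
check_issued() {  # check_issued ca.crt issued.crt server|client -> "ok" or the reason
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "not signed by this CA"; return 0; }
    [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ] || { echo "CN identical to CA CN"; return 0; }
    case "$3" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *)      echo "unknown role $3"; return 0 ;;
    esac
    [ "$(cert_eku "$2")" = "$want" ] || { echo "EKU is not '$want'"; return 0; }
    echo ok
}

# Throwaway CA + server cert mirroring steps (2)-(4): Easy-RSA's "nopass" is openssl's
# -nodes, and "sign server" adds extendedKeyUsage=serverAuth. Prints the directory.
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=ylsh \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=ylsh-BJ \
        -keyout "$d/server.key" -out "$d/server.req" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' >"$d/ext"
    openssl x509 -req -days 3650 -in "$d/server.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/ext" -out "$d/server.crt" 2>/dev/null
    echo "$d"
}
PKI=$(make_demo_pki)
echo "server.crt as server: $(check_issued "$PKI/ca.crt" "$PKI/server.crt" server)"
echo "server.crt as client: $(check_issued "$PKI/ca.crt" "$PKI/server.crt" client)"
```

Run it against the real tree by passing pki/ca.crt and pki/issued/server.crt (or qiangsh.crt with role client) to check_issued; the second echo shows why a server certificate does not pass as a client one.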