转载自 向阳 http://www.hot-linux.com/

 

 
1,安装openssl,
[root@station3 ~]# yum -y install openssl
2,编辑配置文件
[root@station3 ~]# vim /etc/pki/tls/openssl.cnf
3,如下:
[ CA_default ]
 
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/my-ca.crt        # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/my-ca.crl        # The current CRL
private_key     = $dir/private/my-ca.key # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1                  # which md to use.
preserve        = no                    # keep passed DN ordering
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
####################################################################
[ req ]
default_bits            = 1024
default_md              = sha1
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
 
string_mask = MASK:0×2002
 
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
 
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = hubei
 
 
localityName                    = Locality Name (eg, city)
localityName_default            = wuhan
 
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Example, Inc.
 
3,因为配置文件中定义了其目录,所以:
[root@station3 ~]# cd /etc/pki/CA/
4,创建文件:
[root@station3 ~]# mkdir {certs,crl,newcerts}
[root@station3 CA]# echo 01 > serial
[root@station3 CA]# touch index.txt 
5,生成私钥
[root@station3 CA]# (umask 077; opessl genrsa -out private/my-ca.key)
[root@station3 CA]# cd private/
[root@station3 private]# ll
total 8
-rw——- 1 root root 493 Mar 27 22:06 my-ca.key
这里可以看到这个私钥的权限,这里的私钥一定不能被别人拿去
6,根据上面的私钥,生成一把公钥
 
[root@station3 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [CN]:
State or Province Name (full name) [hubei]:
Locality Name (eg, city) [wuhan]:
Organization Name (eg, company) [Example, Inc.]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
7,上面的公钥是要发给别人的,所以只要将上面的公钥给LDAP服务器就可以了
 
 
 
 
 
 
 转载自 向阳  http://www.hot-linux.com/