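1. Set up the root CA
Configuration file: /etc/pki/tls/openssl.cnf
1) Generate the private key under /etc/pki/CA/private
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
2) Create the self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
Answers to the prompts, in order (country, state or province, locality, organization, organizational unit, common name):
CN
beijing
beijing
lzsj
m30
www.ca.com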
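2. User or server
1) Generate the private key
(umask 077; openssl genrsa -out /cx/app.key 2048)
Or, to protect the key file with an AES-256 passphrase:
(umask 077; openssl genrsa -out /cx/app.key -aes256 2048)
2) Generate the certificate signing request (CSR)
openssl req -new -key app.key -out app.csr
Answers to the prompts, in the same order as for the CA:
CN
beijing
beijing
magedu
m30
www.changxing.com
3) Send the CSR to the CA
On the CA server:
touch /etc/pki/CA/index.txt
echo 0F > /etc/pki/CA/serial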
3. The CA issues the certificate
openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 365
(Format conversion: openssl x509 -in mycert.crt -out mycert.pem -outform PEM)
4. Send the certificate to the client
5. The application uses the certificate
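
The `openssl ca` step in section 3 applies the policy section of /etc/pki/tls/openssl.cnf. Assuming the stock `policy_match` policy, the request's country, state and organization must equal the CA's, so a request with organization magedu is refused by a CA whose organization is lzsj. The script below is an added example, not part of the original notes, that checks this before the CSR is sent; the function names, the temporary directory and the generated keys and requests are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a CSR subject with the CA certificate subject on the
# three attributes that policy_match (assumed stock policy) requires to be equal.

# Print one subject attribute. $1 = x509|req, $2 = file, $3 = attribute name
subject_field() {
    openssl "$1" -in "$2" -noout -subject -nameopt multiline |
        awk -F' *= *' -v f="$3" '$1 ~ ("^ *" f "$") { print $2; exit }'
}

# Return 0 when the CSR would pass policy_match, 1 otherwise.
# $1 = CA certificate, $2 = CSR
policy_match_ok() {
    rc=0
    for f in countryName stateOrProvinceName organizationName; do
        ca=$(subject_field x509 "$1" "$f")
        rq=$(subject_field req "$2" "$f")
        if [ "$ca" != "$rq" ]; then
            echo "mismatch in $f: CA='$ca' request='$rq'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed demo data in a throwaway directory (never in /etc/pki/CA).
demo_setup() {
    D=$(mktemp -d)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$D/cakey.pem" -out "$D/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=lzsj/OU=m30/CN=www.ca.com" 2>/dev/null
    # Same organization as the CA: passes the policy check.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$D/ok.key" -out "$D/ok.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=lzsj/OU=m30/CN=www.changxing.com" 2>/dev/null
    # Organization from the notes' request: fails the policy check.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$D/bad.key" -out "$D/bad.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=magedu/OU=m30/CN=www.changxing.com" 2>/dev/null
}

demo_setup
policy_match_ok "$D/cacert.pem" "$D/ok.csr" && echo "ok.csr: subject matches CA policy"
policy_match_ok "$D/cacert.pem" "$D/bad.csr" || echo "bad.csr: would be refused by openssl ca"
rm -rf "$D"
```

Either the request's organization is changed to match the CA's, or the CA's configuration is switched to a policy that does not require the match.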