1. View the CA certificate configuration file
vim /etc/pki/tls/openssl.cnf
2. Prepare the environment
Create the first file: touch /etc/pki/CA/index.txt ; this file holds the certificate database used during signing. If it does not exist, openssl ca reports an error when signing, so you can create it now or wait until you see the error and create it then.
Create the second file: echo 01 > /etc/pki/CA/serial ; this holds the starting serial number, i.e. the serial number the next certificate will get.
3. Create the CA
In this step we act as a CA. We need a private key and a root certificate; for what these two are for, see my previous post on how HTTPS works.
Step 1: generate the private key
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Step 2: use the private key to generate the root certificate cacert.pem
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
req: create a certificate request;
-new: generate a new certificate signing request;
-x509: produce a self-signed certificate instead of a request;
-key: the private key used for the request;
-days: validity period of the certificate (in days);
-out: where to save the certificate
Be sure to understand the following. The fields marked "must match" are compared against every request by the default policy (policy_match) in openssl.cnf, and the CA refuses to sign a request whose values differ.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    Note: country, must match
State or Province Name (full name) []:henan    Note: province, must match
Locality Name (eg, city) [Default City]:xinyang    Note: city, may differ
Organization Name (eg, company) [Default Company Ltd]:lenovo    Note: organization, must match
Organizational Unit Name (eg, section) []:test    Note: organizational unit, may differ
Common Name (eg, your name or your server's hostname) []:liuwei.com    Note: domain name
Email Address []: k    Note: may be left empty
4. Request a certificate
Suppose test.com wants a certificate. It needs a private key, a public key, and a certificate signing request to submit to the CA we just created.
mkdir /home/nicholas/myserver
cd /home/nicholas/myserver
Generate the private key
(umask 066; openssl genrsa -out myserver-private.key 2048)
Generate the certificate signing request. Note that this step also creates the public key (it is embedded in the CSR); myserver-private.csr is what we hand to the CA we just created. (The -days option has no effect on a CSR; the validity period is set by the CA when it signs.)
openssl req -new -key myserver-private.key -days 365 -out myserver-private.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    unchanged
State or Province Name (full name) []:henan    unchanged
Locality Name (eg, city) [Default City]:xinyang    may differ
Organization Name (eg, company) [Default Company Ltd]:lenovo    unchanged
Organizational Unit Name (eg, section) []:test1    may differ
Common Name (eg, your name or your server's hostname) []:test.com    our domain name
Email Address []:
5. The CA issues the certificate
openssl ca -in myserver-private.csr -out myserver-private.crt -days 3650
The certificate myserver-private.crt is generated, haha, issued for 10 years.
6. Import the root certificate into IE
Import the root certificate cacert.pem we just created into IE. Then build our HTTPS server with myserver-private.crt and myserver-private.key, and be sure to visit it with IE: it is reported as secure. Remember to edit the hosts file too.
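The whole procedure above, collapsed into a script that runs against a throwaway CA directory instead of /etc/pki/CA; this is an added example, not the author's commands. It assumes only that the openssl CLI is installed, uses a minimal stand-in for openssl.cnf whose policy_match section is what makes the "must match" fields mandatory, drives every prompt with -subj and -batch, and checks the issued certificate against the root with openssl verify.

```shell
#!/bin/sh
# Assumes only the openssl CLI; nothing under /etc is touched.
setup_ca() {                      # $1 = directory for the CA (created here)
  mkdir -p "$1/private" "$1/newcerts"
  touch "$1/index.txt"            # certificate database (step 2)
  echo 01 > "$1/serial"           # serial number of the next certificate (step 2)
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ server_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
  (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)   # step 3, CA key
  openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
    -days 7300 -subj "/C=CN/ST=henan/O=lenovo/CN=liuwei.com" -out "$1/cacert.pem"  # step 3, root
}

issue_cert() {   # $1 = CA dir, $2 = subject DN, $3 = file stem; exit status is the CA's verdict
  openssl genrsa -out "$1/$3.key" 2048 2>/dev/null                                  # step 4, key
  openssl req -new -config "$1/openssl.cnf" -key "$1/$3.key" -subj "$2" -out "$1/$3.csr"  # step 4, CSR
  openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$3.csr" \
    -out "$1/$3.crt" -days 3650 >/dev/null 2>&1                                   # step 5, sign
}

verify_cert() {                   # $1 = CA dir, $2 = file stem; succeeds only if the chain is valid
  openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}
```

A request whose Organization differs from the CA's (for example O=OtherCorp) is rejected by the policy_match section, which is the behaviour the "must match" notes above describe.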