CA的配置文件:/etc/pki/tls/openssl.cnf
创建CA目录
```
[root@zhenzhu ~]# ls /etc/pki
ca-trust java rpm-gpg rsyslog tls
[root@zhenzhu ~]# mkdir /etc/pki/CA
[root@zhenzhu ~]# cd /etc/pki/CA
[root@zhenzhu CA]# pwd
/etc/pki/CA
[root@zhenzhu CA]#
```
CA生成一对密钥
```
[root@zhenzhu ~]# mkdir /etc/pki/CA
[root@zhenzhu ~]# cd /etc/pki/CA
[root@zhenzhu CA]# pwd
/etc/pki/CA
[root@zhenzhu CA]# mkdir -p /etc/pki/CA/private
[root@zhenzhu CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................+++++
.....................................................................................................................................................+++++
e is 65537 (0x010001)
[root@zhenzhu CA]# ls
private
[root@zhenzhu CA]# ls
private
[root@zhenzhu CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 26 17:29 cakey.pem
[root@zhenzhu CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0fywzxjwO1zK9Ltk5D9Q
2/kpWb5GZcFZeSEM4dqjkhG57qlod2F7VhDipV/RlL0hYoU7EvzKpFV/Of4oOC++
/Yb6IUw0bnqsJIymAGcbBFwdtYK2Az1cyM0PeLU6UOXCj1ELD1IxmpgBSe5IAfHT
zizMkXxb4g6Jguloe1hmWsMCq/Ii6gFyHZ2mUgra4++m7+9vM6+i5lb6KaLINc3G
LxdUiEyYGv9szBzp35KfSIRe+dRbsBL/YY9I7DbNEDM4yTVn+rR3iwUrCyGgGcAl
EwRd6wTcdbnPJdV+spBmKIoL7iAsO1iQiRznEAinOcjaH7ZTQnl0O+qcz4b6eqQf
/QIDAQAB
-----END PUBLIC KEY-----
[root@zhenzhu CA]#
```
CA生成自签署证书
```
[root@zhenzhu CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //两个字母表示国家
State or Province Name (full name) []:HB //省份
Locality Name (eg, city) [Default City]:WH //城市
Organization Name (eg, company) [Default Company Ltd]:runtime //公司
Organizational Unit Name (eg, section) []:runtime //组织单元名称
Common Name (eg, your name or your server's hostname) []:www.zhenzhu.com //你证书的域名
Email Address []:1@2.com //邮箱
[root@zhenzhu CA]# ls
cacert.pem private
[root@zhenzhu CA]#
```
创建空目录和文件
```
[root@zhenzhu CA]# mkdir certs newcerts crl
[root@zhenzhu CA]# touch index.txt && echo 01 > serial
[root@zhenzhu CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@zhenzhu CA]# cat serial
01
[root@zhenzhu CA]#
```
创建目录来放置证书
```
[root@zhenzhu ~]# mkdir -p /usr/local/apache/conf/ssl
[root@zhenzhu ~]# cd /usr/local/apache/conf/ssl
[root@zhenzhu ssl]# ls
[root@zhenzhu ssl]#
```
生成自生的密钥
```
[root@zhenzhu ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.............................+++++
e is 65537 (0x010001)
[root@zhenzhu ssl]# ls
httpd.key
[root@zhenzhu ssl]#
```
客户端生成证书请求
```
[root@zhenzhu ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:www.zhenzhu.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //加密,一般情况不需要加密
An optional company name []:
[root@zhenzhu ssl]#
```
CA签署证书
```
[root@zhenzhu ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 26 10:05:25 2022 GMT
Not After : Dec 26 10:05:25 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = runtime
commonName = www.zhenzhu.com
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0A:F5:CA:9A:EB:6B:BD:C5:14:64:71:46:D6:5D:B4:D8:E6:09:C6:CE
X509v3 Authority Key Identifier:
keyid:D2:83:09:04:CA:C3:D1:0C:C6:F7:E9:8A:2F:B8:1F:27:12:A4:6C:12
Certificate is to be certified until Dec 26 10:05:25 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@zhenzhu ssl]# ls
httpd.crt httpd.csr httpd.key
[root@zhenzhu ssl]#
```