1. Edit the CA directory in the OpenSSL config file
On most operating systems the default does not need changing; the relevant line is dir:
cat /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
2. Generate the root certificate and its private key
cd /etc/pki/CA
# Create the certificate storage directories
mkdir private crl certs newcerts
# Create the serial file and write the initial serial number 00
echo '00' > serial
# Create an empty index.txt file
touch index.txt
# Generate the private key for the CA root certificate
openssl genrsa -out private/cakey.pem 2048
# Generate the CA root certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
3. Generate the server private key and certificate signing request
cd /etc/nginx
# Generate the site's private key
openssl genrsa -out m.ipcpu.com.key 2048
# Generate the certificate signing request
openssl req -new -key m.ipcpu.com.key -out m.ipcpu.com.csr
4. Sign the certificate with the local CA
openssl ca -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365
After a successful signing it reports that the database has been updated:
[root@ip-172-31-32-208 nginx]# openssl ca -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Dec 20 15:20:03 2014 GMT
Not After : Dec 20 15:20:03 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = ipcpu.com
organizationalUnitName = ops
commonName = m.ipcpu.com
emailAddress = m@ipcpu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AA:00:B2:61:9F:55:D1:C6:67:69:75:B4:BF:5D:3C:A3:DC:A8:82:94
X509v3 Authority Key Identifier: keyid:87:73:06:6C:EF:01:EB:9B:47:3B:69:4E:26:21:76:9A:61:F3:E2:A5
Certificate is to be certified until Dec 20 15:20:03 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
At this point both serial and index.txt in the CA directory have been updated.
[root@ip-172-31-32-208 CA]# cat serial
01
[root@ip-172-31-32-208 CA]# cat index.txt
V 151220152003Z 00 unknown /C=CN/ST=Beijing/O=ipcpu.com/OU=ops/CN=m.ipcpu.com/emailAddress=m@ipcpu.com
[root@ip-172-31-32-208 CA]#
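The four steps above, scripted end to end as an added example (not code from the original post): it builds the same CA layout (private/ crl/ certs/ newcerts/, serial seeded with 00, empty index.txt) in a temporary directory with its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, replaces the interactive prompts with -subj and -batch, then checks the result the way a client would (openssl verify with hostname matching) and confirms the serial/index.txt state shown in the output above. It goes slightly beyond the post in two places: the root gets explicit CA:TRUE/keyCertSign constraints rather than whatever the system config's defaults are, and the leaf gets a subjectAltName, because modern clients ignore the CN. The "Example Root CA" subject and the temp-directory paths are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything lives in a temp
# directory from mktemp; the "Example Root CA" subject is constructed.
set -eu

# Steps 1 and 2 of the post without touching /etc: create the CA layout and a
# minimal openssl.cnf whose "dir" points at it. Prints the work directory.
setup_ca_dir() {
    work=$(mktemp -d)
    mkdir -p "$work/CA/private" "$work/CA/crl" "$work/CA/certs" "$work/CA/newcerts"
    chmod 700 "$work/CA/private"        # the CA key is the crown jewel
    echo '00' > "$work/CA/serial"       # initial serial, as in the post
    : > "$work/CA/index.txt"            # empty database
    cat > "$work/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./CA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_cert

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Root: explicitly a CA, allowed only to sign certificates and CRLs.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Leaf: CA:FALSE as in the post's output, plus a SAN that clients match on.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:m.ipcpu.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    echo "$work"
}

# Steps 2 to 4 of the post, non-interactively: -subj replaces the DN prompts,
# -batch replaces the two y/n questions. Runs in a subshell from the work
# directory so the relative "dir = ./CA" in the config resolves.
run_ca_flow() (
    cd "$1"
    openssl genrsa -out CA/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca \
        -key CA/private/cakey.pem -out CA/cacert.pem -days 3650 \
        -subj '/C=CN/O=example-ca/CN=Example Root CA'
    openssl genrsa -out m.ipcpu.com.key 2048 2>/dev/null
    openssl req -new -config openssl.cnf -key m.ipcpu.com.key \
        -out m.ipcpu.com.csr \
        -subj '/C=CN/ST=Beijing/O=ipcpu.com/OU=ops/CN=m.ipcpu.com'
    openssl ca -config openssl.cnf -batch -notext \
        -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365
)

# What a relying party checks: the leaf must chain to the root and the
# hostname must match the certificate (SAN). Exit status 0 means valid.
verify_chain() (
    cd "$1"
    openssl verify -CAfile CA/cacert.pem -verify_hostname m.ipcpu.com \
        m.ipcpu.com.crt >/dev/null
)

# CA database state after one signature; compare with the post's output:
# serial advances from 00 to 01 and index.txt gains one "V" (valid) row.
ca_serial() { cat "$1/CA/serial"; }
ca_valid_entries() { grep -c '^V' "$1/CA/index.txt"; }

WORK=$(setup_ca_dir)
run_ca_flow "$WORK"
verify_chain "$WORK"
echo "chain and hostname OK; serial now $(ca_serial "$WORK"), valid entries: $(ca_valid_entries "$WORK")"
```

The two checks at the end are the ones worth keeping in any CA script: openssl verify with -verify_hostname fails if the root lacks CA:TRUE or the leaf lacks a matching SAN, and a non-incremented serial or empty index.txt means the signing never went through the database, so the CA cannot later revoke what it issued.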
Reference: http://www.haiyun.me/archives/openssl-ca-cert.html
Please credit when reposting: IPCPU-网络之路 » Generating a root certificate and a server certificate with OpenSSL and signing it