首先在其他主機上創建一個私有的CA
假如我我現在就另外開一臺虛擬機
登錄進去
一、生存一對密鑰(私鑰和公鑰,公鑰可以在私鑰中提取因此創建私鑰就可以了)
[root@CentOS6 ~]#cd/etc/pki/CA
[root@CentOS6 CA]#(umask 077; opensslgenrsa –out private/cakey.pem 2048)
二、生成CA的證書
[root@CentOS6 CA]# openssl req -new -x509-key private/cakey.pem -out cacert.pem
You are about to be asked to enterinformation that will be incorporated
into your certificate request.
What you are about to enter is what iscalled a Distinguished Name or a DN.
There are quite a few fields but you canleave some blank
For some fields there will be a defaultvalue,
If you enter '.', the field will be leftblank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Henan
Locality Name (eg, city) [DefaultCity]:Zhengzhou
Organization Name (eg, company) [DefaultCompany Ltd]:HuangBY
Organizational Unit Name (eg, section)[]:Tech
Common Name (eg, your name or your server'shostname) []:www.huangbaoying.com
Email Address []:[email protected]
Please enter the following 'extra'attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS6 CA]# mkdir certs newcerts crl
[root@CentOS6 CA]# touch index.txt
[root@CentOS6 CA]# touch serial
[root@CentOS6 CA]# echo 01 > serial
OK準備給人家簽證吧
三、好了,現在在httpd服務器的主機上
[root@CentOS6 ~]# cd /etc/httpd/
[root@CentOS6 httpd]# mkdir ssl
[root@CentOS6 httpd]#cd ssl
創建私鑰
[root@CentOS6 ssl]# (umask 077; opensslgenrsa –out httpd.key 1024)
創建證書
[root@CentOS6 CA]# openssl req –new -key httpd.key-out httpd.csr
把證書發給CA
現在我們切換到CA如果你在同一臺主機上就不再切換了
四、簽證
[root@CentOS6 ~]#openssl ca –in httpd.csr –outhttpd.crt –days 3650
好了簽證完畢把httpd.crt發給httpd的服務器主機
五、登錄到httpd的服務器主機
將收到的httpd.crt放到/etc/httpd/ssl/下面去備用