试验环境介绍(CA的主机为192.168.23.10、httpd的主机为:192.168.23.11)
1:新建一台web服务器,主机名为www
yum install -y httpd
2:生成私钥
mkdir /etc/httpd/ssl
cd /etc/httpd/ssl
(umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
3:生成证书签署请求
openssl req -new -key /etc/httpd/ssl/httpd.key -out httpd.csr -days 365
证书请求内容如下:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.uplooking.com
Email Address []:yinhuanyi@uplooking.com
4:将证书请求通过scp发送给CA主机
scp httpd.csr root@192.168.23.10:/root/
5:在CA主机上签署证书(在CA主机上操作),将签署了的证书先保存在/etc/pki/CA/certs/目录下
openssl ca -in /root/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
6:将证书发送给web服务器
scp /etc/pki/CA/certs/httpd.crt root@192.168.23.11:/etc/httpd/ssl/
7:查看证书中的信息
openssl x509 -in /etc/httpd/ssl/httpd.crt -noout -serial -subject