[root@lzn ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA # Where everything is kept
48 database = $dir/index.txt # database index file.
53 certificate = $dir/ca.crt # The CA certificate
58 private_key = $dir/private/ca.key
136 countryName_default = CN
141 stateOrProvinceName_default = BeiJing
144 localityName_default = HaiDian
154 organizationalUnitName_default = GNOME
160 emailAddress_default =admin@linzhennan.cn手动添加的行!
------------
[root@lzn ~]# mkdir /etc/pki/CA
[root@lzn ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@lzn ~]# touch /etc/pki/CA/index.txt
[root@lzn ~]# echo 00 > /etc/pki/CA/serial
---------------------------------------------
生成CA自己的私钥:私钥存放的位置应该与/etc/pki/tls/openssl.cnf里定义的对应
[root@lzn ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/ca.key)
Generating RSA private key, 512 bit long modulus
.......++++++++++++
.++++++++++++
e is 65537 (0x10001)
[root@lzn ~]# ls -l /etc/pki/CA/private/ca.key
-rw------- 1 root root 493 05-03 09:56 /etc/pki/CA/private/ca.key
[root@lzn ~]#
CA自签名生成自己的证书
[root@lzn ~]# openssl req -new -x509 -days 365 -key /etc/pki/CA/private/ca.key -out /etc/pki/CA/ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [HaiDian]:
Organization Name (eg, company) [Lzn Ltd]:
Organizational Unit Name (eg, section) [GNOME]:
Common Name (eg, your name or your server's hostname) []:CAHOST
Email Address [admin@linzhennan]:
[root@lzn ~]# file /etc/pki/CA/ca.crt
/etc/pki/CA/ca.crt: ASCII text
++++++++++++++++++++++++++++++++++
https server:
1)生成自己的私钥
openssl genrsa -out /etc/httpd/conf.d/httpserver.key
2)生成自己的证书请求文件
[root@lzn misc]# openssl req -new -key /etc/httpd/conf.d/httpserver.key -out /tmp/server.csr
3)将证书请求文件拷给CA,CA上直接用如下命令签名,生成server的证书
]# openssl ca -in /tmp/server.csr -out /etc/httpd/conf.d/httpserver.crt
----配置HTTPS------------
[root@lzn misc]# rpm -q mod_ssl
mod_ssl-2.2.3-63.el5
[root@lzn misc]# grep -n httpserver /etc/httpd/conf.d/ssl.conf
112:SSLCertificateFile /etc/httpd/conf.d/httpserver.crt
119:SSLCertificateKeyFile /etc/httpd/conf.d/httpserver.key
[root@lzn misc]#
[root@lzn misc]# service httpd restart
停止 httpd: [失败]
启动 httpd:httpd: bad user name apache
[失败]
[root@lzn misc]# getenforce
Enforcing
[root@lzn misc]# setenforce 0
[root@lzn misc]# service httpd restart
停止 httpd: [失败]
启动 httpd: [确定]
[root@lzn misc]#
还没有评论,快来抢沙发!