[iyunv@www ~]# cd /etc/pki/CA/
[iyunv@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
......................+++
e is 65537 (0x10001)
b.生成自签署证书:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[iyunv@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:sut31
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.stu31.com
Email Address []:admin@stu31.com
c.生成索引数据库文件及序列号文件:
1
2
3
4
[iyunv@www CA]# touch index.txt
[iyunv@www CA]# echo 01 >serial
[iyunv@www CA]# ls
cacert.pem certs crl index.txt newcerts private serial
2.为bbs.stu31.com网站生成证书
a.web服务器生成私钥
1
2
3
4
5
6
7
[iyunv@www CA]# mkdir /etc/nginx/certs
[iyunv@www CA]# cd /etc/nginx/certs
[iyunv@www certs]# (umask 077; openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................................+++
................................................................+++
e is 65537 (0x10001)
b.生成证书签署请求文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[iyunv@www certs]# openssl req -new -key nginx.key -out nginx.csr -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:sut31
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:bbs.stu31.com
Email Address []:admin@stu31.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[iyunv@www certs]# openssl ca -in nginx.csr -out nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 27 23:11:47 2014 GMT
Not After : Dec 24 23:11:47 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = sut31
organizationalUnitName = ops
commonName = bbs.stu31.com
emailAddress = admin@stu31.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
16:5B:54:BF:51:25:DF:8A:0D:9C:FE:09:B1:65:E1:AB:A6:CA:9E:2A
X509v3 Authority Key Identifier:
keyid:36:8D:23:60:59:82:3E:EA:ED:F6:02:DC:09:EB:17:04:A4:AB:06:51
Certificate is to be certified until Dec 24 23:11:47 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
1
2
[iyunv@www ~]# ls /etc/nginx/certs/
nginx.crt nginx.csr nginx.key
[iyunv@www ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
重启nginx
1
2
3
4
5
[iyunv@www ~]# service nginx restart
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Stopping nginx: [ OK ]
Starting nginx: [ OK ]