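Task requirements:
• CA root certificate path: /CA/cacert.pem;
• Issue a digital certificate with the following issuer information:
Country = CN
Organization = Inc
Organizational unit = www.skills.com
Common name = Skill Global Root CA
SSL uses the issued certificate, which is issued to: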
C = CN
ST = China
L = ShangDong
O = skills
OU = Operations Departments
CN = *.sdskills.com
Issue the digital certificate; issuer:
C = CN;
O = Inc
OU = www.skills.com
CN = skill Global Root CA
Configuration:
Edit the certificate configuration file:
vi /etc/pki/tls/openssl.cnf
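Change line 42 to:
Edit lines 85 to 90, changing match and supplied to optional
Press Enter on line 86 to open an empty line, then copy line 99 into the empty line 87:
Create the files the CA needs: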
mkdir /CA
cd /CA
mkdir private newcerts
touch index.txt
echo 01 > serial
Generate the CA key:
openssl genrsa -out private/cakey.pem
Generate the root certificate:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
Or:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem \
    -subj '/C=CN/O=Inc/OU=www.skills.com/CN=Skill Global Root CA'
Generate the key for the web service:
openssl genrsa -out httpd.key
Generate the web certificate signing request (CSR):
openssl req -new -key httpd.key -out httpd.csr
Or:
openssl req -new -key httpd.key -out httpd.csr \
    -subj '/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=*.sdskills.com'
Sign the web CSR with the root CA, binding the web certificate to the root certificate:
openssl ca -keyfile private/cakey.pem -cert cacert.pem -in httpd.csr -out httpd.pem
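A check worth running on the issued files before they are used or copied anywhere, as an added example that is not part of the original write-up: check_cert confirms that httpd.pem chains to cacert.pem, that httpd.key belongs to it, that the CN is the expected one and that the RSA key is at least 2048 bits. demo_ca repeats the steps above in a scratch directory to produce constructed input; its ca.cnf, the explicit 2048-bit key size and the -name/-batch/-days/-md options are assumptions of this sketch, and its openssl req calls still read the system default openssl.cnf.

```shell
#!/bin/sh
# Added example, not the page's own code. ca.cnf, the scratch directory and the
# 2048-bit floor are assumptions; file names and subjects follow the page.
# check_cert CA_CERT CERT KEY EXPECTED_CN: returns 0 only if every check passes.
check_cert() {
    # 1. The certificate must chain to the root CA.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    # 2. The private key must belong to the certificate (same public key).
    [ "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$3" -pubout | openssl sha256)" ] || { echo "key: MISMATCH"; return 2; }
    # 3. The subject must carry exactly the expected common name.
    subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}; subj=${subj# }
    case ",$subj," in *",CN=$4,"*) ;; *) echo "subject: $subj"; return 3 ;; esac
    # 4. genrsa is run without a size on the page, so confirm the key length.
    bits=$(openssl x509 -in "$2" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key size: ${bits:-?} bits"; return 4; }
    echo "OK: $subj"
}

# demo_ca DIR: repeat the page's steps in scratch DIR to get constructed input.
demo_ca() (
    mkdir -p "$1/private" "$1/newcerts" && cd "$1" || exit 1
    touch index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[CA_default]
database = index.txt
new_certs_dir = newcerts
serial = serial
policy = policy_optional
[policy_optional]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
EOF
    openssl genrsa -out private/cakey.pem 2048 2>/dev/null &&
    openssl req -new -x509 -key private/cakey.pem -out cacert.pem \
        -subj '/C=CN/O=Inc/OU=www.skills.com/CN=Skill Global Root CA' &&
    openssl genrsa -out httpd.key 2048 2>/dev/null &&
    openssl req -new -key httpd.key -out httpd.csr \
        -subj '/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=*.sdskills.com' &&
    openssl ca -config ca.cnf -name CA_default -batch -days 365 -md sha256 \
        -keyfile private/cakey.pem -cert cacert.pem -in httpd.csr -out httpd.pem 2>/dev/null
)

if [ $# -eq 4 ]; then check_cert "$@"; fi
```

Saved under any file name and run from /CA with the four arguments cacert.pem httpd.pem httpd.key '*.sdskills.com', it checks the real files; a non-zero exit status identifies the failed check by number.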
To pass the certificate to another PC for use:
On the new PC, create:
mkdir /etc/httpd/ssl
Then simply send the files from the host to the PC; for example, if the PC's IP is (1.9):
scp cacert.pem httpd.key httpd.pem root@192.168.1.9:/etc/httpd/ssl
Enter the password to complete the transfer:
Check on the 1.9 PC:
ll /etc/httpd/ssl