1. Generate a self-signed CA certificate
1.1 Generate CA private key
# openssl genrsa -out ca.key 2048
1.2 Generate CA self-signed certificate based on CA private key
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config /etc/pki/tls/openssl.cnf
2. Issue a certificate to the server through a CA self-signed certificate
2.1 Generate server private key
# openssl genrsa -out server.key 2048
2.2 Generate a server certificate signing request (CSR) based on the server private key (used to request a certificate)
# openssl req -new -out server.csr -key server.key -config /etc/pki/tls/openssl.cnf
2.3 Sign the server's certificate signing request with the CA certificate and key, and issue a certificate for the server
Before issuing a certificate, create the certificate database file index.txt and the serial number file serial.
The serial number file must already contain an initial serial number, such as "01".
# touch /etc/pki/CA/index.txt
# echo "01" >> /etc/pki/CA/serial
Issue the official certificate:
# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config /etc/pki/tls/openssl.cnf
The resulting server.crt is the server's certificate.
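The whole procedure above, rerun in a scratch directory and then checked, as an added example that is not part of the original page. The minimal config file, the -subj names, the -batch flag and the function names are assumptions made here so that the run is non-interactive and leaves /etc/pki untouched; the check confirms that server.crt chains to ca.crt and carries the public key of server.key.

```shell
# Added example; the config, subject names and function names are constructed here.
issue_in_scratch() {    # $1 = absolute path of an empty scratch directory
    d=$1
    mkdir -p "$d/CA/newcerts" && touch "$d/CA/index.txt" &&
        echo "01" > "$d/CA/serial" || return 1
    # Minimal stand-in for /etc/pki/tls/openssl.cnf (assumption, not the distro file)
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/CA/index.txt
serial = $d/CA/serial
new_certs_dir = $d/CA/newcerts
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Steps 1.1, 1.2, 2.1, 2.2 and 2.3 of the page, in order
    ( cd "$d" &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
          -config openssl.cnf -subj "/CN=Example Test CA" &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -out server.csr -key server.key \
          -config openssl.cnf -subj "/CN=server.example.test" &&
      openssl ca -batch -in server.csr -out server.crt -cert ca.crt \
          -keyfile ca.key -config openssl.cnf ) >/dev/null 2>&1
}

check_issued() {        # $1 = directory holding ca.crt, server.crt, server.key
    ( cd "$1" &&
      # The server certificate must verify against the CA certificate ...
      openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 &&
      # ... and must contain the public half of server.key
      [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
        "$(openssl pkey -in server.key -pubout 2>/dev/null)" ] )
}
# Usage: d=$(mktemp -d); issue_in_scratch "$d" && check_issued "$d" && echo OK
```

check_issued can also be pointed at the directory where the page's own commands were run, since it only reads ca.crt, server.crt and server.key.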