Use OpenSSL to create a certificate. The OS used is CentOS 7.
1. Modify the OpenSSL configuration file
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
 # several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/my-ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/my-ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
2. Prepare the file directory
cd /etc/pki/CA && rm -rf *
cd /etc/pki/tls/misc
./CA -newca
Press Ctrl-C to interrupt the script.
Create the serial file:
cd /etc/pki/CA
echo 00 > serial
3. Generate the root key
cd /etc/pki/CA
openssl genrsa -out private/my-ca.key
or, with a umask of 077 so that the key file is not readable by group or others:
( umask 077; openssl genrsa -out private/my-ca.key )
4. Generate the root certificate
openssl req -new -x509 -key private/my-ca.key -out my-ca.crt
5. Create the user certificate key and the certificate request file
cd /root
openssl genrsa -out nginx.key
openssl req -new -key nginx.key -out nginx.csr
6. Sign the certificate with the CA
openssl ca -in nginx.csr -out nginx.crt
The certificate has now been created.
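The six steps above, run non-interactively in a scratch directory and followed by three checks on the result, as an added example that is not part of the original page. The subject names, the 2048-bit key size, the validity periods and the minimal ca.cnf (standing in for the edited /etc/pki/tls/openssl.cnf) are assumptions.

```shell
# Added example (assumed subjects, 2048-bit keys): steps 1-6 in a scratch dir.
build_and_verify() {
    work=$(mktemp -d) || return 1
    (
    cd "$work" && mkdir -p CA/certs CA/crl CA/newcerts CA/private &&
    : > CA/index.txt && echo 00 > CA/serial &&
    # Stand-in for the openssl.cnf sections the steps rely on (assumed values).
    cat > ca.cnf <<EOF &&
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work/CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/my-ca.crt
serial = \$dir/serial
private_key = \$dir/private/my-ca.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
    ( umask 077; openssl genrsa -out CA/private/my-ca.key 2048 ) &&
    openssl req -new -x509 -config ca.cnf -key CA/private/my-ca.key \
        -out CA/my-ca.crt -days 3650 -subj "/CN=Example Test CA" &&
    ( umask 077; openssl genrsa -out nginx.key 2048 ) &&
    openssl req -new -config ca.cnf -key nginx.key -out nginx.csr \
        -subj "/CN=nginx.example.test" &&
    openssl ca -batch -config ca.cnf -in nginx.csr -out nginx.crt &&
    # Check 1: the CA key is not readable or writable by group or others.
    [ "$(ls -l CA/private/my-ca.key | cut -c5-10)" = "------" ] &&
    # Check 2: the issued certificate chains to the root certificate.
    openssl verify -CAfile CA/my-ca.crt nginx.crt &&
    # Check 3: the certificate carries the public key that belongs to nginx.key.
    [ "$(openssl x509 -noout -pubkey -in nginx.crt)" = \
      "$(openssl pkey -pubout -in nginx.key)" ]
    ) >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}
```

The same three checks can be run against /etc/pki/CA/my-ca.crt, /root/nginx.crt and /root/nginx.key after following the steps above.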