How to use OpenSSL to set up a private CA and issue certificates from certificate requests

1 Create a private CA

openssl configuration file:

/etc/pki/tls/openssl.cnf

1.1 Create the files the CA needs

# Create the certificate index database file
touch /etc/pki/CA/index.txt
# Set the serial number of the first certificate to be issued
echo 01 > /etc/pki/CA/serial

1.2 Generate the CA private key

cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)

1.3 Generate the CA's self-signed certificate

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem

2 Request and issue a certificate

2.1 Generate the application request

Create the RSA private key needed for the certificate request:

(umask 066; openssl genrsa -out app.key 2048)

2.2 RA verification

Generate the certificate request using the private key you just created:

openssl req -new -key app.key -out app.csr

Fill in the requested information in turn.

2.3 CA signing

Sign the certificate request with the CA:

openssl ca -in app.csr -out /etc/pki/CA/certs/app.crt -days 100

2.4 Obtain the certificate

After signing succeeds, look at the files under the CA path: the certificate is written to certs/app.crt and to newcerts/01.pem.

tree /etc/pki/CA/

Compare the two files, then view the certificate contents:

diff /etc/pki/CA/certs/app.crt /etc/pki/CA/newcerts/01.pem
openssl x509 -in /etc/pki/CA/certs/app.crt -noout -text
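
The whole procedure from sections 1 and 2, as an added example that is not part of the original article: it runs non-interactively in a scratch directory and finishes by verifying the issued certificate against the CA. The function name build_demo_ca, the minimal openssl.cnf it writes (used instead of /etc/pki/tls/openssl.cnf) and the subject names are constructed for illustration.

```sh
#!/bin/sh
# Added example: private CA + one issued certificate, built under directory $1.
build_demo_ca() {
    d=$1
    mkdir -p "$d/private" "$d/certs" "$d/newcerts" || return 1
    # Constructed config: only the settings `openssl ca` and `openssl req` need.
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/newcerts
certificate = $d/cacert.pem
private_key = $d/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # 1.1 index database and first serial number
    touch "$d/index.txt" && echo 01 > "$d/serial" || return 1
    # 1.2 / 1.3 CA key (no group/other access) and self-signed certificate
    (umask 066; openssl genrsa -out "$d/private/cakey.pem" 2048) || return 1
    openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/private/cakey.pem" \
        -subj "/C=CN/O=Example Org/CN=Demo Root CA" -days 3650 \
        -out "$d/cacert.pem" || return 1
    # 2.1 / 2.2 applicant key and CSR; C and O must match the CA (policy_match)
    (umask 066; openssl genrsa -out "$d/app.key" 2048) || return 1
    openssl req -new -config "$d/openssl.cnf" -key "$d/app.key" \
        -subj "/C=CN/O=Example Org/CN=app.example.test" -out "$d/app.csr" || return 1
    # 2.3 CA signs the request; -batch skips the interactive confirmation
    openssl ca -batch -config "$d/openssl.cnf" -in "$d/app.csr" \
        -out "$d/certs/app.crt" -days 100 || return 1
    # 2.4 the issued certificate must chain to the CA certificate
    openssl verify -CAfile "$d/cacert.pem" "$d/certs/app.crt"
}

CA_DIR=$(mktemp -d) && build_demo_ca "$CA_DIR" && echo "demo CA built in $CA_DIR"
```

If the CSR's country or organization differs from the CA's, the policy_match section in this config makes openssl ca refuse to sign it.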

Origin blog.csdn.net/xingchenshaonian/article/details/104221002