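Environment: CentOS 6.5

Two hosts: one acts as the CA that signs certificates, the other is the Apache server.

Step 1: Install SSL support on the Apache server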

yum install -y mod_ssl

After that, httpd -M lists the ssl module:

ssl_module (shared)

Step 2: Generate a self-signed certificate on the CA machine

First generate the private key

[root@slave CA]# cd /etc/pki/CA

[root@slave CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

..........................................................+++

...................................................................+++

e is 65537 (0x10001)

This output means the key was generated successfully.

Generate the self-signed certificate

[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:GD

Locality Name (eg, city) [Default City]:gz

Organization Name (eg, company) [Default Company Ltd]:hu

Organizational Unit Name (eg, section) []:hu

Common Name (eg, your name or your server's hostname) []:ca.8.com

Email Address []:a

[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:gd

Locality Name (eg, city) [Default City]:gz

Organization Name (eg, company) [Default Company Ltd]:hu

Organizational Unit Name (eg, section) []:hu

Common Name (eg, your name or your server's hostname) []:ca.920.com

Email Address []:admin@920.com

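At this point the self-signed certificate has been generated.

Step 3: Create the certificate database

[root@slave CA]# touch index.txt        # certificate database

[root@slave CA]# echo 01 > serial       # serial number

Step 4: Generate a key pair on the Apache machine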

[root@nginx ~]# mkdir /etc/httpd/ssl

[root@nginx ~]# cd /etc/httpd/ssl

[root@nginx ssl]# (umask 077;openssl genrsa 1024 > httpd.key)

Generating RSA private key, 1024 bit long modulus

....++++++

.......++++++

e is 65537 (0x10001)

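Generate the certificate signing request for the CA

Note: the values entered here must match those entered on the CA; the hostname (Common Name) is the exception.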

[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:GD

Locality Name (eg, city) [Default City]:^C

[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:gd

Locality Name (eg, city) [Default City]:gz

Organization Name (eg, company) [Default Company Ltd]:hu

Organizational Unit Name (eg, section) []:hu

Common Name (eg, your name or your server's hostname) []:qq.com

Email Address []:admin@qq.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Then copy http.csr to the CA server to be signed.

Step 5: Sign the request on the CA

[root@slave CA]# openssl ca -in /tmp/http.csr -out /tmp/http.rt -days 3650

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Feb 13 10:03:52 2015 GMT

Not After : Feb 10 10:03:52 2025 GMT

Subject:

countryName               = CN

stateOrProvinceName       = gd

organizationName          = hu

organizationalUnitName    = hu

commonName                = qq.com

emailAddress              = admin@qq.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

A5:7E:50:2A:8C:4D:B5:E3:DB:72:D7:F8:CE:E2:20:B0:F9:FD:18:0D

X509v3 Authority Key Identifier:

keyid:45:71:85:FA:99:EE:F1:0E:0F:EC:AB:6D:8C:F7:1F:A2:32:DF:31:6A

Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

The certificate was signed successfully.

[root@slave CA]# cat /etc/pki/CA/index.txt

V       250210100352Z           01      unknown /C=CN/ST=gd/O=hu/OU=hu/CN=qq.com/emailAddress=admin@qq.com

As shown, the database has been updated.
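
An added example, not part of the original post: a short Python audit of the index.txt database that openssl ca updates in step 5. It parses each entry's status flag, expiry, revocation field, serial and subject, and reports serials that are revoked or past expiry; the second sample line and the names parse_index and needs_attention are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the layout `openssl ca` writes to index.txt: six
# tab-separated fields (status, expiry, revocation, serial, file, subject).
SAMPLE_INDEX = (
    "V\t250210100352Z\t\t01\tunknown\t/C=CN/ST=gd/O=hu/OU=hu/CN=qq.com/emailAddress=admin@qq.com\n"
    "R\t260101000000Z\t250301120000Z,keyCompromise\t02\tunknown\t/C=CN/ST=gd/O=hu/CN=old.example\n"
)
STATUS = {"V": "valid", "R": "revoked", "E": "expired"}

def parse_time(stamp):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    # 13-character stamps are UTCTime; later dates use the four-digit-year form.
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    """Return one dict per certificate recorded in index.txt."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"expected 6 tab-separated fields: {line!r}")
        flag, expiry, revoked, serial, _filename, subject = fields
        when, _, reason = revoked.partition(",")  # "time[,reason]" or empty
        entries.append({
            "status": STATUS[flag],
            "not_after": parse_time(expiry),
            "revoked_at": parse_time(when) if when else None,
            "reason": reason or None,
            "serial": int(serial, 16),  # serials are stored as hex
            # Simplification: assumes no "/" inside a DN value.
            "subject": dict(p.split("=", 1) for p in subject.strip("/").split("/")),
        })
    return entries

def needs_attention(entries, now):
    """Serials that are revoked/expired, or still flagged V although past
    notAfter (the flag only changes when `openssl ca -updatedb` is run)."""
    return [e["serial"] for e in entries
            if e["status"] != "valid" or e["not_after"] <= now]

if __name__ == "__main__":
    for e in parse_index(SAMPLE_INDEX):
        print(f'{e["serial"]:02X} {e["status"]:8} {e["not_after"]:%Y-%m-%d} {e["subject"]["CN"]}')
```

To run it against the real database, pass the contents of /etc/pki/CA/index.txt to parse_index instead of SAMPLE_INDEX.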

Reposted from: https://blog.51cto.com/niubdada/1750637
