cp /usr/share/ssl/openssl.cnf ./demoCA
vi ./demoCA/openssl.cnf and edit the dir configuration of CA_default from ./demoCA to .
mkdir demoCA/certs
mkdir demoCA/crl
mkdir demoCA/newcerts
mkdir demoCA/private
echo "01" > demoCA/serial
touch demoCA/index.txt
cd demoCA
openssl req -new -x509 -keyout ./private/cakey.pem -out ./cacert.pem -days 3650(password input twice, 该密码多次用到,HTTPD启动也须用到, 10年有效期)
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:San Clara
Organization Name (eg, company) [My Company Ltd]:Cisco
Organizational Unit Name (eg, section) []:WebEx
Common Name (eg, your name or your server's hostname) []:ServerDNSName(最好跟你SERVER名字一样)
Email Address []:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:San Clara
Organization Name (eg, company) [My Company Ltd]:Cisco
Organizational Unit Name (eg, section) []:WebEx
Common Name (eg, your name or your server's hostname) []:ServerDNSName
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Cisco-WebEx Communication Inc.
mv server.csr newreq.pem
openssl ca -config ./openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem
mv newcert.pem server.crt
vi /etc/httpd/conf.d/ssl.conf并改变以下四行并确保没被注释。
SSLCertificateFile /etc/httpd/conf.d/demoCA/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/demoCA/server.key
SSLCACertificatePath /etc/httpd/conf.d/demoCA
SSLCACertificateFile /etc/httpd/conf.d/demoCA/cacert.pem
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLVerifyClient none(by default)
如果需要第三方签你的根证书,需把你的cacert.pem证书交与第三方认证机构进行签证。