[root@ca-server ~]# cd /etc/pki/CA/
[root@ca-server CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..................................................+++
[root@ca-server CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jinan
Locality Name (eg, city) [Default City]:Jinan
Organization Name (eg, company) [Default Company Ltd]:agou
Organizational Unit Name (eg, section) []:agou
Common Name (eg, your name or your server's hostname) []:ca.agou-ops.com
[root@ca-server CA]# touch index.txt
[root@ca-server CA]# echo 01 > serial
[root@master /]# cd /etc/pki/nginx/private/
[root@master private]# (umask 077;openssl genrsa -out ngx.key 2048) # generate the private key
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
[root@master private]# openssl req -new -key ngx.key -out ngx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jinan
Locality Name (eg, city) [Default City]:Jinan
Organization Name (eg, company) [Default Company Ltd]:agou
Organizational Unit Name (eg, section) []:agou
Common Name (eg, your name or your server's hostname) []:www.agou-ops.com
Please enter the following 'extra' attributes
to be sent with your certificate request
An optional company name []:
[root@master private]# scp ngx.csr root@172.16.1.135:/root # send to the CA host for signing
ngx.csr 100% 1001 541.8KB/s 00:00
[root@ca-server ~]# openssl ca -in ngx.csr -out /etc/pki/CA/certs/ngx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Not Before: Apr 4 12:36:18 2020 GMT
Not After : Apr 4 12:36:18 2021 GMT
stateOrProvinceName = Jinan
organizationalUnitName = agou
commonName = www.agou-ops.com
X509v3 Basic Constraints:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8B:23:27:C4:7C:B0:A3:71:72:00:88:1E:9D:8F:BA:B6:52:DC:30:3C
X509v3 Authority Key Identifier:
keyid:19:60:32:59:F6:8A:49:04:C9:A6:07:41:62:DF:7B:3A:3D:FC:83:86
Certificate is to be certified until Apr 4 12:36:18 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
[root@ca-server ~]# scp /etc/pki/CA/certs/ngx.crt root@172.16.1.134:/etc/pki/nginx/ # send the generated crt to the client machine
ngx.crt 100% 4450 2.3MB/s 00:00
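
Added example, not part of the original session: before nginx is pointed at the new files, confirm that the issued certificate chains to the CA, belongs to the private key on the web server, and lists the hostname as a subjectAltName (current browsers ignore the Common Name, and the signing output above lists no such extension). The function names and the throwaway demo CA are assumptions; the demo signs with `openssl x509 -req` instead of `openssl ca`.

```shell
#!/usr/bin/env bash
# Added example: checks to run on an issued certificate before deploying it.

# cert_chains_to CA_CERT CERT: succeeds if CERT verifies against CA_CERT.
cert_chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches_cert KEY CERT: succeeds if KEY's public half is the one in CERT.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT NAME: succeeds if NAME is an exact DNS subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# check_deployable CA_CERT KEY CERT NAME: runs all three, reports the first failure.
check_deployable() {
    cert_chains_to "$1" "$3"   || { echo "FAIL: $3 does not chain to $1"; return 1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $2 is not the key for $3"; return 2; }
    cert_has_san "$3" "$4"     || { echo "FAIL: $3 has no SAN for $4"; return 3; }
    echo "OK: $3"
}

# make_demo DIR: constructed sample data (throwaway CA, leaf with a SAN, and an
# unrelated key). Signs with `openssl x509 -req` rather than `openssl ca`, so
# no index.txt/serial database is needed; all names here are made up.
make_demo() {
    local d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
    printf 'subjectAltName=DNS:www.example.test\n' > "$d/san.ext"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-ca.example" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/leaf.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d) && make_demo "$demo"
check_deployable "$demo/ca.crt" "$demo/leaf.key" "$demo/leaf.crt" www.example.test
check_deployable "$demo/ca.crt" "$demo/other.key" "$demo/leaf.crt" www.example.test || true
rm -rf "$demo"
```

With `cacert.pem` copied to the web server, the files from the session would be checked with `check_deployable cacert.pem /etc/pki/nginx/private/ngx.key /etc/pki/nginx/ngx.crt www.agou-ops.com`.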