1、生成私钥
[root@localhost cert]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..............+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#提示输入私钥密码,两次输入一致即可
[root@localhost cert]# ll
总用量 4
-rw------- 1 root root 1751 9月 10 22:26 server.key
2、生成证书请求
[root@localhost cert]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: #输入上面的私钥密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN #国家名
State or Province Name (full name) [Some-State]:JS #省名
Locality Name (eg, city) []:NJ #城市名
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test #组织名
Organizational Unit Name (eg, section) []:test #机构名
Common Name (e.g. server FQDN or YOUR name) []:www.test.com #域名
Email Address []:1255109811@qq.com #邮箱名
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #是否需要改变密码(不需要直接enter)
An optional company name []: #公司名称(不需要直接enter)
[root@localhost cert]# ll
总用量 8
-rw-r--r-- 1 root root 1033 9月 10 22:36 server.csr
-rw------- 1 root root 1751 9月 10 22:26 server.key
3、备份私钥
[root@localhost cert]# cp server.key server.key.org
[root@localhost cert]# ll
总用量 12
-rw-r--r-- 1 root root 1033 9月 10 22:36 server.csr
-rw------- 1 root root 1751 9月 10 22:26 server.key
-rw------- 1 root root 1751 9月 10 22:44 server.key.org
4、退掉私钥的密码
#在第1步创建私钥的过程中,由于必须要指定一个密码。而这个密码会带来一个副作用,那就是在每次启动Web服务时,都会要求输入密码,这显然非常不方便。
[root@localhost cert]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: #输入上面私钥的密码
writing RSA key
[root@localhost cert]# ll
总用量 12
-rw-r--r-- 1 root root 1033 9月 10 22:36 server.csr
-rw------- 1 root root 1679 9月 10 22:50 server.key
-rw------- 1 root root 1751 9月 10 22:44 server.key.org
5、使用秘钥和CSR正式进行签名
[root@localhost cert]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = JS, L = NJ, O = test, OU = test, CN = www.test.com, emailAddress = 1255109811@qq.com
Getting Private key
[root@localhost cert]# ll
总用量 16
-rw-r--r-- 1 root root 1277 9月 10 22:53 server.crt
-rw-r--r-- 1 root root 1033 9月 10 22:36 server.csr
-rw------- 1 root root 1679 9月 10 22:50 server.key
-rw------- 1 root root 1751 9月 10 22:44 server.key.org
6、加权限
[root@localhost cert]# chmod a+x *
[root@localhost cert]# ll
总用量 16
-rwxr-xr-x 1 root root 1277 9月 10 22:53 server.crt
-rwxr-xr-x 1 root root 1033 9月 10 22:36 server.csr
-rwx--x--x 1 root root 1679 9月 10 22:50 server.key
-rwx--x--x 1 root root 1751 9月 10 22:44 server.key.org
全部评论