Configuring a private CA
CA configuration information: /etc/pki/tls/openssl.cnf
1. Create the required files
touch /etc/pki/CA/index.txt    Stores the certificate database; you need to create this file manually
echo > /etc/pki/CA/serial    Specify the certificate serial number, in hexadecimal
2. On CentOS 7 (the CA), generate the CA private key.
(umask 066; openssl genrsa -out private/cakey.pem -des 2048)
3. Generate a self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-key is the path to the CA's own private key; -out is the path of the generated certificate
req      Certificate request
-x509    Self-signed certificate
Add -x509 to issue and sign the certificate yourself.
Leave it out to generate a certificate request.
4. A client requesting a certificate must first have a private key file
The CentOS 6 client will end up with 3 files: a private key file, a request file, and the issued certificate
The certificate files are generally placed under the application's own directory, such as conf.d
Generate the private key: (umask 066; openssl genrsa -out app.key 1024)
Generate the certificate request: openssl req -new -key app.key -out app.csr    The validity period and -x509 do not need to be added
Upload the certificate request to the CA (the CentOS 7 server)
scp
5. The CA generates the certificate
openssl ca -in app.csr -out certs/app.crt -days 730
-out is followed by the path of the generated certificate; the configuration file does not change
No need to touch index.txt again
These files, including the serial number file (echo > serial), are all in the CA directory
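
The five steps above, run end to end in a scratch directory, as an added example that is not part of the original page. It assumes a trimmed-down config file in place of /etc/pki/tls/openssl.cnf, made-up subject names, a starting serial of 01, and unencrypted 2048-bit keys so that nothing prompts for input.

```shell
# Steps 1-5 in a scratch directory instead of /etc/pki/CA.
# Assumptions (not from the page): the trimmed config below, the subject
# names, serial 01, and unencrypted 2048-bit keys (no passphrase prompts).
build_private_ca() {
    d=$1
    mkdir -p "$d/private" "$d/certs" "$d/newcerts" || return 1
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d/newcerts
certificate = $d/cacert.pem
private_key = $d/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # Step 1: certificate database and serial file
    touch "$d/index.txt" && echo 01 > "$d/serial" || return 1
    # Steps 2-3: CA private key (mode 0600 via umask) and self-signed certificate
    (umask 066; openssl genrsa -out "$d/private/cakey.pem" 2048) 2>/dev/null || return 1
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
        -days 7300 -subj "/C=XX/O=Example Org/CN=Example Private CA" \
        -out "$d/cacert.pem" || return 1
    # Step 4: client private key and certificate request (no -x509, no -days)
    (umask 066; openssl genrsa -out "$d/app.key" 2048) 2>/dev/null || return 1
    openssl req -new -config "$d/ca.cnf" -key "$d/app.key" \
        -subj "/C=XX/O=Example Org/CN=app.example.test" -out "$d/app.csr" || return 1
    # Step 5: the CA signs the request; -batch skips the confirmation prompts
    openssl ca -batch -config "$d/ca.cnf" -in "$d/app.csr" \
        -out "$d/certs/app.crt" -days 730 2>/dev/null || return 1
    # The issued certificate must chain to the CA certificate
    openssl verify -CAfile "$d/cacert.pem" "$d/certs/app.crt" >/dev/null
}
build_private_ca "$(mktemp -d)" && echo "issued certificate verifies against the CA"
```

After signing, the serial file has advanced to 02 and index.txt holds one valid (V) entry, which is why neither file needs to be recreated for later requests.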