HTTPS: creating a self-signed CA certificate and issuing a certificate to a web server

Source: Internet
Author: User

**Commands run on the CA host**

Initialise the CA database and serial file, then generate the CA private key:

```
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
..............+++
e is 65537 (0x10001)
```

Create the self-signed CA certificate. The Common Name entered here (`ca.magedu.com`) becomes the **issuer name**:

```
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:[email protected]
```

The listing below already contains `httpd.csr`, the request copied over from the web server (see the web server commands further down):

```
[[email protected] CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 5 files
```

Sign the request:

```
[[email protected] CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 19:08:15 2018 GMT
            Not After : Dec 19:08:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu.com
            organizationalUnitName    = opt
            commonName                = *.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
            X509v3 Authority Key Identifier:
                keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7

Certificate is to be certified until Dec 19:08:15 2019 GMT
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Copy the signed certificate and the CA certificate to the web server:

```
[[email protected] CA]# scp c
cacert.pem  certs/      crl/
[[email protected] CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsllktd4m4jyubnwub9d6zk8jlio5ysus9nhcrc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.crt                                     100% 3870     6.4MB/s   00:00
[[email protected] CA]# tree
.
├── cacert.pem
├── certs
│   └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
cacert.pem                                    100% 1424     3.2MB/s   00:00
```

**Commands run on the web server host**

Create the directory and generate the server private key:

```
[[email protected] CA]# mkdir /etc/httpd/conf.d/ssl
[[email protected] CA]# cd /etc/httpd/conf.d/ssl
[[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
```

Create the certificate signing request. The Common Name (`*.magedu.com`) is the **web server's service name, the name the certificate is issued to**:

```
[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Send the request to the CA host. After the CA has signed it and copied the results back, the directory contains all four files:

```
[[email protected] ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
[email protected]'s password:
httpd.csr                                     100%  696     0.7KB/s   00:00
[[email protected] ssl]# tree
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key

0 directories, 4 files
```

Edit the Apache SSL configuration with `vim /etc/httpd/conf.d/ssl.conf`:

```
ServerName www.magedu.com:443
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
```
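Before reloading httpd it is worth checking the files that were copied around. The following is an added example, not part of the original page: the function names `check_issued_cert` and `make_sample_pki` are hypothetical, the 2048-bit minimum is an assumed policy (the 1024-bit web server key shown above would be reported), and the constructed sample PKI is signed with `openssl x509 -req` as a stand-in for `openssl ca`.

```shell
#!/bin/sh
# Added example: post-issuance checks for a certificate signed by a private CA.
# Usage: check_issued_cert CA_CERT SERVER_CERT SERVER_KEY [MIN_RSA_BITS]
check_issued_cert() {
    ca=$1 crt=$2 key=$3 min_bits=${4:-2048} rc=0

    # 1. The certificate must chain to the CA certificate clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL chain: $crt not signed by $ca"; rc=1; }

    # 2. The certificate's public key must belong to the private key Apache loads.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL keypair: $key does not match $crt"; rc=1; }

    # 3. Key length: anything under min_bits (assumed default 2048) is reported.
    bits=$(openssl x509 -in "$crt" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "FAIL keysize: ${bits:-unknown} bit < $min_bits"; rc=1; }

    # 4. The private key must not be accessible to group or other (umask 077).
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL perms: $key is accessible to group/other"; rc=1; }

    return $rc
}

# Constructed sample data: a throwaway CA and one server certificate in DIR.
make_sample_pki() {
    dir=$1
    ( cd "$dir" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -subj "/CN=Example Test CA" -days 1 &&
      openssl genrsa -out srv.key 2048 &&
      openssl genrsa -out other.key 2048 &&
      openssl req -new -key srv.key -subj "/CN=www.example.test" -out srv.csr &&
      openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
          -days 1 -out srv.crt ) >/dev/null 2>&1
}

# Demo on the constructed sample. On the page's web server the call would be
# (in /etc/httpd/conf.d/ssl): check_issued_cert cacert.pem httpd.crt httpd.key
tmp=$(mktemp -d) && make_sample_pki "$tmp" &&
    check_issued_cert "$tmp/ca.pem" "$tmp/srv.crt" "$tmp/srv.key" &&
    echo "all checks passed"
```

Each failed check prints one `FAIL` line and the function returns non-zero, so it can gate a deployment script.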
