HTTPS CA self-signed certificate and issue certificate to webserver

Two hosts take part: the CA at 192.168.64.104, working in /etc/pki/CA, and the web server at 192.168.64.103, which keeps its certificate material under /etc/httpd/conf.d/ssl. The web server generates its own private key and a certificate signing request (CSR) and sends only the CSR to the CA; the CA signs it and sends back the server certificate together with the CA certificate. Neither private key ever leaves the host that generated it. In time order the steps are: initialise the CA; generate the web server key and CSR and copy the CSR to the CA; sign the CSR on the CA; copy httpd.crt and cacert.pem back to the web server; configure httpd. The transcripts below are grouped by host (prompts are shown as root@ca and root@webserver to mark where each command runs), so the CA section already shows httpd.csr in place.

**CA host: commands executed**

Initialise the database that `openssl ca` expects (an empty index file and the next serial number; the first issued certificate gets serial 1), then generate the CA private key with a restrictive umask so the file is created mode 0600, and finally the self-signed CA certificate, valid for ten years:

```
[root@ca ~]# cd /etc/pki/CA
[root@ca CA]# touch index.txt
[root@ca CA]# echo 01 > serial
[root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
......................................+++
e is 65537 (0x10001)
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com      <-- issuer name
Email Address []:[email protected]
[root@ca CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 5 files
```

httpd.csr is the request copied over from the web server (see the web server section). Sign it with the CA key; `openssl ca` reads its settings from /etc/pki/tls/openssl.cnf, records the issued certificate in index.txt and newcerts/, and increments serial:

```
[root@ca CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 19:08:15 2018 GMT
            Not After : Dec 19:08:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu.com
            organizationalUnitName    = opt
            commonName                = *.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
            X509v3 Authority Key Identifier:
                keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7
Certificate is to be certified until Dec 19:08:15 2019 GMT
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Note what the issued certificate does and does not contain: it is correctly marked CA:FALSE, but it carries no subjectAltName extension, only a CN of *.magedu.com. Browsers no longer fall back to the CN (Chrome dropped that fallback in version 58), so a certificate issued this way will be rejected by modern clients even after the CA certificate is trusted; add a SAN through an extension section when signing.

Copy the signed certificate and the CA certificate to the web server (only the CA certificate and httpd.crt travel; cakey.pem stays on the CA). The first connection prompts for the web server's SSH host key, and the second scp shows a mistyped password:

```
[root@ca CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsllktd4m4jyubnwub9d6zk8jlio5ysus9nhcrc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
root@192.168.64.103's password:
httpd.crt                                     100% 3870     6.4MB/s   00:00
[root@ca CA]# tree .
.
├── cacert.pem
├── certs
│   └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@ca CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
root@192.168.64.103's password:
Permission denied, please try again.
root@192.168.64.103's password:
cacert.pem                                    100% 1424     3.2MB/s   00:00
```

**Web server host: commands executed**

Create the directory, generate the server key (again under umask 077) and a CSR, and send the CSR to the CA. The genrsa invocation here passes no key size, so it falls back to this OpenSSL build's default of 1024 bits; that is too weak for a server key today, so pass 2048 explicitly as was done for the CA key:

```
[root@webserver ~]# mkdir /etc/httpd/conf.d/ssl
[root@webserver ~]# cd /etc/httpd/conf.d/ssl
[root@webserver ssl]# (umask 077; openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
[root@webserver ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com      <-- the web server name the certificate is issued to
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@webserver ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
root@192.168.64.104's password:
httpd.csr                                     100%  696     0.7KB/s   00:00
```

After the CA has signed the request and copied the two files back, the directory holds the key, the CSR, the issued certificate and the CA certificate:

```
[root@webserver ssl]# tree .
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key

0 directories, 4 files
```

Point mod_ssl at the files in /etc/httpd/conf.d/ssl.conf. The original excerpt shows only ServerName, SSLCertificateKeyFile and SSLCACertificateFile; SSLCertificateFile is also required and must reference httpd.crt, so it is included here:

```
vim /etc/httpd/conf.d/ssl.conf

ServerName www.magedu.com:443
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
```

Two points about this configuration. As the stock comment says, SSLCACertificateFile is the trust store mod_ssl uses to verify client certificates; setting it does nothing to make browsers trust httpd.crt. With a private CA, each client must import cacert.pem into its own trust store (or the CA certificate must be delivered out of band), otherwise the connection is still flagged as untrusted. Second, because httpd.crt is signed directly by the root, there are no intermediates to serve and SSLCertificateChainFile can stay commented out; if an intermediate CA were introduced, its certificate would go there (or be appended to the SSLCertificateFile on httpd 2.4.8 and later).
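The whole CA-to-webserver procedure above, reproduced end to end in a throwaway directory, as an added example that is not part of the original post. It keeps the `openssl ca` database layout used on the CA host (index.txt, serial, newcerts/, private/) but supplies its own minimal openssl.cnf so it runs anywhere, and it fixes the two weaknesses noted above: the server key size is given explicitly (2048) and the server certificate gets a subjectAltName from an extension section at signing time. The hostnames ca.example.test and www.example.test, the DN values and the file layout are assumptions chosen for the example; `verify_server_cert` checks the result the way a client that has imported cacert.pem would, chaining only to this CA and matching the requested hostname against the SAN.

```bash
#!/usr/bin/env bash
# Added example (not the original post's commands): private CA + signed
# server certificate in a temporary directory. Hostnames, DN values and
# paths are assumptions for the example.
set -eu

WORK="$(mktemp -d)"
CA="$WORK/CA"
SRV="$WORK/srv"
trap 'rm -rf "$WORK"' EXIT

# CA config mirroring the /etc/pki/CA layout: `openssl ca` needs the index
# file, the serial file, newcerts/ and the key/cert paths. `$dir` is kept
# literal so OpenSSL expands it; $CA is expanded by the shell.
write_ca_config() {
  mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private" "$SRV"
  touch "$CA/index.txt"
  echo 01 > "$CA/serial"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir            = $CA
database       = \$dir/index.txt
serial         = \$dir/serial
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 700
policy         = policy_loose

[ policy_loose ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.example.test, DNS:example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# CA host: 2048-bit key created mode 0600 via umask, then a 10-year
# self-signed CA certificate carrying CA:TRUE.
make_ca() {
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
    -days 3650 -sha256 -subj "/C=CN/O=example.test/CN=ca.example.test" \
    -config "$CA/openssl.cnf" -extensions v3_ca
}

# Web server host: key size given explicitly (old genrsa defaults to 1024).
# Only httpd.csr would travel to the CA; httpd.key stays here.
make_server_csr() {
  (umask 077; openssl genrsa -out "$SRV/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$SRV/httpd.key" -out "$SRV/httpd.csr" \
    -subj "/C=CN/O=example.test/CN=www.example.test" -config "$CA/openssl.cnf"
}

# CA host: sign the CSR. -extensions v3_server is what adds the SAN; the
# CSR's own extension requests are not copied. Writes newcerts/01.pem.
sign_server_cert() {
  openssl ca -batch -notext -config "$CA/openssl.cnf" -extensions v3_server \
    -in "$SRV/httpd.csr" -out "$SRV/httpd.crt" -days 700 2>/dev/null
}

# What a client that imported cacert.pem concludes for hostname $1:
# chain must end at this CA (system store not consulted) and SAN must match.
verify_server_cert() {
  if openssl verify -CAfile "$CA/cacert.pem" -verify_hostname "$1" \
       "$SRV/httpd.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# SAN line of the issued certificate, whitespace stripped.
san_of_server_cert() {
  openssl x509 -in "$SRV/httpd.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

write_ca_config
make_ca
make_server_csr
sign_server_cert
echo "SAN: $(san_of_server_cert)"
echo "www.example.test: $(verify_server_cert www.example.test)"
echo "bogus.example.test: $(verify_server_cert bogus.example.test)"
```

`openssl verify -CAfile` is the check worth running before touching ssl.conf: it proves the certificate chains to your own CA and, with `-verify_hostname`, that the name the browser will ask for is actually bound in the certificate rather than only in the CN.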