[iyunv@node3 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................+++
..................................+++
[iyunv@node3 newcerts]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tz.company
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:tzca.com
Email Address []:
[iyunv@node3 CA]# touch {serial,index.txt}
[iyunv@node3 CA]# echo 01 > serial
[iyunv@node4 nginx]# mkdir ssl
[iyunv@node4 nginx]# cd ssl/
[iyunv@node4 ssl]# (umask 077; openssl genrsa -out nginx.key 1024)
Generating RSA private key, 1024 bit long modulus
.................................++++++
........................++++++
e is 65537 (0x10001)
[iyunv@node4 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tz.company
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.tz.com
Email Address []:tz66@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[iyunv@node4 ssl]# scp nginx.csr root@172.16.61.5:/tmp
root@172.16.61.5's password:
nginx.csr 100% 696 0.7KB/s 00:00
[iyunv@node3 CA]# openssl ca -in /tmp/nginx.csr -out certs/nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 29 13:11:28 2016 GMT
Not After : Feb 28 13:11:28 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = tz.company
organizationalUnitName = ops
commonName = www.tz.com
emailAddress = tz66@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E5:01:2E:03:DE:39:5E:71:3B:9C:E3:D9:60:00:97:16:95:42:16:EB
X509v3 Authority Key Identifier:
keyid:12:C5:01:DB:D3:6C:F6:67:3D:3B:60:99:D8:AD:7E:21:90:46:22:62
Certificate is to be certified until Feb 28 13:11:28 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@node3 certs]# scp nginx.crt root@172.16.61.4:/etc/nginx/ssl
The authenticity of host '172.16.61.4 (172.16.61.4)' can't be established.
ECDSA key fingerprint is 88:93:ff:8b:6e:ac:a0:c1:10:1f:4b:7d:ac:44:85:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.61.4' (ECDSA) to the list of known hosts.
root@172.16.61.4's password:
nginx.crt 100% 3774 3.7KB/s 00:0
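The session above does the whole job by hand: CA key under umask 077, self-signed CA certificate, the serial and index.txt files that openssl ca needs, then a server key, a CSR and an interactive signing on the CA host. Two things a reviewer would flag in it: the nginx key is only 1024 bits, which is below the 2048-bit minimum every current client and CA/Browser Forum baseline requires, and the signed certificate carries only a commonName and no subjectAltName, so modern browsers (which ignore the CN for hostname matching) will refuse it for www.tz.com. The script below is an added example, not part of the original session, that replays the same workflow non-interactively with those two points fixed and finishes with a verification step. It assumes its own throwaway CA directory and a minimal openssl.cnf written inline (the session relied on the distribution's /etc/pki/tls/openssl.cnf), uses -batch instead of the y/n prompts and -extfile for the leaf extensions; the host names, organisation and directory names are constructed.

```shell
#!/bin/sh
# Added example (not from the original session): private CA + server cert
# with openssl ca, non-interactively, plus a verification step.
set -eu

# Minimal openssl.cnf for `openssl ca`; the page used the distro's copy.
write_ca_config() {
    ca_dir=$1
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = tz_ca
[ tz_ca ]
database      = $ca_dir/index.txt
new_certs_dir = $ca_dir/newcerts
serial        = $ca_dir/serial
certificate   = $ca_dir/cacert.pem
private_key   = $ca_dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder-overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Same steps as the node3 part of the session: dirs, index.txt, serial=01,
# CA key created under umask 077 (mode 0600), self-signed CA certificate.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts" "$ca_dir/certs"
    touch "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    write_ca_config "$ca_dir"
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/private/cakey.pem" -days 365 \
        -subj "/C=CN/ST=beijing/L=beijing/O=tz.company/OU=ops/CN=tzca.com" \
        -out "$ca_dir/cacert.pem"
}

# Same steps as the node4 part, but 2048-bit key and a subjectAltName;
# -batch replaces the two y/n prompts, -extfile carries the leaf extensions.
issue_server_cert() {
    ca_dir=$1; host=$2; key=$3; crt=$4
    (umask 077; openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$key" \
        -subj "/C=CN/ST=beijing/L=beijing/O=tz.company/OU=ops/CN=$host" \
        -out "$crt.csr"
    cat > "$crt.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$host
EOF
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" \
        -extfile "$crt.ext" -extensions server_cert \
        -in "$crt.csr" -out "$crt"
}

# The checks a client performs: chain to the CA, SAN matches, leaf is not a CA.
verify_cert() {
    ca_dir=$1; crt=$2; host=$3
    openssl verify -CAfile "$ca_dir/cacert.pem" "$crt" >/dev/null || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "CA:FALSE" || return 1
}

# Modulus size of an RSA private key, e.g. "2048".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n1
}

main() {
    work=${1:-$(mktemp -d)}
    make_ca "$work/CA"
    issue_server_cert "$work/CA" www.tz.com "$work/nginx.key" "$work/nginx.crt"
    verify_cert "$work/CA" "$work/nginx.crt" www.tz.com \
        && echo "nginx.crt verifies against $work/CA/cacert.pem"
    echo "server key: $(key_bits "$work/nginx.key") bits; next serial: $(cat "$work/CA/serial")"
}
main "${1:-}"
```

After a run, $work/CA/serial reads 02 and $work/CA/newcerts/01.pem holds a copy of the issued certificate, which is exactly the bookkeeping the session's touch {serial,index.txt} and echo 01 > serial set up; the CA private key stays 0600 because genrsa runs inside the umask 077 subshell, the same idiom the session uses.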