CA

OpenSSL's configuration file is /etc/pki/tls/openssl.cnf; it holds most of the settings that govern the CA.

[root@CentOS7 ~]#vim /etc/pki/tls/openssl.cnf 

... (part omitted)

####################################################################
[ ca ]
default_ca      = CA_default            # the default CA

####################################################################
[ CA_default ]                          # default settings for the CA

dir             = /etc/pki/CA           # top-level directory for all CA files
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # where issued CRLs are kept
database        = $dir/index.txt        # certificate index database
#unique_subject = no                    # whether several certificates may share one subject

new_certs_dir   = $dir/newcerts         # directory for newly issued certificates

certificate     = $dir/cacert.pem       # the CA's own (self-signed) certificate
serial          = $dir/serial           # serial number of the next certificate
crlnumber       = $dir/crlnumber        # number of the next certificate revocation list
crl             = $dir/crl.pem          # the current CRL (list of revoked certificates)
private_key     = $dir/private/cakey.pem # the CA's private key
RANDFILE        = $dir/private/.rand    # random seed file for private keys

x509_extensions = usr_cert              # extensions added to issued certificates
...
default_days    = 365                   # certificate validity period (days)
default_crl_days= 30                    # how long before the next CRL is due (days)
default_md      = sha256                # hash algorithm used for signing
preserve        = no                    # keep passed DN ordering
...
policy          = policy_match          # the CA policy to apply

# For the CA policy
[ policy_match ]                        # definition of the policy_match policy
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]                    # definition of the policy_anything policy
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied

1. Create the private CA's private key
According to the configuration file above, the CA's private key is expected at /etc/pki/CA/private/cakey.pem.

[root@CentOS7 ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
.............................................................+++
e is 65537 (0x10001)
[root@CentOS7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 1 file

In the command above, the parentheses run a subshell in which umask is set temporarily, so the private key file is created with mode 600 from the start.

2. Generate the self-signed certificate
Using the CA private key from the previous step, generate the self-signed certificate /etc/pki/CA/cacert.pem
with a validity of ten years. The -x509 option makes openssl req produce a self-signed certificate instead of a request.

[root@CentOS7 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:Magedu.com        
Organizational Unit Name (eg, section) []:M24
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

[root@CentOS7 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files


The contents of the signed certificate can be inspected with:

[root@CentOS7 ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text

3. Create the certificate database, the serial number file and a directory for incoming requests

[root@CentOS7 ~]#touch /etc/pki/CA/index.txt
# create the (initially empty) certificate index database
[root@CentOS7 ~]#echo 01 >  /etc/pki/CA/serial
# set the serial number of the first certificate to be issued
[root@CentOS7 ~]#mkdir /etc/pki/CA/csr/
# directory that will receive incoming certificate requests

Client side:

1. Generate a private key
Unlike on the CA server, the client's private key can be stored at any path you choose.

[root@CentOS6 ~]#(umask 066;openssl genrsa -out /app/service.key 2048)
Generating RSA private key, 2048 bit long modulus
........+++
..................+++
e is 65537 (0x10001)
[root@CentOS6 ~]#ll /app
total 4
-rw-------. 1 root root 1675 Jul 15 09:16 service.key

2. Generate a certificate signing request on the host that needs the certificate

[root@CentOS6 ~]#openssl req -new -key /app/service.key -out /app/service.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:SHENZHEN
Organization Name (eg, company) [Default Company Ltd]:Magedu.com
Organizational Unit Name (eg, section) []:beiguoxia
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Send the request to the CA server

[root@CentOS6 ~]#scp /app/service.csr 192.168.5.133:/etc/pki/CA/csr
root@192.168.5.133's password: 
service.csr                                        100% 1025     1.0KB/s   00:00    

Issue the certificate on the CA server:

[root@CentOS7 CA]#openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.cer -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 17 12:43:54 2017 GMT
            Not After : Oct 25 12:43:54 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GUANGDONG
            organizationName          = Magedu.com
            organizationalUnitName    = beiguoxia
            commonName                = www.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                AA:35:D0:2E:EF:8C:91:59:98:FD:7A:96:6A:75:36:4E:97:1D:3A:30
            X509v3 Authority Key Identifier: 
                keyid:91:B1:F6:B0:EA:2A:3F:A2:F8:93:A7:11:75:44:D4:2C:67:2E:2E:31

Certificate is to be certified until Oct 25 12:43:54 2017 GMT (100 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The output confirms that the certificate was issued and the database updated. Let's have a look:

[root@CentOS7 CA]#tree `/etc/pki/CA`
-bash: /etc/pki/CA: Is a directory
.
├── cacert.pem
├── certs
│   └── service.cer
├── crl
├── csr
│   └── service.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
[root@CentOS7 CA]#cat serial
02

As you can see, the next serial number recorded in the serial file has advanced from 01 to 02.
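The two files this procedure keeps touching, index.txt and serial, are the only state openssl ca relies on when it issues the next certificate. The script below is an added example, not from the original post: it parses the index.txt format, computes the serial the CA should assign next, and lists entries still marked valid that have already expired. It runs on constructed sample data (the second index line and the mail.magedu.com name are hypothetical); feed it the contents of /etc/pki/CA/index.txt and /etc/pki/CA/serial to check a live CA.

```shell
# Added example, not from the original post: audit the CA database (index.txt)
# and the serial counter (serial) named in CA_default. index.txt is tab-separated:
# status (V valid / R revoked / E expired), expiry YYMMDDHHMMSSZ, revocation date,
# serial (hex), file name, subject DN.
TAB=$(printf '\t')

# Constructed sample: the page's certificate (serial 01, expires Oct 25 2017)
# plus a hypothetical revoked one (serial 02), so the serial file should hold 03.
SAMPLE_INDEX="V${TAB}171025124354Z${TAB}${TAB}01${TAB}unknown${TAB}/C=CN/ST=GUANGDONG/O=Magedu.com/OU=beiguoxia/CN=www.magedu.com
R${TAB}180201000000Z${TAB}170720103000Z${TAB}02${TAB}unknown${TAB}/C=CN/ST=GUANGDONG/O=Magedu.com/OU=beiguoxia/CN=mail.magedu.com"
SAMPLE_SERIAL=03

# Split one index line into status/expiry/revoked/serial/file/dn. `read` with
# IFS=tab would collapse the empty revocation column, so cut with expansions.
ca_fields() {
    rest=$1; [ -n "$rest" ] || return 1
    status=${rest%%"$TAB"*};  rest=${rest#*"$TAB"}
    expiry=${rest%%"$TAB"*};  rest=${rest#*"$TAB"}
    revoked=${rest%%"$TAB"*}; rest=${rest#*"$TAB"}
    serial=${rest%%"$TAB"*};  rest=${rest#*"$TAB"}
    file=${rest%%"$TAB"*};    dn=${rest#*"$TAB"}
}

# Next serial openssl ca should assign: highest serial in the index plus one, in
# the two-digit uppercase hex the serial file uses (01 became 02 above). Compare
# with the serial file: a mismatch (hand edits, mixed backups) can reuse a serial.
ca_expected_next_serial() {
    max=0
    while IFS= read -r line; do
        ca_fields "$line" || continue
        n=$((0x$serial))
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done <<EOF
$1
EOF
    printf '%02X\n' $((max + 1))
}

# Print serials still marked V whose expiry is before $2 (YYMMDDHHMMSSZ):
# openssl ca only flips V to E on -updatedb, so expired-but-V entries are common.
ca_stale_entries() {
    while IFS= read -r line; do
        ca_fields "$line" || continue
        if [ "$status" = "V" ] && [ "${expiry%Z}" -lt "${2%Z}" ]; then
            printf '%s\n' "$serial"
        fi
    done <<EOF
$1
EOF
}
```

For a live CA, `[ "$(ca_expected_next_serial "$(cat /etc/pki/CA/index.txt)")" = "$(cat /etc/pki/CA/serial)" ]` is the drift check, and `ca_stale_entries ... "$(date -u +%y%m%d%H%M%SZ)"` lists certificates that should have been marked expired.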
