1.安裝openssl
yum install -y openssl
2.修改配置文件
在/etc/pki/tls/openssl.conf的172行
basicConstraints=CA:TRUE，打開CA
3.創(chuàng)建CA

[root@slavedb ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..............................................................................................+++
...............+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT     
Common Name (eg, your name or your server's hostname) []:slavedb   
Email Address []:1@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f4:5a:65:88:11:9f:46:b6
        Validity
            Not Before: Sep 14 01:45:15 2019 GMT
            Not After : Sep 13 01:45:15 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = slavedb
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                9A:A5:C3:EA:07:80:4B:E0:08:7E:AF:E5:A8:17:A7:41:1D:10:C5:CD
            X509v3 Authority Key Identifier: 
                keyid:9A:A5:C3:EA:07:80:4B:E0:08:7E:AF:E5:A8:17:A7:41:1D:10:C5:CD

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Sep 13 01:45:15 2022 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

CA公鑰路徑
/etc/pki/CA/cacert.pem
CA私鑰路徑
/etc/pki/CA/private/cakey.pem

3.使用證書創(chuàng)建https
echo '<h1> https test page </h1>' > /var/www/html/index.html
生成ssl私鑰，此時公鑰還未創(chuàng)建

[root@slavedb ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 2048 bit long modulus
.................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:

這里輸入的是保護私鑰的密碼:123456，輸2次

創(chuàng)建服務器公鑰

[root@slavedb ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:masterdb #如果不基于ip訪問，此處的要與url一致
Email Address []:1@163.com 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          
An optional company name []:

將公鑰推送給CA服務器
scp /server.csr 10.10.10.21:/tmp/

CA簽名

[root@slavedb ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            f4:5a:65:88:11:9f:46:b8
        Validity
            Not Before: Sep 14 02:56:29 2019 GMT
            Not After : Sep 13 02:56:29 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = masterdb
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E1:3C:CE:05:C8:B3:38:43:57:FF:85:CB:6B:C5:5C:BE:11:0D:AD:B6
            X509v3 Authority Key Identifier: 
                keyid:50:11:77:D6:09:B0:94:29:16:A5:5D:09:FA:0A:2A:83:58:46:6E:5A

Certificate is to be certified until Sep 13 02:56:29 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

CA發(fā)送已簽的server.crt給服務器
scp /server.crt 10.10.10.25:/
到此證書簽名完成

yum install mode-ssl
cp /server.crt /etc/httpd/conf.d/
在/etc/httpd/conf.d/ssl.conf里100行修改
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
重啟httpd
訪問ip
在生產(chǎn)中實現(xiàn)https只需要生成的server.csr推送給CA，再部署server.crt