Magedu Linux ops study notes: the SSL protocol, openssl, and creating a private CA
Published: 2018-11-25 16:24:33  Editor: 雪饮
rpm -ql:
Lists the files installed by an rpm package, with their paths.
Example: rpm -ql openssl
Lists the files installed by the openssl rpm package.
openssl version:
Shows the openssl version.
[root@localhost ~]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
openssl speed des:
Uses openssl to benchmark the DES algorithm on the current system.
[root@localhost ~]# openssl speed des
Doing des cbc for 3s on 16 size blocks: 9580315 des cbc's in 2.86s
Doing des cbc for 3s on 64 size blocks: 2474778 des cbc's in 2.89s
Doing des cbc for 3s on 256 size blocks: 620824 des cbc's in 2.88s
Doing des cbc for 3s on 1024 size blocks: 157210 des cbc's in 2.89s
Doing des cbc for 3s on 8192 size blocks: 19444 des cbc's in 2.88s
Doing des ede3 for 3s on 16 size blocks: 3665694 des ede3's in 2.88s
Doing des ede3 for 3s on 64 size blocks: 906174 des ede3's in 2.88s
Doing des ede3 for 3s on 256 size blocks: 231390 des ede3's in 2.87s
Doing des ede3 for 3s on 1024 size blocks: 57769 des ede3's in 2.89s
Doing des ede3 for 3s on 8192 size blocks: 7164 des ede3's in 2.87s
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
built on: Wed Jan 18 10:10:45 EST 2012
options:bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) blowfish(ptr2)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -DMD32_REG_T=int -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DOPENSSL_USE_NEW_FUNCTIONS -fno-strict-aliasing -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des cbc 53596.17k 54804.77k 55184.36k 55703.47k 55307.38k
des ede3 20364.97k 20137.20k 20639.67k 20469.02k 20448.60k
openssl enc:
openssl provides a large number of symmetric cipher commands, and enc gathers all of them into one command. The user only has to run enc and name the cipher to get the same result as the standalone cipher command. Moreover, some of the ciphers that enc can select do not exist as standalone commands at all, so the author recommends using enc.
Example:
[root@localhost ~]# openssl enc -des3 -salt -a -in test -out test.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@localhost ~]# cat test.des3
U2FsdGVkX18HY3X22RVW8NMaNZ/LyeTqJrRWP6HdPLbUSgKXD+fN+YNuA/VWStn7
-a:
Because the encrypted file is binary and inconvenient to inspect, this option base64-encodes the ciphertext so that it is printable; correspondingly, decryption first base64-decodes the input and then decrypts it.
-des3:
Use the des3 (triple DES) cipher.
-in:
The file to encrypt.
-out: the path of the encrypted output file.
Note: during the interactive prompts, the first entry is the password and the second is the salt.
Decrypting with openssl enc:
[root@localhost ~]# openssl enc -des3 -d -salt -a -in test.des3 -out test.jiemi
enter des-ede3-cbc decryption password:
[root@localhost ~]# cat test.jiemi
bzrxsgq
nyrsbuqqajaskkjajsd
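The encrypt/decrypt round trip above, as an added example that is not part of the original notes: the same flags run without prompts via -pass, plus a look at what -salt actually writes (an 8-byte "Salted__" marker followed by an 8-byte random salt, which -S can set explicitly). The function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes). The password-to-key derivation used by these
# flags is one MD5 round (EVP_BytesToKey); OpenSSL 1.1.1+ warns about it and offers
# -pbkdf2 -iter N, which the 0.9.8 build in the notes does not have.
enc_file() {   # $1 input, $2 output, $3 password; -pass replaces the two interactive prompts
    openssl enc -des3 -salt -a -in "$1" -out "$2" -pass "pass:$3"
}
dec_file() {   # same cipher, -d to decrypt, -a to base64-decode first
    openssl enc -des3 -d -salt -a -in "$1" -out "$2" -pass "pass:$3"
}
salt_header() {   # base64-decode the ciphertext and print its first 8 bytes
    openssl base64 -d -in "$1" | head -c 8
}
enc_roundtrip() {   # returns 0 when decrypt(encrypt(x)) == x and the salt marker is present
    dir=$(mktemp -d)
    printf 'bzrxsgq\nnyrsbuqqajaskkjajsd\n' > "$dir/test"   # constructed plaintext, as in the notes
    enc_file "$dir/test" "$dir/test.des3" 'example-password' 2>/dev/null &&
    dec_file "$dir/test.des3" "$dir/test.jiemi" 'example-password' 2>/dev/null &&
    cmp -s "$dir/test" "$dir/test.jiemi" &&
    [ "$(salt_header "$dir/test.des3")" = "Salted__" ]
    rc=$?
    rm -rf "$dir"
    return $rc
}
```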
The traditional way to fingerprint a file with md5 and sha1:
[root@localhost ~]# md5sum test
d5c05cb799acee79d107d6d3181c2356 test
[root@localhost ~]# sha1sum test
1febb847817e02dfeb4bfcf26a7d9db3e2addd0b test
openssl dgst
openssl's dgst provides message digests and signatures over data.
About message digests:
1. Fixed output length: the output length is independent of the input length.
2. One-way: in theory the input cannot be derived from the output.
3. Sensitive to the input: a tiny change in the input produces a markedly different output.
4. Collision resistant: the probability that two different inputs produce the same output is extremely low.
Because of these properties, digests are generally used to guarantee data integrity: compute the digest of a large file, transfer the file over the network or another channel, and then verify the digest to determine whether the file itself has changed.
Digital signature: a digital signature is really two steps. First compute the digest of the original file, then encrypt that digest with the private key of a public-key algorithm. The signing and verification process is shown in the figure below.
Generating sha1 and md5 digests with openssl dgst
[root@localhost ~]# openssl dgst -sha1 test
SHA1(test)= 1febb847817e02dfeb4bfcf26a7d9db3e2addd0b
[root@localhost ~]# openssl dgst -md5 test
MD5(test)= d5c05cb799acee79d107d6d3181c2356
openssl passwd
This pseudo-command generates a hashed (encrypted) password.
Example:
[root@localhost ~]# openssl passwd -1 -salt sdssd
Password:
$1$sdssd$DImN7UKmHxWYle6AnZxMp0
-1: one of openssl's algorithm codes; -1 selects the MD5-based crypt algorithm.
openssl rand
openssl rand generates the specified number of random bytes.
Example:
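Checking a password against an openssl passwd -1 hash, as an added example that is not part of the original notes: the salt is stored in clear in the "$1$salt$hash" string, so a verifier re-runs the same hash with that salt and compares. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes). -1 is MD5-crypt; on OpenSSL 1.1.1+ the
# -6 option (SHA-512 crypt) is the stronger choice and produces "$6$salt$hash" strings.
make_md5crypt() {   # $1 = password, $2 = salt (up to 8 characters); non-interactive form of the notes' command
    openssl passwd -1 -salt "$2" "$1"
}
check_md5crypt() {   # $1 = stored hash, $2 = candidate password; returns 0 on match
    salt=$(printf '%s' "$1" | cut -d'$' -f3)   # fields: "", "1", salt, hash
    [ "$(make_md5crypt "$2" "$salt")" = "$1" ]
}
```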
[root@localhost ~]# openssl rand -base64 100
qURn3nmlYp0OXMdSIF6dEWmOB75HW1vjs+5enBcTe42FSIY3+HTEhbOwRkNhivZe
J/y5sRPGwyNBnB1k3ewa0oOLhnj5ftdjaxZUIsez7jz+gBVrwHo3Xme10P48BF3E
M27kPQ==
This generated 100 random bytes, shown base64-encoded.
openssl genrsa
openssl's genrsa generates a private key.
Example:
[root@localhost ~]# openssl genrsa
Generating RSA private key, 512 bit long modulus
...........++++++++++++
..............++++++++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBALvmxei7kFsDGM5MgOJdm+7W19TjXt4Wz5ffqyLvQycG/2JxfO/9
Uhl56M7bvtB9UDAq94TV4fiLhwrG8l8eHW0CAwEAAQJAZ+AN7Lkz9nxhzDpSzdE+
EO1IZ/JCUbh+jtEhhLCMiRfMtchDzon36UssUPfXWH9xO+FKY1e1BzMRs92Eu19v
KQIhAN6FSBPvCt6BX5Jepobz8gFD8dszAGEr3d1e473Em9Z/AiEA2CwU6/kI52y5
bHDUHY9ARQVja3Q6/v3Fo2eF0UONzhMCIDEYvzqGt6M4cFnfQGbuVCsrTqXKrv7B
qwY49Y7dXnUJAiEAx0VTf/dQUu0xvJoBnsIXz8hYzowVekt67deXTsGELcsCIQC+
Xy5Czb6ETqR6qWBMFsGZZYDsbGWGao8JG+clhAxg4w==
-----END RSA PRIVATE KEY-----
Generating a private key of a given length with openssl genrsa
[root@localhost ~]# openssl genrsa 128
Generating RSA private key, 128 bit long modulus
.......+++++++++++++++++++++++++++
.+++++++++++++++++++++++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
MGMCAQACEQDW9YsL5b0US3Yw16dqP/9PAgMBAAECEQCul7UeLrVKexsXdBcq6Coh
AgkA738wUBa9dqkCCQDlxYA4GW0ZNwIINqth6+ZE+YECCQCseEBTW7qJpwIIG9mF
eK/wG1Q=
-----END RSA PRIVATE KEY-----
Generating a private key of a given length at a given output path with openssl genrsa, combined with umask
(umask 077; openssl genrsa -out server1024.key 1024)
Explanation:
umask 077: a complement-style permission mask. This is the abbreviated form rather than the full one; the full form looks like 0022, and in general only the last three digits matter.
1. For a directory, the x permission means the directory can be entered, so granting it initially is not a problem;
2. For a file, the x permission means execute, which is too risky, so the initial permissions of a file must always have x removed;
[root@www ~]# umask
0022
What do these four digits mean?
First, the four digits above are the permissions that are dropped when initial permissions are assigned. (For a file, x is always dropped by default even if the mask does not say so.)
The first 0 is the mask for the setuid permission;
The second 0 means the file/directory owner drops no permission (for a file, except x; see above for why);
The third 2 means the file/directory group drops the w permission (for a file, its x permission is dropped as well);
The fourth 2 means other users are left with only r and x (x only for directories, not files).
Extracting the public key from the private key with openssl rsa
[root@localhost ~]# openssl rsa -in server1024.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC22uNERQU0nlYwgE1UO5FyDque
Fr8OhxZbq13TcLcX1lxR5MI1rybbyEARMxBlb+tXS8hreZS1spsLz51cpT7dscUO
p1YfxNcq0G8In5GvmJa8R1i01F6sh4m8qSfxpyCPoAR3XQ5EMLlw+suHZHu6pq6G
+KfL/y/2q69Bc0DqywIDAQAB
-----END PUBLIC KEY-----
Explanation:
rsa: processes private keys generated by openssl genrsa
-in: when -pubout is given, specifies the private key file
Generating a self-signed CA certificate:
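The digest-then-sign step described under openssl dgst, carried out with the genrsa / rsa -pubout key pair and the (umask 077; ...) idiom from the sections above, as an added example that is not part of the original notes. The function name and the sample file are this example's own; SHA-256 is used because MD5 and SHA-1 are no longer collision resistant.

```shell
#!/bin/sh
# Added example (not from the original notes): sign a file's digest with the private key,
# verify it with only the public key, then show that a one-byte change breaks verification.
sign_demo() {   # $1 = scratch directory; returns 0 when every check passes
    dir=$1
    printf 'bzrxsgq\nnyrsbuqqajaskkjajsd\n' > "$dir/test"   # constructed sample file
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null) || return 1
    # umask 077 strips rwx from group and other, so the private key is created -rw-------
    [ "$(ls -l "$dir/server.key" | cut -c1-10)" = "-rw-------" ] || return 1
    openssl rsa -in "$dir/server.key" -pubout -out "$dir/server.pub" 2>/dev/null || return 1
    # sign: hash the file with SHA-256, then sign that digest with the private key
    openssl dgst -sha256 -sign "$dir/server.key" -out "$dir/test.sig" "$dir/test" || return 1
    # verify with the public key only; exit status 0 means the digest matches the signature
    openssl dgst -sha256 -verify "$dir/server.pub" -signature "$dir/test.sig" "$dir/test" \
        >/dev/null 2>&1 || return 1
    # one appended byte changes the digest, so the same signature must now fail to verify
    printf 'x' >> "$dir/test"
    if openssl dgst -sha256 -verify "$dir/server.pub" -signature "$dir/test.sig" "$dir/test" \
        >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```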
[root@localhost ~]# openssl req -new -x509 -key server1024.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:shenBoLanXin
Organizational Unit Name (eg, section) []:php
Common Name (eg, your name or your server's hostname) []:www.gaojiupan.cn
Email Address []:1509272975@qq.com
Explanation:
req: generates certificates and certificate requests (for example, a request to apply for a certificate)
-new: create a new certificate request; prompts interactively for some information
-x509: when given, produce a self-signed certificate instead of a certificate request; generally used for testing or to create a self-signed certificate for a root CA
-key: a self-signed CA certificate needs a private key; this option gives the path of that private key file
-out: the output file path for the created certificate
-days: the validity period of the created certificate, in days
Viewing the CA certificate
[root@localhost ~]# openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f1:33:fb:07:76:b7:68:9d
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=beijing, L=beijing, O=shenBoLanXin, OU=php, CN=www.gaojiupan.cn/emailAddress=1509272975@qq.com
Validity
Not Before: Nov 18 16:30:05 2018 GMT
Not After : Nov 18 16:30:05 2019 GMT
Subject: C=cn, ST=beijing, L=beijing, O=shenBoLanXin, OU=php, CN=www.gaojiupan.cn/emailAddress=1509272975@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:da:e3:44:45:05:34:9e:56:30:80:4d:54:3b:
91:72:0e:ab:9e:16:bf:0e:87:16:5b:ab:5d:d3:70:
b7:17:d6:5c:51:e4:c2:35:af:26:db:c8:40:11:33:
10:65:6f:eb:57:4b:c8:6b:79:94:b5:b2:9b:0b:cf:
9d:5c:a5:3e:dd:b1:c5:0e:a7:56:1f:c4:d7:2a:d0:
6f:08:9f:91:af:98:96:bc:47:58:b4:d4:5e:ac:87:
89:bc:a9:27:f1:a7:20:8f:a0:04:77:5d:0e:44:30:
b9:70:fa:cb:87:64:7b:ba:a6:ae:86:f8:a7:cb:ff:
2f:f6:ab:af:41:73:40:ea:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
74:9D:01:24:19:BC:52:22:68:07:13:63:2A:7C:25:2A:7E:8B:0B:BE
X509v3 Authority Key Identifier:
keyid:74:9D:01:24:19:BC:52:22:68:07:13:63:2A:7C:25:2A:7E:8B:0B:BE
DirName:/C=cn/ST=beijing/L=beijing/O=shenBoLanXin/OU=php/CN=www.gaojiupan.cn/emailAddress=1509272975@qq.com
serial:F1:33:FB:07:76:B7:68:9D
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
81:71:33:3e:15:22:11:ed:ed:32:cf:bb:71:57:63:88:46:4a:
52:fc:fa:b1:7f:06:4e:66:ed:ba:86:49:81:e9:7d:69:c1:26:
2f:e9:f3:c4:34:53:12:65:42:26:3f:27:07:af:ef:d4:4b:8a:
2c:8a:50:a9:d6:64:cc:54:30:f6:d9:ca:53:7b:ef:51:20:7f:
7b:d7:8a:4f:59:31:12:95:20:7f:46:a9:5b:7b:25:46:ea:f4:
cf:63:c7:21:59:8c:31:78:65:34:a0:a8:ef:70:32:27:da:8c:
e5:4a:34:9e:fb:6d:36:bb:3b:0b:4e:9a:fb:3b:91:76:41:d1:
b7:b4
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Explanation:
x509: the x509 command is a feature-rich certificate processing tool. It can display a certificate's contents, convert its format, sign CSRs, and so on
-text: print the certificate in text form
-in: the path of the certificate file to view
Standard workflow for CA certificates
(1) Set up the certificate authority
In the openssl configuration file /etc/pki/tls/openssl.cnf, set dir in the [ CA_default ] section to the absolute path /etc/pki/CA.
Enter the directory /etc/pki/CA and generate the private key
Generating RSA private key, 2048 bit long modulus
..+++
.................................................................................................................................+++
e is 65537 (0x10001)
[root@localhost CA]# ls -l private/
total 8
-rw------- 1 root root 1679 Nov 19 01:01 cakey.pem
Generate the CA certificate in the same directory
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:beiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:shenBoLanXin
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www.gaojiupan.cn
Email Address []:1509272975@qq.com
In the same directory, prepare the usual files and directories and write an initial serial number to the serial file
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo 01 > serial
(2) Simulate a certificate request
Simulate a web service project requesting a certificate:
Prepare the web project and certificate directories
[root@localhost CA]# cd
[root@localhost ~]# mkdir /etc/httpd
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# cd ssl
[root@localhost ssl]#
Create the private key the web project will use to request a certificate
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
............++++++
............................++++++
e is 65537 (0x10001)
Create the certificate signing request file for the web project
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:beiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:shenBoLanXin
Organizational Unit Name (eg, section) []:wr
Common Name (eg, your name or your server's hostname) []:w
Email Address []:w
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note:
The fields marked in red require attention: because the CA we just created above is going to sign this web project's certificate, these fields must match those of the CA we are requesting from.
There is also a password prompt at the end, asking whether the request should be stored encrypted; this is optional. The last prompt is similar, an extended attribute much like a remark, and is also optional.
(3) Sign the certificate
Sign the web server's certificate request (since the CA and the web server project are on the same server, we sign directly)
[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 18 17:41:31 2018 GMT
Not After : Nov 18 17:41:31 2019 GMT
Subject:
countryName = cn
stateOrProvinceName = beiJing
organizationName = shenBoLanXin
organizationalUnitName = wr
commonName = w
emailAddress = w
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
51:CB:F1:5E:7E:4B:09:7D:C9:A5:89:D1:F3:F8:7A:91:01:61:DE:49
X509v3 Authority Key Identifier:
keyid:E7:68:93:3B:AB:94:E7:56:BC:C9:B4:1F:B5:75:D1:4B:AD:35:6C:76
Certificate is to be certified until Nov 18 17:41:31 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: there are two confirmation prompts at the end: the first asks whether to sign, the second whether to commit this signing.
The certificate file output after signing is the usable certificate; the web project side can download it and use it.
(4) After signing
Back at the CA you will find that a new signing record has been added
[root@localhost ssl]# cd /etc/pki/CA
[root@localhost CA]# cat index.txt
V 191118174131Z 01 unknown /C=cn/ST=beiJing/O=shenBoLanXin/OU=wr/CN=w/emailAddress=w
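Steps (1) to (4) above run non-interactively, as an added example that is not part of the original notes: the CA lives in a throwaway directory with its own openssl.cnf (so /etc/pki/tls/openssl.cnf is not edited), policy_match enforces the "fields must match the CA" rule from step (2), and openssl verify performs the check the notes leave out. The function name and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): private CA setup, CSR, signing with
# openssl ca -batch, the index.txt record, and verification of the issued certificate.
# 2048-bit keys are used for both CA and server; the 1024-bit key in the notes is too small today.
private_ca_demo() {   # $1 = absolute path of an empty directory; returns 0 if the cert verifies
    ca=$1
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$ca/crl"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"            # empty database and first serial
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) &&
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=cn/ST=beiJing/O=shenBoLanXin/CN=Example Private CA" -out "$ca/cacert.pem" &&
    (umask 077; openssl genrsa -out "$ca/httpd.key" 2048 2>/dev/null) &&
    openssl req -new -config "$ca/openssl.cnf" -key "$ca/httpd.key" -out "$ca/httpd.csr" \
        -subj "/C=cn/ST=beiJing/O=shenBoLanXin/CN=www.gaojiupan.cn" &&
    openssl ca -batch -config "$ca/openssl.cnf" -days 365 -in "$ca/httpd.csr" -out "$ca/httpd.crt" \
        >/dev/null 2>&1 &&
    grep -q '^V' "$ca/index.txt" &&
    openssl verify -CAfile "$ca/cacert.pem" "$ca/httpd.crt"   # prints "<path>: OK" on success
}
```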
(5) Test certificates
The CA can also generate certificates for testing only, which must not be used in production. Certificates that go through the full workflow above can be used in production; this test certificate cannot.
Enter the directory
/etc/pki/tls/certs
Generate the test certificate
[root@localhost certs]# make httpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > httpd.pem ; \
echo "" >> httpd.pem ; \
cat $PEM2 >> httpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
.....+++
........................................+++
writing new private key to '/tmp/openssl.H32336'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:sblx
Organizational Unit Name (eg, section) []:php
Common Name (eg, your name or your server's hostname) []:www
Email Address []:123
[root@localhost certs]# ls
ca-bundle.crt httpd.pem make-dummy-cert Makefile
Keywords: ssl, openssl, ca