20.8. 创建自签的证书

你可以创建自签的证书。请注意,自签的证书将不会提供由 CA 签发的证书所提供的安全担保。关于证书的详细信息,请参阅第 20.5 节

如果你想制作自签的证书,你首先需要按照 第 20.6 节中提供的指示来创建随机钥匙。一旦创建了钥匙,请确定你位于 /usr/share/ssl/certs 目录中,再键入下面的命令:

make testcert

你将会看到以下输出,你会被提示输入口令句(除非你生成了无口令的钥匙):

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key 
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:

输入口令句后(如果你创建了无口令的钥匙则没有提示),你会被要求输入更多信息。计算机的输出以及一组示例输入与以下的显示相仿(你需要为你的主机和机构提供正确的信息):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US      
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Documentation
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com

提供了正确信息后,自签的证书就会在 /etc/httpd/conf/ssl.crt/server.crt 中被创建。生成证书后,你需要使用以下命令来重新启动安全服务器:

/sbin/service httpd restart