[root@lzn ~]# vim /etc/pki/tls/openssl.cnf
45 dir             = /etc/pki/CA           # Where everything is kept
48 database        = $dir/index.txt        # database index file.
53 certificate     = $dir/ca.crt   # The CA certificate
58 private_key     = $dir/private/ca.key
136 countryName_default         = CN
141 stateOrProvinceName_default = BeiJing
144 localityName_default                = HaiDian
154 organizationalUnitName_default      = GNOME
160 emailAddress_default                =admin@linzhennan.cn手动添加的行！
－－－－－－－－－－－－
[root@lzn ~]# mkdir  /etc/pki/CA
[root@lzn ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
[root@lzn ~]# touch /etc/pki/CA/index.txt
[root@lzn ~]# echo 00 > /etc/pki/CA/serial
---------------------------------------------
生成CA自己的私钥：私钥存放的位置应该与/etc/pki/tls/openssl.cnf里定义的对应
[root@lzn ~]# (umask 077 ; openssl genrsa  -out /etc/pki/CA/private/ca.key)
Generating RSA private key, 512 bit long modulus
.......++++++++++++
.++++++++++++
e is 65537 (0x10001)
[root@lzn ~]# ls -l /etc/pki/CA/private/ca.key
-rw------- 1 root root 493 05-03 09:56 /etc/pki/CA/private/ca.key
[root@lzn ~]#
ＣＡ自签名生成自己的证书
[root@lzn ~]# openssl req -new  -x509 -days 365 -key /etc/pki/CA/private/ca.key -out  /etc/pki/CA/ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [HaiDian]:
Organization Name (eg, company) [Lzn Ltd]:
Organizational Unit Name (eg, section) [GNOME]:
Common Name (eg, your name or your server's hostname) []:CAHOST
Email Address [admin@linzhennan]:
[root@lzn ~]# file /etc/pki/CA/ca.crt
/etc/pki/CA/ca.crt: ASCII text

＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋

https server：
１）生成自己的私钥
openssl genrsa -out /etc/httpd/conf.d/httpserver.key
２）生成自己的证书请求文件
[root@lzn misc]# openssl  req  -new -key /etc/httpd/conf.d/httpserver.key -out /tmp/server.csr
３）将证书请求文件拷给ＣＡ，ＣＡ上直接用如下命令签名，生成server的证书
]#  openssl ca -in /tmp/server.csr   -out /etc/httpd/conf.d/httpserver.crt
－－－－配置ＨＴＴＰＳ－－－－－－－－－－－－
[root@lzn misc]# rpm -q mod_ssl
mod_ssl-2.2.3-63.el5
[root@lzn misc]# grep -n  httpserver /etc/httpd/conf.d/ssl.conf
112:SSLCertificateFile /etc/httpd/conf.d/httpserver.crt
119:SSLCertificateKeyFile /etc/httpd/conf.d/httpserver.key
[root@lzn misc]#
[root@lzn misc]# service httpd restart
停止 httpd：                                               [失败]
启动 httpd：httpd: bad user name apache
                                                           [失败]
[root@lzn misc]# getenforce
Enforcing
[root@lzn misc]# setenforce 0
[root@lzn misc]# service httpd restart
停止 httpd：                                               [失败]
启动 httpd：                                               [确定]
[root@lzn misc]#