20.8. Creating a Self-Signed Certificate

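You can create your own self-signed certificate. Note that a self-signed certificate does not provide the security guarantees of a CA-signed certificate. Refer to Section 20.5 for more details about certificates.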

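If you would like to create your own self-signed certificate, you must first create a random key using the instructions provided in Section 20.6. Once you have a key, make sure you are in the /usr/share/ssl/certs directory, and type the following command: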

make testcert

You will see the following output, and you will be prompted for your passphrase (unless you generated a key without a passphrase):

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key 
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:

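After you enter your passphrase (or without a prompt if you created a key without a passphrase), you will be asked for more information. The computer's output and a set of sample inputs look like the following (you must provide the correct information for your organization and host):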

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US      
State or Province Name (full name) [Berkshire]:North Carolina
Locality Name (eg, city) [Newbury]:Raleigh
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:Documentation
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com

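After you provide the correct information, a self-signed certificate is created in the /etc/httpd/conf/ssl.crt/server.crt file. After creating the certificate, you must restart your secure server with the following command: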

/sbin/service httpd restart
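
To check what the procedure above produced, the following script (an added example, not part of the original manual) confirms that a certificate is self-signed, that it matches its private key, and that it is not about to expire. It demonstrates the checks on a throwaway key and certificate in a temporary directory; the function names, the demo subject and the 2048-bit unencrypted RSA key are assumptions made for the example.

```sh
#!/bin/sh
# Added example. Paths, subject and function names are constructed for the demo.

# Create a throwaway unencrypted key (assumed 2048-bit RSA) and self-sign it
# with the same "req -new -key ... -x509 -days 365" options make testcert runs.
make_demo_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -x509 -days 365 \
        -subj "/C=US/O=Example/CN=myhost.example.com" \
        -out "$1/server.crt" 2>/dev/null
}

# True when subject and issuer are the same name: no CA vouches for the cert.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# True when the certificate carries the public half of the given private key.
# A passphrase-protected key makes openssl prompt here.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo run on constructed files; nothing under /etc/httpd is touched.
demo=$(mktemp -d) || exit 1
make_demo_cert "$demo" || { rm -rf "$demo"; exit 1; }
is_self_signed "$demo/server.crt" && echo "self-signed: subject equals issuer"
cert_matches_key "$demo/server.crt" "$demo/server.key" && echo "certificate matches server.key"
valid_for_days "$demo/server.crt" 30 || echo "expires within 30 days: regenerate"
rm -rf "$demo"
```

To inspect the files the procedure wrote, call the three check functions on /etc/httpd/conf/ssl.crt/server.crt and /etc/httpd/conf/ssl.key/server.key.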