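# Configuration for `openssl ca`.
# OpenSSL treats everything after an unquoted '#' as a comment.

[ca]
# Name of the section that holds the default CA settings.
default_ca = ca_default

[ca_default]
# Root directory of the CA; the paths below are relative to it.
dir = /etc/ssl/diyca
# Storage directory for issued certificates.
certs = $dir/certs
# Directory for storing certificate revocation lists.
crl_dir = $dir/crl
# Database index file that records every certificate the CA has issued.
database = $dir/index.txt
# Set to 'no' to allow several valid certificates with the same subject.
#unique_subject = no
# Default location for newly issued certificates (named <serial>.pem).
new_certs_dir = $dir/newcerts
# The CA certificate. OpenSSL option names are case-sensitive, so the key
# must be spelled 'certificate'; 'Certificate' is not picked up.
certificate = $dir/cacert.pem
# File holding the current serial number; initialise it with 00.
serial = $dir/serial
# Current CRL.
crl = $dir/crl.pem
# CA private key. Keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem
# Digest used to sign issued certificates and CRLs. This was md5, which is
# collision-broken and rejected by current TLS clients; use sha256.
default_md = sha256
# Seed file read and written by the random number generator.
RANDFILE = $dir/private/.rand
# Subject policy applied to incoming requests; see the sections below.
policy = policy_match

# match    = the CSR field must equal the same field in the CA certificate
# supplied = the CSR field must be present
# optional = the CSR field may be present
[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# Looser policy: only the common name is required.
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
````

# CA issues certificate:

```shell
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -days 3650
```

server.pem is the signed certificate

```shell
cp /etc/ssl/diyca/newcerts/00.pem server.pem
```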
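Deploy server.key and server.pem on the web server. Note that browsers do not trust certificates issued by a self-built CA like this one by default: the chain ends in a self-signed root, so clients show a warning unless the CA certificate is added to their trust store.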