root@ubtdesk:/usr/local/openssl# vi openssl.cnf

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /usr/local/openssl/CA # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.key   # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
#stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

root@ubtdesk:/usr/local/openssl/CA# openssl req -new -key private/ca.key -out ca.csr
Enter pass phrase for private/ca.key: CA키 비밀번호입력
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KR
State or Province Name (full name) [Some-State]:Seoul
Locality Name (eg, city) []:Seoul
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Soongsil University
Organizational Unit Name (eg, section) []:Network Security Laboratory
Common Name (eg, YOUR name) []:CA(Certificate Authority)
Email Address []:ca@memoz.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@ubtdesk:/usr/local/openssl/CA# openssl ca -in ca.csr -out ca.crt -selfsign -keyfile private/ca.key
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Apr 27 08:12:02 2010 GMT
            Not After : Apr 27 08:12:02 2011 GMT
        Subject:
            countryName               = KR
            organizationName          = Soongsil University
            organizationalUnitName    = Network Security Laboratory
            commonName                = CA(Certificate Authority)
            emailAddress              = ca@memoz.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2B:38:40:8F:A6:FA:1D:79:BF:48:4F:E4:E2:3B:3C:D6:D1:0F:BB:D9
            X509v3 Authority Key Identifier:
                keyid:2B:38:40:8F:A6:FA:1D:79:BF:48:4F:E4:E2:3B:3C:D6:D1:0F:BB:D9

Certificate is to be certified until Apr 27 08:12:02 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@ubtdesk:/usr/local/openssl/CA# cat serial
01
root@ubtdesk:/usr/local/openssl/CA# cat index.txt
V       110427081202Z           00      unknown /C=KR/O=Soongsil University/OU=Network Security Laboratory/CN=CA(Certificate Authority)/emailAddress=ca@memoz.net

root@ubtdesk:/usr/local/openssl/CA# ls -l newcerts/
합계 4
-rw-r--r-- 1 root root 3322 2010-04-27 17:12 00.pem