Issuing a Server Certificate Using the CA Certificate
- Log in to the server where the CA certificate is generated.
- Go to the cert_v3 directory, create the server directory at the same level as the ca directory, and go to the new directory.
mkdir server
cd server
- Create the OpenSSL configuration file server_cert.conf of the server certificate. The file content is as follows:
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = mxManufacture
CN = xxx.huawei.com

[ v3_ca ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = xxx.huawei.com
The CN and DNS fields can be changed to the domain name or IP address of the server as required.
xxx.huawei.com is for reference only. Change xxx based on the site requirements, for example, mxmanufacture.huawei.com.
- Create the private key file server.key of the server certificate.
openssl genrsa -aes256 -out server.key 4096

Set password strength properly. The password must contain at least eight characters and contain at least two types of the following characters: digits, uppercase letters, lowercase letters, and special characters.
- Create the CSR request file server.csr of the server certificate.
openssl req -out server.csr -key server.key -new -config ./server_cert.conf
- Use the CA certificate to issue the server certificate server.crt.
openssl x509 -req -in server.csr -out server.crt -sha256 -CAcreateserial -days 1000 -extfile ./server_cert.conf -extensions v3_ca -CA ../ca/ca.crt -CAkey ../ca/ca.key
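The server_cert.conf file from the steps above can be checked before the CSR is created, so that mistakes in the extensions do not surface only at TLS handshake time. The following Python linter is an added example, not part of the original procedure; its function names, the choice of checks and the sample host values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the page's server_cert.conf with the example host name filled in.
SAMPLE_CONF = """[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
O = mxManufacture
CN = mxmanufacture.huawei.com
[ v3_ca ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[ alt_names]
DNS.1 = mxmanufacture.huawei.com
"""

def parse_conf(text):
    """Parse the '[ section ]' / 'key = value' subset of OpenSSL config used on this page."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def lint_server_conf(text, ext_section="v3_ca"):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_conf(text), []
    ext = conf.get(ext_section, {})
    # A server (leaf) certificate must not be usable as a CA.
    if "CA:FALSE" not in ext.get("basicConstraints", "").replace(" ", "").upper():
        findings.append("basicConstraints is not CA:FALSE")
    alt = conf.get(ext.get("subjectAltName", "").lstrip("@"), {})
    cn = conf.get("req_distinguished_name", {}).get("CN")
    if cn not in alt.values():
        findings.append(f"CN {cn} is missing from subjectAltName")
    # Clients match an IP address only against iPAddress SAN entries (IP.n keys).
    for key, value in alt.items():
        if key.startswith("DNS.") and is_ip(value):
            findings.append(f"{key} = {value} is an IP address; list it under IP.n")
    return findings
```

Calling lint_server_conf() on the text of server_cert.conf returns an empty list when the extension section is suitable for a server certificate.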
