

Generating self-signed SSL certificates

Published: 2025/3/21

Contents

I. Generating a single SSL certificate by hand

1. Creating the CA and requesting a certificate

II. Generating a single CA-signed SSL certificate with a script

III. Generating a wildcard SSL certificate with a script

IV. Exporting the certificates


I. Generating a single SSL certificate by hand

1. Creating the CA and requesting a certificate

Before creating a CA certificate and signing requests with the openssl tool, read the configuration file: it defines the names and locations of the CA's files (certificate, key, database, serial file) that every later `openssl ca` command relies on. On CentOS/RHEL the file is /etc/pki/tls/openssl.cnf (on Debian/Ubuntu it is /etc/ssl/openssl.cnf). The relevant part on CentOS is:

[root@VM-0-114-centos ~]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

(1) Creating the self-signed CA certificate

Step 1: create the directories and files the CA needs (the paths come from the CA_default section above)

[root@VM-0-114-centos CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@VM-0-114-centos CA]# touch /etc/pki/CA/{serial,index.txt}
[root@VM-0-114-centos CA]# tree .
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files

Step 2: set the starting serial number. The serial file must contain exactly one hexadecimal number; `openssl ca` reads it, uses it for the next certificate and writes the incremented value back.

[root@VM-0-114-centos CA]# echo 01 >> serial

Step 3: generate the CA private key. Its file name and location must match `private_key` in the configuration file, and the `umask 077` in the subshell makes sure the key is created with mode 0600 rather than the default umask.

[root@VM-0-114-centos CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.................................................................++
..........................................................++
e is 65537 (0x10001)
[root@VM-0-114-centos CA]# ll private/
total 4
-rw------- 1 root root 3243 Oct 18 21:03 cakey.pem

Step 4: generate the self-signed CA certificate. Its location must match `certificate` in the configuration file, and the subject fields are entered interactively. Note that the Common Name of a CA should identify the CA itself (for example "keyao Root CA"); the wildcard hostname typed below is what the author used, but it has no function in a CA certificate, since hostname matching is done against the server certificate, not the issuer. The C, ST and O values typed here matter later: with the default `policy_match` policy, every request this CA signs must carry the same three values.

[root@VM-0-114-centos CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShengZhen
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:keyao
Organizational Unit Name (eg, section) []:mage
Common Name (eg, your name or your server's hostname) []:*.tapd.demo.com
Email Address []:httpd@keyao.com
[root@VM-0-114-centos CA]# ll /etc/pki/CA/cacert.pem
-rw-r--r-- 1 root root 2118 Oct 18 21:11 /etc/pki/CA/cacert.pem

The options used in the command:

-new: generate a new certificate signing request

-x509: output a self-signed certificate instead of a request; used when creating the CA's own certificate and omitted for ordinary requests

-key: the private key used to sign the request or certificate

-out: where to write the output

-days: validity period in days (default 365); only meaningful together with -x509, since the validity of a CA-signed certificate is decided by the CA at signing time

(2) Issuing certificates

On the host that needs the certificate, generate a request. Using the httpd service as the example:

Step 1: generate a private key on the host that needs the certificate; this file can live anywhere

Step 2: generate the certificate signing request (the `-days 365` in the session below has no effect on a CSR and can be dropped; the CA sets the validity when it signs)

Step 3: send the request to the CA host over a trusted channel (only the .csr file travels; the private key never leaves the host)

[root@VM-0-114-centos test]# (umask 077; openssl genrsa -out httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
..........................................................++
..........................++
e is 65537 (0x10001)
[root@VM-0-114-centos test]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:keyao
Organizational Unit Name (eg, section) []:*.tapd.demo.com
Common Name (eg, your name or your server's hostname) []:www.tapd.demo.com
Email Address []:https@keyao.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@VM-0-114-centos test]# ll
total 8
-rw-r--r-- 1 root root 1765 Oct 18 21:26 httpd.csr
-rw------- 1 root root 3243 Oct 18 21:23 httpd.key

Step 4: the CA signs the request; this step runs on the CA server. Because the configuration uses `policy_match`, the countryName, stateOrProvinceName and organizationName in the request must be byte-for-byte identical to those in the CA certificate, otherwise `openssl ca` refuses with a message that the field needed to be the same in the CA certificate and the request. (The CA above was created with ST "ShengZhen" while the request says "Shenzhen"; that request would be rejected.) The session below was evidently captured with a different request, which is why its subject (ST=ShenZhen, OU=yaoke.com, CN=www.yaoke.com) does not match the fields typed above. The two y/n prompts can be skipped with `-batch` when scripting.

[root@VM-0-114-centos /]# ls
bin  boot  data  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  storage  sys  tmp  usr  var
[root@VM-0-114-centos /]# openssl ca -in /httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 19 13:28:38 2021 GMT
            Not After : Oct 19 13:28:38 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShenZhen
            organizationName          = keyao
            organizationalUnitName    = yaoke.com
            commonName                = www.yaoke.com
            emailAddress              = httpd@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:23:5A:30:09:64:4D:D8:51:3A:BB:C9:B6:E0:F6:80:87:5C:E0:2F
            X509v3 Authority Key Identifier:
                keyid:36:55:4C:EE:B6:FA:90:67:AF:91:71:77:25:D0:A9:91:54:B3:68:06

Certificate is to be certified until Oct 19 13:28:38 2022 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@VM-0-114-centos /]# ls
bin  boot  data  dev  etc  home  httpd.csr  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  storage  sys  tmp  usr  var

To view the serial number and subject of the issued certificate:

[root@VM-0-114-centos /]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=02
subject= /C=CN/ST=ShenZhen/O=keyao/OU=yaoke.com/CN=www.yaoke.com/emailAddress=httpd@magedu.com

(3) Revoking a certificate

Revocation is also performed on the CA server. Taking the httpd.crt just issued as the example:

Step 1: on the client, obtain the serial and subject of the certificate to be revoked (the `openssl x509 -serial -subject` command above)

Step 2: on the CA, check that they match the entry stored in the database index.txt (the line whose fourth, tab-separated field is that serial)

Step 3: revoke. `openssl ca -revoke` accepts any copy of the certificate, so /etc/pki/CA/certs/httpd.crt works directly. newcerts/ also holds a copy of every issued certificate, named after its serial number; the certificate issued above has serial 02 and is therefore newcerts/02.pem. The session below revokes serial 01, an earlier certificate from the same CA:

[root@VM-0-114-centos CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

Step 4: create the CRL number file (only needed before the first CRL is generated)

[root@VM-0-114-centos CA]# echo 01 > /etc/pki/CA/crlnumber

Step 5: generate the certificate revocation list. Revoking only updates index.txt; clients learn about the revocation only from a CRL (or OCSP) that they are actually given, so regenerate and redistribute the CRL after every revocation, and in any case before `default_crl_days` (30 days above) elapse, because the CRL's nextUpdate date is computed from that value.

[root@VM-0-114-centos CA]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

To inspect the CRL:

[root@VM-0-114-centos CA]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
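The whole of section I (CA setup, issuing, revocation, CRL) as one self-contained script, added here as an example and not part of the original article. It writes its own openssl.cnf into a throwaway directory, so it never touches /etc/pki, uses a relaxed policy instead of `policy_match`, passes the server certificate's extensions (including a subjectAltName) through `-extfile`, and finishes with the check the article never shows: verifying the certificate against the CA before and after revocation. Every path, organisation name and the hostname www.example.test are made up for the example.

```sh
#!/usr/bin/env sh
# Added example: the section-I procedure (CA, issue, revoke, CRL) as a
# self-contained script with its own openssl.cnf. All names are hypothetical.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Minimal config for `openssl ca`: same database layout as /etc/pki/CA in the
# article, but the policy no longer requires C/ST/O to match the CA's subject.
write_config() {
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $CA_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_loose

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
O = Example Lab

[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1-4 of "(1)": directories, serial, CA key (mode 0600) and CA cert.
init_ca() {
  mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/crl"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  write_config
  (umask 077; openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -config "$CA_DIR/openssl.cnf" -subj "/O=Example Lab/CN=Example Lab Root CA" \
      -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null)
}

# "(2)": key + CSR as on the client, then `openssl ca` on the CA. Extensions
# come from a per-host -extfile; -batch replaces the two y/n prompts.
issue_cert() {
  host="$1"
  (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -config "$CA_DIR/openssl.cnf" -subj "/O=Example Lab/CN=$host" \
      -keyout "$CA_DIR/certs/$host.key" -out "$CA_DIR/certs/$host.csr" 2>/dev/null)
  cat > "$CA_DIR/certs/$host.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
      -extfile "$CA_DIR/certs/$host.ext" \
      -in "$CA_DIR/certs/$host.csr" -out "$CA_DIR/certs/$host.crt" 2>/dev/null
}

# "(3)": revoke by certificate file (no need to know the newcerts/NN.pem name)
# and regenerate the CRL, which is what relying parties actually consume.
revoke_cert() {
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/certs/$1.crt" \
      -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl/ca.crl" 2>/dev/null
}

# Status letter recorded in index.txt for the host's serial: V valid, R revoked.
cert_status() {
  serial=$(openssl x509 -in "$CA_DIR/certs/$1.crt" -noout -serial | cut -d= -f2)
  awk -F'\t' -v s="$serial" '$4 == s { print $1 }' "$CA_DIR/index.txt"
}

# Chain check as a relying party does it. Once a CRL exists it is consulted,
# which is the point where a revocation turns into a rejected certificate.
verify_cert() {
  set -- "$CA_DIR/certs/$1.crt"
  [ -f "$CA_DIR/crl/ca.crl" ] && set -- -crl_check -CRLfile "$CA_DIR/crl/ca.crl" "$1"
  if out=$(openssl verify -CAfile "$CA_DIR/cacert.pem" "$@" 2>&1); then
    echo OK
  else
    case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
  fi
}

if [ "${1:-}" = demo ]; then
  init_ca
  issue_cert www.example.test
  echo "issued:  $(cert_status www.example.test) $(verify_cert www.example.test)"
  revoke_cert www.example.test
  echo "revoked: $(cert_status www.example.test) $(verify_cert www.example.test)"
fi
```

Run it as `sh script.sh demo`; it prints `issued:  V OK` followed by `revoked: R REVOKED`. The interesting line is the second `verify_cert`: without `-crl_check` and the CRL, OpenSSL would still report the revoked certificate as valid, which is why step 5 in the article is not optional.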

II. Generating a single CA-signed SSL certificate with a script

[root@VM-0-114-centos tapd_test_com_ca]# ls
generate_ca.sh  tapdCA.cer  tapdCA.cnf  tapdCA.pvk  tapd.cer  tapdLocalExt.cnf  tapd.pvk  tapd.req

[root@VM-0-114-centos tapd_test_com_ca]# cat generate_ca.sh
# private CA: self-signed root certificate (tapdCA.cer) and its key (tapdCA.pvk)
openssl req -x509 -newkey rsa:2048 -out tapdCA.cer -outform PEM -keyout tapdCA.pvk -days 10000 -verbose -config tapdCA.cnf -nodes -sha256 -subj "/CN=TAPD CA"

# server private key (tapd.pvk) and certificate signing request (tapd.req)
openssl req -newkey rsa:2048 -keyout tapd.pvk -out tapd.req -subj "/CN=*.tapd.demo.com" -sha256 -nodes

# sign the request with the CA, adding the SAN/EKU extensions from tapdLocalExt.cnf, to produce the server certificate (tapd.cer)
openssl x509 -req -CA tapdCA.cer -CAkey tapdCA.pvk -in tapd.req -out tapd.cer -days 10000 -extfile tapdLocalExt.cnf -sha256 -set_serial 0x1113

Two things to be aware of in this script: `-nodes` leaves both private keys unencrypted on disk, so they are protected only by file permissions (run the script under `umask 077`); and `-set_serial 0x1113` hard-codes the serial number, so running the script twice produces two different certificates with the same issuer and serial, which clients that cache by issuer and serial will confuse. Use `-CAcreateserial` (as the section III script does) or a fresh value per run.

[root@VM-0-114-centos tapd_test_com_ca]# vim tapdCA.cnf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca

[ req_distinguished_name ]
# Without "prompt = no", the values in this section are only the prompt
# labels shown in interactive mode; since generate_ca.sh passes -subj,
# none of them ends up in the certificate and they can be anything.
countryName = CN (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Guangdong
localityName = Shenzhen
0.organizationName = TC
organizationalUnitName = technology
0.commonName = tapd.bilibili.co
0.commonName_max = 64
1.commonName = tapd.bilibili.pro
1.commonName_max = 64
2.commonName = tapd.demo.co
2.commonName_max = 64
3.commonName = tapd.demo.pro
3.commonName_max = 64
4.commonName = tapd.erik.me
4.commonName_max = 64
5.commonName = tapd.power.me
5.commonName_max = 64
6.commonName = tapd.clark.me
6.commonName_max = 64
7.commonName = tapd.anye.me
7.commonName_max = 64
8.commonName = tapd.robert.me
8.commonName_max = 64
9.commonName = tapd.test.com
9.commonName_max = 64
emailAddress = admin@tapd.cn
emailAddress_max = 64

[ root_ca ]
basicConstraints = critical, CA:true

[root@VM-0-114-centos tapd_test_com_ca]# vim tapdLocalExt.cnf
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1 = *.tapd.demo.com
DNS.2 = tapd.demo.com
IP.1 = 172.17.0.114
IP.2 = 172.17.0.142
IP.3 = 172.17.0.98

Note: the only places to change are the key and certificate file names in generate_ca.sh, the DN entries in tapdCA.cnf (which, as explained above, are never used because the script passes -subj), and the hostnames and IP addresses in tapdLocalExt.cnf. The alt_names list is what decides which names and addresses the certificate is valid for: a wildcard entry such as *.tapd.demo.com covers exactly one label (www.tapd.demo.com but not tapd.demo.com itself, which is why DNS.2 is listed separately, and not a.b.tapd.demo.com), and an address only matches if it is listed as an IP entry, not as a DNS entry.

III. Generating a wildcard SSL certificate with a script

Create a file gencert.sh with the following content:

#!/usr/bin/env bash
#
# Copyright 2020 Liu Hongyu (eliuhy@163.com)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e

DOMAIN="$1"
WORK_DIR="$(mktemp -d)"

if [ -z "$DOMAIN" ]; then
    echo "Domain name needed."
    exit 1
fi

echo "Temporary working dir is $WORK_DIR "
echo "Generating cert for $DOMAIN ..."

#
# Fix the following error:
# --------------------------
# Cannot write random bytes:
# 139695180550592:error:24070079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:213:Filename=/home/eliu/.rnd
#
[ -f $HOME/.rnd ] || dd if=/dev/urandom of=$HOME/.rnd bs=256 count=1

# throwaway CA: key and self-signed certificate
openssl genrsa -out $WORK_DIR/ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
    -key $WORK_DIR/ca.key \
    -out $WORK_DIR/ca.crt

# server key and request
openssl genrsa -out $WORK_DIR/server.key 4096

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
    -key $WORK_DIR/server.key \
    -out $WORK_DIR/server.csr

# extensions for the server certificate: the SAN covers the apex and one wildcard level
cat > $WORK_DIR/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$DOMAIN
DNS.2=*.$DOMAIN
EOF

# sign the request with the CA
openssl x509 -req -sha512 -days 3650 \
    -extfile $WORK_DIR/v3.ext \
    -CA $WORK_DIR/ca.crt -CAkey $WORK_DIR/ca.key -CAcreateserial \
    -in $WORK_DIR/server.csr \
    -out $WORK_DIR/server.crt

openssl x509 -inform PEM -in $WORK_DIR/server.crt -out $WORK_DIR/$DOMAIN.cert

mkdir -p ./$DOMAIN
cp $WORK_DIR/server.key $WORK_DIR/server.crt ./$DOMAIN

A few things to know before relying on this script. The CA and the server certificate are given the identical subject DN (both CN=$DOMAIN), so the server certificate's subject equals its issuer; give the CA its own CN (for example "$DOMAIN CA") so that chain builders cannot mistake the leaf for a self-issued certificate. The CA key and certificate stay in the temporary directory and are never copied out, so every run creates a brand-new CA: no further certificates can be issued under the previous one, and each new ca.crt has to be imported into the client's trust store again; keep ca.key and ca.crt if you want one CA for several hosts. The `openssl x509 -inform PEM ... -out $DOMAIN.cert` line is a PEM-to-PEM copy that nothing uses. Finally, `openssl genrsa` creates server.key with the current umask, typically world-readable; run the script under `umask 077` or `chmod 600` the copied key.

To generate a certificate for example.com, run:

./gencert.sh example.com

The resulting directory layout is:

.
├── example.com
│   ├── server.crt
│   └── server.key
└── gencert.sh

Then inspect the wildcard certificate (the Subject Alternative Name section should list both the apex domain and the wildcard):

for i in $(find . -maxdepth 2 -name "*.crt"); do openssl x509 -in "$i" -text -noout; done

IV. Exporting the certificates

sz server.crt server.key

`sz` (from the lrzsz package) sends the files over ZMODEM to a terminal emulator that supports it, such as Xshell or SecureCRT; over a plain ssh session use `scp` instead. Whichever way the private key travels, it should only ever move over an encrypted channel, and it needs mode 0600 again at the destination.

Reference: 為域名快速生成自簽名證書 (Quickly generating a self-signed certificate for a domain), 簡書 (Jianshu), the source of the gencert.sh script in section III.
