Issuing self-signed IP certificates with OpenSSL
In day-to-day project delivery the same situation keeps coming up: some unified-communications services need to run over HTTPS, which means an SSL certificate has to be issued.
Given project budgets, that usually means a locally issued self-signed IP certificate: use openssl to generate a root certificate, sign the server certificate with it, and install the root certificate so the browser trusts the self-signed certificate.
- Environment: CentOS 7.9
- IPs: 172.16.10.110, 111.111.111.111
Create the certificate script: ssl.sh
[root@all ~]# mkdir ssl
[root@all ~]# cd ssl
[root@all ssl]# vim ssl.sh
Contents of the script:
#!/bin/sh
# Generate the openssl configuration files.
# Both IPs the service is reached on go into subjectAltName; browsers match an
# https://IP URL against the SAN, not against the CN.
echo "创建openssl.cnf------------------->"
cat > openssl.cnf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = HN
localityName = Locality Name (eg, city)
localityName_default = ZZ
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = tx
commonName = commonName
commonName_default = tx
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
# The server requests an end-entity certificate (CA:FALSE). The extensions that
# actually end up in server.crt come from v3.ext below: openssl x509 -req does
# not copy extensions out of the CSR.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 172.16.10.110
IP.2 = 111.111.111.111
EOF
echo "创建v3.ext------------------->"
# Extensions applied when the CA signs server.crt: end-entity only, same two IPs.
cat > v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = 172.16.10.110
IP.2 = 111.111.111.111
EOF
echo "创建CA 根证书------------------------->"
echo "创建私钥 ca.key"
# ca.key signs every certificate the browsers will later trust; keep it readable
# by root only.
openssl genrsa -out ca.key 2048
echo "创建CA证书 ca.crt"
# Self-signed 10-year root. No -config here, so the system openssl.cnf is used
# and the DN is entered interactively (see the session below).
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
echo "生成服务器证书----------------->"
echo "创建私钥 server.key"
openssl genrsa -out server.key 2048
echo "创建服务器证书请求文件 server.csr"
# -days has no effect on a CSR; the validity is set when the CA signs below.
openssl req -new -days 3650 -key server.key -out server.csr -config openssl.cnf
echo "创建服务器证书 server.crt"
# Sign the CSR with the root, applying v3.ext; -CAcreateserial writes ca.srl.
openssl x509 -days 3650 -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
echo "创建pem------------------------>"
# Certificate and private key in one file, for servers that expect that layout.
cat server.crt server.key > server.pem
echo "创建p12----------------------->"
# PKCS#12 bundle (certificate + key) for Windows/Java imports; prompts for an
# export password.
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "server"
Issuing the certificates (output of running ssl.sh):
创建openssl.cnf------------------->
创建v3.ext------------------->
创建CA 根证书------------------------->
创建私钥 ca.key
Generating RSA private key, 2048 bit long modulus
.........................+++
.......+++
e is 65537 (0x10001)
创建CA证书 ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:fx
Locality Name (eg, city) [Default City]:fx
Organization Name (eg, company) [Default Company Ltd]:fx
Organizational Unit Name (eg, section) []:fx
Common Name (eg, your name or your server's hostname) []:fx
Email Address []:
生成服务器证书----------------->
创建私钥 server.key
Generating RSA private key, 2048 bit long modulus
...................................................+++
....................+++
e is 65537 (0x10001)
创建服务器证书请求文件 server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [HN]:fx
Locality Name (eg, city) [ZZ]:fx
Organizational Unit Name (eg, section) [tx]:fx
commonName [tx]:fx
创建服务器证书 server.crt
Signature ok
subject=/C=CN/ST=fx/L=fx/OU=fx/CN=fx
Getting CA Private Key
创建pem------------------------>
创建p12----------------------->
Enter Export Password:
Verifying - Enter Export Password:
The issued files now in the ssl directory: ca.key, ca.crt, ca.srl, server.key, server.csr, server.crt, server.pem and server.p12.
Install the root certificate so the browser trusts the self-signed certificate.
Import the server.crt generated above into the local machine.
Import guide: https://jingyan.baidu.com/article/ca41422fda393f5faf99ed0d.html
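A non-interactive reproduction of the same root-to-server chain together with the checks worth running on the result, added here as an example (it is not part of the original post or its ssl.sh). It assumes OpenSSL 1.1.1 or later (for -verify_ip) and a writable directory; the directory, IP and DN values are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: build the same root -> server
# chain as ssl.sh without prompts, then verify what was issued.
# Assumes OpenSSL 1.1.1+ (for -verify_ip) and a writable directory "$1".
set -e

# Unattended equivalent of ssl.sh: CA DN and server DN come from -subj, the
# CA extensions from an inline config so the root is a real CA even when
# no system openssl.cnf is present.
make_ip_chain() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/req.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -config "$dir/req.cnf" -subj "/C=CN/O=tx/CN=tx-root" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/req.cnf" -subj "/C=CN/O=tx/CN=tx-server" 2>/dev/null
    # Same role as the post's v3.ext: end-entity only, the IP in subjectAltName.
    printf 'authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$ip" > "$dir/v3.ext"
    openssl x509 -req -days 3650 -sha256 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/v3.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if server.crt chains to ca.crt AND is valid for this IP;
# browsers match an https://IP URL against subjectAltName, never the CN.
check_ip_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}

# Returns 0 if the issued leaf is not itself a CA, i.e. the extensions from
# v3.ext (not whatever the CSR asked for) are what ended up in server.crt.
leaf_is_not_ca() {
    ! openssl x509 -in "$1/server.crt" -noout -text | grep -q 'CA:TRUE'
}
```

check_ip_cert uses ca.crt as the trust anchor, which is the root the browser has to trust for the same check to pass in the address bar.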