OpenSSL self-signed certificate configuration
1. Edit the openssl configuration file
vi /etc/pki/tls/openssl.cnf
# Make sure the following two lines exist under [ req ] (the first is present by default; the second is commented out by default)
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Make sure there are no 0.xxx labels under [ req_distinguished_name ]; if there are, strip the leading "0." from them
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ShangHai
localityName = Locality Name (eg, city)
localityName_default = ShangHai
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
# Add the last line, subjectAltName = @alt_names (the first two lines exist by default)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Add the alt_names section. Note the spaces inside the brackets. Add as many IP.x and DNS.x entries as you need; if there is no domain name, use only IP.x entries
[ alt_names ]
IP.1 = 192.168.100.173
IP.2 = 192.168.100.114
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
2. Create the initial files and directories:
openssl.cnf expects certain files and directories to exist:
cd /etc/pki/CA
mkdir -p {certs,crl,newcerts,private}
touch index.txt
echo 00 > serial
Notes:
When issuing certificates to clients, two files are required: /etc/pki/CA/index.txt and /etc/pki/CA/serial. The former stores information about the certificates already issued; the latter stores the serial number of the next certificate to be issued.
The files and directories under /etc/pki/CA serve the following purposes:
- certs: the directory where issued certificates are stored.
- crl: the directory where certificate revocation list files are stored.
- index.txt.attr: configuration for whether certificate subject information must be unique.
- index.txt.old: the information from the previous certificate issuance.
- newcerts: issued certificates, named by serial number. Each time a certificate is issued, in addition to the certificate written under the path and name we specify, a copy named after its serial number is created automatically in newcerts; its contents are identical to the certificate stored at the path we specified.
- private: private key files.
- serial.old: the serial number from the previous certificate issuance.
3. Create the CA self-signed certificate
3.1 Create the key
The key must be located at /etc/pki/CA/private/cakey.pem, which is the path specified in openssl.cnf.
openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
3.2 Issue the self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
--------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:SHANXI # province
Locality Name (eg, city) [Default City]:XIAN # city
Organizational Unit Name (eg, section) []:YINGDA # department
Common Name (eg, your name or your server's hostname) []:192.168.100.173 # domain name
Email Address []: # may be left empty
- -new: generate a new certificate signing request
- -x509: used by a CA to generate a self-signed certificate
- -key: the private key file used when generating the request
- -days n: validity period of the certificate, in days
- -out /PATH/TO/SOMECERTFILE: path where the certificate is saved
The generated cacert.pem file is the root certificate. On Windows, rename the file to cacert.crt and double-click it to import it into the operating system.
4. Create the client certificate
4.1 Generate the private key
openssl genrsa -out app.key 2048
4.2 Generate the certificate signing request
openssl req -new -key app.key -out app.csr -config /etc/pki/tls/openssl.cnf
4.3 Have the CA sign and issue the certificate
openssl x509 -req -in app.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out /etc/pki/CA/certs/app.crt -days 7300 -sha256 -extensions v3_req -extfile /etc/pki/tls/openssl.cnf
------------------------------
Signature ok
subject=/C=CN/ST=SHANXI/L=XIAN/OU=YINGDA/CN=192.168.100.114
Getting CA Private Key
- Common Name (eg, your name or your server's hostname) is the domain name, subdomain, or hostname for which the SSL certificate is being requested
4.4 Generate the personal certificate
openssl pkcs12 -inkey app.key -in /etc/pki/CA/certs/app.crt -export -out /etc/pki/CA/certs/app.pfx
- Enter a password when prompted
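The following script is an added example, not part of the original post: it runs steps 1 through 4.4 above end to end in a scratch directory, using a minimal openssl.cnf that contains only the sections the procedure touches, and then checks the artifacts the way a reviewer would (the leaf verifies against the root, the root carries CA:TRUE, the SAN entries from alt_names are actually in the signed certificate, and the PKCS#12 bundle opens). It assumes the openssl CLI is on PATH; the addresses, names and the password "changeit" are constructed sample values, and the function name build_and_verify_chain is this example's own.

```shell
#!/bin/sh
# Added example, not the original post's code: runs the CA + client-certificate
# procedure in a scratch directory and verifies the result.
# Assumptions: openssl CLI on PATH; all addresses, names and the PKCS#12 password
# are constructed sample values.

build_and_verify_chain() (
    set -e
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # Minimal equivalent of the edited /etc/pki/tls/openssl.cnf.  prompt = no takes the
    # DN from the file instead of asking interactively; x509_extensions = v3_ca is what
    # the stock config applies to a self-signed (-x509) certificate.
    cat > openssl.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca

[ req_distinguished_name ]
C = CN
ST = ShangHai
L = ShangHai
OU = Domain Control Validated
CN = 192.168.100.114

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.100.173
IP.2 = 192.168.100.114
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
EOF

    # Step 3: CA key and self-signed root.  -subj overrides the file's DN so the root
    # does not share a subject with the leaf it signs (constructed sample names).
    openssl genrsa -out cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 7300 \
        -config openssl.cnf -subj "/C=CN/ST=ShangHai/O=Example Lab/CN=Example Lab Root CA"

    # Steps 4.1-4.3: leaf key, CSR, CA-signed certificate.  "openssl x509 -req" does not
    # copy extensions out of the CSR, so the SAN must come from -extensions/-extfile.
    openssl genrsa -out app.key 2048 2>/dev/null
    openssl req -new -key app.key -out app.csr -config openssl.cnf
    openssl x509 -req -in app.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -out app.crt -days 7300 -sha256 -extensions v3_req -extfile openssl.cnf 2>/dev/null

    # Step 4.4: PKCS#12 bundle, password supplied non-interactively (placeholder value).
    openssl pkcs12 -inkey app.key -in app.crt -export -out app.pfx -passout pass:changeit

    # Checks: chain validity, CA flag on the root, SAN present in the leaf, bundle opens.
    openssl verify -CAfile cacert.pem app.crt >/dev/null
    openssl x509 -in cacert.pem -noout -text | grep -q 'CA:TRUE'
    san=$(openssl x509 -in app.crt -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    openssl pkcs12 -in app.pfx -passin pass:changeit -nokeys -clcerts 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'

    # Report the SAN line of the signed leaf so the caller can inspect it.
    echo "$san"
)

build_and_verify_chain
```

The SAN check is the one worth keeping around: modern TLS clients match the hostname or IP against subjectAltName rather than Common Name, so a leaf signed without -extensions v3_req -extfile ... verifies cleanly yet is still rejected by browsers. Note also that -CAcreateserial writes a cacert.srl file next to the CA certificate; the /etc/pki/CA/serial and index.txt files created in step 2 are only consulted by the openssl ca subcommand, not by openssl x509 -req.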
4.5 Enable SSL in Spring Boot
Add the following to the application.yml configuration file:
server:
  ssl:
    key-store: app.pfx
    key-store-password: password
    key-store-type: PKCS12
Sources:
https://www.cnblogs.com/qiuhom-1874/p/12237944.html
https://www.cnblogs.com/f-ck-need-u/p/6091027.html