ssl自签名CA证书
ssl自签名CA证书
openssl.cnf基础配置
vim openssl.cnf
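# openssl.cnf - request / extension profile consumed by gen_ca.sh.
#
#   openssl req -x509 -config openssl.cnf ...                  -> CA cert, extensions from [v3_ca]
#   openssl req -new  -config openssl.cnf ...                  -> server CSR, extensions from [req_ext]
#   openssl x509 -req -extensions v3_req -extfile openssl.cnf  -> server cert, extensions from [v3_req]
[req]
default_bits = 2048
# Pin the signature digest instead of relying on the toolkit default.
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
# Extensions for the self-signed CA (openssl req -x509). This used to point at
# v3_req, so the CA cert carried no basicConstraints / keyUsage and got the
# server's SAN list instead. Strict verifiers reject a CA without CA:TRUE.
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = ShangHai
localityName = MinHang
organizationName = CwFlinkTeam
# NOTE(review): this DN is used by every request made with -config, so the
# server CSR ends up with the same subject (CN=SelfCA) as the CA itself unless
# -subj overrides it. A leaf whose subject equals its issuer is confusing for
# chain building; give the server its own CN.
commonName = SelfCA
# Self-signed CA profile: a CA, may not issue sub-CAs, signs certs and CRLs only.
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Extensions embedded in the CSR. `openssl x509 -req` ignores these unless the
# signer re-applies them via -extfile, which gen_ca.sh does with [v3_req].
[req_ext]
subjectAltName = @alt_names
# Server (leaf) profile applied at signing time.
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
# Names the server certificate is valid for. Clients match on SAN, not CN.
[alt_names]
IP.1 = 192.168.33.22
DNS.1 = node-22
DNS.2 = mqtt-iot.com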
生成自签名的CA key和证书
vim gen_ca.sh
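#!/bin/sh
# gen_ca.sh - create a self-signed CA plus one server and one client
# certificate issued by it. Run from the directory that holds openssl.cnf.
#
# Outputs (current directory): ca.key/ca.pem, server.key/.csr/.pem,
# client.key/.csr/.pem and ca.srl.
#
# Environment:
#   FORCE=1     allow an existing ca.key to be wiped and regenerated. Every
#               certificate already issued by the old CA stops validating the
#               moment the CA changes, so this is refused by default.
#   SERVER_CN   optional subject CN for the server certificate. Without it the
#               server CSR takes its DN from openssl.cnf, i.e. the CA's own
#               subject, so the leaf ends up with subject == issuer.
set -eu

# genrsa writes keys with the current umask; create them 0600 from the start
# instead of relying on a later chmod (the original left keys world-readable).
umask 077

if [ -e ca.key ] && [ "${FORCE:-0}" != 1 ]; then
  printf 'ca.key exists; set FORCE=1 to regenerate the CA (invalidates every issued cert)\n' >&2
  exit 1
fi

rm -f ca.* server.* client.*

# --- CA ------------------------------------------------------------------
# NOTE: the CA key is stored in the clear (genrsa without -aes256), so anyone
# who can read ca.key can mint certificates this broker trusts. Keep it off
# the broker host, or encrypt it when the script is run interactively.
openssl genrsa -out ca.key 2048
# Extensions for the self-signed cert come from x509_extensions in openssl.cnf;
# that section must carry basicConstraints=CA:TRUE for this to be a real CA.
openssl req -x509 -new -config openssl.cnf -nodes -key ca.key -sha256 -days 3650 -out ca.pem

# --- Server --------------------------------------------------------------
openssl genrsa -out server.key 2048
if [ -n "${SERVER_CN:-}" ]; then
  openssl req -new -key server.key -config openssl.cnf \
    -subj "/C=CN/ST=ShangHai/L=MinHang/O=CwFlinkTeam/CN=${SERVER_CN}" -out server.csr
else
  openssl req -new -key server.key -config openssl.cnf -out server.csr
fi
# SAN and the other leaf extensions are re-applied from [v3_req]; a CSR's own
# extensions are dropped by `openssl x509 -req` unless -extfile is given.
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

# --- Client --------------------------------------------------------------
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr \
  -subj "/C=CN/ST=ShangHai/L=MinHang/O=CwFlinkTeam/CN=node-22"
# -sha256 made explicit; the original left the digest to the toolkit default.
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.pem

# Certificates are public; keys stay 0600. The broker's runtime user still has
# to read server.key - chown it to that user rather than widening the mode.
chmod 644 ca.pem server.pem client.pem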
证书文件权限
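# Fix modes on the certificate directories. The original `chmod -R 755` made
# every file - private keys included - world-readable. Directories 755,
# certificates/CSRs 644, keys 600.
# The broker (emqx) must still be able to read its own key: set CERT_OWNER to
# the uid[:gid] it runs as and the tree is chown'ed to it instead of opened up.
for d in certs /root/emqx-v2/etc/certs/m2; do
  if [ ! -d "$d" ]; then
    printf 'skip: %s is not a directory\n' "$d" >&2
    continue
  fi
  find "$d" -type d -exec chmod 755 {} +
  find "$d" -type f ! -name '*.key' -exec chmod 644 {} +
  find "$d" -type f -name '*.key' -exec chmod 600 {} +
  if [ -n "${CERT_OWNER:-}" ]; then
    chown -R -- "$CERT_OWNER" "$d"
  fi
done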
生成客户端key和证书
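# One-off: issue a second client identity ("client-a") from the existing CA.
# Same profile as the client step in gen_ca.sh. Note the CN is still node-22,
# so the broker cannot tell client-a from client by subject - only the key
# differs. Subshell so the umask does not leak into the interactive session.
(
  umask 077
  openssl genrsa -out client-a.key 2048
  openssl req -new -key client-a.key -out client-a.csr \
    -subj "/C=CN/ST=ShangHai/L=MinHang/O=CwFlinkTeam/CN=node-22"
  # -sha256 made explicit instead of the toolkit default.
  openssl x509 -req -days 3650 -sha256 -in client-a.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out client-a.pem
  chmod 644 client-a.pem
)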
m1 m2
:2464,2466s/m1/m2/g
:2464,2466s/m2/m1/g
docker restart emqx-v2
vim gen_clientKey.sh
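#!/bin/sh
# gen_clientKey.sh - issue one client certificate signed by ./ca.pem.
#
# Usage: gen_clientKey.sh [client_name]
#   client_name  basename for the .key/.csr/.pem files. Limited to
#                [A-Za-z0-9._-] and may not start with '-' because it is
#                spliced into openssl arguments. Defaults to client_NNNNN with
#                a random 5-digit suffix.
# Environment:
#   CLIENT_CN    subject CN written into the certificate. Defaults to node-22,
#                the value the original hard-coded. NOTE: with the default every
#                client shares one CN, so the broker cannot authorise per client
#                by subject - set CLIENT_CN per client if it is used that way.
#
# POSIX sh on purpose: the page invokes this with `sh`, where $RANDOM is unset.
set -eu

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Random 5-digit suffix from /dev/urandom (4 bytes reduced mod 100000). The
# original used $RANDOM % 100000, which tops out at 32767 under bash and is
# always 0 under dash.
random_client_name() {
  printf 'client_%05d' "$(( $(od -An -N4 -tu4 /dev/urandom | tr -d ' ') % 100000 ))"
}

client_name="${1:-}"
if [ -z "$client_name" ]; then
  client_name="$(random_client_name)"
fi
case "$client_name" in
  -*|*[!A-Za-z0-9._-]*) die "invalid client name: $client_name" ;;
esac

client_cn="${CLIENT_CN:-node-22}"
case "$client_cn" in
  */*) die "CLIENT_CN may not contain '/'" ;;
esac

for f in ca.pem ca.key; do
  [ -r "$f" ] || die "missing or unreadable $f in $PWD"
done

printf '%s\n' "$client_name"

# Key is created 0600 via umask; the certificate is made world-readable below.
umask 077
openssl genrsa -out "${client_name}.key" 2048
openssl req -new -key "${client_name}.key" -out "${client_name}.csr" \
  -subj "/C=CN/ST=ShangHai/L=MinHang/O=CwFlinkTeam/CN=${client_cn}"
# -sha256 made explicit; the original left the digest to the toolkit default.
openssl x509 -req -days 3650 -sha256 -in "${client_name}.csr" \
  -CA ca.pem -CAkey ca.key -CAcreateserial -out "${client_name}.pem"
chmod 644 "${client_name}.pem"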
sh gen_clientKey.sh client-a
https://zhuanlan.zhihu.com/p/98636736?utm_id=0
完整shell
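#!/bin/sh
# gen_ca.sh - create a self-signed CA plus one server and one client
# certificate issued by it. Run from the directory that holds openssl.cnf.
#
# Outputs (current directory): ca.key/ca.pem, server.key/.csr/.pem,
# client.key/.csr/.pem and ca.srl.
#
# Environment:
#   FORCE=1     allow an existing ca.key to be wiped and regenerated. Every
#               certificate already issued by the old CA stops validating the
#               moment the CA changes, so this is refused by default.
#   SERVER_CN   optional subject CN for the server certificate. Without it the
#               server CSR takes its DN from openssl.cnf, i.e. the CA's own
#               subject, so the leaf ends up with subject == issuer.
set -eu

# genrsa writes keys with the current umask; create them 0600 from the start
# instead of relying on a later chmod (the original left keys world-readable).
umask 077

if [ -e ca.key ] && [ "${FORCE:-0}" != 1 ]; then
  printf 'ca.key exists; set FORCE=1 to regenerate the CA (invalidates every issued cert)\n' >&2
  exit 1
fi

rm -f ca.* server.* client.*

# --- CA ------------------------------------------------------------------
# NOTE: the CA key is stored in the clear (genrsa without -aes256), so anyone
# who can read ca.key can mint certificates this broker trusts. Keep it off
# the broker host, or encrypt it when the script is run interactively.
openssl genrsa -out ca.key 2048
# Extensions for the self-signed cert come from x509_extensions in openssl.cnf;
# that section must carry basicConstraints=CA:TRUE for this to be a real CA.
openssl req -x509 -new -config openssl.cnf -nodes -key ca.key -sha256 -days 3650 -out ca.pem

# --- Server --------------------------------------------------------------
openssl genrsa -out server.key 2048
if [ -n "${SERVER_CN:-}" ]; then
  openssl req -new -key server.key -config openssl.cnf \
    -subj "/C=CN/ST=ShangHai/L=MinHang/O=CwFlinkTeam/CN=${SERVER_CN}" -out server.csr
else
  openssl req -new -key server.key -config openssl.cnf -out server.csr
fi
# SAN and the other leaf extensions are re-applied from [v3_req]; a CSR's own
# extensions are dropped by `openssl x509 -req` unless -extfile is given.
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.pem -days 3650 -sha256 -extensions v3_req -extfile openssl.cnf

# --- Client --------------------------------------------------------------
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr \
  -subj "/C=CN/ST=ShangHai/L=MinHang/O=CwFlinkTeam/CN=node-22"
# -sha256 made explicit; the original left the digest to the toolkit default.
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.pem

# Certificates are public; keys stay 0600. The broker's runtime user still has
# to read server.key - chown it to that user rather than widening the mode.
chmod 644 ca.pem server.pem client.pem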
vim gen_ca.sh
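# Fix modes on the certificate directories. The original `chmod -R 755` made
# every file - private keys included - world-readable. Directories 755,
# certificates/CSRs 644, keys 600.
# The broker (emqx) must still be able to read its own key: set CERT_OWNER to
# the uid[:gid] it runs as and the tree is chown'ed to it instead of opened up.
for d in certs /root/emqx-v2/etc/certs/m2; do
  if [ ! -d "$d" ]; then
    printf 'skip: %s is not a directory\n' "$d" >&2
    continue
  fi
  find "$d" -type d -exec chmod 755 {} +
  find "$d" -type f ! -name '*.key' -exec chmod 644 {} +
  find "$d" -type f -name '*.key' -exec chmod 600 {} +
  if [ -n "${CERT_OWNER:-}" ]; then
    chown -R -- "$CERT_OWNER" "$d"
  fi
done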
vim openssl.cnf
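# openssl.cnf - request / extension profile consumed by gen_ca.sh.
#
#   openssl req -x509 -config openssl.cnf ...                  -> CA cert, extensions from [v3_ca]
#   openssl req -new  -config openssl.cnf ...                  -> server CSR, extensions from [req_ext]
#   openssl x509 -req -extensions v3_req -extfile openssl.cnf  -> server cert, extensions from [v3_req]
[req]
default_bits = 2048
# Pin the signature digest instead of relying on the toolkit default.
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
# Extensions for the self-signed CA (openssl req -x509). This used to point at
# v3_req, so the CA cert carried no basicConstraints / keyUsage and got the
# server's SAN list instead. Strict verifiers reject a CA without CA:TRUE.
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = ShangHai
localityName = MinHang
organizationName = CwFlinkTeam
# NOTE(review): this DN is used by every request made with -config, so the
# server CSR ends up with the same subject (CN=SelfCA) as the CA itself unless
# -subj overrides it. A leaf whose subject equals its issuer is confusing for
# chain building; give the server its own CN.
commonName = SelfCA
# Self-signed CA profile: a CA, may not issue sub-CAs, signs certs and CRLs only.
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Extensions embedded in the CSR. `openssl x509 -req` ignores these unless the
# signer re-applies them via -extfile, which gen_ca.sh does with [v3_req].
[req_ext]
subjectAltName = @alt_names
# Server (leaf) profile applied at signing time.
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
# Names the server certificate is valid for. Clients match on SAN, not CN.
[alt_names]
IP.1 = 192.168.33.22
DNS.1 = node-22
DNS.2 = mqtt-iot.com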
