openssl签发证书
openssl签发证书
1、SSL证书配置使用者可选名称
- 修改openssl.conf
vim /etc/pki/tls/openssl.cnf
- 确保req下存在以下2行(默认第一行是有的,第2行被注释了)
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
- 确保req_distinguished_name下没有 0.xxx 的标签,有的话把0.xxx的0. 去掉
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = ShangHai
localityName = Locality Name (eg, city)
localityName_default = ShangHai
organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
- 新增最后一行内容 subjectAltName = @alt_names(前2行默认存在)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
- 新增 alt_names,注意括号前后的空格,DNS.x 的数量可以自己加
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
DNS.3 = ex.abcexpale.net
- 创建相关目录
mkdir -p /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/index.txt
echo 00 > /etc/pki/CA/serial
2、生成CA根证书ca.key并自签署
openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt -config /etc/pki/tls/openssl.cnf
3、生成RSA私钥server.key
openssl genrsa -des3 -out server.key 2048
4、生成服务器证书签名请求server.csr
openssl req -new -key server.key -out server.csr -config /etc/pki/tls/openssl.cnf
查看请求文件:
openssl req -in server.csr -noout -text
5、使用自签署的CA,签署server.scr
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -extensions v3_req -config /etc/pki/tls/openssl.cnf
参考文档连接
https://my.oschina.net/jsan/blog/643653
https://www.cnblogs.com/tugenhua0707/p/10927722.html
https://www.cnblogs.com/wyzhou/p/9738964.html
浙公网安备 33010602011771号