
Self-signed certificates with openssl

zhengcog · about 4 min read · Security, Server, Certificates, SSL

Introduction

  • OpenSSL is an implementation of the SSL/TLS protocols and a toolkit around them.
  • key is the private key file, used to encrypt data sent to the client and to decrypt data received from the client.
  • csr is the certificate signing request file, submitted to a certificate authority (CA) to have the certificate signed.
  • crt is the certificate signed by the CA (or self-signed by the developer); it contains the holder's identity, the holder's public key, the signer's signature and related information.

Becoming a CA (generating the root certificate)

A self-signed CA certificate must be installed on every client that should trust it.

Generate the root certificate private key

openssl genrsa -des3 -out MySuperCA.origin.key 2048

Tip

openssl genrsa generates an RSA private key only; no separate public key file is written, because the public key is derived from the private key.
-des3 is the cipher used to encrypt the key file.
2048 is the key length in bits.
Adding the -nodes option disables encryption, in which case the passphrase-removal step below is not needed.

Remove the passphrase from the root private key

openssl rsa -in MySuperCA.origin.key -out MySuperCA.key
# MySuperCA.key is the private key without a passphrase

Generate the root certificate

openssl req -utf8 -x509 -new -nodes -key MySuperCA.key -sha256 -days 36500 -out MySuperCA.pem

Complete shell script for generating the root certificate

Enter the domain name, private key passphrase, organization, common name and so on when prompted

vi genca.sh

# --- paste from here ---
#!/bin/sh

# Become a CA

echo "Becoming a CA..."

openssl genrsa -des3 -out MySuperCA.origin.key 2048

echo "Removing the passphrase from the private key..."

openssl rsa -in MySuperCA.origin.key -out MySuperCA.key

echo "Generating the pem file..."

openssl req -utf8 -x509 -new -nodes -key MySuperCA.key -sha256 -days 36500 -out MySuperCA.pem

echo "You are now a CA; sign certificates with MySuperCA.pem"
# --- paste until here ---

Generating the domain SSL certificate

Generate the server private key

openssl genrsa -des3 -out server.key 2048

genrsa only asks for the passphrase that protects server.key. The subject prompts below are shown by openssl req -new when it is run without -subj (the CSR command in the next step passes -subj, so they are skipped):

Country Name (2 letter code) [AU]:
State or Province Name (full name) []:
Locality Name (for example, city) []:
Organization Name (for example, company) []:
Organizational Unit Name (for example, section) []:
Common Name (e.g. server FQDN or YOUR name) []: your domain name
Email Address []:

Tip

Common Name is required and should match the domain name, otherwise the browser shows a warning; the other fields are optional

Create the server certificate signing request (CSR)

openssl req -new -subj "/C=CN/ST=GD/L=GuangZhou/O=SuperNETWorkstation/CN=<your-domain>" -key server.key -out server.csr

Remove the passphrase from the server private key

mv server.key server.origin.key
openssl rsa -in server.origin.key -out server.key

Create the certificate extension file

>server.ext cat <<-EOF

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = www.sougou.com # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.1.222 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF

Tip

Chrome checks whether the current domain is declared in the certificate; that declaration is made by the subjectAltName field

Generate the server SSL certificate

openssl x509 -req -days 3650 -in server.csr -CA MySuperCA.pem -CAkey MySuperCA.key -CAcreateserial -out server.crt -sha256 -extfile server.ext

The resulting server.key and server.crt are the domain's SSL certificate; deploy them to nginx or another web server.

Tip

The root certificate MySuperCA.pem must be installed on the client (browser etc.) and marked as trusted. Otherwise the browser cannot recognise the root, reports the connection as not secure and blocks the request.

Complete shell script for generating the domain certificate

Enter the domain name, private key passphrase, organization, country, province, city, common name and so on when prompted

vi genssl.sh

# --- paste from here ---
#!/bin/sh

# create self-signed server certificate:

# read -p is not POSIX; prompt with printf so the script runs under /bin/sh
printf 'Enter your domain [www.example.com]: '
read DOMAIN
DOMAIN=${DOMAIN:-www.example.com}

echo "Generating private key..."

openssl genrsa -des3 -out "$DOMAIN.key" 2048

echo "Create server certificate signing request..."

# Common Name should match the domain name, otherwise the browser shows a warning

SUBJECT="/C=CN/ST=GD/L=GuangZhou/O=SuperNETWorkstation/CN=$DOMAIN"

openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"

echo "Remove password..."

mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"

echo "Create extension file..."

>"$DOMAIN.ext" cat <<-EOF

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
#DNS.2 = www.sougou.com # Optionally, add additional domains (I've added a subdomain here)
#IP.1 = 192.168.1.222 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF

## Chrome checks whether the current domain is declared in the certificate, via the subjectAltName field.
## A host name belongs in a DNS.N entry; IP.N accepts IP addresses only, so the extension file above puts $DOMAIN in DNS.1.

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -in "$DOMAIN.csr" -CA MySuperCA.pem -CAkey MySuperCA.key -CAcreateserial -out "$DOMAIN.crt" -sha256 -extfile "$DOMAIN.ext"

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/conf.d/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/conf.d/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/conf.d/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/conf.d/ssl/$DOMAIN.key;"
echo "}"
# --- paste until here ---
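As an added example (not code from the original post), the two scripts above condensed into non-interactive functions, followed by the check a browser with the root installed performs: the certificate must chain to MySuperCA.pem and the hostname must appear in subjectAltName. File names follow the article; the extension lists are trimmed to what a TLS server needs, the unencrypted-key path is used (no -des3, so no passphrase removal), and the current directory is assumed to be writable.

```shell
#!/bin/sh
# Added example: the CA and server-certificate steps as non-interactive
# functions plus a verification step. Not part of the original post.
set -eu

# Root CA: unencrypted key (no -des3, so no passphrase-removal step) and a
# self-signed certificate explicitly marked CA:TRUE.
make_ca() {
    openssl genrsa -out MySuperCA.key 2048 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' >MySuperCA.ext
    openssl req -new -key MySuperCA.key -subj '/O=SuperNETWorkstation/CN=MySuperCA' -out MySuperCA.csr
    openssl x509 -req -days 36500 -sha256 -in MySuperCA.csr -signkey MySuperCA.key \
        -extfile MySuperCA.ext -out MySuperCA.pem 2>/dev/null
}

# Server certificate for domain $1; extra hostnames in $2, $3, ... become
# DNS.2, DNS.3, ... Host names go in DNS.N (not IP.N), which is the field
# Chrome actually matches against.
issue_cert() {
    domain=$1; shift
    openssl genrsa -out "$domain.key" 2048 2>/dev/null
    openssl req -new -key "$domain.key" \
        -subj "/C=CN/ST=GD/L=GuangZhou/O=SuperNETWorkstation/CN=$domain" -out "$domain.csr"
    {
        printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
            'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
            'subjectAltName=@alt_names' '[alt_names]' "DNS.1 = $domain"
        n=2
        for san in "$@"; do printf 'DNS.%d = %s\n' "$n" "$san"; n=$((n + 1)); done
    } >"$domain.ext"
    openssl x509 -req -days 3650 -sha256 -in "$domain.csr" -CA MySuperCA.pem \
        -CAkey MySuperCA.key -CAcreateserial -extfile "$domain.ext" -out "$domain.crt" 2>/dev/null
}

# Exit 0 only if certificate $2 chains to MySuperCA.pem and is valid for
# hostname $1: the two checks a browser with the root installed performs.
check_cert() {
    openssl verify -CAfile MySuperCA.pem -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Usage: sh gen_and_check.sh example.com www.example.com
if [ "$#" -gt 0 ]; then
    make_ca
    issue_cert "$@"
    check_cert "$1" "$1.crt" || { echo "FAIL: $1.crt is not trusted for $1" >&2; exit 1; }
    echo "OK: $1.crt chains to MySuperCA.pem and matches $1"
fi
```

Passing a hostname that is not in subjectAltName to check_cert makes openssl verify fail, which is exactly the browser warning the tips above describe.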

Installing the root certificate on clients

macOS

Double-click the root certificate (MySuperCA.pem in this article) to add it to the Keychain, then mark it as trusted in Keychain Access.

Linux

1. Debian/Ubuntu

  • Copy your certificate to /usr/local/share/ca-certificates/ (update-ca-certificates only picks up files with a .crt extension there, so rename it on copy)
    sudo cp MySuperCA.pem /usr/local/share/ca-certificates/MySuperCA.crt
  • Update the certificate store
    sudo update-ca-certificates

2. RHEL/Fedora/CentOS

  • Copy your certificate to /etc/pki/ca-trust/source/anchors/
    sudo cp MySuperCA.pem /etc/pki/ca-trust/source/anchors/
  • Update the certificate store
    sudo update-ca-trust

3. openSUSE/SUSE

  • Copy your certificate to /etc/pki/trust/anchors/
    sudo cp MySuperCA.pem /etc/pki/trust/anchors/
  • Update the certificate store
    sudo update-ca-certificates

4. Alpine Linux

  • Copy your certificate to /etc/ssl/certs/
    sudo cp MySuperCA.pem /etc/ssl/certs/
  • Update the certificate store
    sudo update-ca-certificates
Contributors: Hyman