生成自签名证书,首先要有一个根证书中心,本人选择一台centos6服务器作为CA中心
1.进入根目录
[root@SH-DEV1 SSL]# cd /etc/pki/CA/
2.编辑配置文件
[root@SH-DEV1 CA]# vim /etc/pki/tls/openssl.cnf
找到dir那一行,将其改成CA的具体路径
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
其中newcerts,index.txt,serial在CA目录下都不存在,需要手动建立
[root@SH-DEV1 CA]# mkdir newcerts
[root@SH-DEV1 CA]# vim index.txt
[root@SH-DEV1 CA]# echo 01 > /etc/pki/CA/serial
3.生成根密钥,生成过程中会提示输入密码,此处密码需要记住,之后签名时会用到
[root@SH-DEV1 CA]# openssl genrsa -des3 -out server.key 20484.生成根证书,生成中会让你填入上一步生成密钥时的密码,填入即可,其后会要求填入一些信息,相应填入即可
[root@SH-DEV1 CA]# openssl req -new -x509 -key server.key -out server.crt
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:testcompany
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:10.130.161.16
Email Address []:test@test.com5.到需要签名的证书所属服务器生成证书,本人这里因为是要给nginx用的,所以在另一台nginx服务器上生成了证书
同样是先生成密钥,再生成证书
[root@SH-JUSTICE ssl]# openssl genrsa -des3 -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................................................................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for nginx.key:
Verifying - Enter pass phrase for nginx.key:
#执行这个命令后,NGINX引用此文件不需要输入密码
[root@SH-JUSTICE ssl]# openssl rsa -in nginx.key -out nginx.key
Enter pass phrase for nginx.key:
writing RSA key
[root@SH-JUSTICE ssl]# openssl req -days 3650 -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:testcompany
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:10.130.161.16
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
#此处可以直接回车跳过,否则之后用证书还要输入密码
A challenge password []:
An optional company name []:6.将生成的nginx证书拷贝到CA中心服务器上进行签名
[root@SH-DEV1 CA]# openssl ca -in nginx.csr -out nginx.crt -cert server.crt -keyfile server.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for server.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 23 01:31:58 2017 GMT
Not After : Feb 23 01:31:58 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = shanghai
organizationName = happyelements
organizationalUnitName = yummy
commonName = 10.130.161.50
emailAddress = lishuai.feng@happyelements.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2B:BA:E5:77:6D:01:0B:B3:3A:2B:8D:62:93:08:56:AC:40:37:CC:92
X509v3 Authority Key Identifier:
keyid:1C:03:5F:03:FD:36:64:77:B1:CF:23:DB:3D:91:9D:01:CA:E5:D1:70
Certificate is to be certified until Feb 23 01:31:58 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated注:此处有可能出现错误
failed to update database
TXT_DB error number 2此时代表着无法同时创建两个crt文件,即创建了根证书server.crt,就无法创建nginx.crt,此时需要删掉配置文件中dir处配置的index.txt,再重新touch index.txt就可以了
7.将已签名的证书拷贝回原服务器
8.配置nginx服务器,https默认使用443端口,所以要确保443端口未被占用,简要配置如下
server {
listen 443 ssl;
server_name 10.130.161.50;
ssl on;
ssl_certificate /opt/local/nginx1.10.3/ssl/nginx.crt;
ssl_certificate_key /opt/local/nginx1.10.3/ssl/nginx.key;
ssl_session_cache shared:SSL:10m;#此处为缓存ssl证书容量,据官方文档所述,cache中的1m可以存放4000个session
ssl_session_timeout 10m;
location ^~ /test-web/ {
proxy_pass http://workerTest;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
1633
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
