一.手动生成单个ssl证书
1.创建CA和申请证书
使用openssl工具创建CA证书和申请证书时,需要先查看配置文件,因为配置文件中对证书的名称和存放位置等相关信息都做了定义,具体可参考 /etc/pki/tls/openssl.cnf 文件。
[root@VM-0-114-centos ~]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
(1)、创建自签证书
第一步:创建为 CA 提供所需的目录及文件
[root@VM-0-114-centos CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@VM-0-114-centos CA]# touch /etc/pki/CA/{serial,index.txt}
[root@VM-0-114-centos CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial
4 directories, 2 files第二步:指明证书的开始编号
]# echo 01 >> serial第三步:生成私钥,私钥的文件名与存放位置要与配置文件中的设置相匹配;
[root@VM-0-114-centos CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................................................................................................................................................................................................................++
..........................................................++
e is 65537 (0x10001)
[root@VM-0-114-centos CA]# ll private/
总用量 4
-rw------- 1 root root 3243 10月 18 21:03 cakey.pem第四步:生成自签证书,自签证书的存放位置也要与配置文件中的设置相匹配,生成证书时需要填写相应的信息;
[root@VM-0-114-centos CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShengZhen
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:keyao
Organizational Unit Name (eg, section) []:mage
Common Name (eg, your name or your server's hostname) []:*.tapd.demo.com
Email Address []:httpd@keyao.com
[root@VM-0-114-centos CA]# ll /etc/pki/CA/cacert.pem
-rw-r--r-- 1 root root 2118 10月 18 21:11 /etc/pki/CA/cacert.pem命令中用到的选项解释:
-new:表示生成一个新证书签署请求
-x509:专用于CA生成自签证书,如果不是自签证书则不需要此项
-key:生成请求时用到的私钥文件
-out:证书的保存路径
-days:证书的有效期限,单位是day(天),默认是365天
(2)颁发证书
在需要使用证书的主机上生成证书请求,以 httpd 服务为例,步骤如下:
第一步:在需要使用证书的主机上生成私钥,这个私钥文件的位置可以随意定
第二步:生成证书签署请求
第三步:将请求通过可靠方式发送给 CA 主机
[root@VM-0-114-centos test]# (umask 077;openssl genrsa -out httpd.key 4096)
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................................................++
..........................++
e is 65537 (0x10001)
[root@VM-0-114-centos test]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:keyao
Organizational Unit Name (eg, section) []:*.tapd.demo.com
Common Name (eg, your name or your server's hostname) []:www.tapd.demo.com
Email Address []:https@keyao.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@VM-0-114-centos test]# ll
总用量 8
-rw-r--r-- 1 root root 1765 10月 18 21:26 httpd.csr
-rw------- 1 root root 3243 10月 18 21:23 httpd.key第四步:CA 服务器拿到证书签署请求文件后颁发证书,这一步是在 CA 服务器上做的
[root@VM-0-114-centos /]# ls
bin dev lost+found opt run storage usr
boot etc lib media proc sbin sys var
data home lib64 mnt root srv tmp
[root@VM-0-114-centos /]# openssl ca -in /httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Oct 19 13:28:38 2021 GMT
Not After : Oct 19 13:28:38 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = ShenZhen
organizationName = keyao
organizationalUnitName = yaoke.com
commonName = www.yaoke.com
emailAddress = httpd@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A7:23:5A:30:09:64:4D:D8:51:3A:BB:C9:B6:E0:F6:80:87:5C:E0:2F
X509v3 Authority Key Identifier:
keyid:36:55:4C:EE:B6:FA:90:67:AF:91:71:77:25:D0:A9:91:54:B3:68:06
Certificate is to be certified until Oct 19 13:28:38 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@VM-0-114-centos /]# ls
bin dev httpd.csr lost+found opt run storage usr
boot etc lib media proc sbin sys var
data home lib64 mnt root srv tmp查看证书信息的命令为:
[root@VM-0-114-centos /]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=02
subject= /C=CN/ST=ShenZhen/O=keyao/OU=yaoke.com/CN=www.yaoke.com/emailAddress=httpd@magedu.com(3)吊销证书
吊销证书的步骤也是在CA服务器上执行的,以刚才新建的 httpd.crt 证书为例,吊销步骤如下:
第一步:在客户机上获取要吊销证书的 serial 和 subject 信息
第二步:根据客户机提交的 serial 和 subject 信息,对比其余本机数据库 index.txt 中存储的是否一致
第三步:执行吊销操作
[root@VM-0-114-centos CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated第四步:生成吊销证书的吊销编号 (第一次吊销证书时执行)
]# echo 01 > /etc/pki/CA/crlnumber第五步:更新证书吊销列表
]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl查看 crl 文件命令:
]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
二.脚本生成单个CA ssl证书
~]#vim aaaCA.cnf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
# 以下内容可随意填写
countryName = CN (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Guangdong
localityName = Shenzhen
0.organizationName = TC
organizationalUnitName = technology
0.commonName = aaa.xxx.co
0.commonName_max = 64
1.commonName = aaa.xxx.pro
1.commonName_max = 64
2.commonName = aaa.xxx.co
2.commonName_max = 64
3.commonName = aaa.xxx.pro
3.commonName_max = 64
4.commonName = aaa.xxx.me
4.commonName_max = 64
5.commonName = aaa.xxx.me
5.commonName_max = 64
6.commonName = aaa.xxx.me
6.commonName_max = 64
7.commonName = aaa.xxx.me
7.commonName_max = 64
8.commonName = aaa.xxx.me
8.commonName_max = 64
9.commonName = aaa.xxx.com
9.commonName_max = 64
emailAddress = admin@tapd.cn
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
~]# vim tapdLocalExt.cnf
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = *.xxx.xxx.com
DNS.2 = xxx.xxx.com
IP.1 = ingress的ip
IP.2 = lb的ip#私有CA
openssl req -x509 -newkey rsa:2048 -out CA.cer -outform PEM -keyout CA.pvk -days 10000 -verbose -config CA.cnf -nodes -sha256 -subj "/CN=aaa CA"#私钥
openssl req -newkey rsa:2048 -keyout aaa.pvk -out aaa.req -subj "/CN=*.xxx.xxx.com" -sha256 -nodes#公钥
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in aaa.req -out aaa.cer -days 10000 -extfile aaaLocalExt.cnf -sha256 -set_serial 0x1113注:该脚本修该的地方就是 enerate_ca.sh你的私钥,tapdCA.cnf应答文件,tapdLocalExt.cnf你要解析的ip地址
三.脚本自动生成通配符ssl证书
新建文件 gencert.sh ,编辑并加入以下内容:
#!/usr/bin/env bash
#
# Copyright 2020 Liu Hongyu (eliuhy@163.com)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e
DOMAIN="$1"
WORK_DIR="$(mktemp -d)"
if [ -z "$DOMAIN" ]; then
echo "Domain name needed."
exit 1
fi
echo "Temporary working dir is $WORK_DIR "
echo "Gernerating cert for $DOMAIN ..."
#
# Fix the following error:
# --------------------------
# Cannot write random bytes:
# 139695180550592:error:24070079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:213:Filename=/home/eliu/.rnd
#
[ -f $HOME/.rnd ] || dd if=/dev/urandom of=$HOME/.rnd bs=256 count=1
openssl genrsa -out $WORK_DIR/ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
-key $WORK_DIR/ca.key \
-out $WORK_DIR/ca.crt
openssl genrsa -out $WORK_DIR/server.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
-key $WORK_DIR/server.key \
-out $WORK_DIR/server.csr
cat > $WORK_DIR/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$DOMAIN
DNS.2=*.$DOMAIN
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile $WORK_DIR/v3.ext \
-CA $WORK_DIR/ca.crt -CAkey $WORK_DIR/ca.key -CAcreateserial \
-in $WORK_DIR/server.csr \
-out $WORK_DIR/server.crt
openssl x509 -inform PEM -in $WORK_DIR/server.crt -out $WORK_DIR/$DOMAIN.cert
mkdir -p ./$DOMAIN
cp $WORK_DIR/server.key $WORK_DIR/server.crt ./$DOMAIN假设我们要为 example.com 生成证书,执行如下命令:
./gencert.sh example.com生成的后的目录结构如下:
.
├── example.com
│ ├── server.crt
│ └── server.key
└── gencert.sh然后查看通配符ssl
for i in `find . -maxdepth 2 -name "*.crt"`;do openssl x509 -in $i -text -noout;done
四.导出证书
sz server.crt server.key
163
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
