Building Your Own CA and Issuing SSL Certificates with OpenSSL

System environment:

Ubuntu 18.10

OpenSSL 1.1.1  11 Sep 2018

Part 1: Building the CA

1: Create the following directories, in order

mkdir -p /opt/ca/root

mkdir /opt/ca/root/key

2: vim /opt/ca/root/openssl.cnf

[ ca ]
default_ca	= CA_default

[ CA_default ]
dir		    = /opt/ca/root
certs		= $dir/certs
crl_dir		= $dir/crl
database	= $dir/index.txt
new_certs_dir	= $dir/newcerts
certificate	= $dir/key/cacert.crt
serial		= $dir/serial
crlnumber	= $dir/crlnumber
crl		    = $dir/crl.pem
private_key	= $dir/key/cakey.pem
RANDFILE	= $dir/key/.rand
unique_subject	= no

x509_extensions	= usr_cert
copy_extensions = copy

name_opt 	= ca_default
cert_opt 	= ca_default

default_days	= 365
default_crl_days= 30
default_md	= sha256
preserve	= no
policy		= policy_ca

[ policy_ca ]
countryName		= supplied
stateOrProvinceName	= supplied
organizationName	= supplied
organizationalUnitName	= supplied
commonName		= supplied
emailAddress		= optional

[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca
string_mask = utf8only
utf8 = yes
prompt                  = no

[ req_distinguished_name ]
countryName			= CN
stateOrProvinceName		= beijing
localityName			= beijing
organizationName        = Global Google CA Inc
organizationalUnitName	= Root CA
commonName			= Global Google Root CA

[ usr_cert ]
basicConstraints = CA:TRUE

[ v3_ca ]
basicConstraints        = CA:TRUE

[ req_attributes ]

3: Create the following directory and files

mkdir /opt/ca/root/newcerts

touch /opt/ca/root/index.txt

touch /opt/ca/root/index.txt.attr

echo 01 > /opt/ca/root/serial

4: Create the CA private key

openssl genrsa -out /opt/ca/root/key/cakey.pem 2048

5: Generate the CA certificate signing request

openssl req -new -key /opt/ca/root/key/cakey.pem -out /opt/ca/root/key/ca.csr -config /opt/ca/root/openssl.cnf

6: Self-sign the CA certificate

openssl ca -selfsign -in /opt/ca/root/key/ca.csr -out /opt/ca/root/key/cacert.crt -config /opt/ca/root/openssl.cnf

7: Edit the /opt/ca/root/openssl.cnf configuration, changing

[ usr_cert ]
basicConstraints = CA:TRUE

to

[ usr_cert ]
basicConstraints = CA:FALSE

CA:TRUE means the certificate being issued is for a CA (the subject is itself a CA); CA:FALSE means an ordinary certificate is being issued (once changed to FALSE, the issued certificate cannot be used to issue other CAs).

After these seven steps, the CA private key and CA certificate have been created. With them you can now sign other certificate requests.

 

Part 2: Signing a certificate with the self-built CA

1: mkdir /opt/ca/taobao

2: vim /opt/ca/taobao/openssl.cnf

[ req ]
prompt             = no
distinguished_name = server_distinguished_name
req_extensions     = req_ext
x509_extensions	= v3_req
attributes		= req_attributes
string_mask = utf8only
utf8 = yes

[ server_distinguished_name ]
commonName              = taobao2018.cn
stateOrProvinceName     = guangzhou
countryName             = CN
organizationName        = 广州我要淘科技有限公司
organizationalUnitName  = IT

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ req_attributes ]

[ req_ext ]
subjectAltName      = @alternate_names

[ alternate_names ]
DNS.1        = taobao2018.cn
DNS.2        = bbs.taobao2018.cn
DNS.3        = taobao2019.cn

3: Generate the website's private key

openssl genrsa -out /opt/ca/taobao/privkey.pem 2048

4: Generate the certificate signing request (CSR file)

openssl req -new -key /opt/ca/taobao/privkey.pem -out /opt/ca/taobao/taobao.csr -config /opt/ca/taobao/openssl.cnf

5: Issue the certificate with the self-built CA

openssl ca -in /opt/ca/taobao/taobao.csr -out /opt/ca/taobao/taobao.crt -config /opt/ca/root/openssl.cnf

6: Inspect the certificate (optional)

openssl x509 -text -in /opt/ca/taobao/taobao.crt

After these steps, you have a certificate issued by your own CA.

 

Part 3: Configuring SSL in nginx

server {
	listen       443 ssl;
	server_name  taobao2018.cn bbs.taobao2018.cn taobao2019.cn;

	ssl_certificate      /opt/ca/taobao/taobao.crt;
	ssl_certificate_key  /opt/ca/taobao/privkey.pem;

	ssl_session_cache    shared:SSL:1m;
	ssl_session_timeout  5m;

	ssl_ciphers  HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers  on;

	location / {
		root   html;
		index  index.html index.htm;
	}
}

After saving the configuration file, start nginx.

 

Part 4: Importing the self-built CA's certificate (root certificate)

Taking Firefox as an example: open Options -> Privacy & Security -> View Certificates, choose Import under Authorities,

select the file /opt/ca/root/key/cacert.crt, import it, and tick both trust checkboxes.

 

Part 5: Configuring hosts

192.168.133.134 taobao2018.cn
192.168.133.134 bbs.taobao2018.cn
192.168.133.134 taobao2019.cn

Finally, access any of the three URLs above over https.

After visiting, you can also inspect the certificate in Firefox.

 

Notes:

1: The certificate's X.509 fields such as stateOrProvinceName and organizationalUnitName are already specified in the openssl.cnf configuration file, so they do not need to be entered again when generating the certificate request.

2: The commonName in the certificate request only needs to hold the primary domain name; the other domain names (including the primary domain) must be listed in the subjectAltName attribute of the openssl.cnf configuration file, otherwise the browser will show an insecure-connection warning. The example here shows a certificate covering three domains, so all three must be configured in subjectAltName.
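A verification script for the certificate issued in Part 2 and the subjectAltName rule in Note 2. This is an added example, not part of the original post: it assumes only the openssl CLI (1.1.1 or newer), and make_demo_pki builds a throwaway CA and leaf with openssl req/x509 -req (rather than the page's openssl ca database) so the checks can run without the /opt/ca tree.

```shell
#!/bin/sh
# Added example (not from the original post): post-issuance checks for a leaf
# certificate signed by the CA above. Assumes only the openssl CLI (1.1.1+).

# check_issued_cert CA_CERT LEAF_CERT LEAF_KEY DNS_NAME...
# Prints one line per check; returns non-zero if any check fails.
check_issued_cert() {
    ca=$1; crt=$2; key=$3; shift 3; rc=0
    # 1. The leaf must chain to our root, i.e. it was really signed by this CA.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then echo "ok   chains to CA"
    else echo "FAIL does not chain to CA"; rc=1; fi
    # 2. The leaf must be an end-entity cert, i.e. usr_cert was flipped to CA:FALSE
    #    before issuing; a CA:TRUE leaf could itself issue certificates the browser trusts.
    if openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE'; then echo "ok   CA:FALSE"
    else echo "FAIL leaf lacks CA:FALSE (usr_cert still CA:TRUE?)"; rc=1; fi
    # 3. The key nginx loads (ssl_certificate_key) must belong to this certificate.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
    then echo "ok   key matches certificate"; else echo "FAIL key/cert mismatch"; rc=1; fi
    # 4. Every host nginx serves must be in subjectAltName; browsers ignore the CN.
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null || true)
    for name in "$@"; do
        if printf '%s\n' "$san" | tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$name"
        then echo "ok   SAN covers $name"; else echo "FAIL SAN missing $name"; rc=1; fi
    done
    return $rc
}

# make_demo_pki DIR: builds a constructed, throwaway CA and leaf so the checks can
# run offline. Uses req/x509 -req instead of the page's 'openssl ca' database to
# stay short; the resulting certificates have the same shape as the page's.
make_demo_pki() {
    d=$1; mkdir -p "$d"
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/cakey.pem" -subj "/CN=Demo Root CA" -out "$d/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca_ext.cnf"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/cakey.pem" -days 1 \
        -extfile "$d/ca_ext.cnf" -out "$d/cacert.crt" 2>/dev/null
    openssl genrsa -out "$d/privkey.pem" 2048 2>/dev/null
    openssl req -new -config "$d/req.cnf" -key "$d/privkey.pem" -subj "/CN=taobao2018.cn" -out "$d/leaf.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:taobao2018.cn,DNS:bbs.taobao2018.cn,DNS:taobao2019.cn\n' \
        > "$d/leaf_ext.cnf"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/cacert.crt" -CAkey "$d/cakey.pem" -CAcreateserial \
        -days 1 -extfile "$d/leaf_ext.cnf" -out "$d/leaf.crt" 2>/dev/null
}

# Usage: sh check.sh CA_CERT LEAF_CERT LEAF_KEY DNS_NAME...   (no args: define only)
if [ $# -ge 4 ]; then check_issued_cert "$@"; fi
```

Against the page's files, run it as `sh check.sh /opt/ca/root/key/cacert.crt /opt/ca/taobao/taobao.crt /opt/ca/taobao/privkey.pem taobao2018.cn bbs.taobao2018.cn taobao2019.cn` before starting nginx; the SAN check fails for any name that is served but missing from alternate_names.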
