系统环境:
Ubuntu 18.10
OpenSSL 1.1.1 11 Sep 2018
一:自建CA
1:依次创建如下目录
mkdir -p /opt/ca/root
mkdir /opt/ca/root/key
2:vim /opt/ca/root/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /opt/ca/root
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/key/cacert.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/key/cakey.pem
RANDFILE = $dir/key/.rand
unique_subject = no
x509_extensions = usr_cert
copy_extensions = copy
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = sha256
preserve = no
policy = policy_ca
[ policy_ca ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
utf8 = yes
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = beijing
localityName = beijing
organizationName = Global Google CA Inc
organizationalUnitName = Root CA
commonName = Global Google Root CA
[ usr_cert ]
basicConstraints = CA:TRUE
[ v3_ca ]
basicConstraints = CA:TRUE
[ req_attributes ]3:创建如下目录及文件
mkdir /opt/ca/root/newcerts
touch /opt/ca/root/index.txt
touch /opt/ca/root/index.txt.attr
echo 01 > /opt/ca/root/serial
4:创建CA私钥
openssl genrsa -out /opt/ca/root/key/cakey.pem 2048
5:生成CA证书请求文件
openssl req -new -key /opt/ca/root/key/cakey.pem -out /opt/ca/root/key/ca.csr -config /opt/ca/root/openssl.cnf
6:自签名
openssl ca -selfsign -in /opt/ca/root/key/ca.csr -out /opt/ca/root/key/cacert.crt -config /opt/ca/root/openssl.cnf
7:修改/opt/ca/root/openssl.cnf配置,把
[ usr_cert ]
basicConstraints = CA:TRUE
修改为
[ usr_cert ]
basicConstraints = CA:FALSE
CA:TRUE代表的是签发的是CA机构(自己是CA机构),CA:FALSE代表的是签发的是证书(改成false就不能去签发其他CA)
经过以上7个步骤,就成功创建了CA私钥及CA证书。有了这些就可以去签发其他的证书请求了
二:使用自建CA签名证书
1:mkdir /opt/ca/taobao
2:vim /opt/ca/taobao/openssl.cnf
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
attributes = req_attributes
string_mask = utf8only
utf8 = yes
[ server_distinguished_name ]
commonName = taobao2018.cn
stateOrProvinceName = guangzhou
countryName = CN
organizationName = 广州我要淘科技有限公司
organizationalUnitName = IT
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ req_attributes ]
[ req_ext ]
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = taobao2018.cn
DNS.2 = bbs.taobao2018.cn
DNS.3 = taobao2019.cn3:生成网站私钥
openssl genrsa -out /opt/ca/taobao/privkey.pem 2048
4:生成证书请求文件(csr文件)
openssl req -new -key /opt/ca/taobao/privkey.pem -out /opt/ca/taobao/taobao.csr -config /opt/ca/taobao/openssl.cnf
5:使用自建CA进行签发证书
openssl ca -in /opt/ca/taobao/taobao.csr -out /opt/ca/taobao/taobao.crt -config /opt/ca/root/openssl.cnf
6:查看证书信息(可选)
openssl x509 -text -in /opt/ca/taobao/taobao.crt
经过以上几个步骤,就生成了由自建CA签发的证书了
三:配置nginx的ssl
server {
listen 443 ssl;
server_name taobao2018.cn bbs.taobao2018.cn taobao2019.cn;
ssl_certificate /opt/ca/taobao/taobao.crt;
ssl_certificate_key /opt/ca/taobao/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}保存配置文件之后,启动nginx
四:导入自建CA的证书(根证书)
这里以Firefox为例,打开:选项 -> 隐私与安全 -> 查看证书,在证书颁发机构里面选择导入,
选择文件 /opt/ca/root/key/cacert.crt 导入并勾选2个信任的复选框
五:配置hosts
192.168.133.134 taobao2018.cn
192.168.133.134 bbs.taobao2018.cn
192.168.133.134 taobao2019.cn最后,使用https方式访问上面的三个url中的任意一个均可
访问之后,也可以在Firefox上查看证书
注意:
1:证书的x509信息如:stateOrProvinceName、organizationalUnitName已经在openssl.cnf配置文件中指定了,所以在生成证书请求文件的时候,不需要再输入了
2:证书请求文件里面的commonName,只需要填写主要的域名就可以了,其他的域名(包括主域名)必须要在openssl.cnf配置文件的subjectAltName属性中指定,否则浏览器会报不安全警告。本例子中展示了证书支持3个域名,所以这3个域名都要配置在subjectAltName属性中
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
