自建CA服务器自签证书服务器
一、配置证书服务器模板
#修改openssl.cnf文件
vi /etc/pki/tls/openssl.cnf
#确保[ req ]下存在以下两行
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
#确保[ req_distinguished_name ]下没有 0.xxx 的标签,有的话把0.xxx的0.去掉
#[ v3_req ]最后一行新增如下一行内容
[ v3_req ]
subjectAltName = @alt_names
#新增 [ alt_names ]
[ alt_names ]
DNS.1 = *.test.com
DNS.2 = *.test.cc
IP.1 = 219.150.218.112
IP.2 = 192.168.1.248
IP.3 = 192.168.1.249
IP.4 = 172.20.31.88
IP.5 = 172.16.21.3
IP.6 = 113.219.200.35
IP.7 = 116.163.46.143
二、申请和转换证书
#CA根证书
openssl rand -out private/.rand 1000
openssl genrsa -out private/ca.key 2048
openssl req -new -key private/ca.key -out private/ca.csr -subj "/C=CN/O=EastRayCloud Technologies, Inc./OU=Domain Validated SSL/CN=EastRayCloud CA"
openssl x509 -req -days 36500 -sha1 -extensions v3_ca -signkey private/ca.key -in private/ca.csr -out certs/ca.crt
#根证书格式转换
openssl pkcs12 -export -cacerts -inkey private/ca.key -in certs/ca.crt -out certs/ca.p12
keytool -importkeystore -v -srckeystore certs/ca.p12 -srcstoretype pkcs12 -srcstorepass 9865321 -destkeystore certs/ca.keystore -deststoretype jks -deststorepass 9865321
#根签发服务器证书或客户端证书
openssl genrsa -out private/server.key 2048
openssl req -new -key private/server.key -out private/server.csr -subj "/C=CN/O=EastRayCloud Technologies, Inc./OU=Domain Validated SSL/CN=*.eastraycloud.com" -config /etc/pki/tls/openssl.cnf
openssl ca -days 36500 -in private/server.csr -out certs/server.crt -cert certs/ca.crt -keyfile private/ca.key -extensions v3_req -config /etc/pki/tls/openssl.cnf
#openssl ca -days 36500 -in private/client.csr -out certs/client.crt -cert certs/ca.crt -keyfile private/ca.key -extensions v3_req -config /etc/pki/tls/openssl.cnf
#服务器证书格式转换
openssl pkcs12 -export -clcerts -inkey private/server.key -in certs/domain.crt -out certs/domain.p12
keytool -importkeystore -v -srckeystore certs/domain.p12 -srcstoretype pkcs12 -srcstorepass 9865321 -destkeystore certs/domain.keystore -deststoretype jks -deststorepass 9865321
#签发客户端证书
openssl genrsa -out private/client.key 2048
openssl req -new -key private/client.key -out private/client.csr -subj "/C=CN/O=EastRayCloud Technologies, Inc./OU=Domain Validated SSL/CN=*.test.com"
openssl x509 -req -days 36500 -in private/client.csr -signkey client.key -out certs/client.crt
#客户端证书格式转换
openssl pkcs12 -export -inkey private/client.key -in certs/client.cer -out certs/client.p12
keytool -importkeystore -v -srckeystore certs/test.domain.p12 -srcstoretype pkcs12 -srcstorepass 9865321 -destkeystore certs/test.domain.keystore -deststoretype jks -deststorepass 9865321
#重复签发操作
rm -f /etc/pki/CA/index.txt* /etc/pki/CA/serial*
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 01 > /etc/pki/CA/serial
三、普通加密证书申请(用于加密不验证的情况)
openssl genrsa -out private/test.domain.key 2048
openssl req -new -key private/test.domain.key -out private/test.domain.csr
openssl x509 -req -days 36500 -in private/test.domain.csr -signkey private/test.domain.key -out certs/test.domain.crt
注:想要受浏览器信任,必须下载根CA证书导入到浏览器的‘受信任的根证书颁发机构’