Generating certificates with openssl from a shell script

About the certificates

A CA can be thought of as the certification authority in cryptography. This article uses a self-built CA root certificate (browsers flag it as untrusted, so it has to be trusted manually) to sign certificate requests. Different certificates can be requested for different ports or domain names, all sharing the same CA.

Environment

openwrt
openssl
lighttpd

Shell script

#!/bin/bash
#@description Set up the openssl environment and configuration

# Swap in our openssl.cnf and create the CA directory layout that its [CA_default] section expects
mv -f /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf_bak
\cp -f /home/openssl.cnf /etc/ssl/

mkdir -p /etc/lighttpd/cert/CA
mkdir /etc/lighttpd/cert/CA/certs
mkdir /etc/lighttpd/cert/CA/crl
mkdir /etc/lighttpd/cert/CA/newcerts
mkdir /etc/lighttpd/cert/CA/private
echo "01" > /etc/lighttpd/cert/CA/serial
touch /etc/lighttpd/cert/CA/index.txt
touch /etc/lighttpd/cert/CA/crlnumber

cd /etc/lighttpd/cert/CA
# Generate the CA private key (2048-bit RSA, encrypted with des3, passphrase 111111)
openssl genrsa -des3 -passout pass:111111 -out private/ca.key 2048
# Generate the CA certificate signing request (public key + subject information).
# -days is only meaningful together with -x509, so it is not passed here.
openssl req -new -key private/ca.key -passin pass:111111 -out private/ca.csr -subj "/C=CN/ST= /L= /O= /OU= /CN= /emailAddress= "
# Self-sign the CSR to produce the CA root certificate (browsers flag it as untrusted; this uses the [ca] settings from
# openssl.cnf, and the output can be thought of as certificate + other information). The ca.crt produced by this command
# does not work as a CA; use the next command instead. A likely cause (assumption, not stated by the author) is that
# openssl.cnf applies x509_extensions = usr_cert, whose stock basicConstraints=CA:FALSE marks the result as a non-CA cert.
openssl ca -selfsign -in private/ca.csr -days 3650 -keyfile private/ca.key -key 111111 -out ./certs/ca.crt -batch
# Skip the CSR and generate the CA root certificate directly (also reads openssl.cnf, but needs no serial file etc.;
# the output can be thought of as just the certificate)
openssl req -new -x509 -days 3650 -key private/ca.key -passin pass:111111 -out ./certs/ca2.crt -subj "/C=CN/ST= /L= /O= /OU= /CN= /emailAddress= "

mkdir /etc/lighttpd/cert/server
cd /etc/lighttpd/cert/server
# Generate the server private key (2048-bit RSA, encrypted with des3, passphrase 111111)
openssl genrsa -des3 -passout pass:111111 -out server.key 2048
# Generate the server certificate signing request
openssl req -new -key server.key -passin pass:111111 -out server.csr -subj "/C=CN/ST= /L= /O= /OU= /CN=program/emailAddress= "
# Sign the server certificate with the CA configured in openssl.cnf's [ca] section (public key + subject information;
# the subject must not be identical to one already issued, otherwise openssl ca reports an error)
openssl ca -in server.csr -key 111111 -out server.crt -batch
# Alternative way to sign the server certificate (CA certificate and key paths are given explicitly, the output carries
# no extra subject information, duplicate subjects are allowed, and -passin is the ca.key passphrase)
openssl x509 -req -days 3650 -in server.csr -CA ../CA/certs/ca.crt -CAkey ../CA/private/ca.key -passin pass:111111 -CAcreateserial -out server2.crt

# Strip the passphrase from the private keys
openssl rsa -in server.key -passin pass:111111 -out nopassserver.key
openssl rsa -in ../CA/private/ca.key -passin pass:111111 -out ../CA/private/nopassca.key
# Concatenate key and certificate into one file (for the lighttpd config).
# Note: the ca.pem/ca2.pem files also embed the unencrypted CA private key; lighttpd's ssl.ca-file only needs the certificate.
cat /etc/lighttpd/cert/server/nopassserver.key /etc/lighttpd/cert/server/server.crt > /etc/lighttpd/cert/server/server.pem
cat /etc/lighttpd/cert/server/nopassserver.key /etc/lighttpd/cert/server/server2.crt > /etc/lighttpd/cert/server/server2.pem
cat /etc/lighttpd/cert/CA/private/nopassca.key /etc/lighttpd/cert/CA/certs/ca.crt > /etc/lighttpd/cert/CA/certs/ca.pem
cat /etc/lighttpd/cert/CA/private/nopassca.key /etc/lighttpd/cert/CA/certs/ca2.crt > /etc/lighttpd/cert/CA/certs/ca2.pem

# Install the lighttpd configuration
\cp -f /home/lighttpd.conf /etc/lighttpd/
chown -R http:www-data /etc/lighttpd/cert
# Syntax-check the config before restarting the service
lighttpd -tt -f /etc/lighttpd/lighttpd.conf
/etc/init.d/lighttpd restart

# Re-encrypt a private key
#openssl rsa -in nopassserver.key -des3 -passout pass:111111 -out server.key
# Convert PEM to DER (binary, not human-readable, commonly used on Windows)
#openssl (rsa|x509) -in key.cer -inform PEM -outform DER -out key.der
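The script above leaves it to the reader to find out whether the root certificate is actually usable as a CA (the author notes that the first ca.crt is not) and whether the server certificate chains to it. The following is an added example, not the post's own script: it builds a throwaway CA in a temporary directory with explicit CA extensions (basicConstraints CA:TRUE, keyCertSign), issues a server certificate with a subjectAltName via the openssl x509 -req path the post also uses, and then verifies the chain and hostname with openssl verify. The WORK directory, the config snippets, the hostname router.lan and all subject names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the original post's script): build a throwaway CA whose
# root certificate really is a CA, issue a server certificate for one hostname,
# and verify the chain with openssl itself.
# WORK, the config snippets and the hostname "router.lan" are constructed here.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create the CA key and a self-signed root carrying CA extensions.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
C = CN
CN = Constructed Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORK/ca.key" \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
  chmod 600 "$WORK/ca.key"
}

# Create a server key, a CSR for hostname $1, and sign it with the CA.
make_server_cert() {
  host="$1"
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/C=CN/CN=$host" \
    -out "$WORK/server.csr"
  openssl x509 -req -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
  # Key + certificate in one file, the layout lighttpd's ssl.pemfile expects.
  cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
  chmod 600 "$WORK/server.key" "$WORK/server.pem"
}

# Returns 0 when the root carries basicConstraints CA:TRUE, the property the
# post's first ca.crt lacks.
ca_is_ca() {
  openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when server.crt chains to ca.crt and is valid for hostname $1.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null
}

if [ "${1:-}" = "run" ]; then
  make_ca
  make_server_cert "router.lan"
  ca_is_ca && verify_chain "router.lan" && echo "chain OK in $WORK"
fi
```

Run it as `sh build-ca.sh run`; the two checks at the end are the ones worth keeping in any CA script, since a root that fails `ca_is_ca` will be rejected by browsers no matter how it is installed, and a server certificate without a matching subjectAltName fails hostname verification even when the chain is fine.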

openssl.cnf configuration

[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /etc/lighttpd/cert/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several certificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/certs/ca.crt 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/ca.key  # The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 3650			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= default		# use public key default MD
preserve	= no			# keep passed DN ordering

# A few different ways of specifying how similar the request should look.
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

lighttpd.conf configuration

server.modules += ( "mod_openssl" )


$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/cert/server/server.pem"
    ssl.ca-file = "/etc/lighttpd/cert/CA/certs/ca2.pem"
    server.document-root        = "/www/html/engie/program"
}
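The config above points ssl.ca-file at ca2.pem, which the script built by concatenating the unencrypted CA private key with the CA certificate. A web server never needs the CA private key, and ssl.pemfile must be readable only by the server user. The following is an added example, not part of the original post: a small POSIX sh audit that reads ssl.pemfile and ssl.ca-file out of a lighttpd.conf, checks that the pemfile holds both a key and a certificate and is not world-readable, and flags a ca-file that contains a private key. The sample config and the PEM files it points at are constructed inline (with placeholder bodies, not real keys).

```shell
#!/bin/sh
# Added example (not the original post's code): audit the PEM files a
# lighttpd.conf points at. ssl.pemfile must hold the server key + certificate;
# ssl.ca-file should hold certificates only.

# Print the value of a double-quoted lighttpd option, e.g. conf_value ssl.ca-file lighttpd.conf
conf_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Returns 0 if the file contains a PEM private-key block
has_private_key() { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; }
# Returns 0 if the file contains at least one certificate block
has_certificate() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
# Returns 0 if "others" can read the file (find -perm -004 is POSIX)
world_readable() { [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; }

# Audit one config: prints findings, returns the number of problems found
audit_lighttpd_tls() {
  conf="$1"; problems=0
  pemfile=$(conf_value ssl.pemfile "$conf")
  cafile=$(conf_value ssl.ca-file "$conf")
  if ! has_private_key "$pemfile" || ! has_certificate "$pemfile"; then
    echo "ssl.pemfile $pemfile must contain both the server key and certificate"
    problems=$((problems + 1))
  fi
  if world_readable "$pemfile"; then
    echo "ssl.pemfile $pemfile is world-readable; it holds a private key"
    problems=$((problems + 1))
  fi
  if [ -n "$cafile" ] && has_private_key "$cafile"; then
    echo "ssl.ca-file $cafile contains a private key; it should hold certificates only"
    problems=$((problems + 1))
  fi
  return $problems
}

# Constructed sample files: placeholder PEM bodies, not real keys or certs.
# Prints the directory; bad.conf mirrors the post (ca-file = key + cert),
# good.conf points ssl.ca-file at a certificate-only file.
make_constructed_samples() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-placeholder' \
    '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
    'constructed-placeholder' '-----END CERTIFICATE-----' > "$d/server.pem"
  cp "$d/server.pem" "$d/ca2.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
    '-----END CERTIFICATE-----' > "$d/ca.crt"
  chmod 600 "$d/server.pem"
  cat > "$d/bad.conf" <<EOF
\$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "$d/server.pem"
    ssl.ca-file = "$d/ca2.pem"
}
EOF
  sed 's#ca2\.pem#ca.crt#' "$d/bad.conf" > "$d/good.conf"
  echo "$d"
}

if [ "${1:-}" = "run" ]; then
  D=$(make_constructed_samples)
  audit_lighttpd_tls "$D/bad.conf" || echo "bad.conf: $? problem(s)"
  audit_lighttpd_tls "$D/good.conf" && echo "good.conf: clean"
fi
```

Against a real router, run `audit_lighttpd_tls /etc/lighttpd/lighttpd.conf` after the chown step of the post's script; the fix for a flagged ca-file is simply to point ssl.ca-file at ca2.crt instead of ca2.pem.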

Other notes

1. The platform is OpenWrt, where much of the usual environment is missing; on an ordinary Linux system the directories do not need to be created after installing openssl.
2. The script above generates the CA certificate and the server certificate in two ways each (ca.crt does not work).
3. The script was written for my own machine; for example, chown -R http:www-data /etc/lighttpd/cert uses my lighttpd's default user and group. Feel free to ask if something is unclear, and guess whether I'll answer.

Finally

A trace of the world.
