Background
Simply because I need a certificate with a longer validity period.
Tools
- Ubuntu
- openssl version: 1.1.1-1ubuntu2.1~18.04.15
Automation script
#!/bin/bash
# Generates a self-signed CA (ca.key/ca.crt) and a server certificate
# (server.key/server.crt) signed by that CA, both valid for <days> days.
# Usage: ./gen_cert.sh new <days>   |   ./gen_cert.sh test
function usage_print() {
    echo "usage: $1 new <validity-days> | $1 test"
}
function create() {
    echo start!
    keepTime=$1
    if [ -z "${keepTime}" ]; then
        echo "missing validity period in days" >&2
        return 1
    fi
    echo "validity: ${keepTime} days"
    # CA key (4096 bit) and self-signed CA certificate; the subject comes from ca.conf
    openssl genrsa -out ca.key 4096
    openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
    openssl x509 -req -days "${keepTime}" -in ca.csr -signkey ca.key -out ca.crt
    # server key (2048 bit) and CSR; the SAN list is the [req_ext] section of server.conf
    openssl genrsa -out server.key 2048
    openssl req -new -sha256 -out server.csr -key server.key -config server.conf
    # sign the CSR with the CA; the flag is -days (the original had -day)
    openssl x509 -req -days "${keepTime}" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in server.csr -out server.crt -extensions req_ext -extfile server.conf
    echo success!
}
function main() {
    case "$1" in
        new)
            create "$2"
            ;;
        test)
            # local TLS listener on :443 with the new certificate;
            # -verify 1 requests a client certificate but does not require one
            openssl s_server -accept 443 -CAfile ca.crt -verify 1 -cert server.crt -key server.key -www -debug -msg
            ;;
        *)
            usage_print "$0"
            ;;
    esac
}
main "$@"
Configuration files
Only two configuration files need to be edited for this post: ca.conf and server.conf
ca.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = CN
countryName_default = CN
stateOrProvinceName = ChenMing SSL
stateOrProvinceName_default = ChenMing SSL
localityName = ShenZhen
localityName_default = ShenZhen
organizationName = ChenMing
organizationName_default = ChenMing
commonName = APPNAME
commonName_max = 64
commonName_default = APPNAME
The string fields can be filled in as you like unless the customer requires specific values; default_bits is 4096 for the CA key. Note that because there is no prompt = no line in [ req ], openssl req prompts for each field: the left-hand value (e.g. countryName = CN) is only the prompt label, and the _default value is what pressing Enter accepts. Add prompt = no to [ req ] if you want the left-hand values used directly without prompting.
server.conf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = CN
countryName_default = CN
stateOrProvinceName = ChenMing SSL
stateOrProvinceName_default = ChenMing SSL
localityName = ShenZhen
localityName_default = ShenZhen
organizationName = ChenMing
organizationName_default = ChenMing
commonName = APPNAME
commonName_max = 64
commonName_default = APPNAME
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = a.chenming.com.cn
DNS.2 = b.chenming.com.cn
DNS.3 = *.chenming.com
Hostname validation is driven by the [alt_names] section, so that is the part to edit: list every hostname the server will be reached by as a DNS.N entry. Modern clients ignore the CN once a SAN is present, and a wildcard such as *.chenming.com matches exactly one label, so it covers a.chenming.com but not a.b.chenming.com. The DN string fields above should match the ones in ca.conf.
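As an added example (not part of the original post or its script), the following self-contained bash script performs the same procedure as the script and the two config files above, but passes the subject via -subj and the extensions via small extension files, so it runs in any directory without ca.conf/server.conf. It then runs the checks worth doing on the output: that server.crt chains to ca.crt, that hostname matching behaves the way the SAN list says it should (including the one-label wildcard rule), and whether the certificate is still valid after a given number of seconds. The hostnames and the ChenMing subject strings are taken from the page; the basicConstraints/keyUsage extensions on the CA, the extra server extensions and the function names are this example's own choices. All options used exist in OpenSSL 1.1.1.

```shell
#!/bin/bash
# Added example: CA + SAN server certificate, then verification checks.
set -eu

gen_chain() {
    # $1 = output directory, $2 = validity in days
    local dir=$1 days=$2
    mkdir -p "$dir"

    # CA key and self-signed CA certificate, same two-step flow as the page's
    # script, plus an extension file so the CA is an X.509v3 cert with CA:TRUE
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/ca.key" \
        -subj "/C=CN/ST=ChenMing SSL/L=ShenZhen/O=ChenMing/CN=ChenMing Test CA" \
        -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/ca_ext.cnf"
    openssl x509 -req -days "$days" -sha256 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt"

    # server key and CSR (CN is irrelevant for hostname checks once a SAN exists)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/C=CN/ST=ChenMing SSL/L=ShenZhen/O=ChenMing/CN=APPNAME" \
        -out "$dir/server.csr"

    # extension file standing in for [req_ext]/[alt_names] of server.conf
    printf 'subjectAltName=DNS:a.chenming.com.cn,DNS:b.chenming.com.cn,DNS:*.chenming.com\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid,issuer\n' \
        > "$dir/server_ext.cnf"
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server_ext.cnf" -out "$dir/server.crt"
}

# exit 0 only if server.crt chains to ca.crt AND the SAN list matches hostname $2
verify_host() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# exit 0 only if server.crt is still valid $2 seconds from now
check_expiry() {
    openssl x509 -in "$1/server.crt" -noout -checkend "$2" >/dev/null
}

# print the SAN entries actually embedded in server.crt, comma separated
list_sans() {
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage: ./example.sh <dir> <days> [hostname]
if [ "${1:-}" != "" ]; then
    gen_chain "$1" "${2:-365}"
    echo "SANs: $(list_sans "$1")"
    host=${3:-a.chenming.com.cn}
    if verify_host "$1" "$host"; then
        echo "chain OK, hostname $host matches"
    else
        echo "verification failed for $host" >&2
        exit 1
    fi
fi
```

Running it as ./example.sh ./out 3650 x.chenming.com should report a match (one label under the wildcard), while ./example.sh ./out 3650 x.y.chenming.com fails, because OpenSSL's wildcard matching stops at one label. The same verify and checkend commands can be pointed at the ca.crt/server.crt produced by the page's own script.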