- 创建根证书的私匙(ca.key)
openssl genrsa -out ca.key 2048
- 创建根证书(ca.crt)
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=Your Root CA"
- 创建SSL证书私匙(网站证书)(server.key)
openssl genrsa -out server.key 2048
- 创建SSL证书(网站证书)(server.crt)
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=wangye.org/CN=wangye.org"
/O字段内容必须与刚才的CA根证书相同;/CN字段为公用名称(Common Name),必须为网站的域名(不带www);/OU字段最好也与为网站域名
- 用CA根证书签署SSL自建证书
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
报错:unable to open '/etc/pki/CA/index.txt'
[root@localhost tmp]# touch /etc/pki/CA/index.txt
报错:error while loading serial number
140515054446496:error:02001002:system library:
fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
[root@localhost tmp]# echo 00 > /etc/pki/CA/serial
[root@localhost tmp]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Feb 7 02:13:45 2017 GMT
Not After : Feb 7 02:13:45 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = ShiChuan
organizationName = Your Company Name
organizationalUnitName = wangye.org
commonName = wangye.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5E:D1:22:95:85:87:DF:FC:0C:C8:C9:BC:7F:73:A6:20:B9:80:83:8C
X509v3 Authority Key Identifier:
keyid:24:C0:24:B4:A9:E6:84:B6:9D:1B:DF:64:C0:52:96:C2:3D:FA:9C:85
Certificate is to be certified until Feb 7 02:13:45 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
服务器需要的证书:server.crt和server.key 备注:由于是自签名证书,所以客户端需要安装根证书,将刚才第2步创建的根证书ca.crt下载到客户端,然后双击导入,否则会提示不受信任的证书发布商问题