Using CAcert.org to create signed certificates online for free. Official site: https://www.cacert.org/index.php
This article uses the domain xmkk.net as the example for creating signed certificates.
Dependency: openssl
Verify domain ownership
a) Domains->Add: add the domain to be verified;
b) Verify by email: click the verification link in the email and confirm;
c) Domains->View: check that the status shows the domain as verified;
Create the server certificate
1. Generate the server certificate private key
# openssl genrsa -out ssl/domain_key_xmkk.net.pem 4096
# openssl req -new -key ssl/domain_key_xmkk.net.pem -out ssl/xmkk.net.csr -subj '/CN=xmkk.net'
# cat ssl/xmkk.net.csr
2. Generate the server certificate (public key)
a) Use the contents of the CSR file printed above to have CAcert.org sign it: Server Certificates->New;
b) Copy the server certificate (public key) issued by CAcert.org to the local machine
# cat > ssl/domain_cert_xmkk.net.pem << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
.
.
.
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF
Create the client certificate using the keytool command
a) Generate the keystore; enter the keystore password and the password for the client private key. It seems that the two passwords are required to be the same here.
$ keytool -genkey -alias fenng -keyalg RSA -keysize 4096 -keystore ssl/.fenng.keytool -dname 'CN=fenng@xmkk.net'
b) Generate the client certificate signing request (CSR) from the private key
$ keytool -certreq -alias fenng -file ssl/fenng.csr -keystore ssl/.fenng.keytool -storepass mysecret
$ cat ssl/fenng.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEZDCCAkwCAQAwHzEdMBsGA1UEAwwUZGFuaWVsQHBvY29jay5jb20uYXUwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQC/ySJt3ZNulDnWG7MtrE+Y6Rkl6ln/ovdefxFdoaBSkg4Bqg8K
.
.
.
cfsbPXSEcdZTYKzPaQpTtkCeWMRKh5R4M61IOd40tANhVbZbf32sZlAeRos7
-----END NEW CERTIFICATE REQUEST-----
c) Submit the output above to CAcert to obtain the client public key certificate, and copy it to the local machine
# cat > ssl/fenng.crt << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
.
.
.
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF
d) Import the root certificate, then the client certificate (public key) signed under it, into the keystore
$ keytool -import -alias root -keystore ssl/.fenng.keytool -storepass mysecret -trustcacerts -file ssl/root_cert_cacert.org.pem
...
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -importcert -alias fenng -file ssl/fenng.crt -keystore ssl/.fenng.keytool -storepass mysecret
Certificate reply was installed in keystore
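Added example (not from the original post): a POSIX shell check to run before copying the certificate returned by CAcert.org into ssl/domain_cert_xmkk.net.pem in step 2, or before importing ssl/fenng.crt in step d. It confirms that the certificate's public key really matches the private key you generated and that the certificate verifies against the CA root you intend to trust. The file names are assumptions, and a throwaway local CA is constructed in place of CAcert so the script runs offline.

```shell
#!/bin/sh
# Added example: sanity checks on a certificate returned by a CA before it is
# deployed or imported into a keystore. Paths and names are assumptions.
set -eu

# Print "match" if the public key inside the certificate equals the public
# key derived from the private key, otherwise "mismatch".
cert_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Print "ok" if the certificate verifies against the given root, else "fail".
cert_chains_to_root() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Constructed fixture: a local stand-in for the CAcert root, a server key and
# CSR made exactly as in step 1, a certificate issued by that root, and an
# unrelated key that must NOT match the certificate. Prints the directory.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.pem" -subj '/CN=Example Root' -days 1 2>/dev/null
    openssl genrsa -out "$d/domain_key.pem" 2048 2>/dev/null
    openssl req -new -key "$d/domain_key.pem" -out "$d/domain.csr" \
        -subj '/CN=xmkk.net' 2>/dev/null
    openssl x509 -req -in "$d/domain.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/domain_cert.pem" -days 1 2>/dev/null
    openssl genrsa -out "$d/other_key.pem" 2048 2>/dev/null
    echo "$d"
}

# Stand-alone demonstration on the constructed fixture.
dir=$(make_fixture)
echo "key matches certificate: $(cert_matches_key "$dir/domain_key.pem" "$dir/domain_cert.pem")"
echo "wrong key matches:       $(cert_matches_key "$dir/other_key.pem" "$dir/domain_cert.pem")"
echo "chains to root:          $(cert_chains_to_root "$dir/root.pem" "$dir/domain_cert.pem")"
```

In the real workflow, point the two functions at ssl/domain_key_xmkk.net.pem with the certificate you copied from CAcert and at the downloaded CAcert root; a "mismatch" or "fail" means the file should not be deployed or imported.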
Reposted from: https://blog.51cto.com/fenng/1197111