0. Environment
nginx and openssl are installed.
1. Configuration and scripts
First create a demo directory (pick any location; I put it under the nginx directory):
mkdir /etc/nginx/ca-demo
cd /etc/nginx/ca-demo
Edit the OpenSSL configuration file openssl.cnf (it may also be called openssl.conf; if you don't know where it is, locate it with find / -name openssl.cnf).
Change the dir attribute to the directory you created in the previous step. Do not use a relative path, it will trip you up. Save, as shown in the figure:
I like automation, so I wrote the following three scripts, which can be used as they are:
ca.sh:
#!/bin/bash
# Create the directory hierarchy and the CA database files
touch index.txt serial
chmod 666 index.txt serial
echo 01 > serial
mkdir -p newcerts private
# Generate the CA's RSA key pair (3DES-encrypted, passphrase is prompted for)
openssl genrsa -des3 -out ./private/cakey.pem 2048
# Two-step alternative: create a CSR first, then self-sign it
#openssl req -new -days 365 -key ./private/cakey.pem -out ca.csr
#openssl ca -selfsign -in ca.csr -out ca.crt
# One step: produce the self-signed CA certificate directly, valid for 10 years
openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out ca.crt
server.sh:
#!/bin/bash
# Issue the server certificate
mkdir server
openssl genrsa -out ./server/server.key 2048
openssl req -new -key ./server/server.key -out ./server/server.csr
openssl ca -in ./server/server.csr -cert ./ca.crt -keyfile ./private/cakey.pem -out ./server/server.crt -days 3650
client.sh:
#!/bin/bash
# Issue the client certificate
mkdir client
openssl genrsa -des3 -out ./client/client.key 2048
openssl req -new -key ./client/client.key -out ./client/client.csr
openssl ca -in ./client/client.csr -cert ./ca.crt -keyfile ./private/cakey.pem -out ./client/client.crt -config "/etc/ssl/openssl.cnf"
# Bundle the client key and certificate into a PKCS#12 file
openssl pkcs12 -export -clcerts -in ./client/client.crt -inkey ./client/client.key -out ./client/client.p12
Copy the three scripts above into the demo directory you created, as shown below:
Add execute permission:
chmod +x *.sh
The result looks like this:
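As an added example that is not part of the original post, the script below runs the three-script flow above non-interactively in a scratch directory and checks the outcome with openssl verify. It writes its own minimal openssl.cnf whose [ CA_default ] dir is an absolute path (the pitfall mentioned above); the names demo-ca, demo-server and demo-client and the p12 password "demo" are constructed values, and the keys are left unencrypted so that nothing prompts.

```shell
#!/bin/bash
# Added example, not from the original post: the ca.sh/server.sh/client.sh flow
# above, run end to end in a scratch directory with a minimal openssl.cnf whose
# [ CA_default ] dir is absolute; keys unencrypted, p12 password "demo" (constructed).
set -eu
ca_demo() (
  dir="$(mktemp -d)"; cd "$dir"
  mkdir -p newcerts private server client; touch index.txt; echo 01 > serial
  cat > openssl.cnf <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 3650
policy          = policy_any
[ policy_any ]
commonName      = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage        = keyCertSign, cRLSign
[ req ]
distinguished_name = dn
[ dn ]
EOF
  # ca.sh: CA key plus self-signed CA cert, explicitly marked as a CA via v3_ca
  openssl genrsa -out private/cakey.pem 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key private/cakey.pem -out ca.crt \
      -subj "/CN=demo-ca" -config openssl.cnf -extensions v3_ca
  # server.sh / client.sh: key, CSR and CA-signed cert for each role
  for role in server client; do
    openssl genrsa -out "$role/$role.key" 2048 2>/dev/null
    openssl req -new -key "$role/$role.key" -out "$role/$role.csr" \
        -subj "/CN=demo-$role" -config openssl.cnf
    openssl ca -batch -notext -config openssl.cnf -in "$role/$role.csr" \
        -out "$role/$role.crt" 2>/dev/null
  done
  openssl pkcs12 -export -clcerts -in client/client.crt -inkey client/client.key \
      -out client/client.p12 -passout pass:demo
  # both leaf certs chain to our CA, and the server cert must not vouch for the client
  openssl verify -CAfile ca.crt server/server.crt client/client.crt >/dev/null
  openssl verify -CAfile server/server.crt client/client.crt >/dev/null 2>&1 && exit 1
  echo "$dir"
)
ca_demo   # prints the scratch directory that now holds ca.crt, server/ and client/
```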
To be continued...
Original post: http://www.cnblogs.com/dreamingodd/p/7357029.html