1、生成根证书和私钥 :生成rootkey.pem 和 root.pem,如果要浏览器警告,需要把root.pem导入到浏览器根证书目录。
CN="Root CA" SAN="IP:172.16.0.1" ./openssl req -config ca.conf -x509 -nodes -keyout rootkey.pem -out root.pem -newkey rsa:2048 -days 36500
2、生成RSA用户证书请求和私钥:生成 privkey.pem 和 req.pem
CN="Usr Cert" SAN="IP:172.16.0.1" ./openssl req -config ca.conf -nodes -keyout privkey.pem -out req.pem -newkey rsa:2048
3、生成用户证书:即使用CA来签名用户证书请求请求,使用rootkey.pem 、root.pem、req.pem来生成输出 usr.pem
CN="Usr Cert" SAN="IP:172.16.0.1" ./openssl x509 -req -extensions v3_req -extfile ca.conf -in req.pem -CA root.pem -CAkey rootkey.pem -days 3600 -CAcreateserial -out usr.pem
ca.conf的内容可以参考下面即可:
# ca.cnf
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
SAN = "Not Defined"
default_ca = ca
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
prompt = no # ????
distinguished_name = req_distinguished_name
x509_extensions = v3_ca # ?? only for ca
string_mask = utf8only
req_extensions = v3_req
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Shanghai
localityName = Shanghai
organizationName = SpiderX Technology Co.,Ltd.
organizationalUnitName = SpiderX
commonName = $ENV::CN
[ v3_req ]
subjectAltName = $ENV::SAN
[ usr_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
nsComment = "SpiderX Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
[ca]
database = index.txt
crlnumber = crlnum.txt
1808
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
