How to self-sign SSL certificates for your own domain on Linux; here Apache, Tomcat and Nginx are the target servers.
Self-signing a wildcard (pan-domain) certificate with openssl
First you need the openssl tool; if it is not installed, install it with the following command:
yum install -y openssl openssl-devel
Modify the openssl.cnf configuration file
The specific changes are as follows
[root@docker02 ~]# vim /etc/pki/tls/openssl.cnf
[ req ]
………………
# Uncomment the following line
req_extensions = v3_req # The extensions to add to a certificate request
………………
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Add the following line
subjectAltName = @SubjectAlternativeName
# And add the following section
[SubjectAlternativeName]
DNS.1 = zhangbook.com
DNS.2 = *.zhangbook.com
Note: this article uses the wildcard domain *.zhangbook.com as the example.
Create the root certificate
[root@docker02 ssl]# pwd
/root/software/ssl
[root@docker02 ssl]#
## Create the CA private key
[root@docker02 ssl]# openssl genrsa -out CA.key 2048
## Create the CA certificate (public key)
[root@docker02 ssl]# openssl req -sha256 -new -x509 -days 36500 -key CA.key -out CA.crt -config /etc/pki/tls/openssl.cnf
………………
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BTC
Organizational Unit Name (eg, section) []:MOST
Common Name (eg, your name or your server's hostname) []:Light Zhang # this becomes the "Issued by" field of the certificate
Email Address []:ca@test.com
The command above asks for the certificate fields interactively; if you do not want to type them every time, use the following command instead:
## Create the CA certificate non-interactively
openssl req -sha256 -new -x509 -days 36500 -key CA.key -out CA.crt -config /etc/pki/tls/openssl.cnf -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=Light Zhang/emailAddress=ca@test.com"
Meaning of the -subj fields:
C = Country Name (2 letter code)
ST = State or Province Name (full name)
L = Locality Name (eg, city) [Default City]
O = Organization Name (eg, company) [Default Company Ltd]
OU = Organizational Unit Name (eg, section)
CN = Common Name (eg, your name or your server's hostname)
emailAddress = Email Address
The files at this point are:
[root@docker02 ssl]# ll
total 32
-rw-r--r-- 1 root root 1387 Oct 2 10:25 CA.crt
-rw-r--r-- 1 root root 1679 Oct 2 10:04 CA.key
Self-sign the wildcard domain certificate
The steps are:
- Generate the domain private key
- Generate the certificate signing request (CSR)
- Use the self-signed CA to generate the domain certificate (public key)
Specifically:
### Current directory: /root/software/ssl
# Generate the zhangbook.com.key private key
openssl genrsa -out zhangbook.com.key 2048
# Generate the zhangbook.com.csr certificate signing request (interactive)
openssl req -new -sha256 -key zhangbook.com.key -out zhangbook.com.csr -config /etc/pki/tls/openssl.cnf
………………
##### The interactive prompts and the values entered are as follows
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BTC
Organizational Unit Name (eg, section) []:MOST
Common Name (eg, your name or your server's hostname) []:*.zhangbook.com # this becomes the "Issued to" field of the certificate
Email Address []:ca@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:BTC
………………
# Generate the zhangbook.com.csr certificate signing request (non-interactive)
openssl req -new -sha256 -key zhangbook.com.key -out zhangbook.com.csr -config /etc/pki/tls/openssl.cnf -subj "/C=CN/ST=BJ/L=BeiJing/O=BTC/OU=MOST/CN=*.zhangbook.com/emailAddress=ca@test.com"
PS1: the Common Name entered in this step is *.zhangbook.com, which means the certificate covers the wildcard domain; the Common Name must also be included in SubjectAlternativeName.
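The three steps listed above carried through the signing step, with a check that the SAN actually survives into the signed certificate and that hostname matching behaves as expected. This is an added example, not the post's own commands: it writes its own minimal config (equivalent to the openssl.cnf edits above) instead of editing /etc/pki/tls/openssl.cnf, and the work directory and file names are our own choice.

```shell
# Added example (not the post's own commands): CA, wildcard CSR with SAN,
# signing, and verification. Assumes `openssl` on PATH; paths are ours.
make_wildcard_cert() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    # Constructed config, equivalent to the openssl.cnf edits in the post.
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
O = BTC
CN = *.$domain
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @SubjectAlternativeName
[ SubjectAlternativeName ]
DNS.1 = $domain
DNS.2 = *.$domain
EOF
    # Root CA key and self-signed CA certificate (non-interactive via -subj).
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -x509 -sha256 -new -days 3650 -key "$dir/CA.key" -out "$dir/CA.crt" \
        -config "$dir/san.cnf" -extensions v3_ca -subj "/C=CN/O=BTC/CN=Light Zhang"
    # Domain key and CSR; req_extensions = v3_req puts the SAN into the CSR.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -config "$dir/san.cnf"
    # Sign with the CA. Without -extfile/-extensions the SAN in the CSR is
    # dropped from the signed certificate, and browsers then reject it.
    openssl x509 -req -sha256 -days 365 -in "$dir/$domain.csr" \
        -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/$domain.crt" 2>/dev/null
}
# Exit 0 if the signed certificate lists NAME in its subjectAltName.
cert_has_san() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -qF -- "DNS:$3"
}
# Exit 0 if the certificate chains to CA.crt and is valid for HOST.
# A wildcard covers one label: www.zhangbook.com yes, a.b.zhangbook.com no.
cert_matches_host() {
    openssl verify -CAfile "$1/CA.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Run `make_wildcard_cert ./ssl-demo zhangbook.com` and then `cert_matches_host ./ssl-demo zhangbook.com www.zhangbook.com` to confirm the signed certificate is usable for the wildcard name.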