Generating a Root Certificate and a Server Certificate with OpenSSL and Signing the Certificate

IT Technology | ipcpu | 4757 views

1. Check the CA directory in the OpenSSL configuration file

The default value is fine on most operating systems; confirm that `dir` points at the CA directory you intend to use:

  cat /etc/pki/tls/openssl.cnf
  # in the [ CA_default ] section:
  dir = /etc/pki/CA

2. Generate the root certificate and its private key

  cd /etc/pki/CA
  # create the directories the CA will store certificates in
  mkdir private crl certs newcerts
  # create the serial file with the initial serial number 00
  echo '00' > serial
  # create an empty index.txt (the CA database)
  touch index.txt
  # generate the CA root private key
  openssl genrsa -out private/cakey.pem 2048
  # generate the self-signed CA root certificate, valid for 10 years
  openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

3. Generate the server private key and the certificate signing request

  cd /etc/nginx
  # generate the site's private key
  openssl genrsa -out m.ipcpu.com.key 2048
  # generate the certificate signing request; use the site hostname as the Common Name
  openssl req -new -key m.ipcpu.com.key -out m.ipcpu.com.csr

4. Sign the certificate with the local CA

  openssl ca -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365

The stock configuration uses policy_match, so the request's country, state and organization must match the CA certificate's; answer those prompts consistently in steps 2 and 3. After signing succeeds, OpenSSL reports that the database has been updated:

  [root@ip-172-31-32-208 nginx]# openssl ca -in m.ipcpu.com.csr -out m.ipcpu.com.crt -days 365
  Using configuration from /etc/pki/tls/openssl.cnf
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 0 (0x0)
          Validity
              Not Before: Dec 20 15:20:03 2014 GMT
              Not After : Dec 20 15:20:03 2015 GMT
          Subject:
              countryName               = CN
              stateOrProvinceName       = Beijing
              organizationName          = ipcpu.com
              organizationalUnitName    = ops
              commonName                = m.ipcpu.com
              emailAddress              = m@ipcpu.com
          X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:FALSE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  AA:00:B2:61:9F:55:D1:C6:67:69:75:B4:BF:5D:3C:A3:DC:A8:82:94
              X509v3 Authority Key Identifier:
                  keyid:87:73:06:6C:EF:01:EB:9B:47:3B:69:4E:26:21:76:9A:61:F3:E2:A5
  Certificate is to be certified until Dec 20 15:20:03 2015 GMT (365 days)
  Sign the certificate? [y/n]:y
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated

At this point both serial and index.txt in the CA directory have been updated: the serial has advanced to 01, and index.txt has a "V" (valid) entry for the new certificate.

  [root@ip-172-31-32-208 CA]# cat serial
  01
  [root@ip-172-31-32-208 CA]# cat index.txt
  V	151220152003Z	00	unknown	/C=CN/ST=Beijing/O=ipcpu.com/OU=ops/CN=m.ipcpu.com/emailAddress=m@ipcpu.com
  [root@ip-172-31-32-208 CA]#
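The whole procedure above, as an added example that is not part of the original post: it runs the same steps non-interactively in a scratch directory with its own minimal openssl.cnf (instead of /etc/pki/tls/openssl.cnf), then checks that the issued certificate actually chains to the new root. The directory, hostname and section names are placeholders chosen for the example.

```shell
# Added example (not from the original post): the CA workflow above, run
# non-interactively in a scratch directory, followed by a chain verification.
set -eu

# Builds a CA under $1, signs a CSR for hostname $2 with it, verifies the
# result, and prints the updated serial so the caller can see it advanced.
build_ca_and_sign() {
    dir=$1; host=$2
    mkdir -p "$dir/private" "$dir/crl" "$dir/certs" "$dir/newcerts"
    echo '00' > "$dir/serial"   # first certificate gets serial 00
    : > "$dir/index.txt"        # empty CA database
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = srv_ext
[ policy_any ]
commonName = supplied
[ srv_ext ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
EOF
    # Root key and self-signed root certificate (CA:TRUE from [ v3_ca ]).
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 3650 -subj "/CN=Example Root CA" -config "$dir/ca.cnf"
    # Server key and CSR, then sign the CSR with the local CA.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" -config "$dir/ca.cnf"
    openssl ca -batch -config "$dir/ca.cnf" -in "$dir/$host.csr" \
        -out "$dir/$host.crt" -days 365 >/dev/null 2>&1
    # The leaf must chain to the root and carry the requested CN.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$host.crt" >/dev/null
    openssl x509 -in "$dir/$host.crt" -noout -subject | grep -q "CN *= *$host"
    cat "$dir/serial"
}
```

Run it as `build_ca_and_sign "$(mktemp -d)" m.example.test`; it prints `01`, matching the serial shown above after the first signature.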

Reference: http://www.haiyun.me/archives/openssl-ca-cert.html
