{"id":371,"date":"2014-12-21T20:20:14","date_gmt":"2014-12-21T12:20:14","guid":{"rendered":"http:\/\/www.ipcpu.com\/?p=371"},"modified":"2014-12-21T20:20:14","modified_gmt":"2014-12-21T12:20:14","slug":"openssl-private","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2014\/12\/openssl-private\/","title":{"rendered":"Openssl\u751f\u6210\u6839\u8bc1\u4e66\u3001\u670d\u52a1\u5668\u8bc1\u4e66\u5e76\u7b7e\u6838\u8bc1\u4e66"},"content":{"rendered":"
\u591a\u6570\u64cd\u4f5c\u7cfb\u7edf\u9ed8\u8ba4\u7684openssl.cnf\u914d\u7f6e\u4e0d\u9700\u8981\u4fee\u6539<\/p>\n
cat <\/span>\/<\/span>etc<\/span>\/<\/span>pki<\/span>\/<\/span>tls<\/span>\/<\/span>openssl<\/span>.<\/span>cnf<\/span><\/code><\/li>
dir <\/span>=<\/span> <\/span>\/etc\/<\/span>pki<\/span>\/<\/span>CA<\/span><\/code><\/li><\/ol><\/pre>\n
2.\u751f\u6210\u6839\u8bc1\u4e66\u53ca\u79c1\u94a5<\/h4>\n
cd <\/span>\/<\/span>etc<\/span>\/<\/span>pki<\/span>\/<\/span>CA<\/span><\/code><\/li>
#\u65b0\u5efa\u8bc1\u4e66\u5b58\u653e\u76ee\u5f55<\/span><\/code><\/li>
mkdir <\/span>private<\/span> crl certs newcerts <\/span><\/code><\/li>
#\u65b0\u5efaserial\u6587\u4ef6\u5e76\u5199\u5165\u521d\u59cb\u5e8f\u5217\u53f700<\/span><\/code><\/li>
echo <\/span>'00'<\/span> <\/span>><\/span> serial <\/span><\/code><\/li>
#\u65b0\u5efaindex.txt\u7a7a\u6587\u4ef6<\/span><\/code><\/li>
touch index<\/span>.<\/span>txt<\/span><\/code><\/li>
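#\u751f\u6210CA\u6839\u8bc1\u4e66\u79c1\u94a5(\u6b64\u547d\u4ee4\u751f\u6210\u7684\u79c1\u94a5\u672a\u52a0\u5bc6\uff0c\u5e94\u9650\u5236private\u76ee\u5f55\u53cacakey.pem\u7684\u8bbf\u95ee\u6743\u9650)<\/span><\/code><\/li>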
openssl genrsa <\/span>-<\/span>out<\/span> <\/span>private<\/span>\/<\/span>cakey<\/span>.<\/span>pem <\/span>2048<\/span> <\/span><\/code><\/li>
#\u751f\u6210CA\u6839\u8bc1\u4e66<\/span><\/code><\/li>
openssl req <\/span>-<\/span>new<\/span> <\/span>-<\/span>x509 <\/span>-<\/span>key <\/span>private<\/span>\/<\/span>cakey<\/span>.<\/span>pem <\/span>-<\/span>out<\/span> cacert<\/span>.<\/span>pem <\/span>-<\/span>days <\/span>3650<\/span><\/code><\/li><\/ol><\/pre>\n
3.\u751f\u6210\u670d\u52a1\u5668\u8bc1\u4e66\u79c1\u94a5\u3001\u8bc1\u4e66\u8bf7\u6c42<\/h4>\n
cd <\/span>\/<\/span>etc<\/span>\/<\/span>nginx<\/span><\/code><\/li>
#\u751f\u6210\u7f51\u7ad9\u79c1\u94a5<\/span><\/code><\/li>
openssl genrsa <\/span>-<\/span>out<\/span> m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>key <\/span>2048<\/span><\/code><\/li>
#\u751f\u6210\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6<\/span><\/code><\/li>
openssl req <\/span>-<\/span>new<\/span> <\/span>-<\/span>key m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>key <\/span>-<\/span>out<\/span> m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>csr<\/span><\/code><\/li><\/ol><\/pre>\n
4.\u4f7f\u7528\u672c\u5730CA\u7b7e\u53d1\u8bc1\u4e66<\/h4>\n
openssl ca <\/span>-<\/span>in<\/span> m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>csr <\/span>-<\/span>out<\/span> m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>crt <\/span>-<\/span>days <\/span>365<\/span><\/code><\/li><\/ol><\/pre>\n
\u7b7e\u53d1\u6210\u529f\u540e\u4f1a\u63d0\u793a\u6570\u636e\u5e93\u5df2\u7ecf\u66f4\u65b0<\/p>\n
[<\/span>root@ip<\/span>-<\/span>172<\/span>-<\/span>31<\/span>-<\/span>32<\/span>-<\/span>208<\/span> nginx<\/span>]#<\/span> openssl ca <\/span>-<\/span>in<\/span> m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>csr <\/span>-<\/span>out<\/span> m<\/span>.<\/span>ipcpu<\/span>.<\/span>com<\/span>.<\/span>crt <\/span>-<\/span>days <\/span>365<\/span><\/code><\/li>
Using<\/span> configuration <\/span>from<\/span> <\/span>\/<\/span>etc<\/span>\/<\/span>pki<\/span>\/<\/span>tls<\/span>\/<\/span>openssl<\/span>.<\/span>cnf<\/span><\/code><\/li>
Check<\/span> that the request matches the signature<\/span><\/code><\/li>
Signature<\/span> ok<\/span><\/code><\/li>
Certificate<\/span> <\/span>Details<\/span>:<\/span><\/code><\/li>
<\/span>Serial<\/span>