目錄

一.手動(dòng)生成單個(gè)ssl證書

1.創(chuàng)建CA和申請(qǐng)證書

二.腳本生成單個(gè)CA ssl證書

三.腳本自動(dòng)生成通配符ssl證書

四.導(dǎo)出證書

---

一.手動(dòng)生成單個(gè)ssl證書

1.創(chuàng)建CA和申請(qǐng)證書

使用openssl工具創(chuàng)建CA證書和申請(qǐng)證書時(shí)，需要先查看配置文件，因?yàn)榕渲梦募袑?duì)證書的名稱和存放位置等相關(guān)信息都做了定義，具體可參考?/etc/pki/tls/openssl.cnf?文件。

[root@VM-0-114-centos ~]# vim /etc/pki/tls/openssl.cnf #################################################################### [ ca ] default_ca = CA_default # The default ca section#################################################################### [ CA_default ]dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of# several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number# must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number filex509_extensions = usr_cert # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default # Subject Name options cert_opt = ca_default # Certificate field options# Extension copying option: use with caution. # copy_extensions = copy# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions = crl_extdefault_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = sha256 # use SHA-256 by default preserve = no # keep passed DN ordering# A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match# For the CA policy [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional

（1）、創(chuàng)建自簽證書

第一步：創(chuàng)建為 CA 提供所需的目錄及文件

[root@VM-0-114-centos CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private} [root@VM-0-114-centos CA]# touch /etc/pki/CA/{serial,index.txt} [root@VM-0-114-centos CA]# tree . ├── certs ├── crl ├── index.txt ├── newcerts ├── private └── serial4 directories, 2 files

第二步：指明證書的開始編號(hào)

]# echo 01 >> serial

第三步：生成私鑰，私鑰的文件名與存放位置要與配置文件中的設(shè)置相匹配；

[root@VM-0-114-centos CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096) Generating RSA private key, 4096 bit long modulus .....................................................................................................................................................................................................................++ ..........................................................++ e is 65537 (0x10001) [root@VM-0-114-centos CA]# ll private/ 總用量 4 -rw------- 1 root root 3243 10月 18 21:03 cakey.pem

第四步：生成自簽證書，自簽證書的存放位置也要與配置文件中的設(shè)置相匹配，生成證書時(shí)需要填寫相應(yīng)的信息；

[root@VM-0-114-centos CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ShengZhen Locality Name (eg, city) [Default City]:shenzhen Organization Name (eg, company) [Default Company Ltd]:keyao Organizational Unit Name (eg, section) []:mage Common Name (eg, your name or your server's hostname) []:*.tapd.demo.com Email Address []:httpd@keyao.com [root@VM-0-114-centos CA]# ll /etc/pki/CA/cacert.pem -rw-r--r-- 1 root root 2118 10月 18 21:11 /etc/pki/CA/cacert.pem

命令中用到的選項(xiàng)解釋：

-new：表示生成一個(gè)新證書簽署請(qǐng)求

-x509：專用于CA生成自簽證書，如果不是自簽證書則不需要此項(xiàng)

-key：生成請(qǐng)求時(shí)用到的私鑰文件

-out：證書的保存路徑

-days：證書的有效期限，單位是day（天），默認(rèn)是365天

（2）頒發(fā)證書

在需要使用證書的主機(jī)上生成證書請(qǐng)求，以 httpd 服務(wù)為例，步驟如下：

第一步：在需要使用證書的主機(jī)上生成私鑰，這個(gè)私鑰文件的位置可以隨意定

第二步：生成證書簽署請(qǐng)求

第三步：將請(qǐng)求通過可靠方式發(fā)送給 CA 主機(jī)

[root@VM-0-114-centos test]# (umask 077;openssl genrsa -out httpd.key 4096) Generating RSA private key, 4096 bit long modulus ............................................................................................................................................................................................................................................++ ..........................++ e is 65537 (0x10001) [root@VM-0-114-centos test]# openssl req -new -key httpd.key -out httpd.csr -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shenzhen Locality Name (eg, city) [Default City]:shenzhen Organization Name (eg, company) [Default Company Ltd]:keyao Organizational Unit Name (eg, section) []:*.tapd.demo.com Common Name (eg, your name or your server's hostname) []:www.tapd.demo.com Email Address []:https@keyao.comPlease enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@VM-0-114-centos test]# ll 總用量 8 -rw-r--r-- 1 root root 1765 10月 18 21:26 httpd.csr -rw------- 1 root root 3243 10月 18 21:23 httpd.key

第四步：CA 服務(wù)器拿到證書簽署請(qǐng)求文件后頒發(fā)證書，這一步是在 CA 服務(wù)器上做的

[root@VM-0-114-centos /]# ls bin dev lost+found opt run storage usr boot etc lib media proc sbin sys var data home lib64 mnt root srv tmp[root@VM-0-114-centos /]# openssl ca -in /httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details:Serial Number: 2 (0x2)ValidityNot Before: Oct 19 13:28:38 2021 GMTNot After : Oct 19 13:28:38 2022 GMTSubject:countryName = CNstateOrProvinceName = ShenZhenorganizationName = keyaoorganizationalUnitName = yaoke.comcommonName = www.yaoke.comemailAddress = httpd@magedu.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: A7:23:5A:30:09:64:4D:D8:51:3A:BB:C9:B6:E0:F6:80:87:5C:E0:2FX509v3 Authority Key Identifier: keyid:36:55:4C:EE:B6:FA:90:67:AF:91:71:77:25:D0:A9:91:54:B3:68:06Certificate is to be certified until Oct 19 13:28:38 2022 GMT (365 days) Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@VM-0-114-centos /]# ls bin dev httpd.csr lost+found opt run storage usr boot etc lib media proc sbin sys var data home lib64 mnt root srv tmp

查看證書信息的命令為：

[root@VM-0-114-centos /]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject serial=02 subject= /C=CN/ST=ShenZhen/O=keyao/OU=yaoke.com/CN=www.yaoke.com/emailAddress=httpd@magedu.com

（3）吊銷證書

吊銷證書的步驟也是在CA服務(wù)器上執(zhí)行的，以剛才新建的 httpd.crt 證書為例，吊銷步驟如下：

第一步：在客戶機(jī)上獲取要吊銷證書的?serial?和?subject?信息?

第二步：根據(jù)客戶機(jī)提交的?serial?和?subject?信息，對(duì)比其余本機(jī)數(shù)據(jù)庫(kù)?index.txt?中存儲(chǔ)的是否一致?

第三步：執(zhí)行吊銷操作

[root@VM-0-114-centos CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem Using configuration from /etc/pki/tls/openssl.cnf Revoking Certificate 01. Data Base Updated

第四步：生成吊銷證書的吊銷編號(hào)?（第一次吊銷證書時(shí)執(zhí)行）

]# echo 01 > /etc/pki/CA/crlnumber

第五步：更新證書吊銷列表

]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

查看 crl 文件命令：

]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text

二.腳本生成單個(gè)CA ssl證書

[root@VM-0-114-centos tapd_test_com_ca]# ls
generate_ca.sh? tapdCA.cnf? tapd.cer????????? tapd.pvk
tapdCA.cer????? tapdCA.pvk? tapdLocalExt.cnf? tapd.req

[root@VM-0-114-centos tapd_test_com_ca]# cat generate_ca.sh
#私有CA
openssl req -x509 -newkey rsa:2048 -out tapdCA.cer -outform PEM -keyout tapdCA.pvk -days 10000 -verbose -config tapdCA.cnf -nodes -sha256 -subj "/CN=TAPD CA"

#私鑰
openssl req -newkey rsa:2048 -keyout tapd.pvk -out tapd.req -subj "/CN=*.tapd.demo.com" -sha256 -nodes

#公鑰
openssl x509 -req -CA tapdCA.cer -CAkey tapdCA.pvk -in tapd.req -out tapd.cer -days 10000 -extfile tapdLocalExt.cnf -sha256 -set_serial 0x1113

[root@VM-0-114-centos tapd_test_com_ca]#vim tapdCA.cnf [ req ] distinguished_name = req_distinguished_name x509_extensions = root_ca[ req_distinguished_name ]# 以下內(nèi)容可隨意填寫 countryName = CN (2 letter code) countryName_min = 2 countryName_max = 2 stateOrProvinceName = Guangdong localityName = Shenzhen 0.organizationName = TC organizationalUnitName = technology 0.commonName = tapd.bilibili.co 0.commonName_max = 64 1.commonName = tapd.bilibili.pro 1.commonName_max = 64 2.commonName = tapd.demo.co 2.commonName_max = 64 3.commonName = tapd.demo.pro 3.commonName_max = 64 4.commonName = tapd.erik.me 4.commonName_max = 64 5.commonName = tapd.power.me 5.commonName_max = 64 6.commonName = tapd.clark.me 6.commonName_max = 64 7.commonName = tapd.anye.me 7.commonName_max = 64 8.commonName = tapd.robert.me 8.commonName_max = 64 9.commonName = tapd.test.com 9.commonName_max = 64 emailAddress = admin@tapd.cn emailAddress_max = 64[ root_ca ] basicConstraints = critical, CA:true ~ [root@VM-0-114-centos tapd_test_com_ca]# vim tapdLocalExt.cnf subjectAltName = @alt_names extendedKeyUsage = serverAuth[alt_names]DNS.1 = *.tapd.demo.com DNS.2 = tapd.demo.com IP.1 = 172.17.0.114 IP.2 = 172.17.0.142 IP.3 = 172.17.0.98

注：該腳本修該的地方就是 enerate_ca.sh你的私鑰，tapdCA.cnf應(yīng)答文件,tapdLocalExt.cnf你要解析的ip地址

三.腳本自動(dòng)生成通配符ssl證書

新建文件 gencert.sh ，編輯并加入以下內(nèi)容：#!/usr/bin/env bash # # Copyright 2020 Liu Hongyu (eliuhy@163.com) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # set -eDOMAIN="$1" WORK_DIR="$(mktemp -d)"if [ -z "$DOMAIN" ]; thenecho "Domain name needed."exit 1 fiecho "Temporary working dir is $WORK_DIR " echo "Gernerating cert for $DOMAIN ..."# # Fix the following error: # -------------------------- # Cannot write random bytes: # 139695180550592:error:24070079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:213:Filename=/home/eliu/.rnd # [ -f $HOME/.rnd ] || dd if=/dev/urandom of=$HOME/.rnd bs=256 count=1openssl genrsa -out $WORK_DIR/ca.key 4096openssl req -x509 -new -nodes -sha512 -days 3650 \-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \-key $WORK_DIR/ca.key \-out $WORK_DIR/ca.crtopenssl genrsa -out $WORK_DIR/server.key 4096openssl req -sha512 -new \-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \-key $WORK_DIR/server.key \-out $WORK_DIR/server.csrcat > $WORK_DIR/v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names[alt_names] DNS.1=$DOMAIN DNS.2=*.$DOMAIN EOFopenssl x509 -req -sha512 -days 3650 \-extfile $WORK_DIR/v3.ext \-CA $WORK_DIR/ca.crt -CAkey $WORK_DIR/ca.key -CAcreateserial \-in $WORK_DIR/server.csr \-out $WORK_DIR/server.crtopenssl x509 -inform PEM -in $WORK_DIR/server.crt -out $WORK_DIR/$DOMAIN.certmkdir -p ./$DOMAIN cp $WORK_DIR/server.key $WORK_DIR/server.crt ./$DOMAIN

假設(shè)我們要為 example.com 生成證書，執(zhí)行如下命令：

./gencert.sh example.com

生成的后的目錄結(jié)構(gòu)如下：

. ├── example.com │ ├── server.crt │ └── server.key └── gencert.sh

然后查看通配符ssl

for i in `find . -maxdepth 2 -name "*.crt"`;do openssl x509 -in $i -text -noout;done

四.導(dǎo)出證書

sz server.crt server.key

為域名快速生成自簽名證書 - 簡(jiǎn)書

總結(jié)

以上是生活随笔為你收集整理的生成自签ssl证书的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。