[Network Protocols] Generating a self-signed SSL certificate

I. Generating a single SSL certificate by hand

1. Creating the CA and requesting a certificate

When creating the CA certificate and certificate requests with the openssl tool, look at the configuration file first: it defines the names and storage locations of the certificates and related files, so every path used below must agree with it. See /etc/pki/tls/openssl.cnf.

[root@VM-0-114-centos ~]# vim /etc/pki/tls/openssl.cnf 
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
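Every manual step that follows has to use the paths this [CA_default] section defines. As an added example (not from the page's author), here is a small Python reader for OpenSSL's config syntax that expands `$dir` the way `openssl ca` does and derives the directory and file layout the CA needs. The embedded configuration text is a constructed excerpt of the section above; the one-level `$name` expansion is an assumption that holds for the stock file.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the [ca] and [CA_default] sections of a stock CentOS
# /etc/pki/tls/openssl.cnf, trimmed to the keys that matter here.
SAMPLE_CNF = """
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
default_days    = 365                   # how long to certify for
default_md      = sha256                # use SHA-256 by default
"""

_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_sections(text):
    """Minimal reader for OpenSSL's config syntax: [section] headers,
    key = value pairs and '#' comments. Values are not yet expanded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def expand(value, scope):
    """Replace $name / ${name} with values from the enclosing section
    (assumption: one level of expansion, which is all 'dir' needs)."""
    return _VAR.sub(lambda m: scope.get(m.group(1), m.group(0)), value)


def ca_paths(text):
    """Fully expanded settings of the section named by [ca] default_ca."""
    sections = parse_sections(text)
    scope = sections[sections["ca"]["default_ca"]]
    return {k: expand(v, scope) for k, v in scope.items()}


def setup_commands(text):
    """Derive the mkdir/touch commands 'openssl ca' needs from the config,
    so the layout created by hand cannot drift from the file."""
    p = ca_paths(text)
    dirs = sorted({p["certs"], p["crl_dir"], p["new_certs_dir"],
                   str(PurePosixPath(p["private_key"]).parent)})
    files = sorted({p["database"], p["serial"]})
    return ["mkdir -pv " + " ".join(dirs), "touch " + " ".join(files)]


if __name__ == "__main__":
    for cmd in setup_commands(SAMPLE_CNF):
        print(cmd)
```

Running the block prints the same `mkdir` and `touch` commands as the manual Step 1 below, derived from the config rather than typed from memory; the private-key path is also the one Step 3 must write to.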

(1) Creating the self-signed CA certificate

Step 1: create the directories and files the CA needs

[root@VM-0-114-centos CA]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@VM-0-114-centos CA]# touch /etc/pki/CA/{serial,index.txt}
[root@VM-0-114-centos CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

4 directories, 2 files

Step 2: set the starting serial number for issued certificates

]# echo 01 >> serial 

Step 3: generate the CA private key; its file name and location must match the configuration file (private_key = $dir/private/cakey.pem)

[root@VM-0-114-centos CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................................................................................................................................................................................................................++
..........................................................++
e is 65537 (0x10001)
[root@VM-0-114-centos CA]# ll private/
总用量 4
-rw------- 1 root root 3243 10月 18 21:03 cakey.pem

Step 4: generate the self-signed CA certificate; its location must also match the configuration file (certificate = $dir/cacert.pem), and you are prompted for the subject information while generating it

[root@VM-0-114-centos CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShengZhen    
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:keyao
Organizational Unit Name (eg, section) []:mage
Common Name (eg, your name or your server's hostname) []:*.tapd.demo.com
Email Address []:httpd@keyao.com
[root@VM-0-114-centos CA]# ll /etc/pki/CA/cacert.pem 
-rw-r--r-- 1 root root 2118 10月 18 21:11 /etc/pki/CA/cacert.pem

Explanation of the options used in the command:

-new: generate a new certificate signing request

-x509: used only when the CA creates its own self-signed certificate; omit it for an ordinary request

-key: the private key used to generate the request

-out: path where the certificate is saved

-days: the certificate's validity period in days; the default is 365

(2) Issuing a certificate

Generate a certificate request on the host that needs the certificate. Using the httpd service as the example, the steps are:

Step 1: on the host that needs the certificate, generate a private key; this key file can be stored anywhere

Step 2: generate the certificate signing request

Step 3: send the request to the CA host over a trusted channel

[root@VM-0-114-centos test]# (umask 077;openssl genrsa -out httpd.key 4096)  
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................................................++
..........................++
e is 65537 (0x10001)
[root@VM-0-114-centos test]# openssl req -new -key httpd.key -out httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shenzhen
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:keyao
Organizational Unit Name (eg, section) []:*.tapd.demo.com
Common Name (eg, your name or your server's hostname) []:www.tapd.demo.com
Email Address []:https@keyao.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@VM-0-114-centos test]# ll
总用量 8
-rw-r--r-- 1 root root 1765 10月 18 21:26 httpd.csr
-rw------- 1 root root 3243 10月 18 21:23 httpd.key

Step 4: once the CA server has the certificate signing request, it issues the certificate; this step is performed on the CA server

[root@VM-0-114-centos /]# ls
bin   dev   lost+found  opt   run   storage  usr
boot  etc   lib        media       proc  sbin  sys      var
data  home  lib64      mnt         root  srv   tmp

[root@VM-0-114-centos /]# openssl ca -in /httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 19 13:28:38 2021 GMT
            Not After : Oct 19 13:28:38 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShenZhen
            organizationName          = keyao
            organizationalUnitName    = yaoke.com
            commonName                = www.yaoke.com
            emailAddress              = httpd@magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A7:23:5A:30:09:64:4D:D8:51:3A:BB:C9:B6:E0:F6:80:87:5C:E0:2F
            X509v3 Authority Key Identifier: 
                keyid:36:55:4C:EE:B6:FA:90:67:AF:91:71:77:25:D0:A9:91:54:B3:68:06

Certificate is to be certified until Oct 19 13:28:38 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@VM-0-114-centos /]# ls
bin   dev   httpd.csr  lost+found  opt   run   storage  usr
boot  etc   lib        media       proc  sbin  sys      var
data  home  lib64      mnt         root  srv   tmp

The command to view the certificate information is:

[root@VM-0-114-centos /]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=02
subject= /C=CN/ST=ShenZhen/O=keyao/OU=yaoke.com/CN=www.yaoke.com/emailAddress=httpd@magedu.com

(3) Revoking a certificate

Revocation is also performed on the CA server. Using the httpd.crt certificate just created as the example, the steps are:

Step 1: on the client, obtain the serial and subject of the certificate to be revoked

Step 2: compare the serial and subject submitted by the client against the records in the CA's local database index.txt and confirm they match

Step 3: perform the revocation

[root@VM-0-114-centos CA]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

Step 4: initialize the CRL number (only needed the first time a certificate is revoked)

]# echo 01 > /etc/pki/CA/crlnumber

Step 5: update the certificate revocation list

]# openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl

Command to view the CRL file:

]# openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
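Steps 1 and 2 of the revocation procedure are where a CA operator can be tricked into revoking the wrong certificate, so it pays to check the client's claim against the CA database mechanically. The following Python is an added example, not the page's own code: it reads the two lines printed by `openssl x509 -noout -serial -subject`, parses OpenSSL's index.txt format (tab-separated status, expiry, revocation time, serial, file name, subject DN) and only reports a serial as revocable when the subject on record matches. The index.txt content embedded below is constructed, not the author's real database; the subject DN is the one shown above.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Subject DN as printed by 'openssl x509 -subject' in the section above.
SUBJECT = "/C=CN/ST=ShenZhen/O=keyao/OU=yaoke.com/CN=www.yaoke.com/emailAddress=httpd@magedu.com"

# Constructed sample of /etc/pki/CA/index.txt (assumed, not from the page):
# serial 01 was revoked earlier, serial 02 is the certificate issued above.
SAMPLE_INDEX = (
    f"R\t221019131500Z\t211020045144Z\t01\tunknown\t{SUBJECT}\n"
    f"V\t221019132838Z\t\t02\tunknown\t{SUBJECT}\n"
)


@dataclass
class IndexEntry:
    status: str                  # V = valid, R = revoked, E = expired
    expires: datetime
    revoked_at: Optional[datetime]
    serial: str                  # upper-case hex, as openssl writes it
    subject: str                 # one-line DN "/C=.../CN=..."


def _ts(s: str) -> datetime:
    """index.txt timestamps are YYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, rev, serial, _fname, subject = line.split("\t", 5)
        # the revocation field is "date" or "date,reason" when a reason was given
        rev_time = _ts(rev.split(",")[0]) if rev else None
        entries.append(IndexEntry(status, _ts(exp), rev_time, serial.upper(), subject))
    return entries


def normalize_serial(s: str) -> str:
    """Map '02', '0x2', '2' or 'serial=02' to openssl's even-length upper-case hex."""
    s = s.strip().split("=")[-1].strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = s.lstrip("0") or "0"
    if len(s) % 2:
        s = "0" + s
    return s.upper()


def parse_x509_summary(text: str) -> tuple[str, str]:
    """Read the output of 'openssl x509 -noout -serial -subject' (Step 1)."""
    serial = subject = None
    for line in text.splitlines():
        if line.startswith("serial="):
            serial = line.split("=", 1)[1].strip()
        elif line.startswith("subject="):
            subject = line.split("=", 1)[1].strip()
    if serial is None or subject is None:
        raise ValueError("serial or subject missing from x509 output")
    return serial, subject


def check_revocation_request(index_text: str, serial: str, subject: str) -> str:
    """Step 2: find the CA's record for the client's serial and confirm the
    subject matches before running 'openssl ca -revoke newcerts/<serial>.pem'.
    Returns the index status (V/R/E), 'mismatch' or 'unknown'."""
    wanted = normalize_serial(serial)
    for e in parse_index(index_text):
        if e.serial == wanted:
            if e.subject != subject:
                return "mismatch"   # serial exists but belongs to someone else: refuse
            return e.status
    return "unknown"


def crl_serials(index_text: str) -> list[str]:
    """Serials that 'openssl ca -gencrl' will publish in the CRL."""
    return [e.serial for e in parse_index(index_text) if e.status == "R"]


if __name__ == "__main__":
    s, subj = parse_x509_summary("serial=02\nsubject= " + SUBJECT + "\n")
    print(s, check_revocation_request(SAMPLE_INDEX, s, subj))  # 02 V
    print("in CRL:", crl_serials(SAMPLE_INDEX))                # ['01']
```

A result of `V` means the request is consistent and the file to pass to `openssl ca -revoke` is newcerts/<serial>.pem; `mismatch` or `unknown` means the client's claim does not match the CA's records and no revocation should be run. After revocation the entry's status flips to `R`, which is exactly what `-gencrl` collects.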

II. Generating a wildcard SSL certificate with a script

Create a file gencert.sh and add the following content:

#!/usr/bin/env bash
#
# Copyright 2020 Liu Hongyu (eliuhy@163.com)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e

DOMAIN="$1"
WORK_DIR="$(mktemp -d)"

if [ -z "$DOMAIN" ]; then
  echo "Domain name needed."
  exit 1
fi

echo "Temporary working dir is $WORK_DIR "
echo "Generating cert for $DOMAIN ..."

#
# Fix the following error:
# --------------------------
# Cannot write random bytes:
# 139695180550592:error:24070079:random number generator:RAND_write_file:Cannot open file:../crypto/rand/randfile.c:213:Filename=/home/eliu/.rnd
#
[ -f "$HOME/.rnd" ] || dd if=/dev/urandom of="$HOME/.rnd" bs=256 count=1

# 1. CA private key and a self-signed CA certificate valid for 10 years
openssl genrsa -out "$WORK_DIR/ca.key" 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
  -key "$WORK_DIR/ca.key" \
  -out "$WORK_DIR/ca.crt"

# 2. Server private key and certificate signing request
openssl genrsa -out "$WORK_DIR/server.key" 4096

openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
  -key "$WORK_DIR/server.key" \
  -out "$WORK_DIR/server.csr"

# 3. X509v3 extensions for the server certificate: the subjectAltName covers
#    the bare domain and, through the wildcard, one level of subdomain
cat > "$WORK_DIR/v3.ext" <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$DOMAIN
DNS.2=*.$DOMAIN
EOF

# 4. Sign the CSR with the CA, applying the extensions above
openssl x509 -req -sha512 -days 3650 \
  -extfile "$WORK_DIR/v3.ext" \
  -CA "$WORK_DIR/ca.crt" -CAkey "$WORK_DIR/ca.key" -CAcreateserial \
  -in "$WORK_DIR/server.csr" \
  -out "$WORK_DIR/server.crt"

# PEM copy of the server certificate named after the domain
openssl x509 -inform PEM -in "$WORK_DIR/server.crt" -out "$WORK_DIR/$DOMAIN.cert"

# ca.crt stays in $WORK_DIR; copy it as well if clients must trust this CA
mkdir -p "./$DOMAIN"
cp "$WORK_DIR/server.key" "$WORK_DIR/server.crt" "./$DOMAIN"

Suppose we want to generate a certificate for example.com; run:

./gencert.sh example.com

The resulting directory structure is:

.
├── example.com
│   ├── server.crt
│   └── server.key
└── gencert.sh
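The script writes two subjectAltName entries, `DNS.1=$DOMAIN` and `DNS.2=*.$DOMAIN`, and it is worth seeing exactly which host names that pair covers. The Python below is an added example, not part of gencert.sh: it reproduces the v3.ext content for a domain and applies the RFC 6125 wildcard rules that browsers use for DNS names (a wildcard stands for exactly one leftmost label, never for the bare domain and never for deeper subdomains). The rejection of patterns with fewer than three labels, such as `*.com`, mirrors common client behaviour and is an assumption of this example.

```python
from __future__ import annotations

# The extension file gencert.sh writes for DOMAIN.
V3_EXT_TEMPLATE = """authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1={domain}
DNS.2=*.{domain}
"""


def v3_ext(domain: str) -> str:
    """Same v3.ext content the script produces for the given domain."""
    return V3_EXT_TEMPLATE.format(domain=domain)


def san_names(domain: str) -> list[str]:
    """The DNS names the script puts in the certificate's SAN."""
    return [domain, "*." + domain]


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison of one SAN DNS entry against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Only a whole leftmost label may be a wildcard, and it must sit under at
    # least two fixed labels ("*.com" is rejected, as clients do; assumption).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # The wildcard consumes exactly one non-empty label: same label count,
    # identical remaining labels. The bare domain therefore never matches.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def covered(host: str, names: list[str]) -> bool:
    """True if any SAN entry matches the host name."""
    return any(dns_name_matches(n, host) for n in names)


if __name__ == "__main__":
    names = san_names("example.com")
    for h in ["example.com", "www.example.com", "a.b.example.com", "notexample.com"]:
        print(f"{h:20} covered={covered(h, names)}")
```

Run as a script, the output shows that `example.com` and `www.example.com` are covered while `a.b.example.com` and `notexample.com` are not, which is why the script needs both SAN entries: the wildcard alone would leave the bare domain unmatched, and a second-level subdomain needs its own certificate.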

III. Exporting the certificate

Download the generated files from the server with sz (ZMODEM transfer from the lrzsz package, used from a terminal that supports it):

sz server.crt server.key

Reference: "Quickly generate a self-signed certificate for a domain name" (简书 / Jianshu)

Added: 2021-10-20 12:51:44  Updated: 2021-10-20 12:54:04