System environment:

Ubuntu 18.10

OpenSSL 1.1.1 11 Sep 2018

Part One: Building a private CA

1: Create the following directories in order

mkdir -p /opt/ca/root

mkdir /opt/ca/root/key

2:vim /opt/ca/root/openssl.cnf

[ ca ]
default_ca	= CA_default
 
[ CA_default ]
dir		    = /opt/ca/root
certs		= $dir/certs
crl_dir		= $dir/crl
database	= $dir/index.txt
new_certs_dir	= $dir/newcerts
certificate	= $dir/key/cacert.crt
serial		= $dir/serial
crlnumber	= $dir/crlnumber
crl		    = $dir/crl.pem
private_key	= $dir/key/cakey.pem
RANDFILE	= $dir/key/.rand
unique_subject	= no
 
x509_extensions	= usr_cert
copy_extensions = copy
 
name_opt 	= ca_default
cert_opt 	= ca_default
 
default_days	= 365
default_crl_days= 30
default_md	= sha256
preserve	= no
policy		= policy_ca
 
[ policy_ca ]
countryName		= supplied
stateOrProvinceName	= supplied
organizationName	= supplied
organizationalUnitName	= supplied
commonName		= supplied
emailAddress		= optional
 
[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca
string_mask = utf8only
utf8 = yes
prompt                  = no
 
[ req_distinguished_name ]
countryName			= CN
stateOrProvinceName		= beijing
localityName			= beijing
organizationName        = Global Google CA Inc
organizationalUnitName	= Root CA
commonName			= Global Google Root CA
 
[ usr_cert ]
basicConstraints = CA:TRUE
 
[ v3_ca ]
basicConstraints        = CA:TRUE
 
[ req_attributes ]

3: Create the following directories and files

mkdir /opt/ca/root/newcerts

touch /opt/ca/root/index.txt

touch /opt/ca/root/index.txt.attr

echo 01 > /opt/ca/root/serial

4: Create the CA private key

openssl genrsa -out /opt/ca/root/key/cakey.pem 2048

5: Generate the CA certificate signing request

openssl req -new -key /opt/ca/root/key/cakey.pem -out /opt/ca/root/key/ca.csr -config /opt/ca/root/openssl.cnf

6: Self-sign it

openssl ca -selfsign -in /opt/ca/root/key/ca.csr -out /opt/ca/root/key/cacert.crt -config /opt/ca/root/openssl.cnf

7: Edit /opt/ca/root/openssl.cnf and change

[usr_cert] basicConstraints = CA:TRUE

to

[usr_cert] basicConstraints = CA:FALSE

CA:TRUE marks the issued certificate as a CA certificate (in step 6 the CA is issuing its own root certificate); CA:FALSE marks it as an ordinary end-entity certificate, so once the value is changed to FALSE the certificates issued from then on cannot in turn issue other CAs.

After these 7 steps the CA private key and CA certificate have been created. With them you can now sign other certificate requests.

Part Two: Signing a certificate with the private CA

1: mkdir /opt/ca/taobao

2:vim /opt/ca/taobao/openssl.cnf

[ req ]
prompt             = no
distinguished_name = server_distinguished_name
req_extensions     = req_ext
x509_extensions	= v3_req
attributes		= req_attributes
string_mask = utf8only
utf8 = yes
 
[ server_distinguished_name ]
commonName              = taobao2018.cn
stateOrProvinceName     = guangzhou
countryName             = CN
organizationName        = 广州我要淘科技有限公司
organizationalUnitName  = IT
 
[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 
[ req_attributes ]
 
[ req_ext ]
subjectAltName      = @alternate_names
 
[ alternate_names ]
DNS.1        = taobao2018.cn
DNS.2        = bbs.taobao2018.cn
DNS.3        = taobao2019.cn

3: Generate the site's private key

openssl genrsa -out /opt/ca/taobao/privkey.pem 2048

4: Generate the certificate signing request (the .csr file)

openssl req -new -key /opt/ca/taobao/privkey.pem -out /opt/ca/taobao/taobao.csr -config /opt/ca/taobao/openssl.cnf

5: Issue the certificate with the private CA

openssl ca -in /opt/ca/taobao/taobao.csr -out /opt/ca/taobao/taobao.crt -config /opt/ca/root/openssl.cnf

6: Inspect the certificate (optional)

openssl x509 -text -in /opt/ca/taobao/taobao.crt

After these steps you have a certificate issued by your own CA.
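The whole procedure of Part One and Part Two, replayed end to end as an added example (this script is not from the original post). It builds the CA in a scratch directory, issues the site certificate, and then checks what the two basicConstraints settings and copy_extensions actually produced. Directory layout, subject names and section names follow the post; the config written here keeps only the keys those steps use, the SAN list is written inline instead of via @alternate_names, and -batch and -notext are added so openssl ca runs unattended and writes plain PEM.

```shell
#!/bin/sh
# Added example, not code from the original post: replays Part One (build the CA) and
# Part Two (issue the site certificate) in a scratch directory, then checks the result.
set -eu

# CA config (post's /opt/ca/root/openssl.cnf). [usr_cert] basicConstraints is a
# parameter: TRUE while self-signing the root (step 6), FALSE afterwards (step 7).
write_ca_config() {
  ca_dir=$1; ca_flag=$2
  cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/key/cacert.crt
serial          = \$dir/serial
private_key     = \$dir/key/cakey.pem
unique_subject  = no
x509_extensions = usr_cert
copy_extensions = copy
default_days    = 365
default_md      = sha256
policy          = policy_ca
[ policy_ca ]
countryName            = supplied
stateOrProvinceName    = supplied
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
string_mask        = utf8only
utf8               = yes
[ req_distinguished_name ]
countryName            = CN
stateOrProvinceName    = beijing
organizationName       = Global Google CA Inc
organizationalUnitName = Root CA
commonName             = Global Google Root CA
[ usr_cert ]
basicConstraints = CA:$ca_flag
EOF
}
# Site config (post's /opt/ca/taobao/openssl.cnf): the SANs sit in req_extensions,
# so they go into the CSR and the CA copies them because of copy_extensions = copy.
write_site_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = server_distinguished_name
req_extensions     = req_ext
string_mask        = utf8only
utf8               = yes
[ server_distinguished_name ]
commonName             = taobao2018.cn
stateOrProvinceName    = guangzhou
countryName            = CN
organizationName       = 广州我要淘科技有限公司
organizationalUnitName = IT
[ req_ext ]
subjectAltName = DNS:taobao2018.cn,DNS:bbs.taobao2018.cn,DNS:taobao2019.cn
EOF
}
build_root_ca() {   # Part One, steps 1-7
  root=$1
  mkdir -p "$root/key" "$root/newcerts"
  touch "$root/index.txt" "$root/index.txt.attr"; echo 01 > "$root/serial"
  write_ca_config "$root" TRUE
  openssl genrsa -out "$root/key/cakey.pem" 2048 2>/dev/null
  openssl req -new -key "$root/key/cakey.pem" -out "$root/key/ca.csr" -config "$root/openssl.cnf"
  openssl ca -selfsign -batch -notext -in "$root/key/ca.csr" -out "$root/key/cacert.crt" \
    -config "$root/openssl.cnf" >/dev/null 2>&1
  write_ca_config "$root" FALSE   # step 7: everything issued from now on is CA:FALSE
}
issue_site_cert() {   # Part Two, steps 1-5
  root=$1; site=$2
  mkdir -p "$site"; write_site_config "$site"
  openssl genrsa -out "$site/privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$site/privkey.pem" -out "$site/taobao.csr" -config "$site/openssl.cnf"
  openssl ca -batch -notext -in "$site/taobao.csr" -out "$site/taobao.crt" \
    -config "$root/openssl.cnf" >/dev/null 2>&1
}
# Checks, read from the same `openssl x509 -text` output as Part Two, step 6.
basic_constraints() { openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '; }
san_names() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '; }
chains_to_root() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # 0 if $2 was issued by root $1

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
build_root_ca "$WORK/root"; issue_site_cert "$WORK/root" "$WORK/taobao"
echo "root: $(basic_constraints "$WORK/root/key/cacert.crt")  site: $(basic_constraints "$WORK/taobao/taobao.crt")"
echo "SANs: $(san_names "$WORK/taobao/taobao.crt")"
chains_to_root "$WORK/root/key/cacert.crt" "$WORK/taobao/taobao.crt" && echo "chain: OK"
```

Two details worth noticing in the output: the root comes out CA:TRUE and the site certificate CA:FALSE even though both were signed with the same config file, because step 7 changed [usr_cert] in between; and the three DNS names reached the site certificate only because copy_extensions = copy pulled them out of the CSR. That setting copies a request extension only when the CA config does not already set it, so a CSR cannot override the CA's basicConstraints; copyall would let it.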

Part Three: Configuring SSL in nginx

server {
	listen       443 ssl;
	server_name  taobao2018.cn bbs.taobao2018.cn taobao2019.cn;
 
	ssl_certificate      /opt/ca/taobao/taobao.crt;
	ssl_certificate_key  /opt/ca/taobao/privkey.pem;
 
	ssl_session_cache    shared:SSL:1m;
	ssl_session_timeout  5m;
 
	ssl_ciphers  HIGH:!aNULL:!MD5;
	ssl_prefer_server_ciphers  on;
 
	location / {
		root   html;
		index  index.html index.htm;
	}
}

After saving the configuration file, start nginx.

Part Four: Importing the private CA's certificate (the root certificate)

Taking Firefox as an example: open Options -> Privacy & Security -> View Certificates, choose Import under Authorities, select the file /opt/ca/root/key/cacert.crt, import it and tick both trust checkboxes.

Part Five: Configuring hosts

192.168.133.134 taobao2018.cn
192.168.133.134 bbs.taobao2018.cn
192.168.133.134 taobao2019.cn

Finally, open any of the three URLs above over https.

After visiting, you can also view the certificate in Firefox.

Notes:

1: The certificate's X.509 fields such as stateOrProvinceName and organizationalUnitName are already specified in the openssl.cnf configuration file, so they do not have to be entered again when generating the certificate request.

2: The commonName in the certificate request only needs to carry the main domain; the other domains (and the main domain as well) must be specified in the subjectAltName attribute of openssl.cnf, otherwise the browser will show an insecure-connection warning. In this example the certificate supports 3 domains, so all 3 must be configured in subjectAltName.

End of article
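Note 2 and the server_name list in the nginx block of Part Three are tied together: each name nginx serves must match the certificate the way a browser checks it. The following added example (not from the original post) makes that visible with a constructed, throw-away self-signed certificate whose CN is taobao2018.cn but whose subjectAltName lists only the other two names, and then checks each nginx server_name against it with openssl verify -verify_hostname. The req config sections are named after the post's taobao config; the -days, key size and file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: shows why every name, CN included,
# must be in subjectAltName, and checks an nginx server_name list against a cert.
set -eu

# Writes a minimal req config (section names follow the post's taobao config) and
# creates a throw-away self-signed certificate with the given CN and SAN list.
make_test_cert() {
  dir=$1; cn=$2; sans=$3          # sans: comma-separated, e.g. DNS:a,DNS:b
  cat > "$dir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = server_distinguished_name
x509_extensions    = v3_req
[ server_distinguished_name ]
commonName = $cn
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = $sans
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -config "$dir/req.cnf" >/dev/null 2>&1
}

# Hostname verification as a browser performs it: exit 0 when name $2 matches
# certificate $1. The self-signed cert doubles as its own trust anchor here.
host_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Run every server_name of an nginx server block against the certificate:
# one line per name, exit 1 if any name would trigger the browser warning.
check_server_names() {
  cert=$1; shift; rc=0
  for name in "$@"; do
    if host_matches "$cert" "$name"; then echo "$name: in SAN, accepted"
    else echo "$name: not in SAN, browser would warn"; rc=1; fi
  done
  return $rc
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
echo "CN set, SAN incomplete:"
make_test_cert "$WORK" taobao2018.cn "DNS:bbs.taobao2018.cn,DNS:taobao2019.cn"
check_server_names "$WORK/cert.pem" taobao2018.cn bbs.taobao2018.cn taobao2019.cn || true
echo "all three names in SAN:"
make_test_cert "$WORK" taobao2018.cn "DNS:taobao2018.cn,DNS:bbs.taobao2018.cn,DNS:taobao2019.cn"
check_server_names "$WORK/cert.pem" taobao2018.cn bbs.taobao2018.cn taobao2019.cn
```

In the first run taobao2018.cn is rejected although it is the CN: once a certificate carries any DNS SAN, OpenSSL (like browsers) matches hostnames against the SAN list only and ignores the CN. Adding the main domain to the SAN list, as the post's alternate_names section does, makes all three server_name entries pass.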

Last Updated: 2022/7/8 2:41:42 PM