Self-signed CA certificates
Use the openssl command to generate your own root certificate and have users install and trust it; from then on, every certificate signed by this root certificate will be trusted.
Generate the root certificate
- Create the directory layout and files
mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
touch openssl.cnf
First create the /root/ca directory; all CA operations are performed inside it.
/root/ca: the CA directory
/root/ca/certs: where newly signed certificates and the root certificate are stored
/root/ca/crl: where certificate signing request files are stored
/root/ca/newcerts: where newly signed certificates are stored; a backup copy of /root/ca/certs
/root/ca/private: where ca.key.pem (the private key) is stored; never lose it
/root/ca/index.txt: the record of signed certificates
/root/ca/serial: the serial number of the next certificate to be signed, recorded in index.txt
Contents of the /root/ca/openssl.cnf configuration file: initial contents
In the configuration file:
policy = policy_strict is used when signing with the root CA, because the root CA is only used to create intermediate CAs.
# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = BeiJing
localityName_default = BeiJing
0.organizationName_default = Flow CA
organizationalUnitName_default = Flow
emailAddress_default = flow@163.com
****
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
Add:
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 192.168.1.1
DNS.1 = flow.io
DNS.2 = ioptimi.flow.io
****
- Create the root key
# cd /root/ca
Generate a 4096-bit RSA key, encrypt it with AES-256 (symmetric) and store it at private/ca.key.pem; enter the encryption passphrase xxxx.
# openssl genrsa -aes256 -out private/ca.key.pem 4096
Enter the passphrase xxxx twice.
# chmod 400 private/ca.key.pem
- Create the root certificate
Use the root key (ca.key.pem) to create the root certificate (ca.cert.pem). Give the root certificate a long validity period, for example 20 years.
# cd /root/ca
Whenever you use the req tool you must point the -config option at the configuration file, otherwise OpenSSL falls back to /etc/pki/tls/openssl.cnf. The certificate is stored at certs/ca.cert.pem.
-days 7300: 20-year validity period
# openssl req -config openssl.cnf \
-key private/ca.key.pem \
-new -x509 -days 7500 -sha256 -extensions v3_ca \
-out certs/ca.cert.pem
Enter the encryption passphrase xxxx when prompted, then keep pressing Enter to accept the defaults from the configuration file (the optional values shown above), or enter new values.
# chmod 444 certs/ca.cert.pem
Verify the root certificate:
# openssl x509 -noout -text -in certs/ca.cert.pem
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = BeiJing, L = BeiJing, O = Flow CA, OU = Flow, CN = Flow, emailAddress = flow@163.com
Validity
Not Before: Sep 2 04:00:14 2020 GMT
Not After : Mar 16 04:00:14 2041 GMT
Subject: C = CN, ST = BeiJing, L = BeiJing, O = Flow CA, OU = Flow, CN = Flow, emailAddress = flow@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus: (public key)
Generate the server certificate
- Generate the server key (server.key) and certificate signing request (server.csr)
Suppose the site's domain name or IP address is 127.0.0.1. Create a 127.0.0.1 directory next to the ca directory; all server-certificate operations are performed there.
mkdir /root/127.0.0.1
cd /root/127.0.0.1
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
You will be prompted for the subject fields; fill in as many as possible, so that you do not have to re-sign later if browsers become stricter about certificate validation. For the key fields, simply repeat the values used for the CA.
Country Name: CN
State or Province Name: BeiJing
Locality Name (eg, city): BeiJing
Organization Name (eg, company): Flow CA
Organizational Unit Name (eg, section): Flow
Common Name (domain name or IP): 127.0.0.1
Email Address: flow@163.com
Extra attributes:
A challenge password: yyyy
An optional company name []: Flow
- Generate the certificate
Edit /root/ca/openssl.cnf, changing
policy = policy_strict (signing with the root CA)
to
policy = policy_loose (signing with the intermediate CA)
and update the IP addresses or DNS names below to those being signed:
[alt_names]
IP.1 = 127.0.0.1
IP.2 = 192.168.1.1
DNS.1 = flow.io
DNS.2 = ioptimi.flow.io
- Generate the certificate:
-days 375: 375-day validity period (also the default value); -in is the input file (the CSR generated above, placed under /root/ca/crl as 127.0.0.1.csr.pem, since this CA keeps its requests in crl); -out is the output path.
cd /root/ca
openssl ca -config openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in crl/127.0.0.1.csr.pem \
-out certs/127.0.0.1.cert.pem
Verify the server certificate:
openssl x509 -noout -text -in certs/127.0.0.1.cert.pem
Issuer: C = CN, ST = BeiJing, L = BeiJing, O = Flow CA, OU = flow, CN = flow, emailAddress = webmaster@flow.io
Validity
Not Before: Sep 2 08:05:44 2020 GMT
Not After : Sep 12 08:05:44 2021 GMT
Subject: C = CN, ST = BeiJing, L = BeiJing, O = Flow CA, OU = Flow, CN = flow, emailAddress = flow@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Copy 127.0.0.1.cert.pem into the /root/127.0.0.1 directory and rename it server.crt
# cp certs/127.0.0.1.cert.pem …/127.0.0.1/server.crt
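The whole procedure above, compressed into one script that can be run as an added example (it is not code from the original post): it builds a throwaway root CA, issues a server certificate carrying the subjectAltName, and then runs the two checks a TLS client performs, chain to the trusted root and name match against the SAN. It uses `openssl x509 -req` for signing instead of the post's `openssl ca` database, and the names, addresses and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: throwaway root CA + SAN-bearing
# server cert in a temp dir, then the checks a TLS client performs. Config
# sections mirror the post's; signing uses `openssl x509 -req` rather than
# the post's `openssl ca` database. Names and addresses are constructed.
set -eu

# demo_ca DNS IP -> 0 if the leaf chains to the root and matches both names,
# 2 if no openssl binary is available, 1 on any other failure.
demo_ca() {
  dns="$1"; ip="$2"
  command -v openssl >/dev/null 2>&1 || return 2
  dir=$(mktemp -d) || return 1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
keyUsage               = critical, keyCertSign, cRLSign
EOF
  # Root key left unencrypted only because this CA is discarded; keep the
  # post's -aes256 passphrase and chmod 400 for a real root key.
  openssl genrsa -out "$dir/ca.key.pem" 2048 2>/dev/null || return 1
  chmod 400 "$dir/ca.key.pem"
  openssl req -config "$dir/ca.cnf" -key "$dir/ca.key.pem" -new -x509 \
    -days 7500 -sha256 -extensions v3_ca -subj "/C=CN/O=Flow CA/CN=Flow" \
    -out "$dir/ca.cert.pem" || return 1
  # Server key and CSR; CN carries the DNS name, but clients match the SAN.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
  openssl req -config "$dir/ca.cnf" -new -key "$dir/server.key" \
    -subj "/C=CN/O=Flow CA/CN=$dns" -out "$dir/server.csr" || return 1
  # Same extensions as the post's [ server_cert ] section, SAN filled in.
  printf '%s\n' "basicConstraints = CA:FALSE" "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid,issuer:always" "extendedKeyUsage = serverAuth" \
    "keyUsage = critical, digitalSignature, keyEncipherment" \
    "subjectAltName = DNS:$dns,IP:$ip" > "$dir/server.ext"
  openssl x509 -req -days 375 -sha256 -in "$dir/server.csr" -CA "$dir/ca.cert.pem" \
    -CAkey "$dir/ca.key.pem" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null || return 1
  # Chain + DNS name and chain + IP must verify; a name outside the SAN must not.
  openssl verify -CAfile "$dir/ca.cert.pem" -verify_hostname "$dns" "$dir/server.crt" >/dev/null || return 1
  openssl verify -CAfile "$dir/ca.cert.pem" -verify_ip "$ip" "$dir/server.crt" >/dev/null || return 1
  ! openssl verify -CAfile "$dir/ca.cert.pem" -verify_hostname other.invalid "$dir/server.crt" >/dev/null 2>&1 || return 1
  rm -rf "$dir"
}
```

Running `demo_ca flow.io 192.168.1.1` exits 0 only when the issued certificate both chains to the root and lists the name in its SAN, which is exactly what a browser checks once the root is installed as trusted.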