1. Creating self-signed certificates with OpenSSL
1.1. Stage one: create the CA root certificate
1.2. Stage two: create the server certificate
1.3. Stage three: create the client certificate (used for mutual authentication)

2. Configuring an HTTPS site in a web container
2.1. Tomcat configuration
2.2. Nginx configuration
2.3. Apache httpd configuration

3. Client access
3.1. Install the CA certificate
3.2. Install the client PKCS12 certificate (used for mutual authentication)
3.3. Common problems

Afterword 1: HTTPS and SSL concepts and how they work

Afterword 2: Requesting a certificate from a public CA for an internet domain on Tencent Cloud

Afterword 3: Creating a self-signed server certificate

Author: 张毅SOHO
Link: https://www.jianshu.com/p/5b3dfe4bb12e
Source: 简书 (Jianshu)
Copyright belongs to the author. Contact the author for authorization before reproducing commercially; non-commercial reproduction must credit the source.
1. Creating self-signed certificates with OpenSSL
1) Install OpenSSL.

[root@localhost conf.d]# sudo dnf install openssl
上次元数据过期检查:0:01:01 前,执行于 2022年04月18日 星期一 09时12分58秒。
软件包 openssl-1:1.1.1k-5.el8_5.x86_64 已安装。
依赖关系解决。
无需任何处理。
完毕!

2) Create the SSL working directory.

Three kinds of certificates are produced: CA, server and client. Under the SSL working root, create the subdirectories "ca", "server" and "client" for the corresponding output files, and set their owner to the account that manages the certificates.

[root@localhost conf.d]#  sudo mkdir -p /data/ssl/ca
[root@localhost conf.d]# sudo mkdir -p /data/ssl/server
[root@localhost conf.d]# sudo mkdir -p /data/ssl/client
[root@localhost /]# sudo chown -R apache:apache /data/ssl

1.1. Stage one: create the CA root certificate
1) Create the CA [private key].

Procedure: set the CA key passphrase.

[root@localhost /]# openssl genrsa -des3 -out /data/ssl/ca/ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
..................................................................................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for /data/ssl/ca/ca.key:
Verifying - Enter pass phrase for /data/ssl/ca/ca.key:
[root@localhost /]#

Passphrase entered: ma****.
Explanation:

[openssl genrsa] generates an RSA private key.
[-des3] is the algorithm used to encrypt the key file;
[-out] is the output file for the key;
[2048] is the key length in bits.

View the CA key file (the key passphrase is required):

[root@localhost /]# openssl rsa -in /data/ssl/ca/ca.key
Enter pass phrase for /data/ssl/ca/ca.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
[root@localhost /]#

2) Create the CA [root certificate signing request].

Input: the CA key file. Output: the CA root certificate signing request file.

Procedure: enter the CA key passphrase => country => state or province => city => organization => organizational unit => certificate name => e-mail address and the extra attributes (challenge password and optional company name).

[root@localhost /]# openssl req -new -key /data/ssl/ca/ca.key -out /data/ssl/ca/ca.csr
Enter pass phrase for /data/ssl/ca/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:xg
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:wqb
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:wqbboy@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost /]#

Explanation:

[openssl req] creates a certificate signing request.
[-new] generates a new request file;
[-key] is the input key file;
[-out] is the output file for the signing request.
Note: [Common Name] should be the name of the CA.

View the CA certificate request file:

[root@localhost /]# openssl req -in /data/ssl/ca/ca.csr -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [hex dump omitted]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         [hex dump omitted]

3) Generate the CA self-signed [root certificate], i.e. self-sign the signing request to produce the certificate.

Input: the CA key file and the CA root certificate signing request. Output: the CA self-signed root certificate file.

Procedure: enter the CA key passphrase.

[root@localhost /]#  openssl x509 -req -days 3650 -signkey /data/ssl/ca/ca.key -in /data/ssl/ca/ca.csr -out /data/ssl/ca/ca.pem
Signature ok
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
Getting Private key
Enter pass phrase for /data/ssl/ca/ca.key:
[root@localhost /]#

Explanation:

[openssl x509] creates a self-signed certificate.
[-req] says the input file is a certificate signing request;
[-days] is the certificate validity period in days;
[-signkey] is the input file for the signing key;
[-in] is the input certificate signing request;
[-out] is the output certificate file.
View the CA certificate file:

[root@localhost /]# openssl x509 -in /data/ssl/ca/ca.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            52:a1:bf:3e:4d:c7:22:68:e3:1e:0f:3d:be:50:78:99:00:9c:d0:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
        Validity
            Not Before: Apr 18 01:28:05 2022 GMT
            Not After : Apr 15 01:28:05 2032 GMT
        Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [hex dump omitted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         [hex dump omitted]
[root@localhost /]#

Aside: installing and using the gmssl tool, and the problems encountered
gmssl version: GmSSL-v1
(The latest GmSSL-master was not tried this time; it ran into a problem at build time, and this will be added later if that gets resolved.)
Build and install

[root@test-gmssl ~]# wget https://github.com/guanzhi/GmSSL/archive/GmSSL-v1.zip
[root@test-gmssl ~]# unzip GmSSL-v1.zip
[root@test-gmssl ~]# cd GmSSL-GmSSL-v1
[root@test-gmssl ~]# ./config --prefix=/usr/local
[root@test-gmssl ~]# make
[root@test-gmssl ~]# make install

Install gcc

dnf install -y gcc

Check the installation

[root@test-gmssl ~]# gmssl version
GmSSL 1.3.0 - OpenSSL 1.0.2d

4) Export the CA [PKCS12 certificate].

Input: the CA self-signed certificate file and the CA key. Output: the CA PKCS12 certificate.

Procedure: set the PKCS12 certificate passphrase.

[root@localhost GmSSL-GmSSL-v1]# gmssl pkcs12 -export -in /data/ssl/ca/ca.pem -inkey /data/ssl/ca/ca.key -out /data/ssl/ca/ca.p12 -name ca
GMSSL: pem_lib.c 857: pem_str = RSA PRIVATE KEY
GMSSL: pem_lib.c 858: suffix = PRIVATE KEY
GMSSL: pem_lib.c 863: p = PRIVATE KEY
Enter pass phrase for /data/ssl/ca/ca.key:
GMSSL: pem_lib.c 857: pem_str = RSA PRIVATE KEY
GMSSL: pem_lib.c 858: suffix = PRIVATE KEY
GMSSL: pem_lib.c 863: p = PRIVATE KEY
GMSSL: d2i_pr.c 96
GMSSL: d2i_pr.c 118
GMSSL: d2i_pr.c 121

Explanation:

[openssl pkcs12] (run here as gmssl pkcs12, which takes the same options) creates a PKCS12 certificate.
[-export] exports to PKCS12 format;
[-in] is the input signed certificate file;
[-inkey] is the input key file;
[-name] is the alias (friendly name) stored in the PKCS12 file;
[-out] is the output PKCS12 file.
View the CA PKCS12 certificate file (the CA PKCS12 passphrase is required):

[root@localhost GmSSL-GmSSL-v1]# gmssl pkcs12 -in /data/ssl/ca/ca.p12 -info
140633287399104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:

View all files generated for the CA.

[root@localhost GmSSL-GmSSL-v1]# ls /data/ssl/ca/
ca.csr  ca.key  ca.p12  ca.pem

1.2. Stage two: create the server certificate
1) Create the server [private key].

Procedure: set the server key passphrase.

[root@localhost GmSSL-GmSSL-v1]# openssl genrsa -des3 -out /data/ssl/server/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................+++++
...............................................................+++++
e is 65537 (0x010001)
Enter pass phrase for /data/ssl/server/server.key:
Verifying - Enter pass phrase for /data/ssl/server/server.key:
[root@localhost GmSSL-GmSSL-v1]#

Explanation:

[openssl genrsa] generates an RSA private key.
[-des3] is the algorithm used to encrypt the key file;
[-out] is the output file for the key;
[2048] is the key length in bits.
View the server key file (the key passphrase is required):

[root@localhost GmSSL-GmSSL-v1]#  openssl rsa -in /data/ssl/server/server.key
Enter pass phrase for /data/ssl/server/server.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----

2) Create the server [certificate signing request].

Input: the server key file. Output: the server certificate signing request file.

Procedure: enter the server key passphrase => country => state or province => city => organization => organizational unit => certificate name => e-mail address and the extra attributes (challenge password and optional company name).

[root@localhost GmSSL-GmSSL-v1]# openssl req -new -key /data/ssl/server/server.key -out /data/ssl/server/server.csr
Enter pass phrase for /data/ssl/server/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:xg
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:wqb
Common Name (eg, your name or your server's hostname) []:192.168.20.14
Email Address []:wqbboy@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost GmSSL-GmSSL-v1]#

Explanation:

[openssl req] creates a certificate signing request.
[-new] generates a new request file;
[-key] is the input key file;
[-out] is the output file for the signing request.
Note: [Common Name] should be the server's IP address or DNS name (for example 192.168.216.128 or localhost). Once the web container is configured, a client connecting over HTTPS with a host name that does not match the [Common Name] gets a security warning.

View the server certificate request file:

[root@localhost GmSSL-GmSSL-v1]#  openssl req -in /data/ssl/server/server.csr -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [hex dump omitted]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         [hex dump omitted]
[root@localhost GmSSL-GmSSL-v1]#

3) Generate the CA-signed server [certificate], i.e. the CA signs the server's signing request to produce the server certificate.

Input: the CA root certificate file, the CA key file and the server certificate signing request. Output: the CA-signed server certificate file.

Procedure: enter the CA key passphrase.

[root@localhost GmSSL-GmSSL-v1]# openssl x509 -req -days 3650 -CA /data/ssl/ca/ca.pem -CAkey /data/ssl/ca/ca.key -CAcreateserial -in /data/ssl/server/server.csr -out /data/ssl/server/server.pem
Signature ok
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
Getting CA Private Key
Enter pass phrase for /data/ssl/ca/ca.key:

Explanation:

[openssl x509] creates a CA-signed certificate.
[-req] says the input file is a certificate signing request;
[-days] is the certificate validity period in days;
[-CA] is the input CA root certificate file;
[-CAkey] is the input CA key file;
[-CAcreateserial] creates the CA serial-number file if it does not exist yet;
[-in] is the input certificate signing request;
[-out] is the output certificate file.
View the server certificate file:

[root@localhost GmSSL-GmSSL-v1]# openssl x509 -in /data/ssl/server/server.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            1a:5d:40:ab:0f:da:91:d8:e3:e7:d0:2a:72:5a:bf:1c:cd:47:d8:db
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
        Validity
            Not Before: Apr 18 01:54:54 2022 GMT
            Not After : Apr 15 01:54:54 2032 GMT
        Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [hex dump omitted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         [hex dump omitted]
[root@localhost GmSSL-GmSSL-v1]#

4) Export the server [PKCS12 certificate].

Input: the CA-signed server certificate file and the server key. Output: the server PKCS12 certificate.

Procedure: enter the server key passphrase => set the PKCS12 certificate passphrase.

[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -export -in /data/ssl/server/server.pem -inkey /data/ssl/server/server.key -out /data/ssl/server/server.p12 -name https_cert
Enter pass phrase for /data/ssl/server/server.key:
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost GmSSL-GmSSL-v1]#

Explanation:

[openssl pkcs12] creates a PKCS12 certificate.
[-export] exports to PKCS12 format;
[-in] is the input signed certificate file;
[-inkey] is the input key file;
[-name] is the alias (friendly name) stored in the PKCS12 file;
[-out] is the output PKCS12 file.
View the server PKCS12 certificate file (the server PKCS12 passphrase is required):

[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -in /data/ssl/server/server.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName: https_cert
    localKeyID: 06 5E C4 4E FC F7 E7 24 9D 81 60 BA 83 81 3C A6 DD 86 6C 1F
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
issuer=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName: https_cert
    localKeyID: 06 5E C4 4E FC F7 E7 24 9D 81 60 BA 83 81 3C A6 DD 86 6C 1F
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
[key body omitted]
-----END ENCRYPTED PRIVATE KEY-----
[root@localhost GmSSL-GmSSL-v1]#

5) View all files generated for the server.

1.3. Stage three: create the client certificate (used for mutual authentication)
1) Create the client [private key].

Procedure: set the client key passphrase.

[root@localhost GmSSL-GmSSL-v1]# openssl genrsa -des3 -out /data/ssl/client/client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
..........+++++
e is 65537 (0x010001)
Enter pass phrase for /data/ssl/client/client.key:
Verifying - Enter pass phrase for /data/ssl/client/client.key:
[root@localhost GmSSL-GmSSL-v1]#

Explanation:

[openssl genrsa] generates an RSA private key.
[-des3] is the algorithm used to encrypt the key file;
[-out] is the output file for the key;
[2048] is the key length in bits.
View the client key file (the key passphrase is required):

[root@localhost GmSSL-GmSSL-v1]#  openssl rsa -in /data/ssl/client/client.key
Enter pass phrase for /data/ssl/client/client.key:

2) Create the client [certificate signing request].

Input: the client key file. Output: the client certificate signing request file.

Procedure: enter the client key passphrase => country => state or province => city => organization => organizational unit => certificate name => e-mail address and the extra attributes (challenge password and optional company name).

[root@localhost GmSSL-GmSSL-v1]# openssl req -new -key /data/ssl/client/client.key -out /data/ssl/client/client.csr
Enter pass phrase for /data/ssl/client/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:xg
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:wqb
Common Name (eg, your name or your server's hostname) []:https_client
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost GmSSL-GmSSL-v1]#

Explanation:

[openssl req] creates a certificate signing request.
[-new] generates a new request file;
[-key] is the input key file;
[-out] is the output file for the signing request.
Note: [Common Name] should be a unique identifier for the client.

View the client certificate request file:

[root@localhost GmSSL-GmSSL-v1]# openssl req -in /data/ssl/client/client.csr -noout -text
Certificate Request:
    Data:

3) Generate the CA-signed client [certificate], i.e. the CA signs the client's signing request to produce the client certificate.

Input: the CA root certificate file, the CA key file and the client certificate signing request. Output: the CA-signed client certificate file.

Procedure: enter the CA key passphrase.

[root@localhost GmSSL-GmSSL-v1]# openssl x509 -req -days 3650 -CA /data/ssl/ca/ca.pem -CAkey /data/ssl/ca/ca.key -CAcreateserial -in /data/ssl/client/client.csr -out /data/ssl/client/client.pem
Signature ok
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = https_client
Getting CA Private Key
Enter pass phrase for /data/ssl/ca/ca.key:

Explanation:

[openssl x509] creates a CA-signed certificate.
[-req] says the input file is a certificate signing request;
[-days] is the certificate validity period in days;
[-CA] is the input CA root certificate file;
[-CAkey] is the input CA key file;
[-CAcreateserial] creates the CA serial-number file if it does not exist yet;
[-in] is the input certificate signing request;
[-out] is the output certificate file.
View the client certificate file:

[root@localhost GmSSL-GmSSL-v1]#  openssl x509 -in /data/ssl/client/client.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:

4) Export the client [PKCS12 certificate].

Input: the CA-signed client certificate file and the client key. Output: the client PKCS12 certificate.

Procedure: enter the client key passphrase => set the PKCS12 certificate passphrase.

[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -export -in /data/ssl/client/client.pem -inkey /data/ssl/client/client.key -out /data/ssl/client/client.p12 -name https_client
Enter pass phrase for /data/ssl/client/client.key:
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost GmSSL-GmSSL-v1]#

Explanation:

[openssl pkcs12] creates a PKCS12 certificate.
[-export] exports to PKCS12 format;
[-in] is the input signed certificate file;
[-inkey] is the input key file;
[-name] is the alias (friendly name) stored in the PKCS12 file;
[-out] is the output PKCS12 file.
View the client PKCS12 certificate file (the client PKCS12 passphrase is required):

[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -in /data/ssl/client/client.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag

View all files generated for the client.

[root@localhost GmSSL-GmSSL-v1]# ls /data/ssl/client
client.csr  client.key  client.p12  client.pem

2. Configuring an HTTPS site in a web container

2.3. Apache httpd configuration
1) Install and configure Apache httpd.

[centos@host ~]$ sudo dnf install httpd
[centos@host ~]$ sudo dnf install mod_ssl openssl
[centos@host ~]$ sudo setenforce 0
[centos@host ~]$ sudo gedit /etc/httpd/conf.d/ssl.conf

[root@localhost conf.d]# dnf install mod_ssl openssl -y
上次元数据过期检查:0:56:51 前,执行于 2022年04月18日 星期一 09时12分58秒。
软件包 openssl-1:1.1.1k-5.el8_5.x86_64 已安装。
依赖关系解决。
================================================================================
 软件包   架构    版本                                         仓库        大小
================================================================================
安装:
 mod_ssl  x86_64  1:2.4.37-43.module_el8.5.0+1022+b541f3b1     AppStream  136 k

事务概要
================================================================================
安装  1 软件包

总下载:136 k
安装大小:266 k
下载软件包:
mod_ssl-2.4.37-43.module_el8.5.0+1022+b541f3b1. 162 kB/s | 136 kB     00:00
--------------------------------------------------------------------------------
总计                                            162 kB/s | 136 kB     00:00
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
  准备中  :                                                                 1/1
  安装    : mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64         1/1
  运行脚本: mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64         1/1
  验证    : mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64         1/1

已安装:
  mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64

完毕!
[root@localhost conf.d]# ls
autoindex.conf  php.conf  ssl.conf      welcome.conf
nextcloud.conf  README    userdir.conf
[root@localhost conf.d]# ll
总用量 36
-rw-r--r--. 1 root root 2926 11月 12 12:58 autoindex.conf
-rw-r--r--. 1 root root  300 3月  30 15:23 nextcloud.conf
-rw-r--r--. 1 root root 1617 2月  15 22:26 php.conf
-rw-r--r--. 1 root root  400 11月 12 12:58 README
-rw-r--r--. 1 root root 8720 11月 12 12:54 ssl.conf
-rw-r--r--. 1 root root 1252 11月 12 12:54 userdir.conf
-rw-r--r--. 1 root root  574 11月 12 12:54 welcome.conf
[root@localhost conf.d]#

[root@localhost conf.d]# setenforce 0
[root@localhost conf.d]# gedit ssl.conf
[root@localhost conf.d]# ls
autoindex.conf  php.conf  ssl.conf      welcome.conf
nextcloud.conf  README    userdir.conf
[root@localhost conf.d]# vi ssl.conf
[root@localhost conf.d]# vi ssl.conf

Edit the following settings in the file and save it:

# Listening port
Listen 443 https
# HTTPS document root
DocumentRoot "/var/www/html"
# Server name
ServerName localhost
# Server certificate file (signed by the CA)
SSLCertificateFile /data/ssl/server/server.pem
# Server private key file
SSLCertificateKeyFile /data/ssl/server/server.key
# Client certificate authentication (mutual TLS); uncomment to enable
# SSLVerifyClient require
# CA certificate used to validate client certificates (mutual TLS)
# SSLCACertificateFile /data/ssl/ca/ca.pem


2) Start or restart the Apache httpd server.

[centos@host ~]$ sudo systemctl start httpd.service
or

[centos@host ~]$ sudo systemctl restart httpd.service
