使用OpenSSL生成自己服务器的证书
之前做实验的时候,曾经写过一篇博客,如何使用OpenSSL创建证书。这里再做一个整理,增加一些内容,精简一部分内容。
参考链接
OpenSSL Certificate Authoirty
信安实践——自建CA证书搭建https服务器
您的连接不是私密连接:NET::ERR_CERT_COMMON_NAME_INVALID
使用OpenSSL制作自签名ECC证书
运行环境
Apache + Ubuntu 16.04
使用工具
OpenSSL 、Namesilo、驰迅网络
前言
服务器在驰迅网络
中买的香港的服务器(某宝上),域名在Namesilo
上购买的,因此无需备案就可以使用,如果只是做实验还是挺好用的。本次实验使用Apache服务器,证书的申请使用OpenSSL
。主要参考的来源是上方的几个链接,特别感谢师姐的帮助,这篇博客也参考了师姐整理的笔记。
安装Apache 和 SSL 扩展
首先在Ubuntu 16.04的环境下安装Apache:
由于这里我已经安装过了,所以重新敲一遍的过程可能有一些怪异。这里服务器自动给我的root
,我还没有创建新用户,这里推荐重新建立一个新用户在自己的目录下进行实验,所以如果出现了Permission denied
,记得sudo
root@cloud:~# apt install apache2
如果你在这个过程中遇到 xxx not upgraded
这种问题,可以通过执行下面这条命令进行更改。(这个一般是因为安装过程中手残按了终止,我也不是很清楚原因)
root@cloud:~# apt-get dist-upgrade
接下来,检查Apache的状态:
root@cloud:~# systemctl status apache2
# 启动
root@cloud:~# /etc/init.d/apache2 start
# 停止
root@cloud:~# /etc/init.d/apache2 stop
# 重启
root@cloud:~# /etc/init.d/apache2 restart
配置SSL模块
Apache开启SSL服务模块
root@cloud:~# a2enmod ssl
接下来的步骤需要生成证书后完成
修改配置文件并将证书路径添加到/etc/apache2/sites-available/default-ssl.conf
中,启用配置文件并重启服务器。
# 启用配置文件
root@cloud:~# a2ensite default-ssl.conf
# 重启Apache
root@cloud:~# /etc/init.d/apache2 restart
如果遇到
site default-ssl not properly enabled, default-ssl.conf is a real file
这样的错误,可以启用软连接,本人不太清楚这样是否为最好的解决方案,可以看一下之前的博客
使用OpenSSL生成SSL证书(RSA)
OpenSSL在Ubuntu 16.04中是默认安装的
这里主要的内容参考OpenSSL Certificate Authoirty,大家可以自行前往原网站查看原作者的思路。
以下是本人操作的步骤,以及对于配置文件的修改:
最终的文件列表
root@cloud:~# tree
.
└── ca # 根CA文件夹├── certs # 根CA证书文件夹│ └── ca.cert.pem # 根CA证书├── crl # 证书撤销列表├── index.txt # CA文本数据库文件,索引文件├── index.txt.attr # CA文本数据库属性文件,包含一个配置行├── index.txt.old # CA文本数据库备份文件├── intermediate # 中间CA证书文件夹│ ├── certs # 中间CA证书│ │ ├── ca-chain.cert.pem # 证书链文件│ │ ├── intermediate.cert.pem # 中间CA证书│ │ └── www.felixlab.shop.cert.pem # Web服务证书│ ├── crl # 证书撤销列表│ ├── crlnumber # CRL中证书吊销数目数目│ ├── csr # 证书签名请求│ │ ├── intermediate.csr.pem │ │ └── www.felixlab.shop.csr.pem│ ├── index.txt # 中间CA文本数据库文件│ ├── index.txt.attr # 中间CA文本数据库属性文件│ ├── index.txt.old # 中间CA文本数据库备份文件│ ├── newcerts # 新生成证书│ │ └── 1000.pem │ ├── openssl.cnf # 中间CA配置文件│ ├── private # 中间CA私钥文件夹│ │ ├── intermediate.key.pem # 中间CA私钥│ │ └── www.felixlab.shop.key.pem # 网站私钥│ ├── serial # 生成证书序列号文件│ └── serial.old # 备份文件├── newcerts # 新生成证书文件夹│ └── 1000.pem├── openssl.cnf # 主配置文件├── private # 根CA私钥文件夹│ └── ca.key.pem # 根CA私钥├── serial # 根CA序列号文件└── serial.old # 根CA序列号备份文件11 directories, 24 files
创建根CA证书
创建根CA证书的私钥和公钥
创建文件夹
root@cloud:/# mkdir /fydlab/ca
root@cloud:/# cd /fydlab/ca
root@cloud:/fydlab/ca# pwd
/fydlab/ca
root@cloud:/fydlab/ca# mkdir certs crl newcerts private
root@cloud:/fydlab/ca# chmod 700 private
root@cloud:/fydlab/ca# touch index.txt
root@cloud:/fydlab/ca# echo 1000 > serial
root@cloud:/fydlab/ca# touch openssl.cnf
root@cloud:/fydlab/ca# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── openssl.cnf
├── private
└── serial4 directories, 3 files
这里按照blog的附录的内容进行一点点修改:
# OpenSSL root CA configuration file.[ ca ]
# `man ca`
default_ca = CA_default[ CA_default ]
# Directory and file locations.
# 把 dir 修改为自己的目录
dir = /fydlab/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256# Extension to add when the -x509 option is used.
x509_extensions = v3_ca[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address# Optionally, specify some defaults.
# 这里可以配置自己的默认项 Common Name需要不同,自己制定即可
countryName_default = CN
stateOrProvinceName_default = Beijing
localityName_default = Haidian
0.organizationName_default = Felix Ltd
organizationalUnitName_default = Felix Ltd Authority Certificate
emailAddress_default = 1122334@qq.com[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
需要修改的内容在上述文字中用注释标明,其余内容也很关键,鉴于作者水平就不多解释了。
创建Root Key
root@cloud:/fydlab/ca# pwd /fydlab/ca
# 这一步需要输入口令
root@cloud:/fydlab/ca# openssl genrsa -aes256 -out private/ca.key.pem 4096
root@cloud:/fydlab/ca# chmod 400 private/ca.key.pem
创建根证书
首先确保自己已经配置了openssl.cnf
root@cloud:/fydlab/ca# openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
Enter pass phrase for private/ca.key.pem:
----
Country Name (2 letter code) [CN]:
State or Province Name [Beijing]:
Locality Name [Beijing]:
Organization Name [Felix Ltd]:
Organizational Unit Name [Felix Ltd Authority Certificate]:
Common Name []:Felix Ltd Root CA
Email Address [1122334@qq.com]:
root@cloud:/fydlab/ca# chmod 444 certs/ca.cert.pem
验证根证书格式
root@cloud:/fydlab/ca# openssl x509 -noout -text -in certs/ca.cert.pem
创建中间证书
# 创建文件夹并进入目录
root@cloud:/fydlab/ca# mkdir /fydlab/ca/intermediate
root@cloud:/fydlab/ca# cd /fydlab/ca/intermediate
root@cloud:/fydlab/ca/intermediate# mkdir certs crl csr newcerts private
root@cloud:/fydlab/ca/intermediate# chmod 700 private
root@cloud:/fydlab/ca/intermediate# touch index.txt
root@cloud:/fydlab/ca/intermediate# echo 1000 > serial
root@cloud:/fydlab/ca/intermediate# echo 1000 > crlnumber
root@cloud:/fydlab/ca/intermediate# touch openssl.cnf
以下为openssl.cnf
的内容
# OpenSSL intermediate CA configuration file.[ ca ]
# `man ca`
default_ca = CA_default[ CA_default ]
# Directory and file locations.
# 这里的路径要换成自己的
dir = /fydlab/ca/intermediate
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand# The root key and root certificate.
private_key = $dir/private/intermediate.key.pem
certificate = $dir/certs/intermediate.cert.pem# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/intermediate.crl.pem
crl_extensions = crl_ext
default_crl_days = 30# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_loose[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256# Extension to add when the -x509 option is used.
x509_extensions = v3_ca[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address# Optionally, specify some defaults.
countryName_default = CN
stateOrProvinceName_default = Beijing
localityName_default = Haidian
0.organizationName_default = Felix Ltd
organizationalUnitName_default = Felix Ltd Authority Certificate
emailAddress_default = 1122334@qq.com[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection[ server_cert ]
# 这里需要配置一下 SAN扩展,否则谷歌浏览器会报COMMON NAME错误
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
############添加的内容############
subjectAltName = @alt_names[ alt_names ]
DNS.1 = *.fydlab.shop
DNS.2 = *fydlab.shop
DNS.3 = fydlab.shop
############添加的内容############[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
# 创建中间CA私钥
root@cloud:/fydlab/ca/intermediate# cd /fydlab/ca
root@cloud:/fydlab/ca# openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
root@cloud:/fydlab/ca# chmod 400 intermediate/private/intermediate.key.pem# 创建中间CA csr
root@cloud:/fydlab/ca# openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
## 这里中间CA 的Common Name 可以定义为:Felix Ltd Intermediate CA# 签署中间CA证书
root@cloud:/fydlab/ca# openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
root@cloud:/fydlab/ca# chmod 444 intermediate/certs/intermediate.cert.pem# 查看 `index.txt` 文件内容
root@cloud:/fydlab/ca# cat index.txt# 查看并验证生成的证书
root@cloud:/fydlab/ca# openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
root@cloud:/fydlab/ca# openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem# 创建证书链文件
root@cloud:/fydlab/ca# cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
root@cloud:/fydlab/ca# chmod 444 intermediate/certs/ca-chain.cert.pem
创建网站证书
# 创建私钥
root@cloud:/fydlab/ca# openssl genrsa -aes256 -out intermediate/private/www.fydlab.shop.key.pemroot@cloud:/fydlab/ca# chmod 400 intermediate/private/www.fydlab.shop.key.pem
# 创建CSR
root@cloud:/fydlab/ca# openssl req -config intermediate/openssl.cnf -key intermediate/private/www.fydlab.shop.key.pem -new -sha256 -out intermediate/csr/www.fydlab.shop.csr.pem
## 这里的 common name 可以写 网站域名
# 创建证书 需要用到 server_cert扩展
root@cloud:/fydlab/ca# openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.fydlab.shop.csr.pem -out intermediate/certs/www.fydlab.shop.cert.pem# 查看 index.txt 中的内容:
root@cloud:/fydlab/ca# cat intermediate/index.txt# 验证证书
root@cloud:/fydlab/ca# openssl x509 -noout -text -in intermediate/certs/www.fydlab.shop.cert.pemroot@cloud:/fydlab/ca# openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.fydlab.shop.cert.pem
部署到服务器上
修改/etc/apache/sites-enabled/default-ssl.conf
文件
<IfModule mod_ssl.c><VirtualHost _default_:443>ServerAdmin webmaster@localhostDocumentRoot /var/www/html# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,# error, crit, alert, emerg.# It is also possible to configure the loglevel for particular# modules, e.g.#LogLevel info ssl:warnErrorLog ${APACHE_LOG_DIR}/error.logCustomLog ${APACHE_LOG_DIR}/access.log combined# For most configuration files from conf-available/, which are# enabled or disabled at a global level, it is possible to# include a line for only one particular virtual host. For example the# following line enables the CGI configuration for this host only# after it has been globally disabled with "a2disconf".#Include conf-available/serve-cgi-bin.conf# SSL Engine Switch:# Enable/Disable SSL for this virtual host.SSLEngine on# A self-signed (snakeoil) certificate can be created by installing# the ssl-cert package. See# /usr/share/doc/apache2/README.Debian.gz for more info.# If both key and certificate are stored in the same file, only the# SSLCertificateFile directive is needed.### 需要修改的部分 ###SSLCertificateFile /root/ca/intermediate/certs/www.fydlab.shop.cert.pem### 需要修改的部分 ###SSLCertificateKeyFile /root/ca/intermediate/private/www.fydlab.shop.key.pem# Server Certificate Chain:# Point SSLCertificateChainFile at a file containing the# concatenation of PEM encoded CA certificates which form the# certificate chain for the server certificate. Alternatively# the referenced file can be the same as SSLCertificateFile# when the CA certificates are directly appended to the server# certificate for convinience.### 需要修改的部分 ###SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem# Certificate Authority (CA):# Set the CA certificate verification path where to find CA# certificates for client authentication or alternatively one# huge file containing all of them (file must be PEM encoded)# Note: Inside SSLCACertificatePath you need hash symlinks# to point to the certificate files. Use the provided# Makefile to update the hash symlinks after changes.#SSLCACertificatePath /etc/ssl/certs/#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt# Certificate Revocation Lists (CRL):# Set the CA revocation path where to find CA CRLs for client# authentication or alternatively one huge file containing all# of them (file must be PEM encoded)# Note: Inside SSLCARevocationPath you need hash symlinks# to point to the certificate files. Use the provided# Makefile to update the hash symlinks after changes.#SSLCARevocationPath /etc/apache2/ssl.crl/#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl# Client Authentication (Type):# Client certificate verification type and depth. Types are# none, optional, require and optional_no_ca. Depth is a# number which specifies how deeply to verify the certificate# issuer chain before deciding the certificate is not valid.#SSLVerifyClient require#SSLVerifyDepth 10# SSL Engine Options:# Set various options for the SSL engine.# o FakeBasicAuth:# Translate the client X.509 into a Basic Authorisation. This means that# the standard Auth/DBMAuth methods can be used for access control. The# user name is the `one line' version of the client's X.509 certificate.# Note that no password is obtained from the user. Every entry in the user# file needs this password: `xxj31ZMTZzkVA'.# o ExportCertData:# This exports two additional environment variables: SSL_CLIENT_CERT and# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the# server (always existing) and the client (only existing when client# authentication is used). This can be used to import the certificates# into CGI scripts.# o StdEnvVars:# This exports the standard SSL/TLS related `SSL_*' environment variables.# Per default this exportation is switched off for performance reasons,# because the extraction step is an expensive operation and is usually# useless for serving static content. So one usually enables the# exportation for CGI and SSI requests only.# o OptRenegotiate:# This enables optimized SSL connection renegotiation handling when SSL# directives are used in per-directory context.#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire<FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch><Directory /usr/lib/cgi-bin>SSLOptions +StdEnvVars</Directory># SSL Protocol Adjustments:# The safe and default but still SSL/TLS standard compliant shutdown# approach is that mod_ssl sends the close notify alert but doesn't wait for# the close notify alert from client. When you need a different shutdown# approach you can use one of the following variables:# o ssl-unclean-shutdown:# This forces an unclean shutdown when the connection is closed, i.e. no# SSL close notify alert is send or allowed to received. This violates# the SSL/TLS standard but is needed for some brain-dead browsers. Use# this when you receive I/O errors because of the standard approach where# mod_ssl sends the close notify alert.# o ssl-accurate-shutdown:# This forces an accurate shutdown when the connection is closed, i.e. a# SSL close notify alert is send and mod_ssl waits for the close notify# alert of the client. This is 100% SSL/TLS standard compliant, but in# practice often causes hanging connections with brain-dead browsers. Use# this only for browsers where you know that their SSL implementation# works correctly.# Notice: Most problems of broken clients are also related to the HTTP# keep-alive facility, so you usually additionally want to disable# keep-alive for those clients, too. Use variable "nokeepalive" for this.# Similarly, one has to force some clients to use HTTP/1.0 to workaround# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and# "force-response-1.0" for this.# BrowserMatch "MSIE [2-6]" \# nokeepalive ssl-unclean-shutdown \# downgrade-1.0 force-response-1.0</VirtualHost>
</IfModule># vim: syntax=apache ts=4 sw=4 sts=4 sr noet
接下来指定配置文件,然后重启Apache即可
# 启用配置文件
root@cloud:~# a2ensite default-ssl.conf
# 重启Apache
root@cloud:~# /etc/init.d/apache2 restart
在浏览器中访问一下自己的网站,应该是没问题的。
使用OpenSSL生成SSL证书(ECC)
以下只展示命令行输入
mkdir ca
cd ca/
mkdir certs crl newcerts private
chmod 700 private/
touch index.txt
echo 1000 > serial
touch openssl.cnf
vim openssl.cnf
# 这里是重点!参数和格式
openssl ecparam -genkey -out private/ca.key.pem -name prime256v1
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 730 -sha256 -extensions v3_ca -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem
openssl x509 -noout -text -in certs/ca.cert.pem# 中间证书
mkdir intermediate
cd intermediate/
mkdir certs crl csr newcerts private
chmod 700 private/
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber
touch openssl.cnf
vim openssl.cnf
cd ../
openssl ecparam -genkey -name prime256v1 -out intermediate/private/intermediate.key.pem
chmod 400 intermediate/private/intermediate.key.pem\n
openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 720 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem
cat index.txt
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem# 叶子证书
chmod 444 intermediate/certs/ca-chain.cert.pem
openssl ecparam -genkey -name prime256v1 -out intermediate/private/cert.key.pem
chmod 400 intermediate/private/cert.key.pem
openssl req -config intermediate/openssl.cnf -key intermediate/private/cert.key.pem -new -sha256 -out intermediate/csr/cert.shop.csr.pem
openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/cert.shop.csr.pem -out intermediate/certs/cert.cert.pem
1cat intermediate/index.txt
openssl x509 -noout -text -in intermediate/certs/cert.cert.pem
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/cert.cert.pem
服务器和域名怎么弄的呢?
上面已经说了,可以去某宝上搜索驰迅网络
,购买之后商家会要求去网站注册一个账号,然后他会开一个服务器并把账号密码发送给你。然后使用xshell
或者MobaXTerm
甚至Jetbrains
的工具都可以,这里推荐使用前两者,MobaXterm
超级好用,如果你和我一样在Mac上找不到特别好用的工具(或许是我比较懒),可以使用Jetbrains→Tools→Deployment→Configuration
,然后选择SFTP
,配置自己的服务器就可以了。这样就可以在自己的笔记本上配置自己的服务器了,具体怎么做参考前两节就可以了。
然后是域名,可以去NameSilo这个网站申请域名,具体的配置可以参考这篇Blog,我选择的A记录
解析,配置完成后可以去whatsmydns这个网站进行查阅,看什么时候可以在自己的笔记本上访问自己的域名了,就可以继续完成数字证书的实验了。
使用OpenSSL生成自己服务器的证书相关推荐
- linux 运行ca.crt,linux下使用openssl生成 csr crt CA证书,opensslcsr
linux下使用openssl生成 csr crt CA证书,opensslcsr 本文主要借鉴和引用了下面2个地址的内容,然后在自己的机器上进行了测试和执行,并做了如下记录. ref: http:/ ...
- redhat/openssl生成自签ca证书并使用
一键生成自签名ssl证书和私钥 ./create_self_signed_cert.sh"/C=CN/ST=Guangdong/L=Guangzhou/O=xdevops/OU=xdevop ...
- OPENSSL生成SSL自签证书
OPENSSL生成SSL自签证书 目前,有许多重要的公网可以访问的网站系统(如网银系统)都在使用自签SSL证书,即自建PKI系统颁发的SSL证书,而不是部署支持浏览器的SSL证书. 支持浏览器的SSL ...
- IIS 使用OpenSSL 生成的自签名证书,然后使用SingalR 客户端访问Https 站点通信
使用SignalR 的客户端去发送消息给使用 https 部署的站点,官方文档目前并没有详细的教程,所以在此记录下步骤: 使用管理员身份打开cmd 窗口,选择一个整数保存文件夹的地址,切换到对应的文件 ...
- ca证书 csr_linux下使用openssl生成 csr crt CA证书
证书文件生成: 一.服务器端 1.生成服务器端 私钥(key文件); openssl genrsa -des3 -out server.key 1024 运行时会提示输入密码,此密码用于加密ke ...
- iOS开发——openssl生成CSR (pkcs10) 请求证书
由于涉及在线开户相关,所以整理一下~ 本文在前人的基础上更加完善:通过openssl 生成证书请求CSR 符合pkcs10的语法规范 为客户端生成,代码为C语言,可以直接在xcode的中于objec ...
- OpenSSL生成本地https测试证书
一.准备工作 1.本地安装好git工具 2.创建一个cert文件夹用来放证书文件 二.创建证书 第一步:使用openssl生成密钥privkey.pem 1.操作系统说明 windows系统:在cer ...
- 使用openssl生成cer、p12证书
这篇文件的资源也是参考了其他博主的文章,这里需要感谢这些博主.我这边只是做一个记录,方便日后查阅.谢谢! 创建证书的时候使用的密码都是11111111,故命令语句中都是按照该密码输入的. 一.准备工作 ...
- http系列---OpenSSL生成根证书CA及签发子证书
文章目录 1. 前言 2. 修改OpenSSL的配置 3. 生成根证书 4. 用根证书签发server端证书 5. 用根证书签发client端证书 6. 导出证书 7. 附项目证书目录 1. 前言 系 ...
最新文章
- git常见使用场景总结
- 数据中心更新那么快,运维人如何度过35岁危机?
- P2717-寒假作业【逆序对,树状数组】
- byte 类型比较_基本类型和包装类对象使用 == 和 equals进行比较的结果?
- php 替换 tab,PHP 删除字符串中的空格和换行符终极方法 - 文章教程
- call和apply;this;闭包
- 使用Kubeadm(1.13+)快速搭建Kubernetes集群
- 注解与 xml 实现aop哪种好_Spring 从入门到入土——AOP 就这么简单!| 原力计划
- 华为交换机学习指南基于MAC地址划分VLAN
- 如何解决微软自带输入法突然变成繁体
- Python提取docx格式Word文档中所有尾注
- linux下交叉编译date命令,arm移植NTP(同步嵌入式linux系统时间)
- php可以发短信的代码,php实现短信发送代码
- Fiddler对手机APP进行抓包
- IAMP方式下载邮件记录
- 给定三角形边长,求三角形面积
- 基于51单片机---遥控灯
- Unsupervised Learning of Probably Symmetric Deformable 3D Objects from Images in the Wild
- 基于投入导向的超效率CCR-DEA模型(MATLAB)
- 默孚龙滑环设备怎么进行维护
热门文章
- VUE-flex布局之 align-self 单个交叉轴对齐方式(11)
- centos7 安装 oniguruma-devel
- 面试笔试中算法设计问题的回答技巧总结
- 多多情报通:拼多多发布机会商品是谁发货?该怎么发货?
- jupyter安装php,如何安装jupyter
- 某人的酒量大叫海量,你见过最多一次喝多少酒的人(喝醉不算)?
- 基于JAVA小型健身俱乐部网站计算机毕业设计源码+数据库+lw文档+系统+部署
- MySQL - change 和 modify 的区别
- 基于ATR确定头寸的择时股票量化策略
- 2021-08-10第一章绪论1.1统计学与医学统计学