2019-06-18 openssl和ssl证书的那些事 openssl 的相关用法,自签 CA 证书,签发 SSL 证书、多域名证书、通配型证书等等. 自建CA证书 ### 配置openssl.cnf, 不修改也行,主要就是一些默认参数 --- /etc/pki/tls/openssl.cnf --- ... [ CA_default ] ... default_days = 3650 # how long to certify for ... [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = GD localityName = Locality Name (eg, city) localityName_default = GZ 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Otokaze organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Otokaze commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_default = root@zfl9.com emailAddress_max = 64 ... ### touch index.txt serial cd /etc/pki/CA/ touch index.txt serial echo 01 > serial ### 生成CA私钥 openssl genrsa -out private/cakey.pem 2048 chmod 600 private/cakey.pem ### 签署CA证书 openssl req -new -x509 -key private/cakey.pem -out cacert.pem Bash Copy 单域名证书 ### 以nginx为例,apache同理 mkdir /etc/pki/nginx cd /etc/pki/nginx/ ### 生成私钥 openssl genrsa -out www.zfl.com.key 2048 ### 生成csr证书签名请求 openssl req -new -key www.zfl.com.key -out www.zfl.com.csr (Commone Name 填写域名) ### CA签署证书 openssl ca -in www.zfl.com.csr -out www.zfl.com.crt 或 openssl x509 -req -in www.zfl.com.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out www.zfl.com.crt Bash Copy 多域名SAN/通配符CN 证书 ### 生成私钥 openssl genrsa -out zfl.key 2048 ### 生成csr证书签名请求 openssl req -new \ -key zfl.key \ -subj "/C=CN/ST=GD/L=GZ/O=Otokaze/OU=Otokaze/CN=Otokaze" \ -reqexts SAN \ -config <(cat /etc/pki/tls/openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:zfl.com,DNS:*.zfl.com")) \ -out zfl.csr # 注意到subjectAltName=DNS:zfl.com,DNS:*.zfl.com # SAN多域名证书可以是通配型的域名,也可以是单个具体域名 # *.zfl.com 不包含 zfl.com # 你可以写任意多个域名上去 ### 查看csr文件信息 openssl req -text -noout -in zfl.csr # 可以看到包含了 Subject Alternative Names 字段 ### CA签署证书 openssl ca -in zfl.csr \ -extensions SAN \ -config <(cat /etc/pki/tls/openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:zfl.com,DNS:*.zfl.com")) \ -out zfl.crt ### 查看crt证书信息 openssl x509 -text -noout -in zfl.crt Bash Copy TXT_DB error number 2 错误 rm -fr /etc/pki/CA/index.txt touch /etc/pki/CA/index.txt Bash Copy 导入CA证书 ### 我们自己颁发的CA证书是不被系统信任的,需要自己添加,否则浏览器或提示证书不安全,curl也会报错 ### windows Win+R 运行 certmgr.msc 定位到 受信任的根证书颁发机构 -> 证书 -> 右键单击 -> 所有任务 -> 导入 选择你的证书文件 cacert.pem,导入即可 ### linux 先备份系统默认的根证书 cp -af /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem{,.bak} 然后追加进去就行 cat /etc/pki/CA/cacert.pem >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem Bash Copy 查看证书链 # 查看证书链 openssl s_client -connect www.zfl9.com:443 # 可看到这些字段 Certificate chain 0 s:/CN=www.zfl9.com i:/C=CN/O=TrustAsia Technologies, Inc./OU=Symantec Trust Network/OU=Domain Validated SSL/CN=TrustAsia DV SSL CA - G5 1 s:/C=CN/O=TrustAsia Technologies, Inc./OU=Symantec Trust Network/OU=Domain Validated SSL/CN=TrustAsia DV SSL CA - G5 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5