使用openssl生成自簽名證書為伺服器證書簽名
阿新 • • 發佈:2021-07-29
自簽名證書生成
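# Generate the private key ca.key for the self-signed CA certificate.
# genrsa without a cipher option writes the key with no passphrase: anyone who
# can read ca.key can issue certificates that clients trusting this CA accept.
# The subshell's umask 077 keeps the file owner-only; older OpenSSL releases
# create it with the caller's umask, which can leave it world-readable.
(umask 077 && openssl genrsa -out ca.key 2048)

# Generate the self-signed CA certificate ca.crt, valid for 365 days.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt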
使用自簽名證書簽名伺服器證書
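# Generate the server private key server.key.
# The key is written without a passphrase; umask 077 in the subshell keeps it
# readable by the owner only.
(umask 077 && openssl genrsa -out server.key 2048)

# Generate the server certificate signing request server.csr.
openssl req -new -key server.key -out server.csr

# Sign the request with the CA to produce server.crt.
# Fix: the subcommand is "x509" followed by the "-req" option; "x509-req" is
# not an openssl command.
# "x509 -req" does not copy extensions from the CSR, so this certificate has
# no subjectAltName. Clients that match host names against subjectAltName will
# reject it; pass an extension file (-extfile/-extensions) when that matters.
# Serial numbers must be unique per CA: use a new -set_serial value every time
# another certificate is issued from ca.crt.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt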
驗證證書有效性
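# Print the certificate fields (subject, issuer, validity period, extensions).
# This only displays the certificate; it does not check the signature.
openssl x509 -text -noout -in server.crt

# Check that server.crt actually chains to ca.crt and is inside its validity
# period. A non-zero exit status means verification failed.
openssl verify -CAfile ca.crt server.crt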
openssl簽名配置檔案server.conf
# OpenSSL configuration for the server certificate (server.conf).
[req]
default_bits = 2048
default_keyfile = server.key
distinguished_name = req_distinguished_name
# encrypt_key = no leaves the generated private key without a passphrase;
# protect server.key with file permissions instead.
encrypt_key = no
default_md = sha256
# Section holding the extensions for certificate requests. When this file is
# passed to "openssl x509 -req -extfile", the section is not picked up
# automatically and has to be selected with "-extensions req_ext".
req_extensions= req_ext

[req_distinguished_name]
# NOTE(review): only *_default and *_max keys appear here. In prompt mode
# "openssl req" also expects the base field entries (for example
# "commonName = <prompt text>") -- confirm before using this file with
# "openssl req -config".
commonName_default = www.xxx.com
commonName_max = 64
organizationName_default = xxx Co.,Ltd.
organizationalUnitName_default = IT Support Dept
localityName_default = City
stateOrProvinceName_default = Province
countryName_default = CN

[req_ext]
# Host names and addresses the certificate is valid for.
subjectAltName = @alt_names

[alt_names]
# Placeholder values: replace them with the real DNS name and IP address.
# The literal xxx.xxx.xxx.xxx is not a valid IP entry.
DNS.1 = www.xxx.com
IP.1 = xxx.xxx.xxx.xxx
使用配置檔案生成server.crt證書
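# Sign server.csr with the CA, adding the extensions defined in server.conf.
# Fix: -extfile alone reads extensions only from the file's unnamed default
# section (or the section its "extensions" key names). server.conf has neither,
# so without "-extensions req_ext" the certificate is issued with no
# subjectAltName.
# The serial differs from the earlier "-set_serial 01" certificate because
# clients can reject two different certificates that share issuer and serial.
# Pick a new value for every certificate issued from ca.crt.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -extfile server.conf -extensions req_ext -set_serial 02 -out server.crt

# Confirm the subjectAltName extension made it into the issued certificate.
openssl x509 -noout -text -in server.crt | grep -A1 'Subject Alternative Name'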