Common file extensions
| Extension | Meaning |
|---|---|
| .crt, .cer | Certificate. The file may be PEM (text) or DER (binary); the extension does not tell you which, the content does |
| .key | Private key |
| .csr | Certificate Signing Request |
| .pem | Base64 text container: the DER bytes, base64-encoded, between a `-----BEGIN ...-----` and a `-----END ...-----` line. A .pem can hold a certificate, a private key, or both concatenated in one file |
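As an added example (not from the page), the shell functions below use the PEM framing the table describes: because every object sits between a `-----BEGIN TYPE-----` and an `-----END TYPE-----` line, a bundle can be inventoried and split into its parts without decoding the base64 at all. The file names in the comments (bundle.pem, server.crt, server.key) are assumptions.

```shell
#!/bin/bash
# Added example, not from the page: inventory and split PEM files using only
# their "-----BEGIN TYPE-----" / "-----END TYPE-----" framing. File names used
# in the comments (bundle.pem, server.crt, server.key) are assumptions.

# pem_is_pem FILE: true if FILE is PEM text; a certificate with no BEGIN line
# is almost always DER (binary), whatever its extension says
pem_is_pem() { grep -q '^-----BEGIN ' "$1"; }

# pem_inventory FILE: print "cert=N key=N csr=N other=N" for a file or bundle
pem_inventory() {
  awk '
    /^-----BEGIN / {
      t = $0; sub(/\r$/, "", t); sub(/^-----BEGIN /, "", t); sub(/-----$/, "", t)
      if (t == "CERTIFICATE")               n["cert"]++
      else if (t ~ /PRIVATE KEY$/)          n["key"]++   # PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
      else if (t ~ /CERTIFICATE REQUEST$/)  n["csr"]++   # CERTIFICATE REQUEST, NEW CERTIFICATE REQUEST
      else                                  n["other"]++ # e.g. PUBLIC KEY, DH PARAMETERS
    }
    END { printf "cert=%d key=%d csr=%d other=%d\n", n["cert"]+0, n["key"]+0, n["csr"]+0, n["other"]+0 }
  ' "$1"
}

# pem_extract TYPE N FILE: print the N-th block of TYPE from a bundle, e.g.
#   pem_extract CERTIFICATE 1 bundle.pem > server.crt
#   pem_extract "RSA PRIVATE KEY" 1 bundle.pem > server.key
# so a combined cert+key .pem can be split for servers that want separate files
pem_extract() {
  awk -v want="$1" -v n="$2" '
    $0 == "-----BEGIN " want "-----" { seen++; if (seen == n) p = 1 }
    p { print }
    p && $0 == "-----END " want "-----" { exit }
  ' "$3"
}
```

A file with no `-----BEGIN` line is DER; `openssl x509 -inform DER -in server.cer -out server.crt` converts it to PEM, and `openssl x509 -in server.crt -noout -text` shows what a certificate block actually contains.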
Generating the CA root certificate
The script is below; adjust the subject fields to your own values. Note that for the CA, COMMON_NAME is the CA's own name (nise-ca here), not a server name: the server's domain or IP address goes into the server certificate generated in the next section. ca.key signs every server certificate you issue, so keep it off the servers and out of version control; only ca.crt is ever handed out.
vim ca-generate.sh
#!/bin/bash
set -euo pipefail
COUNTRY="CN"
STATE="ZJ"
CITY="NB"
ORGANIZATION="nise-ca"
ORGANIZATIONAL_UNIT="nise-ca"
# For the CA the CN is the CA's own name; the server's name belongs in the server certificate
COMMON_NAME="nise-ca"
EMAIL="huzhihui_c@qq.com"
echo "generate ca.key"
# No cipher is given, so ca.key is written unencrypted: restrict it to the owner
(umask 077; openssl genrsa -out ca.key 2048)
echo "generate ca.crt"
SUBJECT="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# -x509 self-signs the request; the CA:TRUE basic constraint comes from the [v3_ca] section of the default openssl.cnf
openssl req -x509 -new -nodes -key ca.key -sha256 -days 2000 -out ca.crt -subj "${SUBJECT}"
Generating the server certificate (signed by our own CA)
These are often loosely called self-signed certificates; strictly, only ca.crt is self-signed, while the server certificate is signed by that CA. Pass the server's domain name or IP address as the first argument, or type it at the prompt.
vim domain-generate.sh
#!/bin/bash
set -euo pipefail
DOMAIN=${1:-}
if [[ -z "$DOMAIN" ]] ; then
  echo "---Enter the domain name or server IP for the certificate---"
  read -r DOMAIN
fi
COUNTRY="CN"
STATE="ZJ"
CITY="NB"
ORGANIZATION="nise"
ORGANIZATIONAL_UNIT="nise"
COMMON_NAME="${DOMAIN}"
EMAIL="huzhihui_c@qq.com"
SUBJECT="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
echo "generate domain ssl key"
(umask 077; openssl genrsa -out "${COMMON_NAME}.key" 2048)
openssl req -subj "$SUBJECT" -sha256 -new -key "${COMMON_NAME}.key" -out "${COMMON_NAME}.csr"
# Clients match the server name against subjectAltName, not CN, and an IP
# address has to be listed as IP.n rather than DNS.n
IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
if [[ "$COMMON_NAME" =~ $IP_RE ]] ; then
  ALT_NAMES="IP.1 = ${COMMON_NAME}"
else
  ALT_NAMES="DNS.1 = ${COMMON_NAME}
DNS.2 = *.${COMMON_NAME}"
fi
cat > extfile.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
${ALT_NAMES}
EOF
echo "generate domain ssl crt"
# 825 days: the longest validity Apple clients accept for a TLS server certificate
openssl x509 -req -in "${COMMON_NAME}.csr" -CA "ca.crt" -CAkey "ca.key" -CAcreateserial -out "${COMMON_NAME}.crt" -days 825 -sha256 -extfile extfile.ext
rm -f "${COMMON_NAME}.csr" extfile.ext
Running
# chmod +x ca-generate.sh domain-generate.sh
# ./ca-generate.sh
# ./domain-generate.sh www.baidu.com
ca.srl in the listing below is the serial-number counter written by -CAcreateserial; keep it next to ca.key so each certificate the CA issues gets a distinct serial.
[root@localhost ssl]# ls
ca.crt ca-generate.sh ca.key ca.srl tls-generate.sh www.baidu.cn.crt www.baidu.cn.key www.baidu.com.crt www.baidu.com.key
Finally, install the server certificate and its key on the server.
- Note: for the server certificate to be trusted, ca.crt (and only ca.crt, never ca.key) has to be imported into the client's trusted root certification authorities store; once the client trusts the CA, the two sides can communicate over TLS. A client that trusts ca.crt will still reject a certificate whose subjectAltName does not contain the name it connected to, so the name given to domain-generate.sh must be exactly the one clients use.
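The two scripts above and the trust step, carried through end to end as an added example (not the page's own code): a hypothetical mini PKI that builds the CA with an explicit CA:TRUE constraint, issues a server certificate with DNS and IP entries in the subjectAltName, and then runs the checks a client performs before trusting the server (chain to ca.crt, connected name present in the SAN, private key on disk matching the certificate). It assumes OpenSSL 1.0.2 or newer on PATH; the output directory and the host names used with it are assumptions.

```shell
#!/bin/bash
# Added example, not the page's scripts: a hypothetical one-file mini PKI.
# Assumes OpenSSL 1.0.2 or newer on PATH and a writable directory DIR for all
# files. Subject values follow the page; host names passed in are made up.
set -eu

COUNTRY="CN"; STATE="ZJ"; CITY="NB"; ORGANIZATION="nise"

# is_ipv4 NAME: true if NAME is a dotted-quad address (goes into SAN as IP.n)
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# req_cnf DIR: minimal config so "openssl req -subj" works without the system
# openssl.cnf; prints its path
req_cnf() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
  echo "$1/req.cnf"
}

# make_ca DIR: self-signed root. The CN names the CA, not a server, and the
# CA:TRUE constraint is written explicitly instead of relying on the default
# openssl.cnf. The key is created with mode 0600 and never leaves DIR.
make_ca() {
  local dir=$1
  (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/ca.key" -sha256 -config "$(req_cnf "$dir")" \
    -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=nise-ca/CN=nise-ca" -out "$dir/ca.csr"
  printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  rm -f "$dir/ca.csr" "$dir/ca.ext"
}

# issue_leaf DIR NAME [NAME...]: server key + CSR + CA-signed certificate.
# The first NAME becomes the CN; every NAME is added to subjectAltName, which
# is what clients actually match, as DNS.n or IP.n depending on its form.
issue_leaf() {
  local dir=$1; shift
  local cn=$1 n dns=0 ip=0
  (umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$cn.key" -sha256 -config "$(req_cnf "$dir")" \
    -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$cn" -out "$dir/$cn.csr"
  {
    echo "authorityKeyIdentifier = keyid,issuer"
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    for n in "$@"; do
      if is_ipv4 "$n"; then ip=$((ip + 1)); echo "IP.$ip = $n"
      else dns=$((dns + 1)); echo "DNS.$dns = $n"; fi
    done
  } > "$dir/$cn.ext"
  # 825 days: the longest validity Apple clients accept for a TLS server cert
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$dir/$cn.ext" \
    -out "$dir/$cn.crt" 2>/dev/null
  rm -f "$dir/$cn.csr" "$dir/$cn.ext"
}

# check_leaf DIR NAME HOST: the checks a client makes before trusting the
# server: chain to ca.crt, HOST present in the SAN, and the private key on
# disk belonging to the certificate. Prints "ok" on success, else non-zero.
check_leaf() {
  local dir=$1 cn=$2 host=$3 sel a b
  if is_ipv4 "$host"; then sel=-verify_ip; else sel=-verify_hostname; fi
  openssl verify -CAfile "$dir/ca.crt" $sel "$host" "$dir/$cn.crt" >/dev/null 2>&1 || return 1
  a=$(openssl x509 -in "$dir/$cn.crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$dir/$cn.key" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ] || return 2
  echo ok
}
```

Source the file and run `make_ca ./pki`, then `issue_leaf ./pki www.baidu.com www.baidu.com 10.0.0.5`, then `check_leaf ./pki www.baidu.com www.baidu.com`; the same `check_leaf` call with a name that is not in the SAN fails, which is exactly what a browser does when the name it connected to is missing from the certificate.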