Generating certificates with openssl and configuring HTTPS


Steps for requesting and signing a certificate:

1. Generate a certificate signing request (CSR)

2. The RA verifies the applicant

3. The CA signs the request

4. Retrieve the issued certificate

Notes on the openssl.cnf format (excerpt from /etc/pki/tls/openssl.cnf)

####################################################################
[ ca ]
default_ca      = CA_default            # the CA section used by default

[ CA_default ]
dir             = /etc/pki/CA           # top-level directory of the CA
certs           = $dir/certs            # where issued certificates are kept
crl_dir         = $dir/crl              # certificate revocation lists
database        = $dir/index.txt        # index of every issued certificate; does not exist by default and must be created by hand (it may be empty)
new_certs_dir   = $dir/newcerts         # where newly issued certificates are written

certificate     = $dir/cacert.pem       # The CA certificate (the CA's own self-signed certificate)
serial          = $dir/serial           # The current serial number (next certificate serial)
crlnumber       = $dir/crlnumber        # the current crl number (next CRL serial)

crl             = $dir/crl.pem           # The current CRL
private_key     = $dir/private/cakey.pem # The private key (location of the CA private key)

default_days    = 365                   # how long to certify for (certificate validity in days)
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering


Create the files and directories the CA needs


Generate the CA private key

cd /etc/pki/CA/ 
(umask 066; openssl genrsa -out private/cakey.pem 2048)

# Set the file-creation mask to 066 (so the new file is created with mode 600), then use openssl to generate a 2048-bit RSA private key and save it to private/cakey.pem.
[root@localhost CA]#openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
....................................................+++
.......................................................................+++
e is 65537 (0x10001)

[root@localhost private]# ll
总用量 4
-rw-------. 1 root root 1679 8月  10 10:43 cakey.pem



Generate the CA self-signed certificate

[root@localhost CA]#openssl req -new -x509 -key   /etc/pki/CA/private/cakey.pem  -days 3650 -out /etc/pki/CA/cacert.pem

Option notes:

-new: generate a new certificate signing request
-x509: output a self-signed X.509 certificate instead of a request (used for the CA's own certificate)
-key: the private key used to generate the request
-days n: validity period of the certificate in days
-out /PATH/TO/SOMECERTFILE: where to save the certificate

Requesting a certificate as a user

  • Generate a private key (file usually ends in .key)
  • Use that private key to generate a certificate signing request (usually a .csr file)
  • Obtain the signed certificate file (usually ends in .crt)

Create the private key

[root@localhost data]#mkdir  /data/app1
[root@localhost data]#openssl  genrsa -out  /data/app1/app1.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................+++
...............................................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@localhost data]#chmod 600 /data/app1/app1.key 

Generate the certificate signing request

[root@localhost data]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:jiangsu
Locality Name (eg, city) [Default City]:suzhou 
Organization Name (eg, company) [Default Company Ltd]:kgc    
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.kgc.cn     
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Issue the certificate

[root@localhost data]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt   -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  8 16:58:52 2024 GMT
            Not After : May  5 16:58:52 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = jiangsu
            organizationName          = kgc
            organizationalUnitName    = it
            commonName                = www.kgc.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                FB:49:A4:0C:16:C6:FF:AC:86:BB:7E:21:99:BE:3E:69:2C:B9:B8:41
            X509v3 Authority Key Identifier: 
                keyid:1F:DD:EC:E0:8E:A8:CB:C5:66:45:5D:AE:67:B5:69:6A:1A:08:5C:13

Certificate is to be certified until May  5 16:58:52 2027 GMT (1000 days)
Sign the certificate? [y/n]:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost data]#cat /etc/pki/CA/index.txt
V   270505165852Z       01  unknown /C=CN/ST=jiangsu/O=kgc/OU=it/CN=www.kgc.cn
[root@localhost data]#cat /etc/pki/CA/serial
02

Check whether a certificate is valid

[root@localhost data]#openssl  ca -status  01
Using configuration from /etc/pki/tls/openssl.cnf
01=Valid (V)

V    valid
01   certificate serial number

The serial file holds the next number to be issued, so 02 is not in the database yet:

[root@localhost data]#openssl  ca -status  2
Using configuration from /etc/pki/tls/openssl.cnf
Serial 02 not present in db.
Error verifying serial 2!

[root@localhost data]#sz /etc/pki/CA/certs/app1.crt 

One-click script

CA_SUBJECT="/O=kgc/CN=ca.kgc.com"
SUBJECT="/C=CN/ST=js/L=nj/O=kgc/CN=www.kgc.com"
SERIAL=34
EXPIRE=202002
FILE=kgc.com

# CA private key and self-signed CA certificate in one step (-nodes: the key is stored unencrypted)
openssl req -x509 -newkey rsa:2048 -subj "$CA_SUBJECT" -keyout ca.key -nodes -days "$EXPIRE" -out ca.crt

# server private key and certificate signing request
openssl req -newkey rsa:2048 -nodes -keyout "${FILE}.key" -subj "$SUBJECT" -out "${FILE}.csr"

# sign the request directly with the CA key; no index.txt/serial database is involved, the serial is set by hand
openssl x509 -req -in "${FILE}.csr" -CA ca.crt -CAkey ca.key -set_serial "$SERIAL" -days "$EXPIRE" -out "${FILE}.crt"

# private keys must not be readable by other users
chmod 600 "${FILE}.key" ca.key
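As an added example (not the article's own script, nor part of the one-click script above), the same CA workflow the step-by-step section and the script describe, run against a throwaway CA in a temporary directory with a minimal openssl.cnf, so nothing under /etc/pki/CA is touched: directory layout, index.txt and serial, signing with openssl ca, then an openssl verify chain and hostname check. The CA subject and server name are taken from the article; the config contents, the subjectAltName on the server certificate and the openssl 1.1.1+ requirement are assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir with its own openssl.cnf (nothing under
# /etc/pki/CA is touched), a server cert that carries a subjectAltName, and a
# chain + hostname check. Assumes openssl >= 1.1.1 (for -addext / -verify_hostname).
set -eu
command -v openssl >/dev/null || { echo "openssl CLI not found; skipping"; exit 0; }
make_ca() {                # CA layout the article describes + a minimal config
  dir=$1; mkdir -p "$dir/newcerts" "$dir/private"
  : > "$dir/index.txt"; echo 01 > "$dir/serial"   # empty database, first serial
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_any
copy_extensions = copy
x509_extensions = server_ext
[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ server_ext ]
basicConstraints = CA:FALSE   # set here, so a CSR asking for CA:TRUE is not copied
EOF
  (umask 066; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -days 3650 \
    -subj "/O=kgc/CN=ca.kgc.com" -out "$dir/cacert.pem"
}
issue_server_cert() {      # key + CSR with a SAN (browsers ignore CN), signed by openssl ca
  dir=$1; name=$2
  (umask 066; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$name.key" -subj "/C=CN/O=kgc/CN=$name" \
    -addext "subjectAltName=DNS:$name" -out "$dir/$name.csr"
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 1000 \
    -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}
verify_server_cert() {     # $1 CA dir, $2 cert name, $3 host; exit 0 = chain and name OK
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$1/$2.crt" >/dev/null
}
CA_DIR=$(mktemp -d)
make_ca "$CA_DIR"
issue_server_cert "$CA_DIR" www.kgc.cn
verify_server_cert "$CA_DIR" www.kgc.cn www.kgc.cn && echo "www.kgc.cn: chain and hostname OK"
```

After the run, $CA_DIR/index.txt holds the V entry and $CA_DIR/serial reads 02, exactly as in the article's session.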

Prepare the nginx test files

Put the certificate and key in the directory nginx expects

 mv /etc/pki/CA/certs/app1.crt /apps/nginx/conf/cert.pem   # certificate
 mv app1.key /apps/nginx/conf/cert.key                     # private key
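Added example, not the article's configuration: before restarting nginx, confirm that the moved cert.pem and cert.key actually belong together and that the key stays owner-only, then write the HTTPS server block for them. The cert and key paths are the article's; server_name, the TLS protocol list, /apps/nginx/html, and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the cert/key pair the article moves into
# /apps/nginx/conf and emit the HTTPS server block for nginx to include.
# Assumes GNU stat and openssl; server_name and the root path are placeholders.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI not found; skipping"; exit 0; }
# Returns 0 only if the public key inside the certificate matches the private key.
check_cert_key_pair() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}
# Returns 0 if the key is readable by its owner only (the article's chmod 600).
check_key_mode() {
  [ "$(stat -c %a "$1")" = "600" ]
}
# Writes a server block for cert $1 and key $2 to $3; include it from the http{} block.
write_https_conf() {
  cat > "$3" <<EOF
server {
    listen 443 ssl;
    server_name www.kgc.cn;           # must match the certificate's CN/SAN
    ssl_certificate     $1;           # the signed app1.crt
    ssl_certificate_key $2;           # the matching app1.key
    ssl_protocols TLSv1.2 TLSv1.3;    # do not enable SSLv3/TLS 1.0/1.1
    root /apps/nginx/html;
}
EOF
}
CERT=${1:-/apps/nginx/conf/cert.pem}; KEY=${2:-/apps/nginx/conf/cert.key}
if [ -f "$CERT" ] && [ -f "$KEY" ]; then
  check_cert_key_pair "$CERT" "$KEY" || { echo "cert/key mismatch: $CERT $KEY"; exit 1; }
  check_key_mode "$KEY" || echo "warning: $KEY should be mode 600"
  write_https_conf "$CERT" "$KEY" /apps/nginx/conf/https.conf
fi
```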

Restart nginx and open the site over HTTPS.