cfssl 自签名证书

2020-05-21  本文已影响0人  akka9
# Dump cfssl's built-in templates for the CA config and the CA CSR;
# both files are edited by hand before anything is signed.
for kind in config csr; do
    cfssl print-defaults "$kind" > "ca-$kind.json"
done

修改 ca-config.json
过期时间改为 439200h  (50年) 或 263520h (30年)
profile www 中增加 "client auth"

修改 ca-csr.json
"CN"  默认域名
"hosts"  额外的域名或IP地址
"names"  CA的组织信息


# Create the self-signed CA: cfssljson writes ca.pem and ca-key.pem (plus ca.csr).
# ca-key.pem signs every server certificate below, so it belongs on the signing
# host only, never on the web servers that receive self.key.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Inspect the CA certificate: subject, validity period and basic constraints.
openssl x509 -in ca.pem -noout -text

# Server CSR: start from the same template as the CA CSR and edit it separately
# (CN, hosts and names are described below).
cfssl print-defaults csr >self-csr.json

"CN"  默认域名
"hosts"  额外的域名或IP地址
"names"  CA的组织信息

# Issue the server certificate from the CA above using the "www" profile of
# ca-config.json; cfssljson writes self.pem, self-key.pem (and self.csr).
# The certificate lifetime is the profile's "expiry": with the 30-50 year values
# suggested above, a leaked self.key stays usable for that whole period, so a
# shorter expiry plus periodic reissue is the safer choice.
cfssl gencert \
    -config=ca-config.json -profile=www \
    -ca=ca.pem -ca-key=ca-key.pem \
    self-csr.json | cfssljson -bare self

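# Inspect the server certificate: confirm the SANs from "hosts" and the validity period.
openssl x509 -in self.pem -noout -text
# Check that self.pem really chains to the CA before deploying it anywhere.
openssl verify -CAfile ca.pem self.pem

# Bundle: leaf certificate followed by the CA certificate, for servers that want
# the chain in a single file (the nginx ssl_certificate below).
cat self.pem ca.pem > self.crt
cp self-key.pem self.key
# The private key must stay readable by its owner only, whatever the umask was.
chmod 600 self.key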

# nginx 部署

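    # self.crt holds the server certificate followed by the CA certificate
    # (the "cat self.pem ca.pem" step above); self.key is the private key.
    ssl_certificate      self.crt;
    ssl_certificate_key  self.key;
    ssl_session_timeout  5m;
    # TLS 1.0/1.1 are deprecated (RFC 8996), so TLSv1.1 is dropped. TLSv1.3 needs
    # nginx >= 1.13.0 built against OpenSSL >= 1.1.1; on older builds remove it
    # from this line, but do not re-add TLSv1.1.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Ephemeral ECDH suites only: forward secrecy, no static RSA key exchange.
    ssl_ciphers EECDH+AES:EECDH+CHACHA20;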


# apache 参考
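# The original read "<VirtualHost :9443>"; the "*" was most likely eaten by the
# blog's markdown, and a bare ":9443" is not a usable address specification.
<VirtualHost *:9443>

# Apache does not accept a trailing "#" comment on a directive line, so the
# project-directory note lives on its own line.
# project directory
DocumentRoot "/myproject"

SSLEngine on
# The original "-SSLv3" used a Unicode en dash, which mod_ssl does not parse as "-".
# On 2.4, "all" already excludes SSLv2; TLS 1.0/1.1 are deprecated (RFC 8996)
# and are disabled here to match the nginx block above (2.4 keyword syntax).
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

# Leaf certificate only (self.pem, not the self.crt bundle used by nginx).
SSLCertificateFile  /xx/xx/self.pem

# Private key: keep it mode 0600 and owned by the user Apache starts as.
SSLCertificateKeyFile /xx/xx/self.key

# Deprecated since 2.4.8 (append the chain to SSLCertificateFile instead) but
# still honoured; with a self-signed root, shipping ca.pem here is optional.
SSLCertificateChainFile /xx/xx/ca.pem

</VirtualHost>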
