Issuing SSL certificates from a self-built CA (openssl-perl)

2017-05-10  袁先生的笔记

Environment

System: CentOS 6.6

Preparation

# yum install openssl openssl-perl

Create the CA

# vim /etc/pki/tls/openssl.cnf
default_days    = 3650
countryName_default             = CN
stateOrProvinceName_default     = BeiJing
localityName_default            = BeiJing
0.organizationName_default      = Company Ltd
organizationalUnitName_default  = IT
# rm -fr /etc/pki/CA/*
# cd /etc/pki/tls/misc

# ./CA.pl -newca
Enter PEM pass phrase: (enter the CA passphrase)
Verifying - Enter PEM pass phrase: (repeat the CA passphrase)
......
Country Name (2 letter code) [GB]: CN
State or Province Name (full name) [Berkshire]:BeiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:domain.com
Email Address []:email@126.com
......
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the CA passphrase)
......

Note: the Common Name must be the fully qualified name of the target machine.

Issue a certificate

# ./CA.pl -newreq-nodes
......
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BeiJing
Locality Name (eg, city) [Newbury]:BeiJing
Organization Name (eg, company) [My Company Ltd]:Company Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:your.domain.com
Email Address []:email@126.com
......
# ./CA.pl -sign
......
Enter pass phrase for /etc/pki/CA/private/cakey.pem: (enter the CA passphrase)
......
Sign the certificate? [y/n]:y
......
1 out of 1 certificate requests certified, commit? [y/n]y
......

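Three files are generated in the current directory:
newreq.pem   the certificate request file; can be deleted
newcert.pem  the certificate issued by the CA
newkey.pem   the private key for the certificate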

# rm -f newreq.pem
# mv newcert.pem your.domain.com.cert
# mv newkey.pem your.domain.com.key
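
An added example, not from the original post: a shell function that confirms the renamed files are usable by checking that the certificate verifies against the CA, that the key belongs to it, and that the Common Name is the expected fully qualified name. The names check_issued_cert and make_demo_pki are hypothetical, and the throwaway CA used as constructed sample input is built with plain openssl commands rather than CA.pl.

```shell
#!/bin/sh
# Added example: checks for the files the procedure leaves behind.
# check_issued_cert CA_CERT CERT KEY FQDN  -> returns 0 only if all checks pass
check_issued_cert() {
    ca=$1; cert=$2; key=$3; fqdn=$4
    # 1. The certificate must verify against the CA certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not signed by $ca"; return 1; }
    # 2. The private key must match the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not belong to $cert"; return 1; }
    # 3. The subject Common Name must be the expected fully qualified name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$fqdn" ] ||
        { echo "FAIL: Common Name is '$cn', expected '$fqdn'"; return 1; }
    echo "OK: $cert chains to the CA, matches its key, CN=$cn"
}

# Constructed sample input: a throwaway CA and server certificate in DIR,
# created with plain openssl commands (an assumption; the page uses CA.pl).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=your.domain.com" \
        -keyout "$dir/your.domain.com.key" -out "$dir/newreq.pem" 2>/dev/null
    openssl x509 -req -in "$dir/newreq.pem" -days 1 -CAcreateserial \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -out "$dir/your.domain.com.cert" 2>/dev/null
}

# On the CA host, after the rename step, the call would be:
#   check_issued_cert /etc/pki/CA/cacert.pem your.domain.com.cert \
#       your.domain.com.key your.domain.com
```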