第一步我們建立根證書:(#是注釋)
# 1. Start from the filesystem root and create the CA directory tree.
cd /
mkdir ca ca/root
# 2. Work inside the root CA directory from here on.
cd /ca/root
# 3. private/ holds the root key, cert/ the root certificate, signed_certs/ a
#    copy of every certificate the root CA issues.
mkdir private cert signed_certs
# Only the owner may enter or list the private-key directory.
chmod 700 private
# index.txt is the CA database of issued certificates; openssl updates it on
# every signature.
touch index.txt
# serial holds the serial number of the next certificate to issue; openssl
# increments it on every signature.
printf '0001\n' > serial
建立openssl_root_ca.cnf並放置在root目錄內
# Create the (empty) root CA config file; its content is given below.
touch openssl_root_ca.cnf
內容:
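# openssl_root_ca.cnf - root CA configuration, read by "openssl ca"
# ([ ca ], [ ca_default ], the policy section) and "openssl req"
# ([ req ], [ req_distinguished_name ]); [ root_ca ] and [ intermediate_ca ]
# are selected with -extensions.
# OpenSSL resolves DN attribute names (countryName, ...) and X.509v3
# extension names (basicConstraints, keyUsage, ...) case-sensitively, so the
# mixed-case spellings below must be kept exactly as written.
[ ca ]
default_ca = ca_default

[ ca_default ]
# Directory layout used by "openssl ca".
dir = /ca/root
certs = $dir/cert
new_certs_dir = $dir/signed_certs
database = $dir/index.txt
serial = $dir/serial
# RNG seed file (the key OpenSSL recognises is spelled RANDFILE).
RANDFILE = $dir/private/.rand
# Root CA private key and certificate.
private_key = $dir/private/root_ca.key.pem
certificate = $dir/cert/root_ca.cert.pem
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# Validity (days) of issued certificates when -days is not given.
default_days = 365
preserve = no
policy = policy_default

[ policy_default ]
# Subject field checks applied when signing (e.g. an intermediate CA):
# "optional" fields may be absent, "supplied" fields must be present;
# no field has to match the root certificate's subject.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Parameters for "openssl req".
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256

[ req_distinguished_name ]
# Prompt text shown for each subject field when a request or certificate is
# created.
countryName = country name (2 letter code)
stateOrProvinceName = state or province name
localityName = locality name
0.organizationName = organization name
organizationalUnitName = organizational unit name
commonName = common name
emailAddress = email address

[ root_ca ]
# Extensions for the self-signed root certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ intermediate_ca ]
# Extensions for an intermediate CA certificate; pathlen:0 allows the
# intermediate to sign end-entity certificates only, not further CAs.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign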
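# Generate the root CA private key: 4096-bit RSA, encrypted with AES-256.
# The subshell umask makes the key file owner-only from the moment it is
# written (older OpenSSL releases apply the process umask to -out files)
# without changing the umask of the interactive shell.
(umask 077 && openssl genrsa -aes256 -out private/root_ca.key.pem 4096)
# openssl prompts for the passphrase protecting the key, then asks again to
# confirm it, e.g.:
#   Verifying - Enter pass phrase for private/root_ca.key.pem: alice123
# Lock the key file down to owner read-only.
chmod 400 private/root_ca.key.pem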
在根憑證目錄產生根憑證的自簽憑證,檔名是 root_ca.cert.pem
# Create the self-signed root certificate in cert/root_ca.cert.pem: valid
# 7300 days, signed with SHA-256, using the [ root_ca ] extensions from the
# config file.
openssl req -config openssl_root_ca.cnf -key private/root_ca.key.pem \
    -new -x509 -sha256 -days 7300 -extensions root_ca \
    -out cert/root_ca.cert.pem
# openssl first asks for the passphrase of the root key:
#   Enter pass phrase for private/root_ca.key.pem: ******
輸入你設定密碼
#接著需要輸入憑證擁有者的資訊.
#所在的國家的縮寫, 2個字母,例如 taiwan = tw, united states = us.
country name (2 letter code) : tw
#所在的州或省.
state or province name : taiwan
#所在的城市.
locality name : ****ei
#所在的公司.
organization name : alice ltd
#所在的公司的單位.
organizational unit name [ ]: alice ltd certificate authority
#憑證的名稱.
common name : alice ltd root ca
#聯絡信箱.
email address : alice@local
# The certificate is public: readable by everyone, writable by nobody.
chmod a=r cert/root_ca.cert.pem
檢查自簽的根憑證是否無誤.
# Print the root certificate in human-readable form to check its contents.
openssl x509 -in cert/root_ca.cert.pem -text -noout