OpenSSL certificate generation workflow

I happened to think about setting up HTTPS on the intranet, so I went through the process of generating certificates with OpenSSL and a CA. The process is split into a server side and a client side; here I test both on one machine.

一. Introduction

CA is short for Certificate Authority, i.e. a certification centre. A CA issues, renews, revokes and verifies certificates; it is the equivalent of the household-registration department of the public security bureau. The purpose of a CA certificate is identity authentication.

The digital certificate authentication process works like applying for an ID card:
bring your household register (proof that you are legitimate) -> local police station (the certification authority) -> the certificate is issued (after the information has been checked) -> you go and collect the certificate.

The flow by which a client obtains a CA certificate is as follows:

The CSR file is generated from the client's public key and its host identity; the host identity includes the country, province, city, organization, email address, hostname and so on. Once the user has received the digital certificate, the browser uses the CA public key it already holds to verify the certificate and read out the client's identity, thereby confirming who it is talking to.

二. Setup

1. Required software: openssl. Check whether it is already installed:

    [root@ayu conf]# rpm -qf $(which openssl)
    openssl-1.0.1e-48.el6_8.3.x86_64

2. Configure your own CA. Generate the CA's root certificate and private key; the root certificate carries the CA's public key.

Edit the openssl configuration file:

    [root@ayu conf]# vim /etc/pki/tls/openssl.cnf

and change the following so that this host acts as the CA:

    #basicConstraints=CA:FALSE
    basicConstraints=CA:TRUE

The CA helper script offers these options:

    [root@ayu conf]# /etc/pki/tls/misc/CA -h
    usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

Options:
    -newcert        new certificate
    -newreq         new request
    -newreq-nodes   new request with an unencrypted key (-nodes)
    -newca          new CA certificate
    -sign           sign a request
    -verify         verify

Generate the CA certificate and private key:

    [root@ayu conf]# /etc/pki/tls/misc/CA -newcert
    Generating a 2048 bit RSA private key
    .+++
    ...........................................................................................................................+++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase:              <- enter the password that protects the key file
    Verifying - Enter PEM pass phrase:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [XX]:CH
    State or Province Name (full name) []:hubei
    Locality Name (eg, city) [Default City]:wuhan
    Organization Name (eg, company) [Default Company Ltd]:ayu
    Organizational Unit Name (eg, section) []:ayu
    Common Name (eg, your name or your server's hostname) []:ayu
    Email Address []:123@qq.com
    Certificate is in newcert.pem, private key is in newkey.pem
    [root@ayu certificate]# ll
    总用量 8
    -rw-r--r--. 1 root root 1350 3月 20 00:50 newcert.pem
    -rw-r--r--. 1 root root 1834 3月 20 00:50 newkey.pem

Two files have been generated: newcert.pem is the root certificate (it carries the public key) and newkey.pem is the private key.

3. Prepare the client's files

    [root@ayu certificate_keys]# openssl genrsa -des3 -out server.key
    Generating RSA private key, 1024 bit long modulus
    .............++++++
    ................++++++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:              <- enter the private-key password
    Verifying - Enter pass phrase for server.key:

This generates the client's private key file; des3 is the cipher used to encrypt the private key under that password.

Generate the client's certificate signing request:

    [root@ayu certificate_keys]# openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [XX]:CH          <- these fields must be the same as the CA's host identity, otherwise signing fails (the default policy_match section in openssl.cnf requires country, state/province and organization to match the CA certificate)
    State or Province Name (full name) []:hubei
    Locality Name (eg, city) [Default City]:wuhan
    Organization Name (eg, company) [Default Company Ltd]:ayu
    Organizational Unit Name (eg, section) []:ayu
    Common Name (eg, your name or your server's hostname) []:ayu
    Email Address []:123@163.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:                       <- leave empty
    An optional company name []:                   <- leave empty
    [root@ayu certificate_keys]# ll
    总用量 8
    -rw-r--r--. 1 root root 668 3月 20 01:23 server.csr
    -rw-r--r--. 1 root root 963 3月 20 01:18 server.key

The generated csr file is the request file derived from the private key; it contains the public key.

4. Have the CA sign the request

    [root@ayu certificate_keys]# openssl ca -keyfile /root/certificate/newkey.pem -cert /root/certificate/newcert.pem -in server.csr -out server.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /root/certificate/newkey.pem:
    /etc/pki/CA/index.txt: No such file or directory
    unable to open '/etc/pki/CA/index.txt'
    140602402772808:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
    140602402772808:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

This fails: the ca command keeps its certificate database under /etc/pki/CA (the dir setting in openssl.cnf), and the index and serial files do not exist yet. Create them and run the command again:

    [root@ayu certificate_keys]# touch /etc/pki/CA/index.txt
    [root@ayu certificate_keys]# echo 01 > /etc/pki/CA/serial
    [root@ayu certificate_keys]# openssl ca -keyfile /root/certificate/newkey.pem -cert /root/certificate/newcert.pem -in server.csr -out server.crt
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /root/certificate/newkey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 20 05:37:46 2018 GMT
            Not After : Mar 20 05:37:46 2019 GMT
        Subject:
            countryName               = CH
            stateOrProvinceName       = hubei
            organizationName          = ayu
            organizationalUnitName    = ayu
            commonName                = ayu
            emailAddress              = 123@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                00:4C:C6:86:B4:EF:88:51:FC:DB:59:C7:D8:32:20:08:81:7A:4B:D8
            X509v3 Authority Key Identifier:
                keyid:8A:41:B4:0B:50:11:DC:27:24:A8:29:E6:3B:5A:D1:AB:66:29:3A:EC

    Certificate is to be certified until Mar 20 05:37:46 2019 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@ayu certificate_keys]# ll
    总用量 12
    -rw-r--r--. 1 root root 3747 3月 20 01:37 server.crt
    -rw-r--r--. 1 root root 668 3月 20 01:23 server.csr
    -rw-r--r--. 1 root root 963 3月 20 01:18 server.key

Created successfully.

Test whether the HTTPS configuration works. Add the following to the nginx configuration file:

    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/certificate_keys/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/certificate_keys/server.key;

Restart nginx and test access. Note that server.key is protected by the -des3 passphrase, so nginx will prompt for it every time it starts; for unattended restarts either supply the passphrase through nginx's ssl_password_file directive or keep an unencrypted copy of the key with tight file permissions.
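As an added example (not code from the original post), here is the same flow run non-interactively in a private CA directory instead of /etc/pki/CA: it sets up the index.txt and serial files that step 4 tripped over, marks the root certificate CA:TRUE and the issued certificate CA:FALSE, and spells out the policy_match rule behind the "fields must match the CA" note in step 3. The directory layout, DN values and hostnames are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: the post's CA flow run non-interactively in a private directory
# (instead of /etc/pki/CA). DN values and hostnames are constructed for this demo.
set -eu
make_ca() {   # $1 = working dir; creates $1/ca with key, root cert and CA database
  d="$1/ca"; mkdir -p "$d/newcerts"
  touch "$d/index.txt"   # certificate database `openssl ca` needs (missing on the post's first try)
  echo 01 > "$d/serial"  # next serial number to issue
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext       # used by 'req -x509': the root certificate is a CA
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
x509_extensions = leaf_ext     # issued certificates are end entities, not CAs
policy = policy_match
[ leaf_ext ]
basicConstraints = CA:FALSE
[ policy_match ]
countryName = match            # C, ST and O must equal the CA's, as in step 3
stateOrProvinceName = match
organizationName = match
commonName = supplied
EOF
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=CN/ST=hubei/O=ayu/CN=ayu-root-ca" -keyout "$d/cakey.pem" -out "$d/cacert.pem"
}
issue_cert() {   # $1 = working dir, $2 = base name, $3 = subject; non-zero exit if policy rejects the CSR
  openssl genrsa -out "$1/$2.key" 2048
  openssl req -new -config "$1/ca/ca.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
  openssl ca -batch -config "$1/ca/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt"
}
verify_chain() {   # $1 = working dir, $2 = base name; exit 0 only if the cert chains to our CA
  openssl verify -CAfile "$1/ca/cacert.pem" "$1/$2.crt"
}
```

Run make_ca and then issue_cert in a scratch directory; a CSR whose O or ST differs from the CA's is refused by openssl ca, which is the failure the post warns about in step 3.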