自建CA证书搭建https服务器¶
1、创建相关目录¶
将openssl.cnf配置文件拷贝到当前目录下并创建以下在配置文件中指定的子文件夹
# Working directory for the CA database (index.txt, serial, newcerts/ ...).
mkdir demoCA; cd demoCA
Note
index.txt为空;serial必须写入内容,且为十六进制数字的字符串(比如1000),openssl ca每签发一张证书都会自动递增该值,所以重复执行时不要再把它覆盖回1000
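mkdir srl certs newcerts
touch index.txt
# serial holds the next serial number (hex, e.g. 1000) and is auto-incremented by
# `openssl ca`; seed it only when empty so a re-run does not reset it and reissue
# duplicate serial numbers.
[ -s serial ] || echo 1000 > serial
cd ..
# Work from a private copy of the system openssl.cnf. On RHEL/CentOS that file
# still sets dir = /etc/pki/CA, which is why demoCA is later copied there.
cp /etc/pki/tls/openssl.cnf .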
2、生成根证书¶
# Root CA material (key, CSR, certificate) lives here.
mkdir -- ca
a).生成根证书私钥(key文件)¶
# Root CA private key: 2048-bit RSA, stored AES-256 encrypted (prompts for a pass phrase).
openssl genrsa -out ca/ca.key -aes256 2048
b).生成根证书签发申请文件(csr文件)¶
# CSR for the root: -utf8 so the non-ASCII DN fields are encoded as UTF8String;
# prompts for the key pass phrase and the DN fields defined in ./openssl.cnf.
openssl req -new -utf8 -config ./openssl.cnf -key ca/ca.key -out ca/ca.csr
c).自签发根证书(crt文件)¶
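# Self-sign the root certificate (10 years). Two changes vs. the usual snippet:
#   * -sha256: SHA-1 signatures are rejected by current TLS clients.
#   * -extfile ./openssl.cnf: `openssl x509` only honours -extensions when an
#     extension file is given; without it the v3_ca section (basicConstraints
#     CA:true plus subject/authority key identifiers) is silently dropped and the
#     resulting "CA" certificate carries no CA extensions at all.
openssl x509 -req -days 3650 -sha256 -extfile ./openssl.cnf -extensions v3_ca -signkey ca/ca.key -in ca/ca.csr -out ca/ca.crt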
3、用根证书签发server端证书¶
# Server key, CSR and certificate live here (this is what nginx will load).
mkdir -- server
a).生成服务端私钥(key文件)¶
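# Server private key. Generated AES-256 encrypted, then re-written WITHOUT the
# pass phrase (server.key) so nginx can start unattended; server.key.org keeps the
# encrypted copy. Both files contain the private key — keep them at mode 600,
# openssl does not guarantee restrictive permissions on the output file.
openssl genrsa -aes256 -out server/server.key 2048
cp server/server.key server/server.key.org
openssl rsa -in server/server.key.org -out server/server.key
chmod 600 server/server.key server/server.key.org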
b).生成服务端证书签发申请文件(csr文件)¶
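# Server CSR (-utf8: non-ASCII DN fields). Use the host name clients will connect
# with as Common Name; note that modern browsers match subjectAltName, not CN.
openssl req -utf8 -new -key server/server.key -out server/server.csr -config ./openssl.cnf
# The stock RHEL/CentOS openssl.cnf sets dir = /etc/pki/CA, so the CA database
# (index.txt, serial, newcerts/) has to live there for `openssl ca` to find it.
# -n never clobbers an existing (live) database on a re-run.
mkdir -p /etc/pki/CA
cp -rapn demoCA/* /etc/pki/CA/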
c).使用根证书签发服务端证书¶
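# Sign the server CSR with the root. Database location, validity period and
# extensions come from ./openssl.cnf ([ CA_default ]; stock config uses
# x509_extensions = usr_cert). -md sha256 is explicit so an older config whose
# default_md is still sha1 cannot downgrade the signature.
# NOTE: usr_cert adds no subjectAltName and browsers ignore CN; for browser trust
# pass e.g. `-extfile san.cnf` where san.cnf contains `subjectAltName=DNS:<host>`
# (-extfile replaces, rather than extends, the usr_cert section).
openssl ca -md sha256 -in server/server.csr -out server/server.crt -cert ca/ca.crt -keyfile ca/ca.key -config ./openssl.cnf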
将证书部署到nginx,做到这个步骤就行了,nginx需要用到的证书就在./server 目录下
部署到nginx
我们安装好nginx之后,只需要把/etc/nginx/nginx.conf里关于https配置的注释取消掉,然后修改ssl_certificate和ssl_certificate_key的路径就可以了。注意:不要让nginx直接读取/root下的证书和私钥——SELinux通常会拒绝nginx访问admin_home_t类型的文件,建议把server.crt/server.key复制到/etc/nginx/ssl/并把私钥权限设为600;同时保持SELinux为enforcing、只在firewalld里放行443端口,而不是用setenforce 0和关闭firewalld来绕过。
# nginx ships in EPEL on RHEL/CentOS; enable the repo first, then edit the main config.
$ yum install -y epel-release
$ yum install -y nginx
$ vi /etc/nginx/nginx.conf
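server {
    # HTTPS-only default server, HTTP/2 on the same listener.
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;

    # Keep the key pair out of /root: SELinux confines nginx and typically denies
    # reads under admin_home_t (that is what forced `setenforce 0` in the original
    # walkthrough). Copy ./server/server.crt and ./server/server.key here first and
    # make the key mode 600.
    ssl_certificate "/etc/nginx/ssl/server.crt";
    ssl_certificate_key "/etc/nginx/ssl/server.key";

    # TLS 1.0/1.1 are deprecated; only forward-secret AEAD suites for TLS 1.2
    # (TLS 1.3 suites are fixed and not affected by ssl_ciphers).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}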
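# Install the key pair where ssl_certificate / ssl_certificate_key in nginx.conf
# should point (/etc/nginx/ssl) instead of leaving it under /root: SELinux
# typically denies nginx reads of admin_home_t, and the key must not be readable
# by anyone but root.
$ install -d -m 700 /etc/nginx/ssl
$ install -m 644 server/server.crt /etc/nginx/ssl/server.crt
$ install -m 600 server/server.key /etc/nginx/ssl/server.key
$ restorecon -R /etc/nginx/ssl
# Validate the config before starting. Keep SELinux enforcing and open only the
# HTTPS port — never `setenforce 0` or `systemctl stop firewalld` to "fix" access.
$ nginx -t
$ systemctl start nginx
$ firewall-cmd --permanent --add-service=https
$ firewall-cmd --reload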
d).将密钥和证书合并成一个文件¶
该操作是可选的,有需求(比如某些程序要求私钥和证书在同一个文件里)就做,我们用nginx,就不用做下面这个操作了。注意合并后的pem文件同时包含私钥,文件权限应设为600。
# server.pem = private key followed by the certificate, for programs that expect
# both in a single file. It contains the private key: treat it like server.key.
cat server/server.key server/server.crt > server/server.pem
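# Optional client certificate (for TLS client authentication against the same CA).
mkdir client
openssl genrsa -aes256 -out client/client.key 2048
# -utf8 for consistency with the CA/server CSRs (non-ASCII DN fields).
openssl req -utf8 -new -key client/client.key -out client/client.csr -config ./openssl.cnf
# -md sha256: do not let an older config's default_md produce a SHA-1 signature.
openssl ca -md sha256 -in client/client.csr -out client/client.crt -cert ca/ca.crt -keyfile ca/ca.key -config ./openssl.cnf
# client.pem bundles the (still pass-phrase protected) private key with the
# certificate — both files hold key material, keep them at mode 600.
cp client/client.key client/client.pem
cat client/client.crt >> client/client.pem
chmod 600 client/client.key client/client.pem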
4、一键创建所有证书脚本参考¶
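#!/bin/bash
# One-shot creation of a private root CA and a CA-signed server certificate.
#
# Produces, relative to the current directory:
#   demoCA/                OpenSSL CA database (index.txt, serial, newcerts/); also
#                          copied to /etc/pki/CA because the stock openssl.cnf on
#                          RHEL/CentOS sets dir = /etc/pki/CA
#   ca/ca.key, ca/ca.crt   root key (AES-256 encrypted) and self-signed root cert
#   server/server.key      server key with the pass phrase stripped (mode 600)
#   server/server.crt      server certificate signed by the root
#
# Pass phrases reach openssl through the environment (-passin/-passout env:), so
# there are no interactive prompts, no `expect` dependency and nothing on argv.
# The defaults below are lab placeholders: export CA_KEY_PASSWORD and
# SERVER_KEY_PASSWORD before running anywhere that matters.
set -euo pipefail

export CA_KEY_PASSWORD="${CA_KEY_PASSWORD:-sophiroth}"
export SERVER_KEY_PASSWORD="${SERVER_KEY_PASSWORD:-sophiroth}"

ca_Country_Name=CN
ca_State_Name=广东
ca_Locality_Name=深圳
ca_Organization_Name=华为云安全
ca_Organizational_Unit_Name=华为云安全
ca_Common_Name=云堡垒
ca_Email_Address=''
server_Country_Name=CN
server_State_Name=广东
server_Locality_Name=深圳
server_Organization_Name=华为云安全
server_Organizational_Unit_Name=华为云安全
server_Common_Name=云堡垒
server_Email_Address=''

#######################################
# Build an `openssl req -subj` string from DN fields.
# Arguments: C ST L O OU CN email (an empty email is omitted)
# Outputs:   "/C=.../ST=.../L=.../O=.../OU=.../CN=..." on stdout; a literal '/'
#            inside a field must be escaped as '\/' by the caller
#######################################
build_subject() {
  local subj="/C=$1/ST=$2/L=$3/O=$4/OU=$5/CN=$6"
  if [ -n "$7" ]; then
    subj="$subj/emailAddress=$7"
  fi
  printf '%s' "$subj"
}

ca_subject=$(build_subject "$ca_Country_Name" "$ca_State_Name" "$ca_Locality_Name" \
  "$ca_Organization_Name" "$ca_Organizational_Unit_Name" "$ca_Common_Name" "$ca_Email_Address")
server_subject=$(build_subject "$server_Country_Name" "$server_State_Name" "$server_Locality_Name" \
  "$server_Organization_Name" "$server_Organizational_Unit_Name" "$server_Common_Name" "$server_Email_Address")

# CA database layout expected by openssl.cnf. serial is hex and auto-incremented
# by `openssl ca`; seed it only when empty so a re-run does not reset it.
mkdir -p demoCA/srl demoCA/certs demoCA/newcerts ca server
touch demoCA/index.txt
[ -s demoCA/serial ] || echo 1000 > demoCA/serial
\cp /etc/pki/tls/openssl.cnf .

# --- Root CA -----------------------------------------------------------------
openssl genrsa -aes256 -passout env:CA_KEY_PASSWORD -out ca/ca.key 2048
# -utf8: the DN fields above are non-ASCII and must be encoded as UTF8String.
openssl req -utf8 -new -key ca/ca.key -passin env:CA_KEY_PASSWORD \
  -subj "$ca_subject" -out ca/ca.csr -config ./openssl.cnf
# -sha256: SHA-1 signatures are rejected by current clients.
# -extfile is required for -extensions to take effect with `openssl x509`; without
# it the v3_ca section (basicConstraints CA:true, key identifiers) is silently
# dropped and the root is issued without any CA extensions.
openssl x509 -req -days 3650 -sha256 -extfile ./openssl.cnf -extensions v3_ca \
  -signkey ca/ca.key -passin env:CA_KEY_PASSWORD -in ca/ca.csr -out ca/ca.crt

# --- Server key and CSR ------------------------------------------------------
# Generated encrypted, then rewritten without the pass phrase (server.key) so nginx
# can start unattended; server.key.org keeps the encrypted copy. Both are private
# keys, hence mode 600.
openssl genrsa -aes256 -passout env:SERVER_KEY_PASSWORD -out server/server.key 2048
\cp server/server.key server/server.key.org
openssl rsa -in server/server.key.org -passin env:SERVER_KEY_PASSWORD -out server/server.key
chmod 600 server/server.key server/server.key.org
openssl req -utf8 -new -key server/server.key -subj "$server_subject" \
  -out server/server.csr -config ./openssl.cnf

# --- Sign the server certificate with the root -------------------------------
# The stock openssl.cnf sets dir = /etc/pki/CA, so the CA database must live
# there; -n never clobbers a live database (index.txt/serial) on a re-run.
mkdir -p /etc/pki/CA
\cp -rapn demoCA/* /etc/pki/CA/
# -batch answers the "Sign the certificate?" / "commit?" prompts; -md sha256 keeps
# an older config's default_md from downgrading the signature.
# NOTE: no subjectAltName is issued and browsers ignore CN; for browser trust add
# `-extfile <file>` where <file> contains `subjectAltName=DNS:<host>`.
openssl ca -batch -md sha256 -in server/server.csr -out server/server.crt \
  -cert ca/ca.crt -keyfile ca/ca.key -passin env:CA_KEY_PASSWORD -config ./openssl.cnf

ls -l server ca
# nginx.conf (copy the files out of /root first, e.g. to /etc/nginx/ssl/):
#   ssl_certificate     /etc/nginx/ssl/server.crt;
#   ssl_certificate_key /etc/nginx/ssl/server.key;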