制作ssl证书

制作根证书

openssl默认生成的是v1版本的证书，浏览器目前只支持v3版本的证书，v3 版本证书生成时需要在cnf配置文件中增加扩展属性

subjectAltName 扩展属性指定自签名证书ip地址或者dns；必须设置，不设置会导致浏览器提示不安全

配置文件在生成csr的时候可以设置默认值

配置文件在生成crt的时候可以设置扩展属性

ca.conf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name 

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = BJ
localityName                = Locality Name (eg, city)
localityName_default        = BJ
organizationName            = Organization Name (eg, company)
organizationName_default    = soyuan
organizationalUnitName            = Organizational Unit Name (eg, section)
organizationalUnitName_default    = soyuan
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = soyuan

[ root_ca ]
# 签发根证书时使用
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

名字解释

Enter pass phrase for fd.key:					输入私钥的加密密码，如生成的是加密私钥
Country Name (2 letter code) [XX]:CN			输入国家名，至少两个字符
State or Province Name(ful name) []:JX			输入洲/省的名称
Locality Name（eg,city) [Default City]:GZ		输入地点名称(如城市)[默认城市]
Organization Name (eg, company) [Default Company Ltd]:JXUST				输入组织名称
Organizational Unit Name (eg, section) []:XA							输入部门名称
Common Name (eg, your name or your server's hostname) []:last-player	输入常用名称
Email Address []:asdad@asda.com					输入邮箱地址

生成服务器私钥

openssl genrsa -out ca.key 2048

创建根证书的申请文件

openssl req -new -key ca.key -out ca.csr -config ca.conf

创建一个自当前日期起为期十年的根证书

openssl x509 -req -days 3650 -sha256 -extfile ca.cnf -signkey ca.key -in ca.csr -out ca.crt

openssl req -config ca.conf -new -x509 -days 7300 -sha256 -extensions root_ca -key ca.key -out ca.crt

制作服务器证书

创建服务器证书密钥

openssl genrsa -out 172.16.100.92.key 2048

创建服务器证书的申请文件

生成服务器端证书的时候，要设置使用者ip 或域名，这个使用cnf文件

172.16.100.92.cnf

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = BJ
localityName                = Locality Name (eg, city)
localityName_default        = BJ
organizationName            = Organization Name (eg, company)
organizationName_default    = 92SVC
organizationalUnitName            = Organizational Unit Name (eg, section)
organizationalUnitName_default    = 92SVC
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = 92SVC

[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1    = 172.16.100.92
#DNS.1   = your-website.dev
#DNS.2   = another-website.dev

openssl req -new -key 172.16.100.92.key -out 172.16.100.92.csr -config 172.16.100.92.cnf

创建自当前日期起有效期为期两年的服务器证书

openssl x509 -req -days 730 -sha256 -extensions req_ext -extfile 172.16.100.92.cnf -CA ca.crt -CAkey server.key -CAserial 172.16.100.92.srl -CAcreateserial -in 172.16.100.92.csr -out 172.16.100.92.crt

• extensions 指定的扩展属性
• extfile 指定扩展属性的所在文件

把服务器秘钥不带密码的key解析出来

openssl rsa -in 172.16.100.92.key -out 172.16.100.92_unsecure.key

将证书合并成pfx文件

openssl pkcs12 -export -in 172.16.100.92.crt -inkey 172.16.100.92.key -out 172.16.100.92.pfx

将证书合并成pem文件

cat 172.16.100.92.key 172.16.100.92.crt > 172.16.100.92.pem