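There are many articles online that explain how to create a self-signed certificate, but they share one drawback: each step requires entering several parameters, so a script has to be written interactively. To make scripting easier, this article creates a self-signed certificate from a configuration file.
1. First create a directory: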
mkdir /etc/httpd/ssl
2. cd /etc/httpd/ssl
3. Write a configuration file, self_signed_certificate.conf:
[ req ]
default_bits = 2048 # RSA key size in bits (1024-bit RSA is no longer considered secure)
default_keyfile = server.key
distinguished_name = subject
string_mask = utf8only
prompt = no # required; without it openssl still prompts for many fields
# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
# It's sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
commonName =2003:db1::1093 # IP address or domain name of the httpd server
stateOrProvinceName =The earth
countryName =CN
emailAddress =optional
organizationName =TEST
4. Run:
openssl req -config self_signed_certificate.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout server.key -days 365 -out server.crt
5. Then edit the file with vim /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
6. service httpd restart
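The steps above as one non-interactive script with checks on the result, given as an added example (not the original author's code). It also sets subjectAltName, which current browsers match the host name against instead of commonName. The function names, the target directory argument and the sample name www.example.test are assumptions.

```shell
#!/bin/sh
# Added example. Function names and sample values are assumptions.

# make_cert DIR CN SAN: write DIR/req.conf, DIR/server.key, DIR/server.crt.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_cert() (
    dir=$1; cn=$2; san=$3
    umask 077                      # private key readable by its owner only
    cat > "$dir/req.conf" <<EOF
[ req ]
distinguished_name = subject
x509_extensions    = v3_ext
string_mask        = utf8only
prompt             = no

[ subject ]
commonName       = $cn
organizationName = TEST

[ v3_ext ]
subjectAltName = $san
EOF
    openssl req -config "$dir/req.conf" -new -x509 -sha256 \
        -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -days 365 -out "$dir/server.crt"
)

# key_matches_cert DIR: true only if server.crt carries server.key's public key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_key_bits DIR: print the public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1/server.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_has_san DIR NAME: true if NAME (e.g. DNS:host) appears in the text dump.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -qF "$2"
}

# cert_valid_for DAYS DIR: true if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$2/server.crt" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}
```

Source the file, then run for example make_cert /etc/httpd/ssl 2003:db1::1093 "IP:2003:db1::1093" followed by key_matches_cert /etc/httpd/ssl before restarting httpd.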