####################
# 一、生成CA機構的私鑰,命令和生成服務器私鑰一樣,只不過這是CA的私鑰 >> ca.key openssl genrsa -out ca.key 4096 # 二、生成CA機構自己的證書申請文件 >> ca.crt openssl req -new -sha512 -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key ca.key -out ca.csr # 三、生成自簽名證書,CA機構用自己的私鑰和證書申請文件生成自己簽名的證書,俗稱自簽名證書,這裏可以理解爲根證書 # -nodes 表示私鑰不加密,若不帶參數將提示輸入密碼; # x509的含義: 指定格式 # -in的含義: 指定請求文件 # -signkey的含義: 自簽名 openssl x509 -req -sha512 -days 3650 -extensions v3_ca -signkey ca.key -in ca.csr -out ca.crt ------------------------------------------------------------------------------------------------------- # 一、生成服務器私鑰。nginx中要求的server.key openssl genrsa -out server.key 4096 # 二、請求證書。根據服務器私鑰文件生成證書請求文件,這個文件中會包含申請人的一些信息,注意: 這一步也會輸入參數,要和上一次輸入的保持一致 openssl req -new -sha512 -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key server.key -out server.csr # 三、使用CA證書籤署服務器證書。根據CA機構的自簽名證書ca.crt或者叫根證書生、CA機構的私鑰ca.key、服務器的證書申請文件server.csr生成服務端證書 # 請求證書,nginx中要求的server.crt # 證數各參數含義如下 # C 國家 Country Name # ST----省份 State or Province Name # L----城市 Locality Name # O----公司 Organization Name # OU----部門 Organizational Unit Name # CN----產品名 Common Name # emailAddress----郵箱 Email Address openssl x509 -req -sha512 -days 3650 -extensions v3_req -CAserial ca.srl -CAcreateserial -CA ca.crt -CAkey ca.key -in server.csr -out server.crt --------------------------------------------------------------------------------------- # 生成客戶端證書 # 一、生成客戶端私鑰 openssl genrsa -out client.key 4096 # 二、申請證書,注意:這一步也會輸入參數,要和前兩次輸入的保持一致 openssl req -new -sha512 -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key client.key -out client.csr # 三、使用CA證書籤署客戶端證書 openssl x509 -req -sha512 -days 3650 -CAcreateserial -in client.csr -CA ca.crt -CAkey ca.key -out client.cer -extensions v3_req
------------------------------------------------------------------------ # ca證書 openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" # openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt --------------------------------------------------------------------------------- # 服務端 openssl genrsa -out server.key 2048 # 注意: 這一步也會輸入參數,要和上一次輸入的保持一致 openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" # openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 ------------------------------------------------------------------------- # 客戶端 openssl genrsa -out client.key 2048 # 注意:這一步也會輸入參數,要和前兩次輸入的保持一致 openssl req -new -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key client.key -out client.csr # openssl x509 -req -days 3650 -CAcreateserial -in client.csr -CA ca.crt -CAkey ca.key -out client.crt # 配置示例(Nginx): server { listen 80; listen 443 ssl; server_name 172.21.10.101; ssl_certificate /opt/server.crt; ssl_certificate_key /opt/server.key; if ($scheme = http) { return 301 https://$host$uri?$args; } #charset koi8-r; #access_log logs/host.access.log main; location / { #root html; #index index.html index.htm; proxy_pass http://172.xx.xx.xx:9000/xxx/xxx/; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } # 配置示例(Apache): <VirtualHost *:443> ServerName example.com SSLEngine on SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key SSLCACertificateFile /path/to/ca.crt ... </VirtualHost> # 配置示例(Tomcat): <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/path/to/server.keystore" keystorePass="password" truststoreFile="/path/to/ca.crt" truststorePass="password" clientAuth="true" sslProtocol="TLS"/>
#######################