####################
# 一、生成CA机构的私钥,命令和生成服务器私钥一样,只不过这是CA的私钥 >> ca.key openssl genrsa -out ca.key 4096 # 二、生成CA机构自己的证书申请文件 >> ca.crt openssl req -new -sha512 -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key ca.key -out ca.csr # 三、生成自签名证书,CA机构用自己的私钥和证书申请文件生成自己签名的证书,俗称自签名证书,这里可以理解为根证书 # -nodes 表示私钥不加密,若不带参数将提示输入密码; # x509的含义: 指定格式 # -in的含义: 指定请求文件 # -signkey的含义: 自签名 openssl x509 -req -sha512 -days 3650 -extensions v3_ca -signkey ca.key -in ca.csr -out ca.crt ------------------------------------------------------------------------------------------------------- # 一、生成服务器私钥。nginx中要求的server.key openssl genrsa -out server.key 4096 # 二、请求证书。根据服务器私钥文件生成证书请求文件,这个文件中会包含申请人的一些信息,注意: 这一步也会输入参数,要和上一次输入的保持一致 openssl req -new -sha512 -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key server.key -out server.csr # 三、使用CA证书签署服务器证书。根据CA机构的自签名证书ca.crt或者叫根证书生、CA机构的私钥ca.key、服务器的证书申请文件server.csr生成服务端证书 # 请求证书,nginx中要求的server.crt # 证数各参数含义如下 # C 国家 Country Name # ST----省份 State or Province Name # L----城市 Locality Name # O----公司 Organization Name # OU----部门 Organizational Unit Name # CN----产品名 Common Name # emailAddress----邮箱 Email Address openssl x509 -req -sha512 -days 3650 -extensions v3_req -CAserial ca.srl -CAcreateserial -CA ca.crt -CAkey ca.key -in server.csr -out server.crt --------------------------------------------------------------------------------------- # 生成客户端证书 # 一、生成客户端私钥 openssl genrsa -out client.key 4096 # 二、申请证书,注意:这一步也会输入参数,要和前两次输入的保持一致 openssl req -new -sha512 -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key client.key -out client.csr # 三、使用CA证书签署客户端证书 openssl x509 -req -sha512 -days 3650 -CAcreateserial -in client.csr -CA ca.crt -CAkey ca.key -out client.cer -extensions v3_req
------------------------------------------------------------------------ # ca证书 openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" # openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt --------------------------------------------------------------------------------- # 服务端 openssl genrsa -out server.key 2048 # 注意: 这一步也会输入参数,要和上一次输入的保持一致 openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" # openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 ------------------------------------------------------------------------- # 客户端 openssl genrsa -out client.key 2048 # 注意:这一步也会输入参数,要和前两次输入的保持一致 openssl req -new -subj "/C=CN/ST=hubei/L=wuhan/O=igoodful/OU=igoodful/CN=registry.igoodful.com/[email protected]" -key client.key -out client.csr # openssl x509 -req -days 3650 -CAcreateserial -in client.csr -CA ca.crt -CAkey ca.key -out client.crt # 配置示例(Nginx): server { listen 80; listen 443 ssl; server_name 172.21.10.101; ssl_certificate /opt/server.crt; ssl_certificate_key /opt/server.key; if ($scheme = http) { return 301 https://$host$uri?$args; } #charset koi8-r; #access_log logs/host.access.log main; location / { #root html; #index index.html index.htm; proxy_pass http://172.xx.xx.xx:9000/xxx/xxx/; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } # 配置示例(Apache): <VirtualHost *:443> ServerName example.com SSLEngine on SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key SSLCACertificateFile /path/to/ca.crt ... </VirtualHost> # 配置示例(Tomcat): <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/path/to/server.keystore" keystorePass="password" truststoreFile="/path/to/ca.crt" truststorePass="password" clientAuth="true" sslProtocol="TLS"/>
#######################