certificate

自建CA并签发证书

创建自签名CA,并签发SSL证书

Posted by Leon on March 29, 2020

自建CA,生成CA证书

方法一

  • 生成CA私钥, key
# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.....................................................++
............................................++
e is 65537 (0x10001)

# ls
ca.key

  • 生成证书请求文件, csr(无)

  • 签发CA证书,crt

# cat <<EOF > ca.cnf
[ req ]
req_extensions     = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
keyUsage           = critical, keyCertSign, digitalSignature, keyEncipherment
basicConstraints   = critical, CA:true
EOF

# openssl req -x509 -new -nodes -key ca.key -days 1825 -out ca.crt \
        -subj "/CN=ca/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=devops" \
        -config ca.cnf -extensions v3_req

# ls
ca.cert  ca.cnf  ca.key

方法二

# openssl req -nodes -subj "/CN=ca/OU=System/C=CN/ST=ShangHai/L=HaiShange/O=devops" -newkey rsa:4096 -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.....................................................................................................++
.................................................++
writing new private key to 'ca.key'
-----

# ls
ca.crt  ca.key

# openssl x509 -noout -text -in ca.crt

查看CA证书信息

# openssl x509 -noout -text -in ca.crt

自签证书

  • 创建私钥,key;证书请求文件,csr
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.dev.ops.key \
        -out harbor.dev.ops.csr \
        -subj "/CN=harbor.dev.ops/C=CN/ST=ShangHai/L=HaiShange"
Generating a 4096 bit RSA private key
........................................................................................................................................++
..............................................................................................................................................................................................................................................++
writing new private key to 'harbor.dev.ops.key'
-----

# ls
harbor.dev.ops.csr  harbor.dev.ops.key
  • 使用自建CA证书,签发证书,crt
# openssl x509 -req -days 365 -in harbor.dev.ops.csr \
        -CA ../selfCA/ca.crt -CAkey ../selfCA/ca.key -CAcreateserial \
        -out harbor.dev.ops.crt
Signature ok
subject=/CN=harbor.dev.ops/C=CN/ST=ShangHai/L=HaiShange
Getting CA Private Key

# ls
harbor.dev.ops.crt  harbor.dev.ops.csr  harbor.dev.ops.key
  • 查看CA证书信息
# openssl x509 -noout -text -in harbor.dev.ops.crt
FEATURED TAGS
docker