一、创建私钥
[root@shuaishuai ~]# openssl genrsa -out ca.key 2048
示例:
注:此时目录下会生成一个 ca.key 文件
二、创建公钥
[root@shuaishuai ~]# openssl req -new -x509 -days 208 -key ca.key -out ca.crt
示例:
注:此时目录下会生成一个 ca.crt 文件
三、生成密钥对
1.先准备两个文件,分别是openssl.cnf 和 v3.ext
[root@shuaishuai ~]# vim openssl.cnf
openssl.cnf 内容如下:
[req] distinguished_name = req_distinguished_name req_extensions = v3_req
[req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = US stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = NY localityName = Locality Name (eg, city) localityName_default = NYC organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = xxx commonName = xxx commonName_max = 64
[ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:TRUE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names
[alt_names] IP.1 = 192.168.1.145 IP.2 = 192.168.1.140
[root@shuaishuai ~]# vim v3.ext
v3.ext 内容如下:
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName=@alt_names [alt_names] IP.1 = 192.168.0.145 IP.2 = 192.168.1.140
注意:以上两个文件是相关联的
四、 生成服务器证书
1.生成私钥
[root@shuaishuai ~]# openssl genrsa -out server.key 2048
示例:
注:此时会生成一个 server.key 文件
2.生成公钥
[root@shuaishuai ~]# openssl req -new -days 208 -key server.key -out server.csr -config openssl.cnf
示例:
3.自签名
[root@shuaishuai ~]# openssl x509 -days 208 -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
示例:
注:目录下会生成 server.key 和 server.crt 两个文件。 到这里就结束了!
文章来源
发表评论