Creating a self-signed SSL certificate with the openssl tool: a private CA plus a server certificate, convenient to deploy on an internal network where a public CA cannot issue for your hostnames and addresses
Self-signing flow: create the CA private key ---> generate the CA root certificate with the CA private key ---> create the SSL private key ---> create the SSL certificate CSR ---> sign the CSR with the CA root certificate to produce the SSL certificate
Procedure:
1. Create a directory named ca to hold the CA files
sudo mkdir ca
cd ca
2. Create the CA private key (a passphrase is recommended; -des3 encrypts the key file with one, and openssl prompts for it every time the key is used to sign). This key is the trust anchor for every client that later imports CA.crt: anyone who holds it can issue certificates those clients will accept, so keep the file readable only by its owner and never copy it to the web server.
sudo openssl genrsa -des3 -out CA.key 2048
3. Generate the CA certificate, self-signed with 20 years of validity. Import this CA certificate into the "Trusted Root Certification Authorities" store of every PC that needs access; every certificate signed by this CA is then trusted there. openssl prompts for the subject fields (C, ST, L, O, OU, CN, emailAddress); give the CA a CN that differs from the server's so issuer and subject are distinguishable (in the output below both carry CN = xa.it.com because the same answers were typed at both prompts). -nodes has no effect here: it only skips encrypting a key that req generates itself, and this command uses the existing CA.key.
sudo openssl req -x509 -new -nodes -key CA.key -sha256 -days 7300 -out CA.crt
# Command to inspect the certificate: sudo openssl x509 -in CA.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:d9:98:70:56:3f:c1:49:27:59:b3:a0:07:1f:80:b0:05:9f:52:0a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Validity
            Not Before: Mar 27 08:18:26 2024 GMT
            Not After : Mar 22 08:18:26 2044 GMT
        Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b4:f9:ee:6c:5e:ef:81:6d:21:2b:17:7f:6e:ce:
                    c3:82:1c:46:e6:28:ca:36:fb:49:dd:99:9e:44:a2:
                    84:8e:f0:b6:16:f7:0d:20:56:2d:7b:96:30:3d:23:
                    74:2d:d2:c0:25:2a:fd:df:2f:b9:30:82:38:a4:9d:
                    c8:e8:2b:9d:e9:e2:24:59:44:cd:2b:fa:ed:27:b6:
                    2d:62:3f:73:45:5d:84:8e:75:48:3e:da:0b:67:45:
                    89:f1:9f:1f:35:39:1b:de:24:fd:1d:f0:b3:9a:38:
                    6e:fe:6d:04:d7:23:c2:74:28:4f:8b:e2:5d:8f:05:
                    78:ce:af:24:f0:c3:e4:9f:fd:74:9d:28:e4:ca:3e:
                    7e:ff:b4:b5:ac:4c:d5:a8:fa:8b:d4:dd:1f:8a:11:
                    9a:72:58:6e:8c:95:f0:74:eb:3b:38:25:31:62:c7:
                    81:c5:78:ce:16:50:52:be:0f:df:47:2c:98:1f:6a:
                    c5:3b:ca:80:f2:12:5e:5c:cf:42:c6:96:6c:d3:8f:
                    0c:9d:a7:12:5a:74:7f:2c:33:8a:95:1b:a4:3e:a9:
                    f9:6e:3b:39:c7:62:8a:35:bf:d3:ea:80:01:3d:da:
                    db:19:cd:00:71:e2:17:ea:ee:9d:23:35:42:0b:52:
                    67:88:af:ca:79:d2:6b:87:a0:6f:9e:09:e6:c7:3e:
                    9d:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC
            X509v3 Authority Key Identifier:
                keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         85:3c:70:59:64:a4:e0:d0:69:ba:01:d2:c1:08:57:26:2c:2f:
         9b:ed:11:ea:36:48:9a:44:d2:3c:4c:f0:bf:0e:d9:2a:5b:b5:
         4e:bf:2b:89:0d:41:3d:9b:ce:65:6a:f2:43:c3:dc:89:fb:ee:
         43:9b:d7:74:a7:49:9c:d9:bc:f7:5c:2e:da:2d:49:c2:39:ca:
         c7:ba:23:e2:05:29:fa:ab:f5:56:5b:46:e2:29:06:4d:1b:53:
         72:b1:a9:10:0b:98:d1:60:bd:da:07:0f:b5:39:8b:0d:52:ae:
         6f:d7:43:a3:96:af:8f:22:36:2e:5e:ee:a4:77:e5:af:f6:63:
         de:b4:e4:3c:63:e0:ed:e5:17:e0:50:66:fc:eb:02:13:00:10:
         a5:f8:28:53:68:6b:91:dd:c4:02:d5:94:a2:dc:f9:d1:3d:b2:
         8c:59:5b:e5:c6:46:a5:65:a7:cf:87:0e:c8:1f:81:50:3b:75:
         5d:fd:62:e1:9f:09:1e:b7:26:92:b4:97:87:a7:6e:cc:d3:a8:
         8c:e8:cf:a9:03:0a:13:fe:ee:a0:81:7e:22:c6:0d:0f:16:74:
         25:48:42:03:11:ad:08:af:2b:00:d3:b1:5e:a3:99:78:e1:1d:
         c0:31:f3:bb:f0:b1:7f:a1:87:5f:7d:6b:da:2e:fb:ab:f8:7b:
         0e:e9:17:fb
4. Create the SSL certificate private key
cd ..
sudo mkdir certs
cd certs/
sudo openssl genrsa -out zabbix.key 2048   # create the SSL private key
5. Create the SSL certificate CSR (certificate signing request); openssl prompts for the subject fields again, and the CN should be the server's main hostname
sudo openssl req -new -key zabbix.key -out zabbix.csr   # create the SSL certificate CSR
6. Create the extension file that lists the names the certificate must cover: create a new file with vim cert.ext, paste the following and save
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = 192.168.11.100
IP.3 = 192.168.10.200
DNS.4 = xa.it.com
DNS.5 = xiykj.com
DNS.6 = *.xa.com
# IP.2 = 192.168.11.100 is an IP address that https will be accessed on, and IP.3 is another; a certificate can cover several IP addresses this way. This is how a certificate for an IP address is self-signed.
# DNS.4 = xa.it.com is a domain name that https will be accessed on; DNS.5 and DNS.6 are domain names as well (DNS.6 is a wildcard that covers one label under xa.com, not xa.com itself). A certificate can cover several domain names this way. This is how a certificate for a domain is self-signed.
# The numeric suffixes (DNS.1, IP.2, ...) only have to make each key in [alt_names] unique; they need not be consecutive. Browsers match the hostname or IP they connect to against this list and ignore the CN once a subjectAltName is present. Apple clients (iOS 13 / macOS 10.15 and later) additionally require an extendedKeyUsage of serverAuth in a TLS server certificate, which this file does not set.
7. Sign the SSL certificate with the CA root certificate; the resulting certificate is valid for 20 years. openssl prompts for the CA.key passphrase from step 2. -CAcreateserial creates the serial-number file named by -CAserial (here serial, in the current directory) the first time and increments it on later signings, so no two certificates from this CA share a serial number.
sudo openssl x509 -req -in zabbix.csr -out zabbix.crt -days 7300 -CAcreateserial -CA ../ca/CA.crt -CAkey ../ca/CA.key -CAserial serial -extfile cert.ext
Twenty years is longer than some clients accept for a server certificate: Apple devices (iOS 13 and macOS 10.15 onward) reject TLS server certificates whose validity exceeds 825 days. A long lifetime for the CA itself is fine; issue the server certificate for 825 days or less and re-sign the same CSR when it expires.
8. List the files with ls -al
File list:
cert.ext    # extension configuration for the SSL certificate
serial      # serial-number file maintained by -CAserial
zabbix.crt  # the SSL certificate, which contains the public key
zabbix.csr  # the certificate signing request
zabbix.key  # the SSL certificate's private key
9. Inspect the signed certificate: sudo openssl x509 -in zabbix.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:ec:c9:2f:00:1e:d8:99:82:3c:e8:29:31:7f:a5:7e:7e:83:7a:e9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Validity
            Not Before: Mar 27 08:48:23 2024 GMT
            Not After : Mar 22 08:48:23 2044 GMT
        Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:90:90:b4:a6:99:87:e0:da:a5:3e:bf:f2:e5:
                    c0:ea:1a:62:87:31:8e:f4:f0:4d:3f:38:78:08:96:
                    3b:51:b6:69:d6:e6:22:f5:03:ea:40:46:9f:bd:b9:
                    0e:0a:c4:ae:81:26:0a:42:d5:47:6f:27:48:98:11:
                    e1:d7:b0:47:46:07:c1:f0:4e:d5:b6:a1:4d:a9:2a:
                    36:6a:d3:5f:76:15:57:9b:e5:09:17:8d:3c:6d:7e:
                    b1:5c:17:97:8f:7b:36:85:1f:51:fb:df:d9:6a:c5:
                    eb:6c:22:bb:10:2c:01:87:eb:c8:08:d6:20:ed:26:
                    87:c1:52:c7:3d:0f:ec:85:f2:86:ae:92:2b:fe:22:
                    8f:61:f6:de:d9:91:b7:55:b5:11:19:70:d4:f8:33:
                    50:c3:df:84:41:29:21:11:0c:a7:49:46:d7:cf:58:
                    81:ce:a2:94:76:27:99:c4:a0:33:04:3b:ea:b7:2d:
                    e3:7e:05:7e:d4:42:ae:b9:dc:e9:c5:04:72:1d:8b:
                    45:32:72:31:68:2c:dc:87:ff:39:c0:b0:e0:b7:c2:
                    4d:ac:db:1c:da:74:82:93:aa:9b:0f:6b:85:3f:3a:
                    51:f5:e4:fb:de:ce:85:7b:21:d5:75:37:21:a4:63:
                    7b:93:7c:51:36:5b:89:e2:5a:5e:40:23:ad:c7:be:
                    0c:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:192.168.11.100, IP Address:192.168.10.200, DNS:xa.it.com, DNS:xiykj.com, DNS:*.xa.com
    Signature Algorithm: sha256WithRSAEncryption
         8a:b4:63:10:18:ac:69:c1:6c:aa:d7:28:5e:21:5e:a1:cb:14:
         83:9e:d4:88:1f:c6:94:3b:98:00:f8:81:2c:05:b1:25:c9:89:
         84:08:7d:78:75:9c:4f:c8:30:50:ba:a7:f5:6f:9a:ae:0a:07:
         cd:9e:85:e0:5b:79:19:3f:f9:31:c8:4a:8a:5e:d2:3f:97:52:
         ee:0c:e5:0c:59:dc:ca:70:a2:1b:8e:78:eb:b4:90:cd:3b:8f:
         aa:43:a7:bd:43:0f:f1:f4:7b:18:cc:71:da:e8:a1:eb:40:30:
         e7:fb:e4:34:e1:16:d2:7a:88:1e:58:f3:d7:f9:b5:f9:30:a4:
         6e:35:23:d6:82:83:83:90:15:2c:5d:f4:aa:30:bd:f0:c1:95:
         6a:f3:c0:93:6c:36:54:8d:47:f5:43:3d:51:ee:04:69:77:35:
         5a:2f:0a:cf:af:72:75:37:ba:35:aa:80:52:df:d8:1a:ef:26:
         b0:aa:e4:87:d5:8a:e6:0b:bd:b4:ec:50:5e:fb:8b:98:9b:33:
         54:0c:a9:94:2a:a0:2a:7a:d9:84:82:ad:23:f0:39:f0:5a:5a:
         6e:20:cd:81:0a:c9:04:51:5e:60:41:b7:93:8c:d4:9b:b5:0b:
         39:e8:f7:2b:64:68:52:6d:c8:63:1f:d6:3b:9b:57:a8:fc:27:
         7d:cf:0a:44
10. Verify the SSL certificate against the CA; OK means it passed
sudo openssl verify -CAfile ../ca/CA.crt zabbix.crt
This checks the signature chain, the validity dates and the basic constraints only. It does not check that the name or IP you will browse to appears in the subjectAltName; openssl verify can do that as well when given -verify_hostname <name> or -verify_ip <address>, which is the check a browser applies.
Finally, import CA.crt into the "Trusted Root Certification Authorities" store on every client PC that needs access (Firefox keeps its own certificate store and needs the CA imported there too, unless it is configured to trust the system store), and deploy zabbix.crt and zabbix.key on the server. Only CA.crt is ever distributed; CA.key stays on the machine that signs.
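The whole flow as one script that runs without prompts, added here as an editor's example; it is not the original post's code. It assumes an openssl binary of version 1.1.1 or newer on PATH, and the organisation name "kj inc", the CA name and the SAN entries in the demo are placeholders. Where it departs from the steps above: the CA key is left unencrypted so the script can run unattended (protect it with file permissions or encrypt it afterwards), the root is given a keyUsage of keyCertSign/cRLSign and pathlen:0, the leaf gets extendedKeyUsage = serverAuth and an 825-day lifetime, and the final check tests the hostname or IP the way a browser does, which plain openssl verify does not.

```shell
#!/bin/sh
# Editor's example, not the original post's code: the CA -> CSR -> signed server
# certificate flow above, run without prompts, with the extensions modern clients
# expect and an 825-day leaf lifetime. Assumes an openssl 1.1.1+ binary on PATH;
# the organisation name "kj inc" and the SAN entries in the demo are placeholders.
set -eu

# make_ca DIR CN: unencrypted CA key plus a self-signed root. A private -config
# keeps the run independent of the system openssl.cnf and marks the root as a
# CA that may only sign end-entity certificates (pathlen:0) and CRLs.
make_ca() {
  local dir="$1" cn="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
  chmod 600 "$dir/CA.key"
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = CN
O = kj inc
CN = $cn
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$dir/CA.key" -sha256 -days 3650 \
    -config "$dir/ca.cnf" -out "$dir/CA.crt"
}

# issue_server_cert CADIR OUTDIR NAME DAYS SAN...: key, CSR and CA-signed leaf.
# Every SAN argument becomes a DNS: entry, or an IP: entry when it looks like an
# IPv4 address; the first one also serves as the CN.
issue_server_cert() {
  local cadir="$1" outdir="$2" name="$3" days="$4"
  shift 4
  local san="" entry
  for entry in "$@"; do
    case "$entry" in
      [0-9]*.[0-9]*.[0-9]*.[0-9]*) san="${san:+$san,}IP:$entry" ;;
      *)                           san="${san:+$san,}DNS:$entry" ;;
    esac
  done
  mkdir -p "$outdir"
  openssl genrsa -out "$outdir/$name.key" 2048 2>/dev/null
  chmod 600 "$outdir/$name.key"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1" \
    > "$outdir/$name.cnf"
  openssl req -new -key "$outdir/$name.key" -config "$outdir/$name.cnf" \
    -out "$outdir/$name.csr"
  # same shape as the post's cert.ext, plus the serverAuth EKU Apple clients require
  cat > "$outdir/$name.ext" <<EOF
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -in "$outdir/$name.csr" -CA "$cadir/CA.crt" -CAkey "$cadir/CA.key" \
    -CAcreateserial -sha256 -days "$days" -extfile "$outdir/$name.ext" \
    -out "$outdir/$name.crt" 2>/dev/null
}

# check_cert CADIR CERT TARGET: chain validation against the private root plus the
# name check a browser performs; TARGET is a hostname or an IPv4 address.
check_cert() {
  local cadir="$1" cert="$2" target="$3" flag="-verify_hostname"
  case "$target" in [0-9]*.[0-9]*.[0-9]*.[0-9]*) flag="-verify_ip" ;; esac
  openssl verify -CAfile "$cadir/CA.crt" "$flag" "$target" "$cert" >/dev/null 2>&1
}

# expires_within CERT DAYS: true when notAfter is less than DAYS from now
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# has_server_auth_eku CERT: true when the certificate carries extendedKeyUsage=serverAuth
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Demo in a scratch directory, using the names and addresses from the post's cert.ext
work=$(mktemp -d)
make_ca "$work/ca" "kj inc Private Root CA"
issue_server_cert "$work/ca" "$work/certs" zabbix 825 \
  xa.it.com localhost 192.168.11.100 192.168.10.200 xiykj.com '*.xa.com'
for target in xa.it.com 192.168.11.100 www.xa.com evil.example; do
  if check_cert "$work/ca" "$work/certs/zabbix.crt" "$target"; then
    echo "$target: OK"
  else
    echo "$target: rejected (not covered by subjectAltName)"
  fi
done
rm -rf "$work"
```

The demo accepts xa.it.com, the IP and the wildcard match www.xa.com, and rejects evil.example even though the certificate itself chains correctly to the root, which is the distinction step 10's plain openssl verify does not make. Because the CA's passphrase prompt is gone, the CA.key this script writes must be protected by the file permissions it sets and by keeping the directory off the web server.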
Reference: https://www.cnblogs.com/xiykj/p/18099784