Environment preparation
Issuing certificates with OpenSSL requires the OpenSSL binary and libraries. CentOS, Ubuntu and most other distributions ship them by default; run
openssl
to confirm (openssl version additionally reports the installed release). If the shell answers openssl: command not found, install it manually. On CentOS:
yum install openssl openssl-devel -y
Generate the certificate request file
Create openssl.cnf with the following contents. In [req_distinguished_name] the plain key (countryName) is the prompt text shown by openssl req and the _default key is the value pre-filled at that prompt. The [alt_names] section must list every hostname or IP address clients will use to reach the server: the DNS entries are commented out here, so this config yields an IP-only subjectAltName, and the IP.n values must match the address you actually serve on (the rest of this page names the files after 10.0.11.17).

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
# ISO 3166 code: CH is Switzerland, CN is China
countryName_default = CH
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = GD
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = organizationalUnitName
commonName = Common Name (eg, server hostname or IP)
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
# Replace with your own domain names
#DNS.1 = kb.example.com
#DNS.2 = helpdesk.example.org
#DNS.3 = systems.example.net
# Replace with your own IP addresses
IP.1 = 172.16.24.143
IP.2 = 172.16.24.85
Generate the private key
10.0.11.17.key is the name of the generated file; keys are customarily named after the server, and you can change it.
openssl genrsa -out 10.0.11.17.key 2048
The file holds the unencrypted private key, so restrict it to the owner (mode 600) and the account that runs the web server.
Create the CSR
Command to create the CSR file:
openssl req -new -out 10.0.11.17.csr -key 10.0.11.17.key -config openssl.cnf
You will be prompted for the country, organization and other fields; press Enter to accept the defaults from openssl.cnf or type your own values. Use the server's hostname or IP address as the Common Name, but note that modern browsers and TLS libraries match the server name against subjectAltName, not the Common Name, so the [alt_names] entries are what matters.
To confirm that the CSR was generated correctly, run:
openssl req -text -noout -in 10.0.11.17.csr
You will see output similar to the following (the Subject line shows whatever you typed at the prompts, so it will differ from this sample):
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=MN, L=Minneapolis, OU=Domain Control Validated, CN=zz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Further down, under Requested Extensions, check that X509v3 Subject Alternative Name lists the addresses from [alt_names]; if it is missing, the req_extensions = v3_req line was not picked up from the config file.
Self-sign and create the certificate
openssl x509 -req -days 3650 -in 10.0.11.17.csr -signkey 10.0.11.17.key -out 10.0.11.17.crt -extensions v3_req -extfile openssl.cnf
The -extensions v3_req -extfile openssl.cnf options are required: openssl x509 -req ignores the extensions embedded in the CSR (OpenSSL 3.0 added -copy_extensions to change that), so without them the certificate would carry no subjectAltName and clients would reject it for every name. OpenSSL releases before 1.1.0 sign with SHA-1 by default; on those add -sha256, because browsers reject SHA-1 signatures. A ten-year validity (-days 3650) is far longer than public CAs allow; a shorter lifetime limits the damage if the key leaks.
Afterwards the directory contains these three files:
10.0.11.17.crt
10.0.11.17.csr
10.0.11.17.key
This completes certificate generation with openssl. To check that the certificate works, point nginx's ssl_certificate and ssl_certificate_key directives at the .crt and .key files. Because the certificate is self-signed, clients will warn or refuse to connect until the .crt file is added to their trust store (or passed explicitly as the CA file), and they will accept it only for the IP addresses listed in subjectAltName.
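The following POSIX shell script is an added example, not code from the original page: it runs the whole procedure above non-interactively (config, key, CSR, self-signed certificate) and then performs the checks a practitioner wants before deploying: that the SAN survived into the certificate, that the certificate is not a CA, that the .crt and .key belong together, and that validation succeeds only when the certificate itself is the trust anchor. It assumes only that the openssl CLI is on PATH. 10.0.11.17 is the page's host name (used as file base name, Common Name and first SAN); the second SAN 172.16.24.85 comes from the page's config, and the DN values (CN, GD, ShenZhen, Example Org, Ops) are placeholders. Unlike the page's openssl.cnf, the generated config sets prompt = no so the DN is read from the file, and adds extendedKeyUsage = serverAuth.

```shell
#!/bin/sh
# Added example (not from the original page): the self-signed SAN certificate
# procedure as shell functions, plus post-generation checks.
# Requires the openssl CLI. Placeholders: the DN values in write_req_config
# and the second SAN 172.16.24.85; 10.0.11.17 is the page's host.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

# write_req_config OUT CN IP...  -- write an openssl.cnf with prompt = no so
# that "openssl req" takes the DN from the file instead of asking questions.
write_req_config() {
  out=$1; cn=$2; shift 2
  {
    cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C  = CN
ST = GD
L  = ShenZhen
O  = Example Org
OU = Ops
CN = $cn

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
EOF
    i=1
    for ip in "$@"; do          # one IP.n line per address clients connect to
      echo "IP.$i = $ip"
      i=$((i + 1))
    done
  } > "$out"
}

# make_san_cert NAME DAYS IP...  -- writes NAME.key, NAME.csr, NAME.crt (and
# NAME.cnf) as on the page; the first IP is also used as the Common Name.
make_san_cert() {
  name=$1; days=$2; shift 2
  write_req_config "$name.cnf" "$1" "$@"
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  chmod 600 "$name.key"                         # private key: owner-only
  openssl req -new -key "$name.key" -out "$name.csr" -config "$name.cnf"
  # x509 -req does not copy the CSR's extensions, so re-supply them from the
  # same config; -sha256 matters on OpenSSL < 1.1.0, which defaulted to SHA-1.
  openssl x509 -req -days "$days" -sha256 -in "$name.csr" -signkey "$name.key" \
    -out "$name.crt" -extensions v3_req -extfile "$name.cnf" 2>/dev/null
}

# cert_sans req|x509 FILE  -- print the subjectAltName entries of a CSR or cert.
cert_sans() {
  openssl "$1" -noout -text -in "$2" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_basic_constraints FILE  -- "CA:FALSE" for a leaf certificate.
cert_basic_constraints() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Basic Constraints' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_matches_key CRT KEY  -- succeeds when the certificate's public key is
# the one derived from the private key (catches a mixed-up .crt/.key pair).
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# verify_self_signed CRT  -- chain validation succeeds only when the cert
# itself is supplied as the trust anchor, which is what clients must do.
verify_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo run in a scratch directory.
work=$(mktemp -d)
cd "$work"
make_san_cert 10.0.11.17 3650 10.0.11.17 172.16.24.85
echo "CSR  SAN: $(cert_sans req 10.0.11.17.csr)"
echo "Cert SAN: $(cert_sans x509 10.0.11.17.crt)"
echo "Basic constraints: $(cert_basic_constraints 10.0.11.17.crt)"
cert_matches_key 10.0.11.17.crt 10.0.11.17.key && echo "certificate matches private key"
verify_self_signed 10.0.11.17.crt && echo "verify OK when the cert is its own trust anchor"
! openssl verify 10.0.11.17.crt >/dev/null 2>&1 && echo "verify fails against the system store, as expected"
echo "files written to $work"
```

Run it as a script to see the checks, or source it and call make_san_cert with your own host name and addresses. The last two verify calls show the practical consequence of self-signing: the certificate validates only for clients that are handed the .crt as their CA file, which is also how a browser or curl must be configured to accept it.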