生成自簽名SSL證書

下面介紹如何生成自簽名SSL證書。前提是系統已經安裝好openssl。

[root@mail ~]# cd /etc/pki/tls/certs

# 生成私鑰
[root@mail certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
..............................................................+++
.........+++
e is 65537 (0x010001)
Enter pass phrase:    #輸入密碼
Verifying - Enter pass phrase:  #重複輸入密碼

#下面這個步驟是刪除server.key中的密碼
[root@mail certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:  #輸入剛才設定的密碼
writing RSA key

# 生成CSR（證書籤名請求）
[root@mail certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   #國家簡稱
State or Province Name (full name) []:Beijing   #省
Locality Name (eg, city) [Default City]:Beijing  #城市
Organization Name (eg, company) [Default Company Ltd]:OPS  #公司名
Organizational Unit Name (eg, section) []:OPS   #部門名
Common Name (eg, your name or your server's hostname) []:mail.opsky.top
Email Address []:admin@opsky.top  

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  #直接按Enter
An optional company name []:  #直接按Enter

#生成自簽名證書
[root@mail certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = OPS, OU = OPS, CN = mail.opsky.top, emailAddress = admin@opsky.top
Getting Private key

#設定許可權
[root@mail certs]# chmod 400 server.*

生成自簽名證書後，就可以使用sever.crt和server.key加密通訊資料。