本文介绍如何使用 shell 脚本和 openssl 工具自建 CA，并使用该 CA 签发证书，包括 CA 证书生成、签发过程及 SAN 证书生成。通过配置文件和命令行操作，实现证书的生成和验证。
CA
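# --- CA: private key, CSR and self-signed root certificate ---
# $CA is the base name of the CA files (key/csr/crt). The listing never
# assigns it, so it is assumed to be set by the caller, e.g. CA=myca.

# P-256 private key for the CA.
openssl ecparam -out "$CA.key" -name prime256v1 -genkey

# CSR for the CA itself (the subject is prompted for interactively).
openssl req -new -sha256 -key "$CA.key" -out "$CA.csr"

# Extensions for the root certificate. Without basicConstraints CA:TRUE many
# clients refuse to build a chain through this certificate; keyUsage limits
# the CA key to signing certificates and CRLs.
cat > "$CA.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-sign for 10 years, attaching the extensions above.
openssl x509 -req -sha256 -days 3650 -in "$CA.csr" -signkey "$CA.key" -out "$CA.crt" \
    -extfile "$CA.ext"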
签发
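# --- Issue a server certificate signed by the CA from the previous section ---
# Requires $CA.crt and $CA.key; $CA is assumed to be set by the caller.

# Leaf validity in days. 3650 is the listing's original value, but some TLS
# clients reject server certificates valid for more than roughly two years,
# so override with e.g. DAYS=825 when the certificate must be accepted widely.
DAYS=${DAYS:-3650}

# P-256 private key for the server.
openssl ecparam -out ssl.key -name prime256v1 -genkey

# CSR (subject prompted interactively). No extensions are requested here, so
# the issued certificate carries no subjectAltName; browsers do not fall back
# to the CN, so use the config-file based CSR from the SAN section for real use.
openssl req -new -sha256 -key ssl.key -out ssl.csr

# Sign with the CA. -CAcreateserial creates the serial-number file next to the
# CA certificate on first use and increments it on later issuances.
openssl x509 -req -in ssl.csr -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -out ssl.crt -days "$DAYS" -sha256

# Inspect the result, then confirm it actually chains to the CA.
openssl x509 -in ssl.crt -text -noout
openssl verify -CAfile "$CA.crt" ssl.crt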
SAN证书生成
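# RSA-2048 private key for the SAN certificate. Generation is skipped when the
# file already exists, so re-running the steps does not silently replace a key
# that a certificate may already have been issued for (delete the file to
# force a new key).
[ -e domain.dev.key ] || openssl genrsa -out domain.dev.key 2048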
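# config.conf — OpenSSL request configuration for a certificate covering
# domain.dev and *.domain.dev, used via `openssl req -config config.conf`.

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
# Extensions embedded in the CSR. `openssl x509 -req` does not copy them into
# the signed certificate on its own; pass this file with -extfile/-extensions
# when signing.
req_extensions      = v3_req

# Subject fields: `<field> = <prompt text>` and `<field>_default = <value used
# when the prompt is answered with Enter>`.
[ req_distinguished_name ]
commonName                     = domain.dev
commonName_default             = *.domain.dev
commonName_max                 = 64
countryName                    = China
countryName_default            = CN
stateOrProvinceName            = Province
stateOrProvinceName_default    = Beijing
localityName                   = City
localityName_default           = Beijing
organizationName               = Organization
organizationName_default       = Lenovo
organizationalUnitName         = Department
organizationalUnitName_default = CAORG Team
emailAddress                   = Email
# NOTE(review): the address below appears redacted in the published listing;
# substitute a real address or drop the field.
emailAddress_default           = [email protected]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
# Some modern TLS clients only accept a server certificate that states the
# serverAuth extended key usage explicitly.
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = domain.dev
DNS.2 = *.domain.dev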
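# --- CSR with SAN, then signing with the CA from the first section ---
# Requires config.conf from above and $CA.crt / $CA.key; $CA is assumed to be set.

# The key is only generated if it does not exist yet, so re-running does not
# silently replace a key that a certificate may already have been issued for.
[ -e domain.dev.key ] || openssl genrsa -out domain.dev.key 2048

# CSR: -config supplies the subject defaults and the v3_req extensions (SAN);
# -nodes leaves the private key unencrypted.
openssl req -new -nodes -out domain.dev.csr -key domain.dev.key -config config.conf

# Sign with the CA. `openssl x509 -req` ignores the extensions carried in the
# CSR, so the SAN has to be supplied again through -extfile/-extensions or the
# issued certificate ends up without one. Validity defaults to the listing's
# 3650 days; override with DAYS=... where clients enforce a shorter maximum.
openssl x509 -req -in domain.dev.csr -CA "$CA.crt" -CAkey "$CA.key" -CAcreateserial \
    -out domain.dev.crt -days "${DAYS:-3650}" -sha256 \
    -extfile config.conf -extensions v3_req

# Check that the Subject Alternative Name is present in the certificate and
# that it chains to the CA.
openssl x509 -in domain.dev.crt -text -noout
openssl verify -CAfile "$CA.crt" domain.dev.crt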