自签名ssl证书
使用openssl工具进行自签名ssl证书,方便在内网环境中部署使用,为你的网站安全加把锁
自签证书流程:创建 ca 私钥--->用 ca 私钥生成 ca 根证书--->创建 ssl 私钥--->创建 ssl 证书csr--->用 ca 根证书签署生成 ssl 证书
操作方法:
1、创建一个文件夹 ca 用来保存 ca 证书文件
sudo mkdir ca
cd ca
2、创建 ca 私钥(建议设置密码)
sudo openssl genrsa -des3 -out CA.key 2048
3、生成 ca 证书,自签20年有效期,把此 ca 证书导入需要访问pc的“受信任的根证书颁发机构”中,后期用此 ca 签署的证书都可以使用
sudo openssl req -x509 -new -nodes -key CA.key -sha256 -days 7300 -out CA.crt
#查看证书信息命令 sudo openssl x509 -in CA.crt -noout -text
Certificate: Data: Version: 3 (0x2) Serial Number: 65:d9:98:70:56:3f:c1:49:27:59:b3:a0:07:1f:80:b0:05:9f:52:0a Signature Algorithm: sha256WithRSAEncryption Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com Validity Not Before: Mar 27 08:18:26 2024 GMT Not After : Mar 22 08:18:26 2044 GMT Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:b4:f9:ee:6c:5e:ef:81:6d:21:2b:17:7f:6e:ce: c3:82:1c:46:e6:28:ca:36:fb:49:dd:99:9e:44:a2: 84:8e:f0:b6:16:f7:0d:20:56:2d:7b:96:30:3d:23: 74:2d:d2:c0:25:2a:fd:df:2f:b9:30:82:38:a4:9d: c8:e8:2b:9d:e9:e2:24:59:44:cd:2b:fa:ed:27:b6: 2d:62:3f:73:45:5d:84:8e:75:48:3e:da:0b:67:45: 89:f1:9f:1f:35:39:1b:de:24:fd:1d:f0:b3:9a:38: 6e:fe:6d:04:d7:23:c2:74:28:4f:8b:e2:5d:8f:05: 78:ce:af:24:f0:c3:e4:9f:fd:74:9d:28:e4:ca:3e: 7e:ff:b4:b5:ac:4c:d5:a8:fa:8b:d4:dd:1f:8a:11: 9a:72:58:6e:8c:95:f0:74:eb:3b:38:25:31:62:c7: 81:c5:78:ce:16:50:52:be:0f:df:47:2c:98:1f:6a: c5:3b:ca:80:f2:12:5e:5c:cf:42:c6:96:6c:d3:8f: 0c:9d:a7:12:5a:74:7f:2c:33:8a:95:1b:a4:3e:a9: f9:6e:3b:39:c7:62:8a:35:bf:d3:ea:80:01:3d:da: db:19:cd:00:71:e2:17:ea:ee:9d:23:35:42:0b:52: 67:88:af:ca:79:d2:6b:87:a0:6f:9e:09:e6:c7:3e: 9d:85 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC X509v3 Authority Key Identifier: keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 85:3c:70:59:64:a4:e0:d0:69:ba:01:d2:c1:08:57:26:2c:2f: 9b:ed:11:ea:36:48:9a:44:d2:3c:4c:f0:bf:0e:d9:2a:5b:b5: 4e:bf:2b:89:0d:41:3d:9b:ce:65:6a:f2:43:c3:dc:89:fb:ee: 43:9b:d7:74:a7:49:9c:d9:bc:f7:5c:2e:da:2d:49:c2:39:ca: c7:ba:23:e2:05:29:fa:ab:f5:56:5b:46:e2:29:06:4d:1b:53: 72:b1:a9:10:0b:98:d1:60:bd:da:07:0f:b5:39:8b:0d:52:ae: 6f:d7:43:a3:96:af:8f:22:36:2e:5e:ee:a4:77:e5:af:f6:63: de:b4:e4:3c:63:e0:ed:e5:17:e0:50:66:fc:eb:02:13:00:10: a5:f8:28:53:68:6b:91:dd:c4:02:d5:94:a2:dc:f9:d1:3d:b2: 8c:59:5b:e5:c6:46:a5:65:a7:cf:87:0e:c8:1f:81:50:3b:75: 5d:fd:62:e1:9f:09:1e:b7:26:92:b4:97:87:a7:6e:cc:d3:a8: 8c:e8:cf:a9:03:0a:13:fe:ee:a0:81:7e:22:c6:0d:0f:16:74: 25:48:42:03:11:ad:08:af:2b:00:d3:b1:5e:a3:99:78:e1:1d: c0:31:f3:bb:f0:b1:7f:a1:87:5f:7d:6b:da:2e:fb:ab:f8:7b: 0e:e9:17:fb
4、创建ssl证书私钥
cd .. sudo mkdir certs cd certs/ sudo openssl genrsa -out zabbix.key 2048 #创建ssl私钥
5、创建ssl证书csr
sudo openssl req -new -key zabbix.key -out zabbix.csr #创建ssl证书csr
6、创建域名附加配置信息,新建一个文件,vim cert.ext,将下面代码粘贴后保存
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = localhost IP.2 = 192.168.11.100 IP.3 = 192.168.10.200 DNS.4 = xa.it.com DNS.5 = xiykj.com DNS.6 = *.xa.com
# IP.2 = 192.168.11.100 表示https要访问的ip,IP.3也是ip,ssl证书说明可以自签多个ip,这是自签ip的证书
# DNS.4 = xa.it.com 表示https要访问的域名,DNS.5,DNS.6都一样是域名,ssl证书说明可以自签多个域名,这是自签域名的证书
7、使用CA根证书签署ssl证书,自签ssl证书有效期20年
sudo openssl x509 -req -in zabbix.csr -out zabbix.crt -days 7300 -CAcreateserial -CA ../ca/CA.crt -CAkey ../ca/CA.key -CAserial serial -extfile cert.ext
8、查看文件,ls -al
文件列表:
cert.ext #ssl证书附加配置信息
serial #证书序列号
zabbix.crt #ssl证书文件,包含公钥信息
zabbix.csr #ssl证书签名文件
zabbix.key #ssl证书私钥
9、查看签署的证书信息,sudo openssl x509 -in zabbix.crt -noout -text
Certificate: Data: Version: 3 (0x2) Serial Number: 25:ec:c9:2f:00:1e:d8:99:82:3c:e8:29:31:7f:a5:7e:7e:83:7a:e9 Signature Algorithm: sha256WithRSAEncryption Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com Validity Not Before: Mar 27 08:48:23 2024 GMT Not After : Mar 22 08:48:23 2044 GMT Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:bb:90:90:b4:a6:99:87:e0:da:a5:3e:bf:f2:e5: c0:ea:1a:62:87:31:8e:f4:f0:4d:3f:38:78:08:96: 3b:51:b6:69:d6:e6:22:f5:03:ea:40:46:9f:bd:b9: 0e:0a:c4:ae:81:26:0a:42:d5:47:6f:27:48:98:11: e1:d7:b0:47:46:07:c1:f0:4e:d5:b6:a1:4d:a9:2a: 36:6a:d3:5f:76:15:57:9b:e5:09:17:8d:3c:6d:7e: b1:5c:17:97:8f:7b:36:85:1f:51:fb:df:d9:6a:c5: eb:6c:22:bb:10:2c:01:87:eb:c8:08:d6:20:ed:26: 87:c1:52:c7:3d:0f:ec:85:f2:86:ae:92:2b:fe:22: 8f:61:f6:de:d9:91:b7:55:b5:11:19:70:d4:f8:33: 50:c3:df:84:41:29:21:11:0c:a7:49:46:d7:cf:58: 81:ce:a2:94:76:27:99:c4:a0:33:04:3b:ea:b7:2d: e3:7e:05:7e:d4:42:ae:b9:dc:e9:c5:04:72:1d:8b: 45:32:72:31:68:2c:dc:87:ff:39:c0:b0:e0:b7:c2: 4d:ac:db:1c:da:74:82:93:aa:9b:0f:6b:85:3f:3a: 51:f5:e4:fb:de:ce:85:7b:21:d5:75:37:21:a4:63: 7b:93:7c:51:36:5b:89:e2:5a:5e:40:23:ad:c7:be: 0c:c9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Subject Alternative Name: DNS:localhost, IP Address:192.168.11.100, IP Address:192.168.10.200, DNS:xa.it.com, DNS:xiykj.com, DNS:*.xa.com Signature Algorithm: sha256WithRSAEncryption 8a:b4:63:10:18:ac:69:c1:6c:aa:d7:28:5e:21:5e:a1:cb:14: 83:9e:d4:88:1f:c6:94:3b:98:00:f8:81:2c:05:b1:25:c9:89: 84:08:7d:78:75:9c:4f:c8:30:50:ba:a7:f5:6f:9a:ae:0a:07: cd:9e:85:e0:5b:79:19:3f:f9:31:c8:4a:8a:5e:d2:3f:97:52: ee:0c:e5:0c:59:dc:ca:70:a2:1b:8e:78:eb:b4:90:cd:3b:8f: aa:43:a7:bd:43:0f:f1:f4:7b:18:cc:71:da:e8:a1:eb:40:30: e7:fb:e4:34:e1:16:d2:7a:88:1e:58:f3:d7:f9:b5:f9:30:a4: 6e:35:23:d6:82:83:83:90:15:2c:5d:f4:aa:30:bd:f0:c1:95: 6a:f3:c0:93:6c:36:54:8d:47:f5:43:3d:51:ee:04:69:77:35: 5a:2f:0a:cf:af:72:75:37:ba:35:aa:80:52:df:d8:1a:ef:26: b0:aa:e4:87:d5:8a:e6:0b:bd:b4:ec:50:5e:fb:8b:98:9b:33: 54:0c:a9:94:2a:a0:2a:7a:d9:84:82:ad:23:f0:39:f0:5a:5a: 6e:20:cd:81:0a:c9:04:51:5e:60:41:b7:93:8c:d4:9b:b5:0b: 39:e8:f7:2b:64:68:52:6d:c8:63:1f:d6:3b:9b:57:a8:fc:27: 7d:cf:0a:44
10、使用CA验证ssl证书状态,显示 OK 表示通过验证
sudo openssl verify -CAfile ../ca/CA.crt zabbix.crt
最后将 CA.crt 导入到需要访问的客户端PC“受信任的根证书颁发机构”中,把 zabbix.crt、zabbix.key 文件部署在服务器上即可