- 创建根证书的私匙(ca.key)
openssl genrsa -out ca.key 2048
- 创建根证书(ca.crt)
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt -subj "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=Your Root CA"
- 创建SSL证书私匙(网站证书)(server.key)
openssl genrsa -out server.key 2048
- 创建SSL证书(网站证书)(server.crt)
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=ShiChuan/L=ChengDu/O=Your Company Name/OU=wangye.org/CN=wangye.org"/O字段内容必须与刚才的CA根证书相同;/CN字段为公用名称(Common Name),必须为网站的域名(不带www);/OU字段最好也与为网站域名
- 用CA根证书签署SSL自建证书
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key报错:unable to open '/etc/pki/CA/index.txt'[root@localhost tmp]# touch /etc/pki/CA/index.txt报错:error while loading serial number140515054446496:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')[root@localhost tmp]# echo 00 > /etc/pki/CA/serial [root@localhost tmp]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 0 (0x0) Validity Not Before: Feb 7 02:13:45 2017 GMT Not After : Feb 7 02:13:45 2018 GMT Subject: countryName = CN stateOrProvinceName = ShiChuan organizationName = Your Company Name organizationalUnitName = wangye.org commonName = wangye.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 5E:D1:22:95:85:87:DF:FC:0C:C8:C9:BC:7F:73:A6:20:B9:80:83:8C X509v3 Authority Key Identifier: keyid:24:C0:24:B4:A9:E6:84:B6:9D:1B:DF:64:C0:52:96:C2:3D:FA:9C:85Certificate is to be certified until Feb 7 02:13:45 2018 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated 服务器需要的证书:server.crt和server.key 备注:由于是自签名证书,所以客户端需要安装根证书,将刚才第2步创建的根证书ca.crt下载到客户端,然后双击导入,否则会提示不受信任的证书发布商问题