All about openssl and SSL certificates

An introduction to openssl usage: creating a self-signed CA certificate and issuing SSL certificates, including multi-domain certificates and wildcard certificates.

Building your own CA certificate

### Configure openssl.cnf; you can leave it unchanged, it mainly sets default values for the prompts below
--- /etc/pki/tls/openssl.cnf ---
...
[ CA_default ]
...
default_days    = 3650            # how long to certify for
...
[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = CN
countryName_min            = 2
countryName_max            = 2
stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = GD
localityName            = Locality Name (eg, city)
localityName_default        = GZ
0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = Otokaze
organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default    = Otokaze
commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64
emailAddress            = Email Address
emailAddress_default    = root@zfl9.com
emailAddress_max        = 64
...

### touch index.txt serial
cd /etc/pki/CA/
touch index.txt serial
echo 01 > serial

### Generate the CA private key
openssl genrsa -out private/cakey.pem 2048
chmod 600 private/cakey.pem

### Create the self-signed CA certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem

Single-domain certificate

### Using nginx as the example; apache works the same way
mkdir /etc/pki/nginx
cd /etc/pki/nginx/

### Generate the private key
openssl genrsa -out www.zfl.com.key 2048

### Generate the CSR (certificate signing request)
openssl req -new -key www.zfl.com.key -out www.zfl.com.csr    # enter the domain name for Common Name

### Have the CA sign the certificate
openssl ca -in www.zfl.com.csr -out www.zfl.com.crt
or
openssl x509 -req -in www.zfl.com.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -out www.zfl.com.crt

Multi-domain (SAN) / wildcard CN certificates
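As an added example (not from the original post) tying the single-domain flow above to the multi-domain and wildcard case, the script below builds a throwaway CA, signs one certificate whose subjectAltName lists two hostnames and a wildcard, and verifies the chain and the hostname matching. It assumes `openssl` is on PATH; every directory, subject and hostname in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA in a temp dir, one
# certificate for several hostnames plus a wildcard via subjectAltName, then
# chain and hostname verification. Assumes openssl on PATH; all names are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/C=CN/O=Example Lab/CN=Example Lab Root CA"
SRV_SUBJ="/C=CN/O=Example Lab/CN=www.example.test"
SAN="DNS:www.example.test,DNS:api.example.test,DNS:*.dev.example.test"

make_ca() {
  # Key, CSR, then a self-signed root with explicit CA extensions so that
  # `openssl verify` accepts it as a CA on old and new releases alike.
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null &&
  chmod 600 "$WORK/cakey.pem" &&
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext" &&
  openssl req -new -key "$WORK/cakey.pem" -subj "$CA_SUBJ" -out "$WORK/ca.csr" &&
  openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
}

sign_server() {
  # Modern clients ignore the CN, so the hostnames go into a subjectAltName
  # extension file applied at signing time (x509 -req does not copy CSR extensions).
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$WORK/server.key" -subj "$SRV_SUBJ" -out "$WORK/server.csr" &&
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$SAN" > "$WORK/server.ext" &&
  openssl x509 -req -days 825 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

host_matches() {
  # -checkhost always exits 0, so the verdict has to be read from its output.
  openssl x509 -in "$WORK/server.crt" -noout -checkhost "$1" | grep -q 'does match'
}

verify_chain() {
  # Chain must validate against our root; two names must match (one through
  # the wildcard) and an unlisted sibling must not.
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null &&
  host_matches api.example.test && host_matches x.dev.example.test &&
  ! host_matches evil.example.test
}

run_demo() { make_ca && sign_server && verify_chain; }
if [ "${1:-}" = run ]; then run_demo && echo "certificates written to $WORK"; fi
```

Run it as `sh script.sh run`; the generated cacert.pem and server.crt land in the temp directory it prints.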

TXT_DB error number 2

### openssl ca reports this when the CSR's subject DN already appears in index.txt (unique_subject defaults to yes); resetting the database clears it, but also discards the record of previously issued certificates
rm -fr /etc/pki/CA/index.txt
touch /etc/pki/CA/index.txt

Importing the CA certificate

### A CA certificate we issued ourselves is not trusted by the system and has to be added manually; otherwise the browser will warn that the certificate is not secure, and curl will fail too

### windows
Win+R, run certmgr.msc
Go to Trusted Root Certification Authorities -> Certificates -> right-click -> All Tasks -> Import
Select your certificate file cacert.pem and import it

### linux
Back up the system's default root bundle first: cp -af /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem{,.bak}
Then append the CA to it: cat /etc/pki/CA/cacert.pem >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
### Note that on RHEL/CentOS this extracted bundle is regenerated by update-ca-trust, so for a change that survives updates place cacert.pem under /etc/pki/ca-trust/source/anchors/ and run update-ca-trust

Viewing the certificate chain

# view the certificate chain
openssl s_client -connect www.zfl9.com:443

# you will see fields like these
Certificate chain
 0 s:/CN=www.zfl9.com
   i:/C=CN/O=TrustAsia Technologies, Inc./OU=Symantec Trust Network/OU=Domain Validated SSL/CN=TrustAsia DV SSL CA - G5
 1 s:/C=CN/O=TrustAsia Technologies, Inc./OU=Symantec Trust Network/OU=Domain Validated SSL/CN=TrustAsia DV SSL CA - G5
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5