
Self-signed SSL certificate

Date: 2024-03-27 17:22:39
Tags: certificate, ca, 23, ssl, signature, com, CA

Use the openssl tool to self-sign an SSL certificate. This is convenient for deployments inside an internal network and adds a layer of protection to your website.

Self-signing flow: create the CA private key ---> generate the CA root certificate with the CA private key ---> create the SSL private key ---> create the SSL certificate CSR ---> sign the CSR with the CA root certificate to produce the SSL certificate

Procedure:

1. Create a folder named ca to hold the CA certificate files

sudo mkdir ca
cd ca

 

2. Create the CA private key (setting a passphrase is recommended)

sudo openssl genrsa -des3 -out CA.key 2048

 

3. Generate the CA certificate, self-signed with 20 years of validity. Import this CA certificate into the "Trusted Root Certification Authorities" store on the PCs that need access; any certificate later signed by this CA will then be accepted.

sudo openssl req -x509 -new -nodes -key CA.key -sha256 -days 7300 -out CA.crt

 

  # Command to view the certificate details: sudo openssl x509 -in CA.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:d9:98:70:56:3f:c1:49:27:59:b3:a0:07:1f:80:b0:05:9f:52:0a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = [email protected]
        Validity
            Not Before: Mar 27 08:18:26 2024 GMT
            Not After : Mar 22 08:18:26 2044 GMT
        Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC
            X509v3 Authority Key Identifier:
                keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

 

4. Create the SSL certificate private key

cd ..
sudo mkdir certs
cd certs/
sudo openssl genrsa -out zabbix.key 2048        # create the SSL private key

 

5. Create the SSL certificate CSR

sudo openssl req -new -key zabbix.key -out zabbix.csr        # create the SSL certificate CSR

 

6. Create the extension file with the domain details: create a new file with vim cert.ext, paste the following into it and save

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.2 = 192.168.11.100
IP.3 = 192.168.10.200
DNS.4 = xa.it.com
DNS.5 = xiykj.com
DNS.6 = *.xa.com

  # IP.2 = 192.168.11.100 is the IP address that will be accessed over https; IP.3 is also an IP. A certificate can cover several IPs, so this is a certificate issued for IP addresses

  # DNS.4 = xa.it.com is the domain name that will be accessed over https; DNS.5 and DNS.6 are also domain names. A certificate can cover several domain names, so this is a certificate issued for domain names

 

7. Sign the SSL certificate with the CA root certificate; the self-signed SSL certificate is valid for 20 years

sudo openssl x509 -req -in zabbix.csr -out zabbix.crt -days 7300 -CAcreateserial -CA ../ca/CA.crt -CAkey ../ca/CA.key -CAserial serial -extfile cert.ext

 

8. View the files with ls -al

File list:

cert.ext            # SSL certificate extension configuration
serial            # certificate serial number
zabbix.crt        # SSL certificate file, contains the public key
zabbix.csr        # SSL certificate signing request
zabbix.key        # SSL certificate private key

 

9. View the signed certificate's details: sudo openssl x509 -in zabbix.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:ec:c9:2f:00:1e:d8:99:82:3c:e8:29:31:7f:a5:7e:7e:83:7a:e9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = [email protected]
        Validity
            Not Before: Mar 27 08:48:23 2024 GMT
            Not After : Mar 22 08:48:23 2044 GMT
        Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:192.168.11.100, IP Address:192.168.10.200, DNS:xa.it.com, DNS:xiykj.com, DNS:*.xa.com
    Signature Algorithm: sha256WithRSAEncryption

 

10. Verify the SSL certificate against the CA; OK means it passed verification

sudo openssl verify -CAfile ../ca/CA.crt zabbix.crt

   Finally, import CA.crt into the "Trusted Root Certification Authorities" store on the client PCs that need access, and deploy zabbix.crt and zabbix.key on the server.
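The whole procedure above as one non-interactive script, added here as an example and not taken from the original post: it passes the subject with -subj instead of answering prompts, supplies the CA passphrase through -passout/-passin, uses the keyUsage and extendedKeyUsage a TLS server actually needs, and ends with the verify step plus checks that the SANs and CA:FALSE really landed in the issued certificate. Names, IPs and the passphrase are constructed placeholders; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: the ten steps above run
# non-interactively (-subj instead of prompts, passphrase via -passin/-passout)
# plus the checks a deployer should make before trusting the result.
# Assumed: openssl 1.1.1+ on PATH. Names, IPs and the passphrase are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-change-me-ca-passphrase}"   # constructed placeholder
# Steps 1-3: encrypted CA key (the post recommends a passphrase) and 20-year root.
make_ca() {
  mkdir -p "$WORK/ca"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca/CA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca/CA.key" -passin "pass:$CA_PASS" -sha256 \
    -days 7300 -subj "/C=CN/ST=Shan Xi/L=Xi'An/O=kj inc/CN=xa.it.com" \
    -out "$WORK/ca/CA.crt"
}

# Steps 4-7: server key, CSR, extension file with the SANs, CA-signed leaf.
make_leaf() {
  d="$WORK/certs"; mkdir -p "$d"
  openssl genrsa -out "$d/zabbix.key" 2048 2>/dev/null
  openssl req -new -key "$d/zabbix.key" -subj "/CN=xa.it.com" -out "$d/zabbix.csr"
  cat > "$d/cert.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = xa.it.com
DNS.2 = *.xa.com
IP.1 = 192.168.11.100
EOF
  openssl x509 -req -in "$d/zabbix.csr" -CA "$WORK/ca/CA.crt" -CAkey "$WORK/ca/CA.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 7300 -sha256 \
    -extfile "$d/cert.ext" -out "$d/zabbix.crt" 2>/dev/null
}

# Steps 9-10 as checks: chain verifies against our CA, the SANs are present,
# the leaf is not a CA, and without CA.crt in a trust store it is NOT trusted.
check_leaf() {
  d="$WORK/certs"
  openssl verify -CAfile "$WORK/ca/CA.crt" "$d/zabbix.crt" >/dev/null || return 1
  text=$(openssl x509 -in "$d/zabbix.crt" -noout -text)
  echo "$text" | grep -q 'DNS:xa.it.com, DNS:\*.xa.com, IP Address:192.168.11.100' || return 1
  echo "$text" | grep -q 'CA:FALSE' || return 1
  ! openssl verify "$d/zabbix.crt" >/dev/null 2>&1   # default store: must fail
}
```

Run `make_ca && make_leaf && check_leaf` to reproduce the whole flow; the last check is the reason step 3 tells you to import CA.crt on every client.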

From: https://www.cnblogs.com/xiykj/p/18099784
