Creating a self-signed CA with openssl and using it to issue server certificates

Published: 2025-08-17 ⋅ Reads: (18) ⋅ Likes: (0)


When developing and testing software you often need TLS certificates. Web applications published on the public internet normally use certificates issued by commercial CAs, but for TLS authentication in some specialised scenarios, and for many internal company services, self-signed certificates are common. Making self-signed certificates with openssl is a simple, convenient and free option.

Create the directory structure

First create a directory structure for the certificates and related files:

mkdir -p ca/{certs,crl,newcerts,private}
chmod 700 ca/private
touch ca/index.txt
echo 1000 > ca/serial

Create the CA configuration file

Create a configuration file named ca.cnf (assuming our domain is example.com):

[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = ./ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.crt.pem

crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256
x509_extensions     = v3_ca
prompt              = no

[ req_distinguished_name ]
countryName                     = CN
stateOrProvinceName             = SH
localityName                    = SH
organizationName                = <Your org name>
organizationalUnitName          = <Your org name>
commonName                      = example.com
emailAddress                    = <mail addr>

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = *.example.com
DNS.3 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1

[ crl_ext ]
authorityKeyIdentifier=keyid:always

Create the CA private key and certificate

# Create the CA private key
openssl genrsa -out ca/private/ca.key.pem 2048
chmod 400 ca/private/ca.key.pem

# Create the CA certificate (self-signed, valid for 20 years, with the v3_ca extensions)
openssl req -config ca.cnf -key ca/private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca/certs/ca.crt.pem

chmod 444 ca/certs/ca.crt.pem

When creating the CA certificate you would normally be prompted for some information (with prompt = no in the configuration file, as above, the values from req_distinguished_name are used and nothing is asked), for example:

Country Name: US
State or Province Name: California
Locality Name: San Francisco
Organization Name: Your Organization
Organizational Unit Name:
Common Name: example.com Root CA
Email Address:

Create the server private key and certificate signing request

# Create the server private key
openssl genrsa -out ca/private/server.key.pem 2048

# Create the certificate signing request (CSR)
openssl req -config ca.cnf -key ca/private/server.key.pem -new -sha256 -out ca/certs/server.csr.pem

Issue the server certificate with the CA

# Issue the server certificate (v3_server extensions: CA:FALSE, serverAuth, SAN)
openssl ca -config ca.cnf -extensions v3_server -days 375 -notext -md sha256 -in ca/certs/server.csr.pem -out ca/certs/server.crt.pem -batch

During issuance you will be asked to confirm the details; type "y" and press Enter. (With -batch, as in the command above, it no longer asks.)

Set the correct permissions:

chmod 444 ca/certs/server.crt.pem
chmod 400 ca/private/server.key.pem

Verify the certificates

# Inspect the server certificate
openssl x509 -noout -text -in ca/certs/server.crt.pem

The output should contain the subject alternative names:

X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com, DNS:localhost, IP Address:127.0.0.1, IP Address:::1

# Verify the certificate chain
openssl verify -CAfile ca/certs/ca.crt.pem ca/certs/server.crt.pem

Output:

ca/certs/server.crt.pem: OK
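The two checks above only confirm the chain; they do not tell you whether the certificate is actually usable for a given hostname, whether the leaf was accidentally issued as a CA, or whether the key you deploy belongs to it. The script below is an added example (not part of the original post) that turns those checks into reusable functions. It assumes openssl 1.1.1 or newer on PATH; the script name check_certs.sh is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the original post: the verification steps
# above as reusable checks. Assumes openssl 1.1.1 or newer on PATH.
set -u

# Return 0 if private key $1 belongs to certificate $2 (compares the
# SubjectPublicKeyInfo derived from each), else 1.
key_matches_cert() {
  key=$1; cert=$2
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)" ]
}

# Return 0 if $2 chains to CA $1, is usable as a TLS server certificate
# for hostname $3, is not itself a CA, and is not expiring within 30 days.
check_server_cert() {
  ca=$1; cert=$2; host=$3
  # One call covers chain, keyUsage/EKU (-purpose) and SAN match
  # (wildcards such as *.example.com are honoured).
  openssl verify -CAfile "$ca" -purpose sslserver \
      -verify_hostname "$host" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not verify as a server cert for $host"; return 1; }
  # A leaf carrying CA:TRUE could sign further certificates under this CA.
  openssl x509 -in "$cert" -noout -ext basicConstraints 2>/dev/null |
      grep -q 'CA:FALSE' ||
    { echo "FAIL: $cert lacks basicConstraints CA:FALSE"; return 1; }
  # -checkend N fails if the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: $cert expires within 30 days; renew it"; return 1; }
  echo "OK: $cert is a valid server certificate for $host"
}

# Stand-alone use (hypothetical name):
#   check_certs.sh CA_CERT SERVER_CERT HOSTNAME [SERVER_KEY]
if [ "$#" -ge 3 ]; then
  check_server_cert "$1" "$2" "$3" || exit 1
  if [ "$#" -eq 4 ]; then
    key_matches_cert "$4" "$2" && echo "OK: key matches certificate" ||
      { echo "FAIL: key does not match certificate"; exit 1; }
  fi
fi
```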

Add the root certificate to the system trust store

Windows:

Double-click the CA certificate (ca.cert) and install it into the trusted root store;

Linux:

# Create the certificate directory (if it does not exist)
sudo mkdir -p /usr/local/share/ca-certificates/extra

# Copy the certificate into that directory (keep the .crt extension:
# update-ca-certificates only picks up files ending in .crt, so a file
# such as ca/certs/ca.crt.pem must be copied under a .crt name)
sudo cp my_ca.crt /usr/local/share/ca-certificates/extra/

# Update the system trust store
sudo update-ca-certificates

# Check whether the certificate is now in the trust store
trust list | grep -i "your certificate name"

Additional configuration for specific applications (such as browsers)

Some applications (such as Chrome/Chromium) may use their own certificate store:
For Chrome/Chromium:
Enter chrome://settings/certificates in the address bar
Switch to the "Authorities" tab
Click "Import" and select your certificate file
Tick "Trust this certificate for identifying websites" and the other options you need

For Firefox:
Enter about:preferences#privacy in the address bar
Scroll to the "Certificates" section and click "View Certificates"
Switch to the "Authorities" tab
Click "Import" and select the certificate file
Tick the appropriate trust options
