Generating a CA root certificate, a server certificate (origin server) and a client certificate (reverse proxy server): details and step-by-step procedure
Generating the CA root certificate
Create the file ca-openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
organizationName = Organization Name (eg, company)
organizationName_default = Internet Widgits Pty Ltd
commonName = Common Name (eg, YOUR name)
commonName_default = AbelCA
[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign
Generate the CA root certificate. The certificate is self-signed, -extensions v3_req selects the section above, and -nodes leaves ca.key unencrypted, so keep that file off the servers and readable only by whoever issues certificates.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req
Generating the server certificate (origin server)
Create the file server-openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Example, Co.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
####################################################################
# The [ ca ] and [ CA_default ] sections below are only consulted by the
# "openssl ca" command. The commands in this article sign with
# "openssl x509 -req" instead, so these sections are never used
# (private_key even points at private/cakey.pem rather than the ca.key
# generated above). They are kept here only for completeness.
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = . # Where everything is kept
certs = $dir # Where the issued certs are kept
crl_dir = $dir # Where the issued CRLs are kept
database = $dir/index.txt # database index file
new_certs_dir = $dir # default place for new certs
certificate = $dir/ca.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current CRL number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = bluepost.cn
DNS.2 = *.bluepost.cn
IP.1 = 115.155.2.10
Remember to edit alt_names in the configuration above: replace the domain names and the IP address with your own. Several domains are added as DNS.1, DNS.2, ...; IP addresses are supported too, as IP.1 = x.x.x.x.
Every name the certificate has to cover must be listed. If the origin server is reached by IP, list both the server's public IP and its domain name; otherwise the browser rejects the certificate with an error that it does not specify a subject alternative name, because modern browsers match the host against the SAN only and ignore the Common Name.
Generate the server certificate
# Create the server private key
openssl genrsa -out server.key.rsa 2048
# Convert the key to the more widely supported PKCS#8 format
openssl pkcs8 -topk8 -in server.key.rsa -out server.key -nocrypt
# Generate the certificate signing request from the key
openssl req -new -key server.key -out server.csr -config server-openssl.cnf
# Sign the request with the CA to produce the server certificate, valid for 10 years.
# -extfile/-extensions are required: "openssl x509 -req" does not copy the subjectAltName
# and keyUsage extensions out of the CSR, so without them the certificate would carry no SAN at all.
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extensions v3_req -extfile server-openssl.cnf -days 3650
Generating the client certificate (reverse proxy server)
On the reverse proxy, httpd-ssl.conf needs SSLProxyMachineCertificateFile pointing at the combined key and certificate file produced below. For the proxy to verify the origin server's certificate it also needs SSLProxyCACertificateFile pointing at ca.pem, together with SSLProxyVerify require.
# Create the client private key
openssl genrsa -out proxy_client.key 2048
# Generate the certificate signing request from the key (no config file is given, so openssl prompts for the subject fields)
openssl req -new -key proxy_client.key -out proxy_client.csr
# Sign the request with the CA to produce the client certificate, valid for 10 years.
# No -extfile is given, so this certificate carries no extensions at all; if the origin server
# insists on extendedKeyUsage = clientAuth, sign with -extfile/-extensions as done for the server certificate.
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in proxy_client.csr -out proxy_client.pem -days 3650
# Bundle the private key and certificate into PKCS#12; keystore password and key password are both 123456
# (a demonstration value, choose a real one). -CAfile alone does not put the CA certificate into the
# bundle: add -chain (or -certfile ca.pem) if the chain should be included.
openssl pkcs12 -export -CAfile ca.pem -in proxy_client.pem -inkey proxy_client.key -out proxy_client.p12 -passout pass:123456
# Concatenate the client key and certificate into one file, used as the **reverse proxy's client certificate configuration** (SSLProxyMachineCertificateFile)
# Note: the key must be unencrypted and in PKCS#1 format (a "BEGIN RSA PRIVATE KEY" block). If it is PKCS#8
# ("BEGIN PRIVATE KEY"), convert it with: openssl rsa -in private-pkcs8.key -out private.key
# (on OpenSSL 3.x add -traditional, since there genrsa and rsa write PKCS#8 by default)
cat proxy_client.key proxy_client.pem > client_key_crt.pem
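The whole procedure of this article as one non-interactive script, added here as an example (it is not the article's own code). It builds the CA, the origin server's certificate with SAN and serverAuth, and the proxy's client certificate with clientAuth, then checks what the steps above leave unchecked: that each certificate chains to ca.pem, that the server certificate covers the DNS names and the IP through its SAN, that each private key belongs to its certificate, and that the key in the file destined for SSLProxyMachineCertificateFile is PKCS#1 even on OpenSSL 3, whose genrsa writes PKCS#8 by default. The scratch directory, the client name proxy.bluepost.cn and the extendedKeyUsage values are assumptions; the host names and IP are the article's sample values.

```shell
#!/bin/sh
# Added example, not code from the original article: build the CA, the origin
# server certificate and the reverse proxy's client certificate without any
# interactive prompts, then run the checks worth doing before the files go
# anywhere near Apache. Assumed: scratch directory $WORK, the article's sample
# names bluepost.cn / *.bluepost.cn / 115.155.2.10, and proxy.bluepost.cn for
# the client. Only the openssl CLI (1.1.x or 3.x) is required.
set -e
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Root CA: prompt = no fixes the subject; v3_ca is selected with -extensions.
make_ca() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nC = CN\nO = Example, Co.\nCN = AbelCA\n' > ca.cnf
  printf '[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' >> ca.cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -config ca.cnf -extensions v3_ca -days 3650 2>/dev/null
}

# Leaf config: $1 file, $2 CN, $3 extendedKeyUsage, remaining args are SAN lines.
# extendedKeyUsage is an addition over the article's config, so the server cert
# cannot double as a client cert and vice versa.
write_cnf() {
  file=$1 cn=$2 eku=$3; shift 3
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n'
    printf '[dn]\nC = CN\nO = Example, Co.\nCN = %s\n' "$cn"
    printf '[v3_req]\nbasicConstraints = critical, CA:FALSE\n'
    printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = %s\nsubjectAltName = @alt_names\n[alt_names]\n' "$eku"
    for san in "$@"; do printf '%s\n' "$san"; done
  } > "$file"
}

# Key + CSR + CA-signed cert, as in the article. -extfile is required because
# "openssl x509 -req" does not copy extensions out of the CSR. $1 basename, $2 config.
issue_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -config "$2"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 3650 -extfile "$2" -extensions v3_req 2>/dev/null
}

# The machine certificate file wants an unencrypted PKCS#1 key ("BEGIN RSA
# PRIVATE KEY"). OpenSSL 3's genrsa writes PKCS#8 by default, so normalise:
# -traditional on 3.x, plain "openssl rsa" where that option is unknown (1.1.x).
to_pkcs1() {
  openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null ||
    openssl rsa -in "$1" -out "$2" 2>/dev/null
}
is_pkcs1() { grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; }

# --- checks ---------------------------------------------------------------
verify_chain() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }
# -purpose applies the keyUsage / extendedKeyUsage rules a TLS peer would:
# sslserver for the origin's cert, sslclient for the proxy's.
has_purpose() { openssl verify -CAfile ca.pem -purpose "$2" "$1" >/dev/null 2>&1; }
# Names the proxy will dial must be covered by the SAN; *.bluepost.cn covers api.bluepost.cn.
verify_server_names() {
  for n in bluepost.cn api.bluepost.cn; do
    openssl verify -CAfile ca.pem -verify_hostname "$n" server.pem >/dev/null 2>&1 || return 1
  done
  openssl verify -CAfile ca.pem -verify_ip 115.155.2.10 server.pem >/dev/null 2>&1
}
# SHA-256 of the DER SubjectPublicKeyInfo from a key ($1=key) or a cert ($1=cert);
# equal digests prove the private key belongs to the certificate.
spki_sha256() {
  if [ "$1" = key ]; then openssl pkey -in "$2" -pubout -outform DER
  else openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER
  fi | openssl dgst -sha256 | sed 's/.*= //'
}
key_matches_cert() { [ "$(spki_sha256 key "$1")" = "$(spki_sha256 cert "$2")" ]; }

build_demo_pki() {
  make_ca
  write_cnf server.cnf bluepost.cn serverAuth \
    'DNS.1 = bluepost.cn' 'DNS.2 = *.bluepost.cn' 'IP.1 = 115.155.2.10'
  issue_cert server server.cnf
  write_cnf client.cnf proxy.bluepost.cn clientAuth 'DNS.1 = proxy.bluepost.cn'
  issue_cert proxy_client client.cnf
  to_pkcs1 proxy_client.key proxy_client.pkcs1.key
  cat proxy_client.pkcs1.key proxy_client.pem > client_key_crt.pem   # for SSLProxyMachineCertificateFile
}
report() { name=$1; shift; if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi; }

build_demo_pki
report "server chains to ca.pem"      verify_chain server.pem
report "client chains to ca.pem"      verify_chain proxy_client.pem
report "server SAN covers names + IP" verify_server_names
report "server usable as TLS server"  has_purpose server.pem sslserver
report "client usable as TLS client"  has_purpose proxy_client.pem sslclient
report "server key matches cert"      key_matches_cert server.key server.pem
report "client key matches cert"      key_matches_cert proxy_client.key proxy_client.pem
report "machine cert file is PKCS#1"  is_pkcs1 client_key_crt.pem
echo "artifacts in $WORK"
```

Run it with sh; the files land in the temporary directory printed at the end, and client_key_crt.pem is the file to hand to SSLProxyMachineCertificateFile. With the article's own server config, which carries no extendedKeyUsage, `has_purpose server.pem sslclient` would also succeed, since keyUsage digitalSignature alone satisfies the client check; with serverAuth added it fails, which is why the example adds the extension.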
When reposting, please credit: 半亩方塘 » Creating free self-signed SSL certificates for Apache and configuring the Apache reverse proxy to verify the backend server's HTTPS certificate