Generating a self-signed certificate with OpenSSL


Building your own CA server

SSL certificate directory layout on the CA server

/etc/pki/CA/
    newcerts        certificates the CA has signed (issued); serves as the backup directory
    private         the CA's private key
    crl             revoked certificates
/etc/pki/tls/
    cert.pem        symlink to certs/ca-bundle.crt
    certs/          certificate store on this host, holding personal and built-in certificates
        ca-bundle.crt   the built-in trusted certificates
    private         directory for certificate private keys
    openssl.cnf     the main OpenSSL CA configuration file

CA private key and root certificate

  • Preparation
# cd /etc/pki/CA
# touch index.txt serial
# echo 01 > serial
  • Generate the CA server root key
# cd /etc/pki/CA/private
# openssl genrsa -out cakey.pem 2048
  • Generate the CA server root certificate

Use the req command to generate the self-signed certificate:

# cd /etc/pki/CA/private
# openssl req -new -x509 -key cakey.pem -out ../cacert.pem

nginx server side

Server-side key pair

  • Generate the server private key
# cd /etc/nginx/ssl
# openssl genrsa -out server.key 2048
  • Generate the server certificate signing request
# cd /etc/nginx/ssl
# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:xxxx
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:xxx.xxx.xxx.xxx
Email Address []:xxx@xxx.xxx.xx.xx
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing the certificate with the private CA

  • Generate the signed certificate
    Copy the signing request from the nginx host to the CA server and run the following command:
# openssl x509 -req -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -in server.csr -out server.crt
Running this command on the CA server produces the .crt certificate; copy that .crt file back to the nginx server.

Browser side (the actual user)

Import the CA server's root certificate into the personal trust store (e.g. 12306).
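The whole procedure above, run end to end as an added example that is not part of the original post. It works in a scratch directory instead of /etc/pki/CA and /etc/nginx/ssl, replaces the interactive DN prompts with -subj, and finishes with `openssl verify -CAfile`, which is the command-line counterpart of the browser trusting the imported root. One difference from the post is deliberate: a bare `openssl x509 -req` issues a certificate with no extensions, and current browsers refuse a server certificate that has no subjectAltName, so an extfile adds one. The hostname www.example.test, the DN values and the file name demo_pki.sh are placeholders chosen for this example; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): the post's CA -> nginx flow run
# end to end in a scratch directory instead of /etc/pki/CA and /etc/nginx/ssl.
# Assumptions: the openssl CLI is installed; www.example.test and the DN
# values are placeholders chosen for this demo.
set -eu

# Build the CA and issue a server certificate under the directory given as $1.
build_demo_pki() {
    work=$1
    ca="$work/CA"
    srv="$work/nginx"
    mkdir -p "$ca/private" "$ca/newcerts" "$srv"

    # Preparation step from the post. index.txt and serial are what
    # "openssl ca" uses; "openssl x509 -req -CAcreateserial" below keeps
    # its own cacert.srl file instead, so they stay empty here.
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"

    # CA root key and self-signed root certificate. -subj replaces the
    # interactive DN prompts; -days replaces the short default validity.
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$ca/private/cakey.pem" \
        -subj "/C=CN/ST=Shanghai/O=Demo CA/CN=Demo Root CA" \
        -out "$ca/cacert.pem"

    # Server key and certificate signing request, as generated on the nginx host.
    openssl genrsa -out "$srv/server.key" 2048 2>/dev/null
    openssl req -new -key "$srv/server.key" \
        -subj "/C=CN/ST=Shanghai/O=Demo/CN=www.example.test" \
        -out "$srv/server.csr"

    # Sign with the private CA. The extfile adds the subjectAltName that
    # browsers match the hostname against and marks the cert as a non-CA leaf.
    printf 'subjectAltName=DNS:www.example.test\nbasicConstraints=CA:FALSE\n' \
        > "$srv/server.ext"
    openssl x509 -req -days 365 -in "$srv/server.csr" \
        -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" -CAcreateserial \
        -extfile "$srv/server.ext" -out "$srv/server.crt" 2>/dev/null
}

# Exit 0 if server.crt chains to cacert.pem: the CLI equivalent of a browser
# that has imported the root into its trust store.
verify_chain() {
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/nginx/server.crt" >/dev/null 2>&1
}

# Exit 0 if the issued certificate carries the SAN the browser will look for.
has_san() {
    openssl x509 -in "$1/nginx/server.crt" -noout -text | grep -q 'DNS:www.example.test'
}

# Stand-alone usage: sh demo_pki.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    build_demo_pki "$tmp"
    verify_chain "$tmp" && has_san "$tmp" && echo "server.crt verifies against cacert.pem"
    rm -rf "$tmp"
fi
```

After `build_demo_pki` has run, `$tmp/CA/cacert.pem` is the file to import into the browser's trust store and `$tmp/nginx/server.key` plus `$tmp/nginx/server.crt` are what the nginx `ssl_certificate_key` and `ssl_certificate` directives would point at.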

References


Original post: http://blog.app1905.com/2016/httpscert/

Copyright belongs to this site. Contact us for permission before reproducing commercially; for non-commercial reproduction please credit the source.

@却道天凉好个秋