1. Generating the root CA certificate
Create a root.cnf file that holds the root certificate's subject and extensions (the post's original heading says "root domain", but what is produced here is a self-signed root CA certificate, not a domain certificate).
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
O = Liu Denghui (2677159776@qq.com)
OU = https://blog.csdn.net/qq_33215204/article/details/134625741
CN = Personal Root Certification Authority
[ v3_req ]
# Extensions to add to a certificate request
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
Run the following commands to generate the root certificate from root.cnf.
# Generate the private key (EC, curve P-384)
$ openssl ecparam -out root.key -name secp384r1 -genkey
# Generate the certificate signing request
$ openssl req -new -sha384 -key root.key -out root.csr -config root.cnf
# Self-sign the root certificate. -days is given explicitly because openssl x509
# defaults to 30 days of validity, which would leave every certificate signed by
# this root untrusted after a month.
$ openssl x509 -req -extfile root.cnf -extensions v3_req -sha384 -days 3650 -in root.csr -signkey root.key -out root.crt
# Inspect the certificate
$ openssl x509 -in root.crt -noout -text
2. Issuing a new certificate signed by the root
Create a cert.cnf file that holds the information for the certificate to be issued.
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
# Issue a wildcard certificate
CN = *.zzlzd.com
[ v3_req ]
# Extensions to add to a certificate request
authorityKeyIdentifier = keyid
subjectKeyIdentifier = hash
subjectAltName = @alternate_names
# keyEncipherment only applies to RSA key transport; an EC key as generated below
# is used for signing, so digitalSignature alone would be sufficient.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
[ alternate_names ]
# A wildcard certificate needs two DNS entries: *.zzlzd.com matches exactly one
# label (for example www.zzlzd.com) and does not cover the apex zzlzd.com itself.
# When issuing a certificate for a single hostname, list only that hostname.
DNS.1 = zzlzd.com
DNS.2 = *.zzlzd.com
Run the following commands to generate the domain certificate from cert.cnf and have the root sign it (this produces the leaf certificate, not another root).
# Generate the private key
$ openssl ecparam -out cert.key -name secp384r1 -genkey
# Generate the certificate signing request
$ openssl req -new -sha384 -key cert.key -out cert.csr -config cert.cnf
# Sign the domain certificate with the root (-CAcreateserial creates root.srl on first use)
$ openssl x509 -req -extfile cert.cnf -extensions v3_req -in cert.csr -CA root.crt -CAkey root.key -CAcreateserial -out cert.pem -days 365 -sha384
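The post stops at signing and never verifies the result. The script below is an added example, not code from the original post: it runs the same two-stage procedure (EC root CA, then a root-signed leaf) in a scratch directory and then checks what a TLS client would actually decide, using `openssl verify -verify_hostname`. It builds two leaves, one with both apex and wildcard SANs as the post recommends and one with only the wildcard, to show that the wildcard alone covers www.zzlzd.com but neither the apex zzlzd.com nor a two-level name such as a.b.zzlzd.com. It assumes an openssl binary (1.1.1 or 3.x) on PATH and a writable temp directory; the file basenames `good` and `wild` and the shortened root subject are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the original post: builds the root CA and two
# root-signed leaves in a scratch directory, then verifies them like a client.
# Assumptions: openssl (1.1.1 or 3.x) on PATH, writable temp dir via mktemp.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/some/dir

# Root CA config: same extensions as root.cnf in the post, shortened subject.
write_root_cnf() {
  cat > "$WORK/root.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = CN
CN = Personal Root Certification Authority
[ v3_req ]
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
EOF
}

# Leaf config. $1 = basename for the generated files, remaining args = DNS
# names for subjectAltName (the first one also becomes the CN).
write_cert_cnf() {
  name=$1; shift
  {
    printf '%s\n' '[ req ]' 'distinguished_name = req_distinguished_name' 'prompt = no' \
      '[ req_distinguished_name ]' "CN = $1" \
      '[ v3_req ]' 'authorityKeyIdentifier = keyid' 'subjectKeyIdentifier = hash' \
      'subjectAltName = @alternate_names' 'keyUsage = digitalSignature' \
      'extendedKeyUsage = serverAuth, clientAuth' 'basicConstraints = CA:FALSE' \
      '[ alternate_names ]'
    i=1
    for d in "$@"; do printf 'DNS.%d = %s\n' "$i" "$d"; i=$((i + 1)); done
  } > "$WORK/$name.cnf"
}

# Stage 1: P-384 key, CSR, self-signed root. -days is explicit because
# openssl x509 otherwise defaults to 30 days.
make_root() {
  openssl ecparam -out "$WORK/root.key" -name secp384r1 -genkey 2>/dev/null
  openssl req -new -sha384 -key "$WORK/root.key" -out "$WORK/root.csr" \
    -config "$WORK/root.cnf" 2>/dev/null
  openssl x509 -req -extfile "$WORK/root.cnf" -extensions v3_req -sha384 -days 3650 \
    -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Stage 2: leaf key, CSR, certificate signed by the root. $1 = basename.
make_leaf() {
  openssl ecparam -out "$WORK/$1.key" -name secp384r1 -genkey 2>/dev/null
  openssl req -new -sha384 -key "$WORK/$1.key" -out "$WORK/$1.csr" \
    -config "$WORK/$1.cnf" 2>/dev/null
  openssl x509 -req -extfile "$WORK/$1.cnf" -extensions v3_req -sha384 -days 365 \
    -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Returns 0 when $WORK/$1.pem chains to root.crt AND its SANs cover hostname $2,
# which is what a TLS client connecting to $2 would require.
verify_leaf_for_host() {
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$2" "$WORK/$1.pem" >/dev/null 2>&1
}

# Returns 0 when the leaf cannot itself issue certificates (basicConstraints CA:FALSE).
leaf_is_not_ca() {
  ! openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# Root plus two leaves: "good" lists apex and wildcard as the post recommends;
# "wild" lists only the wildcard, to show what that leaves uncovered.
build_all() {
  write_root_cnf
  make_root
  write_cert_cnf good zzlzd.com '*.zzlzd.com'
  make_leaf good
  write_cert_cnf wild '*.zzlzd.com'
  make_leaf wild
}

# Usage: sh this_script.sh run
if [ "${1:-}" = run ]; then
  build_all
  for h in zzlzd.com www.zzlzd.com a.b.zzlzd.com; do
    verify_leaf_for_host good "$h" && echo "good: $h accepted" || echo "good: $h REJECTED"
    verify_leaf_for_host wild "$h" && echo "wild: $h accepted" || echo "wild: $h REJECTED"
  done
fi
```

Running it with `run` shows `good` accepted for zzlzd.com and www.zzlzd.com, `wild` accepted only for www.zzlzd.com, and a.b.zzlzd.com rejected by both, because a wildcard matches exactly one DNS label. The `openssl verify -CAfile root.crt` step is also the one to run after the post's own commands: a leaf that signs fine but fails here usually means a missing or mismatched authorityKeyIdentifier or an expired root.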