Self-signing a CA and updating the root certificates
2020-07-23 10:45:33
jim
# Self-signed CA

> Based on https://2heng.xin/2018/12/16/your-own-ca-with-openssl/ with some parameters changed.

```
#!/bin/bash
# CA private key
openssl genrsa -out cakey.pem 2048

# OpenSSL request config for the root certificate
cat << EOF > root.conf
[ req ]
default_bits = 2048
default_keyfile = key.pem
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
string_mask = nombstr
x509_extensions = x509_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Dragonfly
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Dragonfly Fake Authority CA

[ x509_ext ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req_ext ]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# self-signed root certificate, valid for 20 years
openssl req -batch -new -x509 -key ./cakey.pem -out ./cacert.pem -days 7300 -config ./root.conf
# DER copy for importing into Windows / browsers
openssl x509 -inform PEM -in ./cacert.pem -outform DER -out ./CA.cer
# review the root certificate
openssl x509 -in ./cacert.pem -noout -text
```

# Updating the local trust chain

```
#!/bin/bash
cp cacert.pem ca.crt
# load $ID (distribution name) from the OS metadata
. /etc/os-release
case $ID in
    ubuntu)
        # Ubuntu
        cp ca.crt /usr/local/share/ca-certificates/
        update-ca-certificates
        ;;
    debian)
        # Debian
        cp ca.crt /usr/share/ca-certificates/
        echo ca.crt >> /etc/ca-certificates.conf
        update-ca-certificates
        ;;
    centos|fedora|rhel)
        # CentOS, Fedora, RedHat
        update-ca-trust force-enable
        cp ca.crt /etc/pki/ca-trust/source/anchors/
        update-ca-trust
        ;;
    *)
        exit 1
        ;;
esac
```

# Self-signed certificate

```
cat << EOF > server.conf
[ req ]
default_bits = 2048
default_keyfile = key.pem
default_md = sha256
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName = Locality Name (eg, city)
localityName_default = Shanghai
organizationName = Organization Name (eg, company)
organizationName_default = Dragonfly
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = *.df

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.df
DNS.2 = df
IP.1 = 127.0.0.1
IP.2 = 8.8.8.8
EOF

mkdir server
# gen key
openssl genrsa -out ./server/key.pem 2048
# gen csr
openssl req -batch -new -key ./server/key.pem -out ./server/server.csr -config ./server.conf
# review csr
openssl req -in ./server/server.csr -noout -text
# gen cert
# 'x509 -req' does not copy the CSR's extensions by default, so the SAN and
# basicConstraints must be supplied again via -extfile/-extensions, otherwise
# the issued certificate has no subjectAltName. -days 365 is an added choice;
# without it the default validity is 30 days.
openssl x509 -req -in ./server/server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 365 -extfile ./server.conf -extensions x509_ext -out ./server/cert.pem
# review cert
openssl x509 -in ./server/cert.pem -noout -text
```

# Reference

- https://gist.github.com/soarez/9688998
- https://2heng.xin/2018/12/16/your-own-ca-with-openssl/
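A post-issuance check for the certificate produced in the section above, added here as an example (it is not part of the original post or the referenced gist). The function name `check_chain` and its three arguments (CA cert, leaf cert, hostname) are assumptions; it confirms the things the config files intend but `openssl x509 -req` can silently leave out, and that the leaf actually chains to the CA for the name clients will use.

```shell
#!/bin/bash
# check_chain CA_CERT LEAF_CERT HOSTNAME  (added example, hypothetical helper)
# Returns 0 when every check passes, otherwise a non-zero code naming the
# first failing check on stderr.
check_chain() {
    ca="$1"; leaf="$2"; host="$3"

    # 1. The root must assert basicConstraints CA:TRUE, or clients reject
    #    anything it signs.
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "CA cert lacks basicConstraints CA:TRUE" >&2; return 1; }

    # 2. The leaf must explicitly NOT be a CA.
    openssl x509 -in "$leaf" -noout -text | grep -q 'CA:FALSE' \
        || { echo "leaf cert is missing basicConstraints CA:FALSE" >&2; return 2; }

    # 3. The leaf must carry a subjectAltName: 'openssl x509 -req' drops the
    #    CSR's extensions unless told to add them (e.g. -extfile/-extensions),
    #    and modern clients ignore the CN entirely.
    openssl x509 -in "$leaf" -noout -text | grep -q 'Subject Alternative Name' \
        || { echo "leaf cert has no subjectAltName" >&2; return 3; }

    # 4. Signature chains to the CA and the SAN matches the hostname.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null \
        || { echo "chain/hostname verification failed for $host" >&2; return 4; }
}
```

Call it as `check_chain cacert.pem server/cert.pem www.df` after the steps above; OpenSSL applies its own wildcard-matching rules, so test the exact hostnames clients will present rather than assuming `*.df` covers them.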