openssl自建ca并颁发证书_在线自建ca证书网站-优快云博客

本文详述了如何在Ubuntu上利用OpenSSL自建CA，并为本地站点颁发证书，确保在火狐浏览器中访问时显示绿色锁标识。首先，创建工作环境和证书数据库，然后配置并生成CA根证书和私钥。接着，创建站点证书请求并使用CA签名。最后，配置Apache SSL服务，导入CA证书到浏览器，并测试HTTPS连接。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

目标

在同一台主机建立站点并访问，自建CA为该站颁发证书，使得在火狐浏览器访问该站时锁标识为绿色。

前提

已安装 apache 和 openssl
ubuntu 自带 apache 和 openssl
可使用以下命令查看二者的版本，若需更新查看该链接

apache2 -version
openssl version

本文使用 apache 2.2.22 和 openssl 1.0.1

实现

使用OpenSSL自建CA

注意，本阶段操作均在普通用户权限下进行。
1.1 创建工作环境

cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA

1.2 创建证书数据库

echo '01' > serial  && touch index.txt

1.3 创建 ca 配置文件

sudo nano ~/myCA/caconfig.cnf

其内容如下：

# My sample caconfig.cnf file.
#
# Default configuration to use when one is 

not provided on the command line.
#
[ ca ]
default_ca      = local_ca
#
#
# Default location of directories and files 

needed to generate certificates.
#
[ local_ca ]
dir             = /home/<username>/myCA
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/signedcerts
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
#       
#
# Default expiration and encryption policies 

for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = sha1
#       
policy          = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the 

certificate request
#
copy_extensions = copy
#       
#
# Default policy to use when generating 

server certificates.  The following
# fields must be defined in the server 

certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = supplied
#       
#
# x509 extensions to use when generating 

server certificates.
#
[ local_ca_extensions ]
basicConstraints        = CA:false
#       
#
# The default root certificate generation 

policy.
#
[ req ]
default_bits    = 2048
default_keyfile = 

/home/<username>/myCA/private/cakey.pem
default_md      = sha1
#       
prompt                  = no
distinguished_name      = 

root_ca_distinguished_name
x509_extensions         = root_ca_extensions
#
#
# Root Certificate Authority distinguished 

name.  Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName              = MyOwn Root 

Certificate Authority
stateOrProvinceName     = NC
countryName             = US
emailAddress            = 

root@tradeshowhell.com
organizationName        = Trade Show Hell
organizationalUnitName  = IT Department
#       
[ root_ca_extensions ]
basicConstra