openssl自建ca并颁发证书

本文详述了如何在Ubuntu上利用OpenSSL自建CA,并为本地站点颁发证书,确保在火狐浏览器中访问时显示绿色锁标识。首先,创建工作环境和证书数据库,然后配置并生成CA根证书和私钥。接着,创建站点证书请求并使用CA签名。最后,配置Apache SSL服务,导入CA证书到浏览器,并测试HTTPS连接。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

目标

       在同一台主机建立站点并访问,自建CA为该站颁发证书,使得在火狐浏览器访问该站时锁标识为绿色。

前提

  • 已安装 apache 和 openssl
  • ubuntu 自带 apache 和 openssl
  • 可使用以下命令查看二者的版本,若需更新查看该链接
apache2 -version
openssl version
  • 本文使用 apache 2.2.22 和 openssl 1.0.1

实现

使用OpenSSL自建CA

       注意,本阶段操作均在普通用户权限下进行。
1.1 创建工作环境

cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA

1.2 创建证书数据库

echo '01' > serial  && touch index.txt

1.3 创建 ca 配置文件

sudo nano ~/myCA/caconfig.cnf

       其内容如下:

# My sample caconfig.cnf file.
#
# Default configuration to use when one is 

not provided on the command line.
#
[ ca ]
default_ca      = local_ca
#
#
# Default location of directories and files 

needed to generate certificates.
#
[ local_ca ]
dir             = /home/<username>/myCA
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/signedcerts
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
#       
#
# Default expiration and encryption policies 

for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = sha1
#       
policy          = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the 

certificate request
#
copy_extensions = copy
#       
#
# Default policy to use when generating 

server certificates.  The following
# fields must be defined in the server 

certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = supplied
#       
#
# x509 extensions to use when generating 

server certificates.
#
[ local_ca_extensions ]
basicConstraints        = CA:false
#       
#
# The default root certificate generation 

policy.
#
[ req ]
default_bits    = 2048
default_keyfile = 

/home/<username>/myCA/private/cakey.pem
default_md      = sha1
#       
prompt                  = no
distinguished_name      = 

root_ca_distinguished_name
x509_extensions         = root_ca_extensions
#
#
# Root Certificate Authority distinguished 

name.  Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName              = MyOwn Root 

Certificate Authority
stateOrProvinceName     = NC
countryName             = US
emailAddress            = 

root@tradeshowhell.com
organizationName        = Trade Show Hell
organizationalUnitName  = IT Department
#       
[ root_ca_extensions ]
basicConstraint
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值