@ws2356
Created June 16, 2019 01:28
Building your own CA

1. CA certificate

Create the CA private key

openssl genrsa -out ca.home.key 2048

Create the self-signed CA certificate

openssl req -new -x509 -key ca.home.key -out ca.home.crt

Inspect it

openssl x509 -in ca.home.crt -noout -text

Add it to the trusted root certificates in the way appropriate for each operating system

2. User certificate

Generate the user private key

openssl genrsa -out share.home.key 2048

Generate the CSR

openssl req -new -key share.home.key -out share.home.csr

The previous two steps can be replaced by generating the key and the CSR in one step, which also lets you add extension fields via the config file

openssl req -new -out share.home.csr -config share.home.conf

CA signing

openssl x509 -req -in share.home.csr -CA ca.home.crt -CAkey ca.home.key -CAcreateserial -out share.home.crt

CA signing, variant 2: use the ca subcommand, which supports extensions

openssl ca -config share.home.ca.conf -out share.home.crt -extfile share.home.ca.ext.conf -in share.home.csr

About the CRL file

It is used to track the unique serial numbers of the certificates the CA issues; it is passed as an input file on every signing and is modified by the CA, so it is best kept together with the CA certificate

Inspect it

openssl x509 -in share.home.crt -noout -text

Convert to a private key without password protection (optional: only if the private key is password protected)

Remaining issues

  • Wildcard certificates cannot have extended validation, so the browser does not show the 🔒 icon (this does not affect actual use; the GitHub site does not have the green lock either)
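The two numbered sections above (CA certificate, then user certificate) as one runnable script, added here and not part of the original gist: it writes its own openssl config so the leaf certificate carries a subjectAltName (the extension field the gist's -config variant is for), signs it with the x509 -req form, and checks the result with openssl verify. It assumes openssl 1.1.1 or newer on PATH; pki.conf, build_pki and verify_leaf are names chosen for this example.

```shell
# Added example, not from the original gist: build a private CA, issue a
# server certificate that carries subjectAltName, and verify the chain.
# Assumes openssl (1.1.1 or newer) on PATH; file names follow the gist.
set -eu

# One config file drives every step: [v3_ca] for the self-signed root,
# [v3_req] for the leaf CSR and the signed leaf certificate (CA:FALSE + SAN).
write_conf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = share.home
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:share.home, DNS:*.share.home
EOF
}

build_pki() {  # $1 = working dir; subshell keeps the caller's cwd untouched
  ( mkdir -p "$1" && cd "$1" && write_conf pki.conf
    # 1. CA private key and self-signed CA certificate
    openssl genrsa -out ca.home.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.home.key -out ca.home.crt -days 3650 \
      -config pki.conf -subj "/CN=home CA" -extensions v3_ca
    # 2. Leaf key and CSR in one step (the gist's -config variant)
    openssl req -new -newkey rsa:2048 -nodes -keyout share.home.key \
      -out share.home.csr -config pki.conf 2>/dev/null
    # 3. CA signs the CSR; -extfile/-extensions copy the SAN into the cert,
    #    -CAcreateserial writes ca.home.srl, which the CA must keep
    openssl x509 -req -in share.home.csr -CA ca.home.crt -CAkey ca.home.key \
      -CAcreateserial -days 825 -out share.home.crt \
      -extfile pki.conf -extensions v3_req 2>/dev/null )
}

# Exit 0 only if the leaf chains to the CA and the hostname matches its SAN.
verify_leaf() {  # $1 = working dir, $2 = hostname to check
  openssl verify -CAfile "$1/ca.home.crt" -verify_hostname "$2" \
    "$1/share.home.crt" >/dev/null 2>&1
}
```

Run `build_pki /tmp/homeca && verify_leaf /tmp/homeca share.home` to produce the files and confirm the chain; the same config's v3_req section is what you would hand to the ca subcommand's -extfile.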
    Certificate sellers will refuse to issue wildcard certificates with EV, because cabforum.org, the regulatory body governing the issuance of EV SSL Certificates decided this is a big no no. EV certificates can, however, have as much SubjectAltName as you wish.

3. Reference tutorial (credit to Soarez)

https://gist.github.com/Soarez/9688998
