Creating a self-signed certificate with OpenSSL

Source: Internet   Editor: 程序博客网   Time: 2024/06/05 09:26


Once HTTPS is enabled in Apache or nginx, the server needs a certificate and its private key before the site will work. With the OpenSSL command-line tool we can create a self-signed certificate quickly. Keep in mind that a self-signed certificate is not trusted by browsers or other clients unless it is explicitly installed on them; it is suited to testing and internal use, not to a public site.

1 Install OpenSSL

If a yum repository is configured, the openssl package can be installed quickly with yum.
First check whether openssl is already installed, then look at the package information:

[root@Centos7 R4 ~]#rpm -ql openssl
package openssl is not installed
[root@Centos7 R4 ~]#yum info openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name        : openssl
Arch        : x86_64
Epoch       : 1
Version     : 1.0.1e
Release     : 60.el7
Size        : 713 k
Repo        : CDRom
Summary     : Utilities from the general purpose cryptography library with TLS implementation
URL         : http://www.openssl.org/
License     : OpenSSL
Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

Start the installation:

[root@Centos7 R4 ~]#yum install openssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-60.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
 Package           Arch             Version                      Repository       Size
=======================================================================================
Installing:
 openssl           x86_64           1:1.0.1e-60.el7              CDRom           713 k

Transaction Summary
=======================================================================================
Install  1 Package

Total download size: 713 k
Installed size: 1.5 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:openssl-1.0.1e-60.el7.x86_64                                      1/1
  Verifying  : 1:openssl-1.0.1e-60.el7.x86_64                                      1/1

Installed:
  openssl.x86_64 1:1.0.1e-60.el7

Complete!

After OpenSSL is installed, the package provides the following files under /etc/pki:

[root@Centos7 R4 ~]#rpm -ql openssl |grep '/etc/pki'
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name

2 Create the self-signed certificate

We can use the make command with the /etc/pki/tls/certs/Makefile installed above to generate a self-signed certificate. Note that make has to be run from the directory that contains the Makefile, /etc/pki/tls/certs/ (or be pointed at it with make -C /etc/pki/tls/certs):

[root@Centos7 R4 certs]#ls
ca-bundle.crt  ca-bundle.trust.crt  make-dummy-cert  Makefile  renew-dummy-cert

Now we use make to create the self-signed certificate:

[root@Centos7 R4 certs]#make ../private/httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > ../private/httpd.key
Generating RSA private key, 2048 bit long modulus
............................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key ../private/httpd.key -x509 -days 365 -out ../private/httpd.crt -set_serial 0
Enter pass phrase for ../private/httpd.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:Wuhan
Organization Name (eg, company) [Default Company Ltd]:WUT
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:abc@whut.edu.cn

make ../private/httpd.crt means: create the certificate in the ../private/ directory and name it httpd.crt. Because the .crt target depends on a .key target, make first generates the private key ../private/httpd.key (AES-128 encrypted with the passphrase you are asked for) and then signs the certificate with it. The fields prompted for during execution mean the following:

Country Name (2 letter code)                  two-letter country code in ISO format
State or Province Name (full name)            province or state
Locality Name (eg, city)                      city
Organization Name (eg, company)               organization
Organizational Unit Name (eg, section)        department
Common Name (eg, your website's domain name)  the hostname of the site that will serve TLS
Email Address                                 e-mail address; may be left blank

The certificate has been created. Note what this Makefile recipe gives you: a certificate valid for 365 days with serial number 0, and with the hostname only in the Common Name. Current browsers ignore the CN and match the hostname against the subjectAltName extension, which this recipe does not add, so they will report a name mismatch in addition to the untrusted-issuer warning.

[root@Centos7 R4 certs]#ls /etc/pki/tls/private/
httpd.crt  httpd.key
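The same result can be produced without the interactive prompts, and with the subjectAltName that the Makefile recipe leaves out. The script below is an added example and is not part of the original article or of the CentOS Makefile; it reuses the DN values from the prompts above, uses test.com as a placeholder hostname, and writes into a scratch directory. It also shows the checks worth running on any freshly generated certificate: the SAN is present, issuer equals subject, the key really matches the certificate, and the key file is not readable by other users.

```shell
#!/bin/sh
# Added example (not from the original article): create a self-signed server
# certificate non-interactively, with a subjectAltName, and check the result.
# Assumptions: hostname test.com and the DN values mirror the article's
# prompts; the output directory is a placeholder.
set -eu

# make_selfsigned DIR HOST DAYS
# Writes DIR/HOST.key (RSA 2048, unencrypted, mode 0600) and DIR/HOST.crt.
# A temporary config file supplies the DN and the v3 extensions; this works on
# OpenSSL 1.0.x (as on the article's CentOS 7) as well as 1.1.1+/3.x, whereas
# the shorter "-addext" option only exists from 1.1.1 on.
make_selfsigned() {
    dir=$1 host=$2 days=$3
    mkdir -p "$dir"
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C  = CN
ST = HuBei
L  = Wuhan
O  = WUT
OU = IT Dept
CN = $host
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:www.$host
EOF
    # umask 077: the private key must never be group- or world-readable
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null)
    rm -f "$dir/$host.cnf"
}

# cert_san CRT: prints the SAN entries of CRT (empty if it has none)
cert_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# cert_is_selfsigned CRT: issuer DN equals subject DN
cert_is_selfsigned() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# key_matches_cert KEY CRT: the RSA modulus in both files is identical
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# cert_not_expired CRT: succeeds while the certificate is within its validity
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Demo run in a scratch directory
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" test.com 365
openssl x509 -in "$demo_dir/test.com.crt" -noout -subject -issuer -dates
echo "SAN: $(cert_san "$demo_dir/test.com.crt")"
ls -l "$demo_dir/test.com.key"
rm -rf "$demo_dir"
```

To use this for a real server, point DIR at /etc/pki/tls/private (or split the .crt out into /etc/pki/tls/certs), pass the real hostname, and add every name clients will use to the subjectAltName line; the key is written unencrypted, so the passphrase removal in the next section is not needed.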

3 Remove the passphrase from the private key file

Creating the certificate the way described above required us to set a passphrase, and that passphrase has to be entered every time the private key is loaded afterwards, for example whenever httpd starts. We can confirm this by viewing the generated private key file with cat:

[root@Centos7 R4 certs]#cat /etc/pki/tls/private/httpd.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,E4F0636EF2E6E3FB37A2485B72646490

yPP9T3CcZA9M3wE3JPWywfBuvOZdXl1k7Jt+UuznxyrpYuQTv+DvMDoLmof+RutR
bGNvNgSzf+OnXjf+JNSlPXv7c3MU63cRiaagX5s+SZMwWmgtIg3kTkEGowrpfdKw
1nEhrASSD1Y4+WpLE+do/U0TsjZKkPb+9bId65r8cMiVIDPqWQZzZfJkl3uNEJWk
aVhd3IwkT/tKSJxo0oAhd5BCJrh7Bgwrc9QK5J70JEArpnpWjF4zv4ZFgADu5LjC
…… ……

The Proc-Type: 4,ENCRYPTED header shows that the key is encrypted. Since this is a self-signed certificate for our own use, we can remove the passphrase. The method is simple: rename the encrypted key to a backup, then have openssl rsa write out a decrypted copy under the original name:

[root@Centos7 R4 certs]#mv ../private/httpd.key ../private/httpd.key.bak
[root@Centos7 R4 certs]#openssl rsa -in ../private/httpd.key.bak -out ../private/httpd.key
Enter pass phrase for ../private/httpd.key.bak:
writing RSA key

Removing the passphrase requires entering the passphrase we set when the certificate was first created. Now look at the private key file header again:

[root@Centos7 R4 certs]#cat ../private/httpd.key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAsTzazQWnabUdgf89YRmGa2MapDYMRxaGuducOhjpJvp8Xpg5
hq4VBw2gE5pxIIDBY+2DNXvT31RVxoHAxXnKMz4vCR8BHnkNnqHVfAm5dF+uyB+4
7y1mpSpRfgzOiZyoRMZQ+GIa5ktoDBzW1Jy1lMztSgo1GpLrrEmK/4CDQzYP96Wm
fdVVKysSf6VL6Xz28bYtQe8HSeLgi9GEJxqO4RTjg9dbQAFkewJCNYfAXTsScG78
…… ……

The encryption header is gone; the passphrase has been removed. An unencrypted key is protected by file permissions alone, so check them: the make step ran under umask 77 and so produced a 0600 file, but the openssl rsa command above ran under the shell's own umask, and on the OpenSSL 1.0.x shipped with this system that can leave httpd.key world-readable (0644). Run chmod 600 on it, confirm with ls -l that only root can read it, and delete httpd.key.bak (or restrict it the same way) once the server is confirmed working. If you would rather keep the passphrase, Apache's SSLPassPhraseDialog directive can supply it from a program at startup instead of prompting.
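The passphrase removal above can be scripted so that the result is checked rather than eyeballed. The following is an added example, not part of the original article: it generates an encrypted key the way the Makefile does, strips the passphrase into a 0600 file, proves the decrypted file is the same key, and leaves nothing behind if the passphrase was wrong. The file names follow the article (httpd.key, httpd.key.bak); the passphrases are made up for the demo and are passed through the environment rather than on the command line so they do not appear in ps output.

```shell
#!/bin/sh
# Added example (not from the original article): strip the passphrase from an
# encrypted RSA key without losing or exposing it, then verify the result.
# Assumptions: file names follow the article; the demo passphrase is made up.
set -eu

# make_encrypted_key OUT PASS: AES-128 encrypted 2048-bit RSA key, like the
# one the article's Makefile produces. The passphrase reaches openssl via an
# environment variable (-passout env:), not argv, so it is not visible in ps.
make_encrypted_key() {
    (umask 077 && KEY_PASS=$2 openssl genrsa -aes128 -passout env:KEY_PASS \
        -out "$1" 2048 2>/dev/null)
}

# key_is_encrypted KEY: true for both PEM encodings OpenSSL uses for
# passphrase-protected keys (traditional "Proc-Type" header, or PKCS#8 as
# written by OpenSSL 3.x)
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# strip_passphrase IN OUT PASS: write the decrypted key to OUT with mode 0600.
# IN is left untouched; if the passphrase is wrong no OUT file is left behind.
strip_passphrase() {
    (umask 077 && KEY_PASS=$3 openssl rsa -in "$1" -passin env:KEY_PASS \
        -out "$2" 2>/dev/null) || { rm -f "$2"; return 1; }
    if key_is_encrypted "$2"; then rm -f "$2"; return 1; fi
    # explicit chmod in case a caller forgot the umask (OpenSSL 1.0.x honours
    # the shell umask when writing the output file)
    chmod 600 "$2"
}

# same_key ENC PLAIN PASS: the two files hold the same RSA key (equal modulus)
same_key() {
    [ "$(KEY_PASS=$3 openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Demo run in a scratch directory
d=$(mktemp -d)
make_encrypted_key "$d/httpd.key.bak" 'demo-passphrase'
head -n 2 "$d/httpd.key.bak"          # encrypted header
strip_passphrase "$d/httpd.key.bak" "$d/httpd.key" 'demo-passphrase'
head -n 1 "$d/httpd.key"              # plain PEM header, no Proc-Type line
same_key "$d/httpd.key.bak" "$d/httpd.key" 'demo-passphrase' && echo "same key"
ls -l "$d/httpd.key"
# once httpd is confirmed working the encrypted backup is no longer needed
rm -f "$d/httpd.key.bak"
rm -rf "$d"
```

On a real server run strip_passphrase against /etc/pki/tls/private/httpd.key.bak and the original path, then restart httpd; only after it comes up without prompting should the .bak file be removed.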
