Generating an HTTPS server certificate with OpenSSL

Source: Internet   Posted by: Taobao data package free download   Editor: 程序博客网 (Programmer Blog Network)   Time: 2024/06/06 19:55

1. Download and install OpenSSL

You can download the source from the OpenSSL website and build it yourself, or download a ready-made installer from:
http://download.csdn.net/download/nicholas_lin/10169024

2. Configure OpenSSL

Open bin/openssl.cfg and change the following:

   # If you use the installer package, change dir
   [ CA_default ]
   dir = ./PEM/demoCA      # Where everything is kept

   # Make sure the following two lines exist under [ req ] (the first is present by default, the second is commented out)
   [ req ]
   distinguished_name = req_distinguished_name
   req_extensions = v3_req

   # Make sure there are no 0.xxx labels under req_distinguished_name; if there are, remove the "0." prefix
   [ req_distinguished_name ]
   countryName = Country Name (2 letter code)
   countryName_default = CN
   countryName_min = 2
   countryName_max = 2
   stateOrProvinceName = State or Province Name (full name)
   stateOrProvinceName_default = Fujian
   localityName = Locality Name (eg, city)
   localityName_default = FuZhou
   organizationName = Organization Name (eg, company)
   organizationName_default = Some Company Co., Ltd
   # we can do this but it is not needed normally :-)
   #1.organizationName = Second Organization Name (eg, company)
   #1.organizationName_default = World Wide Web Pty Ltd
   organizationalUnitName = Organizational Unit Name (eg, section)
   organizationalUnitName_default = Some department
   commonName = Common Name (e.g. server FQDN or YOUR name)
   commonName_max = 64
   emailAddress = Email Address
   emailAddress_max = 64

   # Add the last line, subjectAltName = @alt_names (the first two lines exist by default)
   [ v3_req ]
   # Extensions to add to a certificate request
   basicConstraints = CA:FALSE
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   subjectAltName = @alt_names

   # Add the alt_names section; note the spaces inside the brackets; add as many DNS.x entries as you need
   [ alt_names ]
   DNS.1 = abc.example.com
   DNS.2 = dfe.example.org
   IP.1 = 127.0.0.1
   IP.2 = 188.188.188.188

3. Generate a self-signed CA certificate

From a command prompt, change to the bin directory and run
openssl

Generate the CA key pair
OpenSSL> genrsa -out ./demoCA/cakey.pem 2048

Generate the self-signed CA root certificate
OpenSSL> req -new -x509 -key ./demoCA/cakey.pem -out ./demoCA/cacert.pem -config openssl.cfg

Export the CA root certificate in DER format
OpenSSL> x509 -outform der -in ./demoCA/cacert.pem -out ./demoCA/cacert.der

4. Generate the server certificate

Generate the server key pair
OpenSSL> genrsa -out ./demoCA/server.key 2048

Generate a PKCS certificate signing request (the request will include the alt_names entries)
OpenSSL> req -new -key ./demoCA/server.key -out ./demoCA/server.csr -config openssl.cfg

Issue the server certificate
OpenSSL> ca -in ./demoCA/server.csr -out ./demoCA/server.crt -cert ./demoCA/cacert.pem -keyfile ./demoCA/cakey.pem -extensions v3_req -days 730 -config openssl.cfg

Export the server certificate and key
OpenSSL> pkcs12 -export -in ./demoCA/server.crt -inkey ./demoCA/server.key -out ./demoCA/server.pfx
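Steps 3 and 4 above run end to end without prompts, followed by the checks worth doing once the certificate exists (chain verification and name matching against the SAN). This is an added example, not the original post's commands; it assumes openssl 1.1.1 or later on PATH, and the scratch directory, subject names and SAN values are constructed for the example.

```shell
set -e
cd "$(mktemp -d)"               # constructed scratch directory, not the post's ./demoCA
mkdir -p demoCA/newcerts
touch demoCA/index.txt          # 'openssl ca' refuses to run without its database and serial file
echo 01 > demoCA/serial
cat > openssl.cfg <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = abc.example.com
DNS.2 = dfe.example.org
IP.1 = 127.0.0.1
EOF
openssl genrsa -out demoCA/cakey.pem 2048 2>/dev/null
openssl req -new -x509 -key demoCA/cakey.pem -out demoCA/cacert.pem -config openssl.cfg -subj /CN=Demo-CA -days 3650
openssl genrsa -out demoCA/server.key 2048 2>/dev/null
# The CN is deliberately a name that is NOT in alt_names: clients match the SAN, not the CN
openssl req -new -key demoCA/server.key -out demoCA/server.csr -config openssl.cfg -subj /CN=cn-only.example.com
openssl ca -batch -in demoCA/server.csr -out demoCA/server.crt -cert demoCA/cacert.pem -keyfile demoCA/cakey.pem \
  -extensions v3_req -days 730 -config openssl.cfg >/dev/null 2>&1
# 0 if the issued cert chains to the CA; pass -verify_hostname NAME or -verify_ip ADDR to also check a name
accepts() { openssl verify -CAfile demoCA/cacert.pem "$@" demoCA/server.crt >/dev/null 2>&1; }
# Print the SAN line of a certificate (what the alt_names section produced)
san_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1; }
```

`accepts -verify_hostname cn-only.example.com` fails even though the CN matches, because a certificate that carries DNS SAN entries is matched on those entries only.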

5. Export a server keystore for Tomcat

Open a command prompt

Import the root certificate
CMD> keytool -importcert -v -file ./demoCA/cacert.pem -keystore ./demoCA/server.keystore

Import the server certificate and key
CMD> keytool -importkeystore -v -srckeystore ./demoCA/server.pfx -srcstoretype PKCS12 -destkeystore ./demoCA/server.keystore

6. Configure Tomcat

/conf/server.xml
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystoreFile="/conf/server.keystore" keystorePass="12345678"
              truststoreFile="/conf/server.keystore" truststorePass="12345678" />

7. References

Using openssl to add a "Subject Alternative Name (DNS)" to an SSL certificate