Building your own CA and issuing certificates with SAN

This post shows how to build your own CA with a shell script and the openssl tool, and how to issue certificates with that CA. It covers generating the CA certificate, the issuing process, and generating a SAN certificate; certificates are produced and verified through a configuration file and command-line operations.

CA

# Organization name; also used as the file-name prefix for the CA key, CSR and certificate
CA="CAORG"
# Generate the CA private key (EC, curve P-256)
openssl ecparam -out $CA.key -name prime256v1 -genkey
# Create a certificate signing request for the CA (prompts for the subject fields)
openssl req -new -sha256 -key $CA.key -out $CA.csr
# Self-sign the CA certificate, valid for 10 years.
# No CA extensions (basicConstraints, keyUsage) are requested here; supply them
# with -extfile if a client refuses to treat this root as an issuer.
openssl x509 -req -sha256 -days 3650 -in $CA.csr -signkey $CA.key -out $CA.crt

Issuing a certificate

# Server private key (EC, curve P-256)
openssl ecparam -out ssl.key -name prime256v1 -genkey
# CSR for the server certificate (prompts for the subject fields)
openssl req -new -sha256 -key ssl.key -out ssl.csr
# Sign the CSR with the CA; -CAcreateserial creates the serial-number file on first use
openssl x509 -req -in ssl.csr -CA $CA.crt -CAkey $CA.key -CAcreateserial -out ssl.crt -days 3650 -sha256
# Inspect the issued certificate
openssl x509 -in ssl.crt -text -noout

Generating a SAN certificate

# RSA 2048-bit private key for the SAN certificate
openssl genrsa -out domain.dev.key 2048

Contents of config.conf, passed to openssl req with -config below. In the [ req_distinguished_name ] section each field is a prompt string and the matching _default entry is the value used when you just press Enter:
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
# Put the extensions from [ v3_req ] (including the SAN) into the CSR
req_extensions = v3_req

[ req_distinguished_name ]
commonName = domain.dev
commonName_default = *.domain.dev
commonName_max = 64

countryName = China
countryName_default = CN

stateOrProvinceName = Province
stateOrProvinceName_default = Beijing

localityName = City
localityName_default = Beijing

organizationName = Organization
organizationName_default = Lenovo

organizationalUnitName = Department
organizationalUnitName_default = CAORG Team

emailAddress = Email
emailAddress_default = [email protected]

[ v3_req ]
# End-entity certificate, not a CA
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Subject Alternative Names; browsers match the host name against these, not the CN.
# Note: openssl x509 -req does not carry CSR extensions into the signed certificate
# unless they are supplied again with -extfile (or -copy_extensions copy on OpenSSL 3.x).
subjectAltName = @alt_names

[alt_names]
DNS.1 = domain.dev
DNS.2 = *.domain.dev
# Generate the key and a CSR that carries the SAN from config.conf
# (-nodes only matters when req generates the key itself; it is harmless here)
openssl genrsa -out domain.dev.key 2048
openssl req -new -nodes -out domain.dev.csr -key domain.dev.key -config config.conf
Author

默吟

Published

2024-11-19

License

CC BY-NC-SA 4.0
