- 創建根私鑰、證書和證書請求文件
# Root CA private key (genrsa writes an unencrypted PEM; keep the file private).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl genrsa -out ca-key.pem 4096
# CSR for the root; subject fields are entered interactively (no -subj/-config).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl req -new -out ca-req.csr -key ca-key.pem
# Self-sign the CSR to produce the root certificate, valid 10 years.
# NOTE(review): no -extfile is given, so the root carries no
# basicConstraints = CA:TRUE. Some verifiers accept such a self-signed root as a
# trust anchor anyway; stricter clients may refuse to treat it as an issuer.
# Check with the clients that will actually trust it.
root@UBT-VM: /usr/lib/ssl/demoCA# openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 3650
- 創建服務器私鑰、證書和證書請求文件
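# Server private key (genrsa writes an unencrypted PEM; keep the file private).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl genrsa -out server-key.pem 4096
# CSR for the server; subject fields are entered interactively (no -subj/-config).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl req -new -out server-req.csr -key server-key.pem
# Issue the server certificate with the CA key and certificate, valid 10 years.
# `-signkey server-key.pem` was dropped: it selects the self-signing path and in
# OpenSSL 1.x the -CA/-CAkey options are then silently ignored, so the original
# command produced a self-signed server cert that does not chain to ca-cert.pem.
# Verify the issuer afterwards: `openssl x509 -in server-cert.pem -noout -issuer`.
# NOTE(review): no -extfile, so the cert has no subjectAltName; current TLS
# clients require one (see the [ acc_names ] section in the openssl.cnf below).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl x509 -req -in server-req.csr -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650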
- 創建客戶端私鑰、證書和證書請求文件
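# Client private key (genrsa writes an unencrypted PEM; keep the file private).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl genrsa -out client-key.pem 4096
# CSR for the client; subject fields are entered interactively (no -subj/-config).
root@UBT-VM: /usr/lib/ssl/demoCA# openssl req -new -out client-req.csr -key client-key.pem
# Issue the client certificate with the CA key and certificate, valid 10 years.
# `-signkey client-key.pem` was dropped: it selects the self-signing path and in
# OpenSSL 1.x the -CA/-CAkey options are then silently ignored, so the original
# command produced a self-signed client cert that a server trusting ca-cert.pem
# would reject. Verify: `openssl x509 -in client-cert.pem -noout -issuer`.
# -CAcreateserial reuses the ca-cert.srl file if an earlier issuance created it.
root@UBT-VM: /usr/lib/ssl/demoCA# openssl x509 -req -in client-req.csr -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650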
另一種生成證書的方法:
- 生成證書的腳本如下:
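#!/usr/bin/env bash
# Creates, in the current directory: a 4096-bit RSA key pair, a CSR, a
# self-signed certificate carrying the [ v3_ca ] extensions from ./openssl.cnf,
# and a PKCS#12 bundle of certificate plus private key.
# Stop at the first failing command so a missing or partial file is never fed
# into the next step.
set -euo pipefail

# Private key (genrsa writes an unencrypted PEM; restrict its permissions).
openssl genrsa -out zk.private.pem 4096
# Public key. -pubout was missing: without it `openssl rsa` re-emits the
# PRIVATE key, so zk.public.pem was a second unencrypted copy of the secret
# under a name that invites it to be handed out.
openssl rsa -in ./zk.private.pem -pubout -out ./zk.public.pem
# CSR; -subj supplies the DN directly, bypassing the req_distinguished_name prompts.
openssl req -new -key ./zk.private.pem -out ./zk.root.csr -config ./openssl.cnf -subj '/C=CN/ST=FJ/L=XM/OU=Zkteco Co., Ltd./O=ZKTeco Xiamen/CN=access.control.com'
# Self-signed certificate: SHA-256, ~100-year validity, extensions from [ v3_ca ].
# NOTE(review): [ v3_ca ] sets basicConstraints = CA:FALSE, so despite its name
# zk.root.crt cannot be used to sign further certificates. The fixed serial
# (-set_serial 1) is reused on every run; bump it when re-issuing, since some
# clients key cached certificates on issuer + serial.
openssl x509 -req -days 36500 -extensions v3_ca -set_serial 1 -in ./zk.root.csr -signkey ./zk.private.pem -sha256 -out ./zk.root.crt -extfile ./openssl.cnf
# PKCS#12 bundle of certificate and private key. -export prompts for the bundle
# passphrase; use -passout to supply it non-interactively.
openssl pkcs12 -export -clcerts -in zk.root.crt -inkey zk.private.pem -out zk.p12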
- openssl.cnf配置文件的內容:
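[ req ]
# Settings read by `openssl req` (the CSR step of the script above).
# Default RSA key size when req generates the key itself (-newkey without a
# size); a power of two, 4096 or more recommended. The script creates the key
# with genrsa, so this value is not used there.
default_bits = 4096
# input_password / output_password used to hold the private-key passphrase in
# plaintext here. They were removed: the key produced by genrsa in the script is
# unencrypted, so req needs no passphrase, and if an encrypted key is ever used
# the passphrase should be supplied with -passin/-passout at invocation time,
# not stored in a config file that is copied into notes and repositories.
# Digest for signing the CSR. The previous value, sha1, is rejected by current
# clients; md5, md2 and mdc2 should not be used at all. The x509 step of the
# script passes -sha256 explicitly for the certificate itself.
default_md = sha256
# Default file name for a key generated by req (-newkey).
default_keyfile = zk.private.pem
# Section holding the DN prompts and defaults (bypassed when -subj is given).
distinguished_name = req_distinguished_name
# Extensions added when req makes a self-signed certificate directly (req -x509).
x509_extensions = v3_ca
# NOTE(review): `extensions` is not a [ req ] setting; `openssl x509 -extfile`
# looks for it in the unnamed default section, and the script names the section
# explicitly with -extensions v3_ca, so this line is inert. Kept unchanged.
extensions = v3_ca
# Extensions embedded in the CSR itself.
req_extensions = v3_ca
# NOTE(review): default_days is read by `openssl ca`, not `openssl req`, so it
# is inert here; the certificate's validity comes from the script's
# `x509 -days 36500` (~100 years). Some clients cap server-certificate lifetimes
# even for private CAs, so check such a long validity against the intended
# devices.
default_days = 36500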
##### Extensions added to the certificate (and, via req_extensions, to the CSR) #####
[ v3_ca ]
# NOTE(review): CA:FALSE contradicts the rest of this section. keyCertSign,
# cRLSign and nsCertType = sslCA describe a CA certificate, while CA:FALSE and
# the subjectAltName below describe a leaf. A relying party that checks purpose
# may reject the certificate either way: if zk.root.crt is meant to sign other
# certificates it needs basicConstraints = CA:TRUE; if it is the server
# certificate itself, keyCertSign, cRLSign and nsCertType should be removed and
# extendedKeyUsage = serverAuth added. Decide which role it has — left unchanged here.
basicConstraints = CA:FALSE
# Key identifier derived from the public key.
subjectKeyIdentifier = hash
# Left commented out on the page; for a self-signed certificate it would point
# at the certificate's own subjectKeyIdentifier.
#authorityKeyIdentifier = keyid:always, issuer:always
# Marked critical: a client that does not understand keyUsage must reject the cert.
# keyEncipherment is absent, so RSA key exchange (TLS 1.2 RSA cipher suites)
# cannot be used with this certificate; (EC)DHE suites only need digitalSignature.
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
# Legacy Netscape extension; current clients largely ignore it.
nsCertType = sslCA
# Subject alternative names are listed in the [ acc_names ] section below.
subjectAltName = @acc_names
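[ req_distinguished_name ]
# Prompt text (`field = prompt`), defaults (`field_default`) and length limits
# (`field_min` / `field_max`) that `openssl req` uses in interactive mode. The
# script above passes -subj, which bypasses these prompts entirely.
# The original prompt strings ("CN", "match", "zkteco") were replaced with
# descriptive text: in interactive mode they are shown verbatim to the user, and
# "match" in particular is an `openssl ca` policy keyword, not a prompt.
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
organizationName = Organization Name (eg, company)
organizationName_default = ZKTeco
#organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default = Condor Project
commonName = Common Name (eg, server FQDN or hostname)
commonName_default = zkteco Self Signed CA
commonName_max = 64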
[ acc_names ]
# subjectAltName entries referenced from [ v3_ca ]. Current TLS clients match the
# requested host against these entries rather than the subject CN.
# Hostname; the script's -subj uses the same name as CN.
DNS.1 = access.control.com
# Site-specific LAN address — adjust per deployment.
IP.1 = 192.168.227.90
# IPv4 loopback
IP.2 = 127.0.0.1
# IPv6 loopback
IP.3 = ::1