Linux Basics
1 Preface
One question, one article, one story.
The author needed self-signed certificates to configure certificate authentication between Logstash and Filebeat, and put this section together as a result.
2 Best Practice
2.1 Create the CA certificate and private key
2.1.1 Generate the CA private key
openssl genrsa -out ca.key 2048
2.1.2 Generate the CA certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt
The command-line prompts are as follows,
[...]
Enter PEM pass phrase: ******
Verifying - Enter PEM pass phrase: ******
[...]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Dongguan
Organization Name (eg, company) [Default Company Ltd]:cmdschool.org
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:cmdschool.org CA
Email Address []:
The following command is equivalent to the one above; the parameters are preset, so nothing is asked interactively,
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt \
    -subj "/C=CN/ST=Guangdong/L=Dongguan/O=cmdschool.org/OU=CA/CN=cmdschool.org CA"
2.2 Create the server certificate and private key
2.2.1 Generate the server private key
openssl genrsa -out server.key 2048
2.2.2 Generate the server certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
The certificate creation prompts are as follows,
Enter pass phrase for server.key: ******
[...]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Dongguan
Organization Name (eg, company) [Default Company Ltd]:cmdschool.org
Organizational Unit Name (eg, section) []:Server
Common Name (eg, your name or your server's hostname) []:hostname.cmdschool.org
Email Address []:
[...]
A challenge password []:
An optional company name []:
The following command is equivalent to the one above; the parameters are preset, so nothing is asked interactively,
openssl req -new -key server.key -out server.csr \
    -subj "/C=CN/ST=Guangdong/L=Dongguan/O=cmdschool.org/OU=Server/CN=hostname.cmdschool.org"
2.2.3 Sign the server certificate with the CA certificate
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
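The whole procedure of sections 2.1 and 2.2 as one non-interactive script, added here as an example; it is not code from the original article. It goes one step beyond the article's commands by setting the X.509 extensions explicitly: `openssl x509 -req` does not carry extensions over from the CSR, so the server certificate as signed above has no subjectAltName, and Go-based TLS clients such as Filebeat match the hostname only against subjectAltName, never against the CN. The script therefore writes a DNS subjectAltName for the server, marks the CA certificate as CA:TRUE through its own small req config instead of relying on the system openssl.cnf, and checks the result with `openssl verify -verify_hostname`. The subject fields and the hostname hostname.cmdschool.org come from the article; the function names, file layout and config contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: the CA and server
# certificate procedure above, run non-interactively, with explicit X.509
# extensions and a verification step. Function names, file layout and the
# config contents are assumptions; subjects follow the article.
set -eu

# Write a minimal config for 'openssl req' into $1 so the run does not depend
# on the system openssl.cnf. ca_ext marks the self-signed certificate as a CA.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# 2.1: CA private key and self-signed CA certificate in directory $1.
make_ca() {
    dir=$1
    write_req_config "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 1024 \
        -config "$dir/req.cnf" -out "$dir/ca.crt" \
        -subj "/C=CN/ST=Guangdong/L=Dongguan/O=cmdschool.org/OU=CA/CN=cmdschool.org CA"
}

# 2.2: server key, CSR and CA-signed certificate in directory $1 for
# hostname $2. The hostname goes into both the CN and a DNS subjectAltName.
make_server_cert() {
    dir=$1
    host=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -out "$dir/server.csr" \
        -subj "/C=CN/ST=Guangdong/L=Dongguan/O=cmdschool.org/OU=Server/CN=$host"
    # 'openssl x509 -req' does not copy extensions from the CSR; they have to
    # be supplied with -extfile, otherwise the server certificate ends up with
    # no subjectAltName and no key usage at all.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 365 -sha256 \
        -extfile "$dir/server.ext" 2>/dev/null
}

# Exit 0 when server.crt in $1 chains to ca.crt and is valid for hostname $2.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Exit 0 when certificate $1 carries a DNS subjectAltName entry for $2.
has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# Exit 0 when certificate $1 is marked as a CA (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

work=$(mktemp -d)
make_ca "$work"
make_server_cert "$work" hostname.cmdschool.org
verify_server_cert "$work" hostname.cmdschool.org
has_dns_san "$work/server.crt" hostname.cmdschool.org
echo "ca.crt, server.key and server.crt written to $work; chain and hostname verified"
```

For a Logstash input, ca.crt goes into the Beats input's certificate_authorities list on the Filebeat side and server.crt/server.key into the input's ssl_certificate and ssl_key; the `has_dns_san` check is the quick way to confirm, before touching either service, that the certificate will pass a Go client's hostname check.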