1 前言

一个问题，一篇文章，一出故事。
笔者由于配置Logstash与FileBeat的证书认证需要创建自签名证书，于是整理本章节。

2 最佳实践

2.1 创建CA证书和私钥

2.1.1 生成CA私钥

openssl genrsa -out ca.key 2048

2.1.2 生成CA证书

openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt

命令行向导如下，

[...]
Enter PEM pass phrase: ******
Verifying - Enter PEM pass phrase: ******
[...]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Dongguan
Organization Name (eg, company) [Default Company Ltd]:cmdschool.org
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:cmdschool.org CA
Email Address []:

以下命令等价上面的指令，参数预设，没有交互询问参数，

openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.crt \
  -subj "/C=CN/ST=Guangdong/L=Dongguan/O=cmdschool.org/OU=CA/CN=cmdschool.org CA"

2.2 创建服务器证书和私钥

2.2.1 生成服务器私钥

openssl genrsa -out server.key 2048

2.2.2 生成服务器证书签名请求(CSR)

openssl req -new -key server.key -out server.csr

创建证书的向导如下，

Enter pass phrase for server.key: ******
[...]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Dongguan
Organization Name (eg, company) [Default Company Ltd]:cmdschool.org
Organizational Unit Name (eg, section) []:Server
Common Name (eg, your name or your server's hostname) []:hostname.cmdschool.org
Email Address []:
[...]
A challenge password []:
An optional company name []:

以下命令等价上面的指令，参数预设，没有交互询问参数，

openssl req -new -key server.key -out server.csr \
  -subj "/C=CN/ST=Guangdong/L=Dongguan/O=cmdschool.org/OU=Server/CN=hostname.cmdschool.org"

2.2.3 使用CA证书签发服务器证书

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

参阅文档
====================

如何创建TLS/SSL自签名证书？