Information you will be asked for during the process:
COMMON NAME is the domain name (FQDN), e.g. star.im.chu.edu.tw
pass is a password you choose yourself
the rest are the organization/agency name and city details
step 1: generate the private key (common file names: private.pem or server.key) (key length: 4096 or 2048; the lengths used below must match)
openssl genrsa -out server.key 4096
step 2: generate the certificate signing request (CSR) from that key
openssl req -new -sha256 -key server.key -out server.csr
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
openssl req -new -newkey rsa:4096 -nodes -out star_im_chu_edu_tw.csr -keyout star_im_chu_edu_tw.key -subj "/C=TW/ST=Taiwan/L=Hsinchu/O=CHU/OU=IM/CN=star.im.chu.edu.tw"
step 1+2: steps 1 and 2 can be done in a single command
openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout server.key -out server.csr
openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout server.key -days 730 -out server.pem
step 4: prepare x509.ext
step 4: my CA: act as your own CA (certificate issuing authority)
openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout CA.key -out CA.csr
openssl x509 -req -sha256 -extfile x509.ext -extensions ca -in CA.csr -signkey CA.key -days 1095 -out CA.pem
openssl req -new -sha256 -nodes -newkey rsa:4096 -keyout server.key -out server.csr
openssl x509 -req -sha256 -CA CA.pem -CAkey CA.key -days 730 -CAcreateserial -CAserial CA.srl -extfile x509.ext -extensions server -in server.csr -out server.pem
Inspect the resulting certificate and CSR:
openssl x509 -in server.pem -noout -text
openssl req -in server.csr -noout -text
private.pem === server.key === server.pem (private key)
Reference settings for the x509.ext file:
[ ca ]
# X509 extensions for a ca
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ server ]
# X509 extensions for a server
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
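The following script is an added example, not the post's own commands. It assumes openssl 1.1.1 or newer is on PATH, writes a copy of the x509.ext above into a scratch directory (adding a subjectAltName to the [server] section, since browsers ignore the CN alone), builds the CA and signs a server certificate for star.im.chu.edu.tw with shorter 2048-bit keys, and then runs the two checks worth doing before the files go into Apache: chain plus host-name verification against the CA, and a key/certificate match. Every file name and subject below is a constructed value.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, signed server
# certificate using the [server] section of x509.ext, then verification.
# Assumes openssl 1.1.1+ on PATH; all files are written to a scratch directory.
set -e

WORK=$(mktemp -d)
HOST=star.im.chu.edu.tw   # host name from the post

# Constructed x509.ext: the post's reference file plus a subjectAltName entry.
write_ext() {
  cat > "$WORK/x509.ext" <<EOF
[ ca ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ server ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = DNS:$HOST
EOF
}

# Self-signed CA certificate, 3 years, using the [ca] extensions.
make_ca() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj "/C=TW/O=CHU/OU=IM/CN=Example Private CA" \
    -keyout "$WORK/CA.key" -out "$WORK/CA.csr" 2>/dev/null
  openssl x509 -req -sha256 -extfile "$WORK/x509.ext" -extensions ca \
    -in "$WORK/CA.csr" -signkey "$WORK/CA.key" -days 1095 \
    -out "$WORK/CA.pem" 2>/dev/null
}

# Server key + CSR, then a CA-signed leaf certificate with [server] extensions.
make_server() {
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj "/C=TW/ST=Taiwan/L=Hsinchu/O=CHU/OU=IM/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -CA "$WORK/CA.pem" -CAkey "$WORK/CA.key" \
    -CAcreateserial -days 730 -extfile "$WORK/x509.ext" -extensions server \
    -in "$WORK/server.csr" -out "$WORK/server.pem" 2>/dev/null
}

# Check 1: the leaf chains to our CA and is valid for the intended host name.
verify_chain() {
  openssl verify -CAfile "$WORK/CA.pem" -verify_hostname "$HOST" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# Check 2: the private key really belongs to the certificate (same public key).
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/server.pem" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

build_and_check() {
  write_ext
  make_ca
  make_server
  verify_chain && key_matches_cert
}

build_and_check && echo "server.key / server.pem verified in $WORK"
```

The key/certificate comparison hashes the SubjectPublicKeyInfo from both files; a mismatch here is the usual cause of mod_ssl refusing to start after a key was regenerated but the old certificate was left in place.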
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -nodes -sha256 \
-subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -nodes -sha256
SSLCertificateKeyFile "${SRVROOT}/conf/localhost.key"
SSLCertificateFile "${SRVROOT}/conf/localhost.crt"
Fixing the error
AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
At the pass prompt just press [enter]; to make testing easier, use different file names for the key and crt (or cert) files.
openssl genrsa -out notEncodedPk.key 3072
openssl req -new -out website.csr -sha256 -key notEncodedPk.key
openssl x509 -req -in website.csr -days 365 -signkey notEncodedPk.key -out website.crt -outform PEM
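The AH01906 message above comes from mod_ssl rejecting a certificate whose basicConstraints says CA:TRUE, which newer openssl versions add by default when `req -x509` is run with no extension section. As an added example (not part of the post), the script below assumes openssl 1.1.x or newer on PATH, gives a small check you can run against any certificate produced by the recipes above before it goes into SSLCertificateFile, and generates a localhost certificate from an explicit extension section (the same idea as the `-extensions EXT -config` one-liner earlier, written to a file so it also works under plain sh). File and section names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): detect the cause of Apache's
# AH01906 ("server certificate is a CA certificate") and generate a localhost
# certificate that cannot trigger it. Assumes openssl 1.1.x+ on PATH.
set -e

WORK=$(mktemp -d)

# Returns 0 when the certificate carries basicConstraints CA:TRUE, i.e. when
# mod_ssl would refuse it as a server certificate; 1 otherwise.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Returns 0 when the certificate lists the given host as a DNS subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Explicit extension section: CA:FALSE plus a SAN. Because the section is
# given explicitly, openssl does not fall back to its CA:TRUE default.
write_config() {
  cat > "$WORK/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
[EXT]
subjectAltName = DNS:localhost
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed leaf certificate for localhost that Apache will accept.
make_localhost_cert() {
  write_config
  openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
    -config "$WORK/localhost.cnf" -extensions EXT \
    -keyout "$WORK/localhost.key" -out "$WORK/localhost.crt" 2>/dev/null
}

# Pre-deployment check for a certificate destined for SSLCertificateFile:
# must not be a CA certificate and must carry a SAN for the served host name.
apache_ready() {
  ! cert_is_ca "$1" && cert_has_san "$1" "$2"
}

make_localhost_cert
if apache_ready "$WORK/localhost.crt" localhost; then
  echo "localhost.crt is a non-CA leaf with a SAN: safe for mod_ssl"
else
  echo "localhost.crt would trigger AH01906 or fail host-name checks"
fi
```

Run `cert_is_ca` against a certificate made with the plain `openssl req -x509 ... -newkey rsa:2048 -nodes -sha256` command to see whether your openssl version is the one adding CA:TRUE; the fix in every case is to state the extensions yourself rather than rely on the defaults.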