环境
系统:CentOS 7.8
安装
-
安装
# yum install gnutls-utils
-
创建工作目录
# mkdir /data/ssl
# cd /data/ssl
（该目录随后会存放 CA 私钥 ca-key.pem，建议限制为仅 root 可访问，例如 chmod 700 /data/ssl。）
CA
-
创建CA模版
# vim ca.tmpl
cn = "Your CA name"
organization = "Your organization name"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
-
生成CA私钥
# certtool --generate-privkey --outfile ca-key.pem
-
生成CA证书
# certtool --generate-self-signed \
    --load-privkey ca-key.pem \
    --template ca.tmpl \
    --outfile ca-cert.pem
Server密钥和证书
-
创建Server证书模版
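# vim server.tmpl
cn = "Your hostname or IP"
organization = "Your organization name"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
（注意：许多现代 TLS 客户端（如主流浏览器）校验主机名时只看 subjectAltName 而忽略 cn，建议在模版中同时加入 dns_name = "你的域名" 或 ip_address = "你的IP"。）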
-
生成Server私钥
# certtool --generate-privkey --outfile server-key.pem
-
生成Server证书
# certtool --generate-certificate \
    --load-privkey server-key.pem \
    --load-ca-certificate ca-cert.pem \
    --load-ca-privkey ca-key.pem \
    --template server.tmpl \
    --outfile server-cert.pem
Client密钥和证书
-
创建Client证书模版
# vim client-zhangsan.tmpl
cn = "zhangsan"
unit = "zhangsan unit"
expiration_days = 3650
signing_key
tls_www_client
-
生成Client私钥
# certtool --generate-privkey --outfile client-zhangsan-key.pem
-
生成Client证书
# certtool --generate-certificate \
    --load-privkey client-zhangsan-key.pem \
    --load-ca-certificate ca-cert.pem \
    --load-ca-privkey ca-key.pem \
    --template client-zhangsan.tmpl \
    --outfile client-zhangsan-cert.pem
-
转换为p12证书
# openssl pkcs12 -export \
    -inkey client-zhangsan-key.pem \
    -in client-zhangsan-cert.pem \
    -certfile ca-cert.pem \
    -out client-zhangsan.p12
（执行时会提示设置导出密码；p12 文件内含客户端私钥，请设置强密码，并通过安全渠道分发给用户。）