本博客适用于测试使用,因为生成的证书需导入客户端电脑,如需商用请购买证书
1.windows电脑下载openSSL软件
官方下载地址: https://www.openssl.org/source/
备用下载地址: http://slproweb.com/products/Win32OpenSSL.html
2.找个目录新建如下文件夹及文件
ca ├── certs 证书目录 ├── crl 证书吊销目录 ├── index.txt CA 签发证书列表 ├── index.txt.attr CA 签发证书列表配置 ├── newcerts CA 签发的证书备份 ├── openssl.cnf openssl 配置文件,-config 参数用 ├── private 私钥目录 └── serial CA 下一次签发证书时使用的序列号
附: openssl.cnf 文件(需要修改dir和alt_names)
打开serial文件写入数字"00",后期每生成pem,数字会增加1
[ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = D:/ca #这里改成实际目录 certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/private/.rand # The root key and root certificate. private_key = $dir/private/ca.key.pem certificate = $dir/certs/ca.cert.pem # For certificate revocation lists. crlnumber = $dir/crlnumber crl = $dir/crl/ca.crl.pem crl_extensions = crl_ext default_crl_days = 30 # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 name_opt = ca_default cert_opt = ca_default default_days = 375 preserve = no policy = policy_strict [ policy_strict ] # The root CA should only sign intermediate certificates that match. # See the POLICY FORMAT section of `man ca`. countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] # Options for the `req` tool (`man req`). default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 # Extension to add when the -x509 option is used. x509_extensions = v3_ca req_extensions = v3_req [ req_distinguished_name ] # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address # Optionally, specify some defaults. countryName_default = CN stateOrProvinceName_default = China localityName_default = 0.organizationName_default = zhihu #organizationalUnitName_default = #emailAddress_default = [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = word.com #这里修改为你的映射网址(hosts我修改为"我的ip地址 www.word.com") DNS.2 = *.word.com [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] # Extensions for a typical intermediate CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "OpenSSL Generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always [ ocsp ] # Extension for OCSP signing certificates (`man ocsp`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning
签发步骤
打开cmd命令工具或者powerSher进入到ca文件夹
3.生成 CA
生成私钥
openssl ecparam -genkey -name secp256r1 |openssl ec -out private/ca.key.pem
使用 ECC 算法生成 256 位 CA 私钥
生成自签署证书,类型由 openssl.cnf 中配置的扩展字段指定为 CA 证书类型
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
需要输入各项信息。由于是 CA 根证书, Common Name 字段不需要为域名。这里使用的 zhihuRootCA
生成后即可将 certs/ca.cert.pem 安装于客户端操作系统/浏览器中作为受信任的跟证书颁发机构,由此 CA 签署的证书均会被客户端信任
生成服务器密钥
生成私钥
openssl ecparam -genkey -name secp256r1 | openssl ec -out private/stf.key.pem
与 CA 私钥生成方法相同
生成证书请求文件
openssl req -config openssl.cnf -new -key private/stf.key.pem -out certs/stf.csr.pem
填写证书相关信息,这里 Common Name 字段需要为证书域名。需要提前在 openssl.cnf 中编辑好 subjectAltName 以保证证书扩展字段中 DNS 可选域名正确。
使用 CA 签发服务器证书
openssl ca -config openssl.cnf -extensions server_cert -days 1095 -md sha256 -in certs/stf.csr.pem -out certs/stf.cert.pem
需要提前在 openssl.cnf 中编辑好 subjectAltName 以保证证书扩展字段中 DNS 可选域名正确。
以上输入的两次国家组织等信息 尽量相同
至此:已经生成pem文件
因为nginx和tomcat不支持pem证书,所以需要转为jks证书
执行如下的openssl指令,将stf.cert.pem和stf.key.pem(证书和证书的密钥文件)导出到PKCS12格式的证书文件(p12证书):
把ca/private/stf.key.pem文件复制一份到ca\certs下 cmd命令进入到ca\certs下执行命令
openssl pkcs12 -export -out cert.p12 -in stf.cert.pem -inkey stf.key.pem
此时文件夹下已经有了.p12文件
4.将.p12转为jks文件
keytool.exe -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -destkeystore cert.jks -deststorepass 123456
证书的使用
ca.cert.pem:打开浏览器 > 设置 > 安全 > 管理证书
导入ca.cert.pem(打开文件所在路径,后缀选择*.*) 证书存储选择"受信任的根证书颁发机构"
cert.jks:导入Java项目 配置properties
stf.cert.pem和stf.key.pem:将文件放到放到nginx的ssl目录下
配置nginx.conf 
重启项目,浏览器,nginx(之前启动过nginx的杀掉进程,重新启动)