本博客適用於測試使用,因為生成的證書需導入客戶端電腦,如需商用請購買證書
1.windows電腦下載openSSL軟件
官方下載地址: https://www.openssl.org/source/
備用下載地址: http://slproweb.com/products/Win32OpenSSL.html
2.找個目錄新建如下文件夾及文件
ca ├── certs 證書目錄 ├── crl 證書吊銷目錄 ├── index.txt CA 簽發證書列表 ├── index.txt.attr CA 簽發證書列表配置 ├── newcerts CA 簽發的證書備份 ├── openssl.cnf openssl 配置文件,-config 參數用 ├── private 私鑰目錄 └── serial CA 下一次簽發證書時使用的序列號
附: openssl.cnf 文件(需要修改dir和alt_names)
打開serial文件寫入數字"00",后期每生成pem,數字會增加1
[ ca ] # `man ca` default_ca = CA_default [ CA_default ] # Directory and file locations. dir = D:/ca #這里改成實際目錄 certs = $dir/certs crl_dir = $dir/crl new_certs_dir = $dir/newcerts database = $dir/index.txt serial = $dir/serial RANDFILE = $dir/private/.rand # The root key and root certificate. private_key = $dir/private/ca.key.pem certificate = $dir/certs/ca.cert.pem # For certificate revocation lists. crlnumber = $dir/crlnumber crl = $dir/crl/ca.crl.pem crl_extensions = crl_ext default_crl_days = 30 # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 name_opt = ca_default cert_opt = ca_default default_days = 375 preserve = no policy = policy_strict [ policy_strict ] # The root CA should only sign intermediate certificates that match. # See the POLICY FORMAT section of `man ca`. countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_loose ] # Allow the intermediate CA to sign a more diverse range of certificates. # See the POLICY FORMAT section of the `ca` man page. countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] # Options for the `req` tool (`man req`). default_bits = 2048 distinguished_name = req_distinguished_name string_mask = utf8only # SHA-1 is deprecated, so use SHA-2 instead. default_md = sha256 # Extension to add when the -x509 option is used. x509_extensions = v3_ca req_extensions = v3_req [ req_distinguished_name ] # See <https://en.wikipedia.org/wiki/Certificate_signing_request>. countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name localityName = Locality Name 0.organizationName = Organization Name organizationalUnitName = Organizational Unit Name commonName = Common Name emailAddress = Email Address # Optionally, specify some defaults. countryName_default = CN stateOrProvinceName_default = China localityName_default = 0.organizationName_default = zhihu #organizationalUnitName_default = #emailAddress_default = [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = word.com #這里修改為你的映射網址(hosts我修改為"我的ip地址 www.word.com") DNS.2 = *.word.com [ v3_ca ] # Extensions for a typical CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ v3_intermediate_ca ] # Extensions for a typical intermediate CA (`man x509v3_config`). subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = critical, CA:true, pathlen:0 keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ usr_cert ] # Extensions for client certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = client, email nsComment = "OpenSSL Generated Client Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection [ server_cert ] # Extensions for server certificates (`man x509v3_config`). basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [ crl_ext ] # Extension for CRLs (`man x509v3_config`). authorityKeyIdentifier=keyid:always [ ocsp ] # Extension for OCSP signing certificates (`man ocsp`). basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer keyUsage = critical, digitalSignature extendedKeyUsage = critical, OCSPSigning
簽發步驟
打開cmd命令工具或者powerSher進入到ca文件夾
3.生成 CA
生成私鑰
openssl ecparam -genkey -name secp256r1 |openssl ec -out private/ca.key.pem
使用 ECC 算法生成 256 位 CA 私鑰
生成自簽署證書,類型由 openssl.cnf 中配置的擴展字段指定為 CA 證書類型
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
需要輸入各項信息。由於是 CA 根證書, Common Name 字段不需要為域名。這里使用的 zhihuRootCA
生成后即可將 certs/ca.cert.pem 安裝於客戶端操作系統/瀏覽器中作為受信任的跟證書頒發機構,由此 CA 簽署的證書均會被客戶端信任
生成服務器密鑰
生成私鑰
openssl ecparam -genkey -name secp256r1 | openssl ec -out private/stf.key.pem
與 CA 私鑰生成方法相同
生成證書請求文件
openssl req -config openssl.cnf -new -key private/stf.key.pem -out certs/stf.csr.pem
填寫證書相關信息,這里 Common Name 字段需要為證書域名。需要提前在 openssl.cnf 中編輯好 subjectAltName 以保證證書擴展字段中 DNS 可選域名正確。
使用 CA 簽發服務器證書
openssl ca -config openssl.cnf -extensions server_cert -days 1095 -md sha256 -in certs/stf.csr.pem -out certs/stf.cert.pem
需要提前在 openssl.cnf 中編輯好 subjectAltName 以保證證書擴展字段中 DNS 可選域名正確。
以上輸入的兩次國家組織等信息 盡量相同
至此:已經生成pem文件
因為nginx和tomcat不支持pem證書,所以需要轉為jks證書
執行如下的openssl指令,將stf.cert.pem和stf.key.pem(證書和證書的密鑰文件)導出到PKCS12格式的證書文件(p12證書):
把ca/private/stf.key.pem文件復制一份到ca\certs下 cmd命令進入到ca\certs下執行命令
openssl pkcs12 -export -out cert.p12 -in stf.cert.pem -inkey stf.key.pem
此時文件夾下已經有了.p12文件
4.將.p12轉為jks文件
keytool.exe -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -destkeystore cert.jks -deststorepass 123456
證書的使用
ca.cert.pem:打開瀏覽器 > 設置 > 安全 > 管理證書
導入ca.cert.pem(打開文件所在路徑,后綴選擇*.*) 證書存儲選擇"受信任的根證書頒發機構"
cert.jks:導入Java項目 配置properties
stf.cert.pem和stf.key.pem:將文件放到放到nginx的ssl目錄下
配置nginx.conf 
重啟項目,瀏覽器,nginx(之前啟動過nginx的殺掉進程,重新啟動)