[SSL] Generating a self-signed certificate
SSL is the mechanism that gives web applications confidential transport; it runs at the application layer. Obtaining a valid certificate from a CA, however, is a time-consuming process, so during development and testing you can use a self-signed certificate as a stopgap. But! A system that is going into production should wait for a legitimate certificate before release, to avoid man-in-the-middle (MITM) attacks.
- First, generate a private key for our CA:

      openssl genrsa -out root/ca.key 4096

- Use that private key to create a self-signed CA certificate:

      openssl req -new -x509 -days 365 -sha256 \
          -subj "/C=TW/ST=Taipei/O=your_company/OU=your_department/CN=localhost" \
          -key root/ca.key \
          -out root/ca.crt

- Generate the server's private key as an unencrypted PEM file:

      openssl genrsa -out server/server.key 2048

- Generate the certificate signing request (CSR):

      openssl req -new -key server/server.key \
          -subj "/C=TW/ST=Taipei/O=your_company/OU=your_department/CN=your_service_FQDN" \
          -out server/server.csr

- Hand the CSR just created to the CA for signing:

      openssl x509 -req -CAcreateserial -days 30 -sha256 \
          -CA root/ca.crt -CAkey root/ca.key \
          -in server/server.csr \
          -out server/server.crt
- The directories should now contain the files below; server.key is the private key and server.crt is the certificate that carries the public key (note that ca.key and server.key are the only files with mode 0600, as they should be):

      $ ls -alR .
      ./root:
      total 20
      drwxrwxr-x 2 user user 4096 Oct 21 02:05 .
      drwxrwxr-x 4 user user 4096 Oct  7 22:40 ..
      -rw-rw-r-- 1 user user 1968 Oct 21 02:05 ca.crt
      -rw------- 1 user user 3243 Oct 21 02:05 ca.key
      -rw-rw-r-- 1 user user   41 Oct 21 02:05 ca.srl
      ./server:
      total 20
      drwxrwxr-x 2 user user 4096 Oct 21 02:05 .
      drwxrwxr-x 4 user user 4096 Oct  7 22:40 ..
      -rw-rw-r-- 1 user user 1501 Oct 21 02:05 server.crt
      -rw-rw-r-- 1 user user  972 Oct 21 02:05 server.csr
      -rw------- 1 user user 1679 Oct 21 02:05 server.key
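The five steps above, collected into one script as an added example (this is not code from the original post). It follows the same openssl commands but adds two things a practitioner will want: a subjectAltName on the server certificate, because current browsers and TLS libraries match the hostname against the SAN rather than the CN, and a final `openssl verify` that proves the server certificate actually chains to the CA and matches the hostname. The directory layout, subject fields, the hostname `localhost` and the CA name "your_company Dev CA" are placeholders; OpenSSL 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example: CA -> server key -> CSR -> signed certificate -> verification.
# Assumes OpenSSL 1.1.1+ and a standard openssl.cnf (so "req -x509" marks the CA
# certificate CA:TRUE). Subject fields and hostnames are placeholders.
set -eu

# make_pki DIR HOSTNAME
# Creates DIR/root/{ca.key,ca.crt,ca.srl} and
# DIR/server/{server.key,server.csr,server.crt}, then verifies the result.
make_pki() {
    dir="$1"
    host="$2"
    subj_base="/C=TW/ST=Taipei/O=your_company/OU=your_department"
    mkdir -p "$dir/root" "$dir/server"

    # 1. CA private key. Whoever holds this file can issue certificates that
    #    every client trusting ca.crt will accept, so keep it 0600.
    openssl genrsa -out "$dir/root/ca.key" 4096 2>/dev/null
    chmod 600 "$dir/root/ca.key"

    # 2. Self-signed CA certificate. Its subject must differ from the server's,
    #    otherwise OpenSSL treats the leaf as self-signed and verification fails.
    openssl req -new -x509 -days 365 -sha256 \
        -subj "$subj_base/CN=your_company Dev CA" \
        -key "$dir/root/ca.key" \
        -out "$dir/root/ca.crt"

    # 3. Server private key, unencrypted PEM (the web server reads it at start-up).
    openssl genrsa -out "$dir/server/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server/server.key"

    # 4. Certificate signing request for the server.
    openssl req -new -key "$dir/server/server.key" \
        -subj "$subj_base/CN=$host" \
        -out "$dir/server/server.csr"

    # 5. Sign the CSR with the CA. The extension file adds the SAN and pins the
    #    certificate to server use; "x509 -req" adds no extensions on its own.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server/server.ext"
    openssl x509 -req -CAcreateserial -days 30 -sha256 \
        -CA "$dir/root/ca.crt" -CAkey "$dir/root/ca.key" \
        -in "$dir/server/server.csr" \
        -extfile "$dir/server/server.ext" \
        -out "$dir/server/server.crt" 2>/dev/null

    # 6. Checks: the certificate must chain to ca.crt and carry the hostname as a SAN.
    openssl verify -CAfile "$dir/root/ca.crt" -verify_hostname "$host" \
        "$dir/server/server.crt" >/dev/null
    openssl x509 -in "$dir/server/server.crt" -noout -text | grep -q "DNS:$host"
}

# Usage: sh make_pki.sh ./pki your_service_FQDN
if [ -n "${1:-}" ]; then
    make_pki "$1" "${2:-localhost}"
    echo "certificate for ${2:-localhost} issued and verified under $1/root/ca.crt"
fi
```

The script stops at the first failing command, so if it prints the final line, the chain verified. Clients will still reject the server certificate until ca.crt is added to their trust store; that is the expected outcome for a private CA, and it is why the post recommends a certificate from a public CA before going live.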