Self-signed SSL certificate
三驾马车 · 2024-11-29 · via 博客园 - 三驾马车

Use the openssl tool to create a self-signed SSL certificate; this makes it easy to deploy HTTPS in an intranet environment and adds a lock to your website's security.

Self-signing flow: create the CA private key ---> generate the CA root certificate with the CA private key ---> create the SSL private key ---> create the SSL certificate CSR ---> sign the CSR with the CA root certificate to produce the SSL certificate

Procedure:

1. Create a folder named ca to hold the CA certificate files

2. Create the CA private key (setting a passphrase is recommended)

sudo openssl genrsa -des3 -out CA.key 2048

3. Generate the CA certificate, self-signed with a 20-year validity period. Import this CA certificate into the "Trusted Root Certification Authorities" store of every PC that needs to access the site; afterwards, any certificate signed by this CA will be accepted.

sudo openssl req -x509 -new -nodes -key CA.key -sha256 -days 7300 -out CA.crt

  # Command to inspect the certificate: sudo openssl x509 -in CA.crt -noout -text


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:d9:98:70:56:3f:c1:49:27:59:b3:a0:07:1f:80:b0:05:9f:52:0a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Validity
            Not Before: Mar 27 08:18:26 2024 GMT
            Not After : Mar 22 08:18:26 2044 GMT
        Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b4:f9:ee:6c:5e:ef:81:6d:21:2b:17:7f:6e:ce:
                    c3:82:1c:46:e6:28:ca:36:fb:49:dd:99:9e:44:a2:
                    84:8e:f0:b6:16:f7:0d:20:56:2d:7b:96:30:3d:23:
                    74:2d:d2:c0:25:2a:fd:df:2f:b9:30:82:38:a4:9d:
                    c8:e8:2b:9d:e9:e2:24:59:44:cd:2b:fa:ed:27:b6:
                    2d:62:3f:73:45:5d:84:8e:75:48:3e:da:0b:67:45:
                    89:f1:9f:1f:35:39:1b:de:24:fd:1d:f0:b3:9a:38:
                    6e:fe:6d:04:d7:23:c2:74:28:4f:8b:e2:5d:8f:05:
                    78:ce:af:24:f0:c3:e4:9f:fd:74:9d:28:e4:ca:3e:
                    7e:ff:b4:b5:ac:4c:d5:a8:fa:8b:d4:dd:1f:8a:11:
                    9a:72:58:6e:8c:95:f0:74:eb:3b:38:25:31:62:c7:
                    81:c5:78:ce:16:50:52:be:0f:df:47:2c:98:1f:6a:
                    c5:3b:ca:80:f2:12:5e:5c:cf:42:c6:96:6c:d3:8f:
                    0c:9d:a7:12:5a:74:7f:2c:33:8a:95:1b:a4:3e:a9:
                    f9:6e:3b:39:c7:62:8a:35:bf:d3:ea:80:01:3d:da:
                    db:19:cd:00:71:e2:17:ea:ee:9d:23:35:42:0b:52:
                    67:88:af:ca:79:d2:6b:87:a0:6f:9e:09:e6:c7:3e:
                    9d:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC
            X509v3 Authority Key Identifier:
                keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         85:3c:70:59:64:a4:e0:d0:69:ba:01:d2:c1:08:57:26:2c:2f:
         9b:ed:11:ea:36:48:9a:44:d2:3c:4c:f0:bf:0e:d9:2a:5b:b5:
         4e:bf:2b:89:0d:41:3d:9b:ce:65:6a:f2:43:c3:dc:89:fb:ee:
         43:9b:d7:74:a7:49:9c:d9:bc:f7:5c:2e:da:2d:49:c2:39:ca:
         c7:ba:23:e2:05:29:fa:ab:f5:56:5b:46:e2:29:06:4d:1b:53:
         72:b1:a9:10:0b:98:d1:60:bd:da:07:0f:b5:39:8b:0d:52:ae:
         6f:d7:43:a3:96:af:8f:22:36:2e:5e:ee:a4:77:e5:af:f6:63:
         de:b4:e4:3c:63:e0:ed:e5:17:e0:50:66:fc:eb:02:13:00:10:
         a5:f8:28:53:68:6b:91:dd:c4:02:d5:94:a2:dc:f9:d1:3d:b2:
         8c:59:5b:e5:c6:46:a5:65:a7:cf:87:0e:c8:1f:81:50:3b:75:
         5d:fd:62:e1:9f:09:1e:b7:26:92:b4:97:87:a7:6e:cc:d3:a8:
         8c:e8:cf:a9:03:0a:13:fe:ee:a0:81:7e:22:c6:0d:0f:16:74:
         25:48:42:03:11:ad:08:af:2b:00:d3:b1:5e:a3:99:78:e1:1d:
         c0:31:f3:bb:f0:b1:7f:a1:87:5f:7d:6b:da:2e:fb:ab:f8:7b:
         0e:e9:17:fb


4. Create the SSL certificate private key

cd ..
sudo mkdir certs
cd certs/
sudo openssl genrsa -out zabbix.key 2048        #create the ssl private key

5. Create the SSL certificate CSR

sudo openssl req -new -key zabbix.key -out zabbix.csr        #create the ssl certificate csr

6. Create the domain name extension configuration: create a new file with vim cert.ext, paste the following content into it and save


authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.2 = 192.168.11.100
IP.3 = 192.168.10.200
DNS.4 = xa.it.com
DNS.5 = xiykj.com
DNS.6 = *.xa.com


  # IP.2 = 192.168.11.100    is the IP address that will be accessed over https; IP.3 is also an IP address. The certificate can cover several IP addresses at once; this is how a certificate is self-signed for IP addresses

  # DNS.4 = xa.it.com    is the domain name that will be accessed over https; DNS.5 and DNS.6 are also domain names. The certificate can cover several domain names at once; this is how a certificate is self-signed for domain names

7. Sign the SSL certificate with the CA root certificate; the self-signed SSL certificate is valid for 20 years

sudo openssl x509 -req -in zabbix.csr -out zabbix.crt -days 7300 -CAcreateserial -CA ../ca/CA.crt -CAkey ../ca/CA.key -CAserial serial -extfile cert.ext

8. List the files with ls -al


File list:

cert.ext            #ssl certificate extension configuration
serial            #certificate serial number
zabbix.crt        #ssl certificate file, contains the public key
zabbix.csr        #ssl certificate signing request
zabbix.key        #ssl certificate private key


9. Inspect the signed certificate: sudo openssl x509 -in zabbix.crt -noout -text


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:ec:c9:2f:00:1e:d8:99:82:3c:e8:29:31:7f:a5:7e:7e:83:7a:e9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Validity
            Not Before: Mar 27 08:48:23 2024 GMT
            Not After : Mar 22 08:48:23 2044 GMT
        Subject: C = CN, ST = Shan Xi, L = Xi'An, O = kj inc, OU = it Dep, CN = xa.it.com, emailAddress = it@163.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:90:90:b4:a6:99:87:e0:da:a5:3e:bf:f2:e5:
                    c0:ea:1a:62:87:31:8e:f4:f0:4d:3f:38:78:08:96:
                    3b:51:b6:69:d6:e6:22:f5:03:ea:40:46:9f:bd:b9:
                    0e:0a:c4:ae:81:26:0a:42:d5:47:6f:27:48:98:11:
                    e1:d7:b0:47:46:07:c1:f0:4e:d5:b6:a1:4d:a9:2a:
                    36:6a:d3:5f:76:15:57:9b:e5:09:17:8d:3c:6d:7e:
                    b1:5c:17:97:8f:7b:36:85:1f:51:fb:df:d9:6a:c5:
                    eb:6c:22:bb:10:2c:01:87:eb:c8:08:d6:20:ed:26:
                    87:c1:52:c7:3d:0f:ec:85:f2:86:ae:92:2b:fe:22:
                    8f:61:f6:de:d9:91:b7:55:b5:11:19:70:d4:f8:33:
                    50:c3:df:84:41:29:21:11:0c:a7:49:46:d7:cf:58:
                    81:ce:a2:94:76:27:99:c4:a0:33:04:3b:ea:b7:2d:
                    e3:7e:05:7e:d4:42:ae:b9:dc:e9:c5:04:72:1d:8b:
                    45:32:72:31:68:2c:dc:87:ff:39:c0:b0:e0:b7:c2:
                    4d:ac:db:1c:da:74:82:93:aa:9b:0f:6b:85:3f:3a:
                    51:f5:e4:fb:de:ce:85:7b:21:d5:75:37:21:a4:63:
                    7b:93:7c:51:36:5b:89:e2:5a:5e:40:23:ad:c7:be:
                    0c:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0D:EA:6A:EE:DA:E4:23:AA:C2:F6:53:F9:CF:BF:55:65:C3:5E:E0:CC

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:192.168.11.100, IP Address:192.168.10.200, DNS:xa.it.com, DNS:xiykj.com, DNS:*.xa.com
    Signature Algorithm: sha256WithRSAEncryption
         8a:b4:63:10:18:ac:69:c1:6c:aa:d7:28:5e:21:5e:a1:cb:14:
         83:9e:d4:88:1f:c6:94:3b:98:00:f8:81:2c:05:b1:25:c9:89:
         84:08:7d:78:75:9c:4f:c8:30:50:ba:a7:f5:6f:9a:ae:0a:07:
         cd:9e:85:e0:5b:79:19:3f:f9:31:c8:4a:8a:5e:d2:3f:97:52:
         ee:0c:e5:0c:59:dc:ca:70:a2:1b:8e:78:eb:b4:90:cd:3b:8f:
         aa:43:a7:bd:43:0f:f1:f4:7b:18:cc:71:da:e8:a1:eb:40:30:
         e7:fb:e4:34:e1:16:d2:7a:88:1e:58:f3:d7:f9:b5:f9:30:a4:
         6e:35:23:d6:82:83:83:90:15:2c:5d:f4:aa:30:bd:f0:c1:95:
         6a:f3:c0:93:6c:36:54:8d:47:f5:43:3d:51:ee:04:69:77:35:
         5a:2f:0a:cf:af:72:75:37:ba:35:aa:80:52:df:d8:1a:ef:26:
         b0:aa:e4:87:d5:8a:e6:0b:bd:b4:ec:50:5e:fb:8b:98:9b:33:
         54:0c:a9:94:2a:a0:2a:7a:d9:84:82:ad:23:f0:39:f0:5a:5a:
         6e:20:cd:81:0a:c9:04:51:5e:60:41:b7:93:8c:d4:9b:b5:0b:
         39:e8:f7:2b:64:68:52:6d:c8:63:1f:d6:3b:9b:57:a8:fc:27:
         7d:cf:0a:44


10. Verify the SSL certificate against the CA; OK means it passed verification

sudo openssl verify -CAfile ../ca/CA.crt zabbix.crt

   Finally, import CA.crt into the "Trusted Root Certification Authorities" store of each client PC that needs access, and deploy the zabbix.crt and zabbix.key files on the server.
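The ten steps above collected into one non-interactive script, as an added example that is not the post's own code: -subj replaces the req prompts, the CA key is written without -des3 so no passphrase is needed, and the directory, subject and host values are constructed for the example.

```shell
#!/bin/sh
# Scripted version of the page's ten steps. Differences from the page: -subj replaces the
# interactive prompts, and the CA key is written without -des3 so no passphrase is needed
# (add it back for a real CA). Directory, subject and host values are constructed for the example.
set -eu

make_selfsigned_chain() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir/ca" "$dir/certs"
    # Steps 2-3: CA private key and 20-year self-signed root certificate
    openssl genrsa -out "$dir/ca/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca/CA.key" -sha256 -days 7300 \
        -subj "/C=CN/O=Example Lab/CN=Example Lab Root CA" -out "$dir/ca/CA.crt"
    # Steps 4-5: server private key and CSR
    openssl genrsa -out "$dir/certs/zabbix.key" 2048 2>/dev/null
    openssl req -new -key "$dir/certs/zabbix.key" -subj "/C=CN/O=Example Lab/CN=$host" \
        -out "$dir/certs/zabbix.csr"
    # Step 6: extension file; clients match the host name against subjectAltName, not the CN
    cat > "$dir/certs/cert.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
    # Step 7: sign the CSR with the CA root; -CAcreateserial writes CA.srl next to CA.crt
    openssl x509 -req -in "$dir/certs/zabbix.csr" -CA "$dir/ca/CA.crt" -CAkey "$dir/ca/CA.key" \
        -CAcreateserial -days 7300 -sha256 -extfile "$dir/certs/cert.ext" \
        -out "$dir/certs/zabbix.crt" 2>/dev/null
}

# Step 10: chain check; prints OK when zabbix.crt validates against CA.crt
verify_chain() {
    openssl verify -CAfile "$1/ca/CA.crt" "$1/certs/zabbix.crt" | awk '{print $2}'
}

# The check a client actually performs: is the name ("DNS:..." or "IP Address:...") in the SAN?
san_has() {
    openssl x509 -in "$1/certs/zabbix.crt" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# Usage: sh this.sh /tmp/pki zabbix.example.test 192.0.2.10
if [ "$#" -eq 3 ]; then
    make_selfsigned_chain "$1" "$2" "$3" && verify_chain "$1"
fi
```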
Reference: https://www.cnblogs.com/xiykj/p/18099784