制作流程 为服务器端和客户端准备公钥、私钥 #私钥 >openssl genrsa -out server.key 1024 -config E:\Git\mingw64\ssl\openssl.cnf
#公钥 >openssl rsa -in server.key -pubout -out server.pem
生成 CA 证书 #ca私钥 >openssl genrsa -out ca.key 1024 -config E:\Git\mingw64\ssl\openssl.cnf
第一次填写信息
>openssl req -new -key ca.key -out ca.csr -config E:\Git\mingw64\ssl\openssl.cnf
Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []:Common Name (e.g. server FQDN or YOUR name) []:localhost Email Address []:
Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []:12345678 An optional company name []:cs
>openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365
生成服务器端证书 服务器端需要向 CA 机构申请签名证书,在申请签名证书之前依然是创建自己的 CSR 文件 与第一次信息填写一样
>openssl req -new -key server.key -out server.csr -config E:\Git\mingw64\ssl\openssl.cnf
向自己的 CA 机构申请证书,签名过程需要 CA 的证书和私钥参与,最终颁发一个带有 CA 签名的证书
>openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost Getting CA Private Key
生成cer文件 使用openssl 进行转换
>openssl x509 -in server.crt -out server.cer -outform der
生成p12
F:\logs\http>openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out client.p12 WARNING: can't open config file: /usr/local/ssl/openssl.cnf Loading 'screen' into random state - done Enter Export Password:12345678 Verifying - Enter Export Password:12345678
浏览器信任 运行脚本 浏览器导入自制pem
ssl.sh
bash ./ssl.sh
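#!/bin/bash
# ssl.sh — create a local self-signed CA and a SAN-enabled leaf certificate
# for one name, then verify the leaf against the CA.
#
# Usage:   bash ./ssl.sh [name]        (default name: local.org)
# Output:  ./<name>/<name>.key   private key (shared by CA and leaf)
#          ./<name>/<name>.pem   self-signed CA certificate (import this in the browser)
#          ./<name>/<name>.csr   certificate signing request for the leaf
#          ./<name>/<name>.crt   leaf certificate signed by the CA
#          ./<name>/openssl.cnf  request config with the SAN list
# Exit status: 0 when every step succeeded, 1 on the first failing step.
#
# NOTE(review): the CA certificate and the leaf certificate are issued from the
# same private key. That mirrors the original layout and is fine for a local
# development CA, but anything that should look like a real PKI wants a
# separate CA key that is kept offline.
set -euo pipefail

# 定义变量
name=${1:-'local.org'}
readonly name
readonly KEY_FILE="${name}.key"
readonly CSR_FILE="${name}.csr"
readonly CRT_FILE="${name}.crt"
readonly PEM_FILE="${name}.pem"
readonly CONFIG_FILE="openssl.cnf"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the OpenSSL request config for "$name" to stdout.
# Globals:  name (read)
# Outputs:  the [req] / SAN config on stdout
# The heredoc is intentionally unquoted so $name is expanded; the body sits at
# column 0 because a plain <<EOF does not strip leading whitespace.
#######################################
write_config() {
  cat <<EOF
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
copy_extensions = copy
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = GuangDong
localityName = ShenZhen
organizationName = SRE
commonName = $name
[req_ext]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[v3_req]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.122.1
IP.2 = 192.168.1.100
IP.3 = 127.0.0.1
DNS.1 = $name
DNS.2 = *.$name
EOF
}

#######################################
# Run every step in order; each step aborts the script with the original
# Chinese diagnostic when its command fails (not merely when its output file
# is missing, which would miss a failed run that left a stale file behind).
# Globals:  name, KEY_FILE, CSR_FILE, CRT_FILE, PEM_FILE, CONFIG_FILE (read)
# Arguments: none (the name is taken from the globals above)
#######################################
main() {
  # "$name" becomes a directory, a file prefix and a DNS wildcard, so restrict
  # it to hostname characters; this also rules out path tricks such as "../x".
  [[ "$name" =~ ^[A-Za-z0-9.-]+$ ]] || die "invalid name: $name"

  local dir="$name"
  local cfg="$dir/$CONFIG_FILE"
  local key="$dir/$KEY_FILE"
  local csr="$dir/$CSR_FILE"
  local crt="$dir/$CRT_FILE"
  local pem="$dir/$PEM_FILE"

  # 将配置内容写入文件
  mkdir -p -- "$dir"
  write_config >"$cfg" || die "配置文件创建失败,退出脚本。"

  # 生成私钥 — the key is the only secret here, so make it owner-readable only
  # regardless of the umask OpenSSL happened to run under.
  openssl genrsa -out "$key" 2048 || die "私钥生成失败,退出脚本。"
  chmod 600 -- "$key"

  # 创建自签名证书 (the local CA). The subject CN now follows "$name" instead
  # of the hard-coded local.org the original used, so the CA and the leaf
  # agree with the name the script was invoked with.
  openssl req -x509 -new -nodes -key "$key" -sha256 -days 3650 -out "$pem" \
    -subj "/C=CN/ST=GuangDong/O=SRE/CN=$name" \
    || die "证书生成失败,退出脚本。"

  # 生成CSR — the SAN list comes from the generated config (prompt = no).
  openssl req -new -key "$key" -config "$cfg" -out "$csr" \
    || die "CSR生成失败,退出脚本。"

  # 使用CA证书和私钥签署CSR — -extensions v3_req re-applies the SANs, since
  # x509 -req drops request extensions unless told to copy them.
  openssl x509 -req -in "$csr" -CA "$pem" -CAkey "$key" -CAcreateserial \
    -out "$crt" -days 3650 -sha256 -extensions v3_req -extfile "$cfg" \
    || die "证书签署失败,退出脚本。"

  # 验证证书 — chain the leaf back to the CA we just made.
  if openssl verify -CAfile "$pem" "$crt"; then
    echo "证书验证成功。"
  else
    die "证书验证失败。"
  fi
  echo "所有步骤执行完毕。"
}

main "$@"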
#默认local.org
bash ./ssl.sh k8s.org