openssl req -new -x509 -newkey rsa:4096 -keyout client.key -out client.crt -config openssl.cnf -days 365
ps:当前文件夹下必须得有openssl.cnf配置文件,直接copy系统默认的配置文件过来就好.是openssl相关的
另外,末尾的-days 365 表示该证书有效期为365天
添加一些配置到openssl.cnf这个文件:
[ req ]
x509_extensions = v3_req
[v3_req]
subjectAltName = @subjectAltNames
[subjectAltNames]
DNS.1 = winbet888.net
DNS.2 = www.winbet888.net
#IP.1 = 127.0.0.1
ps: subjectAltNames下可以添加键值对,域名用dns,ip用IP
终端会提示设置一些东西,其他都可以不填
Common Name (eg, fully qualified host name) []:
Email Address []:
这两个必填,可以随意填
PS:subjectAltNames设置是关键,键值对直接决定了浏览器验证你的证书信息和域名和访问的位置是否能对上!!
最后生成一个crt文件和key文件,客户端安装crt就行了.服务器两个都用.
服务器部署的时候,会提示无法找到私钥,执行以下命令,
openssl rsa -in client.key -out client.key
拿着新的client.key去替换之前的
如果安装的openssl没有默认的配置文件,那么可以使用以下这个(只在windows系统上的openssl测试可行):
==================
################################################################
# openssl example configuration file.
# This is mostly used for generation of certificate requests.
#################################################################
[ ca ]
default_ca= CA_default # The default ca section
#################################################################
[ CA_default ]
dir=C:/Program Files/Apache Group/Apache2/conf/ssl # Where everything is kept
certs=$dir # Where the issued certs are kept
crl_dir= $dir/crl # Where the issued crl are kept
database= $dir/index.txt # database index file
new_certs_dir= $dir/new_certs # default place for new certs
certificate=$dir/CA/OrbixCA # The CA certificate
serial= $dir/serial # The current serial number
crl= $dir/crl.pem # The current CRL
private_key= $dir/CA/OrbixCA.pk # The private key
RANDFILE= $dir/.rand # private random number file
default_days= 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md= md5 # which message digest to use
preserve= no # keep passed DN ordering
# A few different ways of specifying how closely the request should
# conform to the details of the CA
policy= policy_match
# For the CA policy [policy_match]
countryName= match
stateOrProvinceName= match
organizationName= match
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
# For the `anything' policy
# At this point in time, you must list all acceptable `object'
# types
[ policy_anything ]
countryName = optional
stateOrProvinceName= optional
localityName= optional
organizationName = optional
organizationalUnitName = optional
commonName= supplied
emailAddress= optional
[ req ]
default_bits = 1024
default_keyfile= privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName= Country Name (2 letter code)
countryName_min= 2
countryName_max = 2
stateOrProvinceName= State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg. YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName= An optional company name
ps:注意,以上配置可以根据需要修改.
或者下面这一段也行:
[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_req
[v3_req]
subjectAltName = @subjectAltNames
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[subjectAltNames]
IP.1 = 127.0.0.1
ps:注意,以上配置根据需要修改.