Issuing SSL Certificates from a Self-Built CA (Easy-RSA)

Environment

OS: CentOS 7.5
Software: easy-rsa-master.zip

Installation

# git clone https://github.com/OpenVPN/easy-rsa.git
# mv easy-rsa/easyrsa3 /usr/local/

Creating certificates and keys

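  • Configure default attributes (optional; these organizational fields are only used when EASYRSA_DN is set to "org")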

    # cd /usr/local/easyrsa3
    # cp vars.example vars
    # vim vars
    set_var EASYRSA_REQ_COUNTRY     "CN"
    set_var EASYRSA_REQ_PROVINCE    "GuangDong"
    set_var EASYRSA_REQ_CITY        "ShenZhen"
    set_var EASYRSA_REQ_ORG         "Company"
    set_var EASYRSA_REQ_EMAIL       "[email protected]"
    set_var EASYRSA_REQ_OU          "IT"
    
  • Initialize the PKI

    # ./easyrsa init-pki
    
  • Create the CA (nopass leaves the CA private key unencrypted on disk)

    # ./easyrsa build-ca nopass
    
  • Generate Diffie-Hellman parameters

    # ./easyrsa gen-dh
    
  • Create the server certificate and key

    # ./easyrsa build-server-full hostname.domain.com nopass
    
  • Create a client certificate and key

    # ./easyrsa build-client-full zhangsan nopass
    
  • Revoke a certificate

    # ./easyrsa revoke zhangsan
    # ./easyrsa gen-crl
    # mv pki/issued/zhangsan.crt pki/private/zhangsan.key pki/reqs/zhangsan.req /tmp/
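
The revoke and gen-crl steps above only take effect once whoever validates certificates uses the regenerated CRL. The following added example (not part of the original post) checks a certificate against a CA and a CRL. A throwaway CA built with plain openssl stands in for Easy-RSA's pki/ directory; the function names, the temporary directory and the demo CA config are assumptions of this example.

```shell
#!/bin/sh
# check_cert CA CRL CERT: succeeds only if CERT chains to CA and is not listed in CRL.
# With the page's layout: check_cert pki/ca.crt pki/crl.pem /tmp/zhangsan.crt
check_cert() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Constructed stand-in for Easy-RSA's pki/ directory: a throwaway CA made with
# plain openssl, one client certificate "zhangsan", and an initial (empty) CRL.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts" && : > "$d/index.txt" && echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 &&
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=zhangsan" -keyout "$d/zhangsan.key" -out "$d/zhangsan.req" >/dev/null 2>&1 &&
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/zhangsan.req" -out "$d/zhangsan.crt" >/dev/null 2>&1 &&
    gen_crl "$d" && echo "$d"
}

# Counterparts of "easyrsa revoke" and "easyrsa gen-crl" for the demo CA.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$1/zhangsan.crt" >/dev/null 2>&1; }
gen_crl()     { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1; }
```

Running check_cert between revoke_cert and gen_crl still succeeds, because the old CRL does not list the certificate; it fails only after the CRL is regenerated and the verifier reads the new file.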
    
