Getting a free signed certificate online from CAcert.org; official site: https://www.cacert.org/index.php
Note that the CAcert root is not shipped in mainstream browser or OS trust stores, so every client that should trust these certificates has to install the CAcert root explicitly.
The domain xmkk.net is used as the example throughout.
Dependencies: openssl (server certificate), keytool from a JDK (client certificate)
Verify domain ownership
a) Domains->Add: add the domain to be verified;
b) Verify the email: click the verification link in the email CAcert sends to the domain contact address, and confirm;
c) Domains->View: check that the domain's status shows it as verified;
Create the server certificate
1. Generate the server private key and the certificate signing request (CSR)
# openssl genrsa -out ssl/domain_key_xmkk.net.pem 4096
# openssl req -new -key ssl/domain_key_xmkk.net.pem -out ssl/xmkk.net.csr -subj '/CN=xmkk.net'
# cat ssl/xmkk.net.csr
The CSR carries only the public key and the subject name; it is the only thing that leaves the machine. The private key file stays on the server and should be readable by root only (chmod 600).
2. Obtain the signed server certificate (the public half)
a) Paste the CSR printed above into CAcert.org for signing: Server Certificates->New;
b) Copy the server certificate that CAcert.org returns to the local machine:
# cat > ssl/domain_cert_xmkk.net.pem << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
. . .
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF
Create the client certificate with keytool
a) Generate the keystore and the client key pair. keytool prompts for the keystore password and then for the key password; keep the two identical. Java's PKCS12 keystores do not support a key password that differs from the store password, and several consumers of JKS files assume the same.
$ keytool -genkey -alias fenng -keyalg RSA -keysize 4096 -keystore ssl/.fenng.keytool -dname '[email protected]'
b) Generate the client certificate signing request (CSR) from the key in the keystore
$ keytool -certreq -alias fenng -file ssl/fenng.csr -keystore ssl/.fenng.keytool -storepass mysecret
$ cat ssl/fenng.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEZDCCAkwCAQAwHzEdMBsGA1UEAwwUZGFuaWVsQHBvY29jay5jb20uYXUwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQC/ySJt3ZNulDnWG7MtrE+Y6Rkl6ln/ovdefxFdoaBSkg4Bqg8K
. . .
cfsbPXSEcdZTYKzPaQpTtkCeWMRKh5R4M61IOd40tANhVbZbf32sZlAeRos7
-----END NEW CERTIFICATE REQUEST-----
c) Submit the CSR printed above to CAcert to obtain the client certificate, and copy the result to the local machine:
# cat > ssl/fenng.crt << EOF
-----BEGIN CERTIFICATE-----
MIIF5zCCA8+gAwIBAgIDAQKKMA0GCSqGSIb3DQEBBQUAMFQxFDASBgNVBAoTC0NB
Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTIwODAxMTQzOTA3WhcNMTQwODAx
. . .
vcx9+LYSwVLCr33NkDx9zqBn3Qp2ZcaUxOdSo/QxdnE2Wj7J06D309RuDRCxZA7E
cvfc3qE1Q0ESbEOAmN+ZYHhCHZjKe3jNlxED
-----END CERTIFICATE-----
EOF
d) Import the CAcert root certificate as a trusted entry, then import the signed client certificate as the certificate reply for alias fenng. The root must be imported first: keytool only installs a reply whose chain ends at a certificate it already trusts, otherwise it fails with "Failed to establish chain from reply". Both imports go into the same keystore that holds the private key, and the reply must use the key's alias.
$ keytool -import -alias root -keystore ssl/.fenng.keytool -storepass mysecret -trustcacerts -file ssl/root_cert_cacert.org.pem
...
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -importcert -alias fenng -file ssl/fenng.crt -keystore ssl/.fenng.keytool -storepass mysecret
Certificate reply was installed in keystore
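The whole flow, server steps 1-2 and client steps a)-d), as an added example script that is not part of the original page. It reproduces the openssl and keytool commands in a scratch directory and adds the checks worth running on whatever the CA returns: the certificate carries the public half of the key you generated, it chains to the root, it is valid for the hostname clients will use, it is not about to expire, and the keystore entry ends up as a PrivateKeyEntry with a full chain. Because it has to run offline, CAcert.org is replaced by a constructed stand-in root CA that signs the CSRs the same way the real CA would; the stand-in CA, the extension values, the scratch paths under $WORK and the 2048-bit key size (chosen only for speed; the page uses 4096) are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not code from the original page. CAcert.org is replaced by a
# constructed stand-in root CA so the script runs offline; paths under $WORK,
# the stand-in CA and the extension values are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="xmkk.net"                          # example domain from the page
ALIAS="fenng"; STOREPASS="mysecret"        # client alias and password from the page
ROOT="$WORK/root_cert_cacert.org.pem"      # page's filename for the CA root certificate

# Stand-in for CAcert.org (constructed): a throwaway self-signed root.
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/ca_key.pem" \
        -out "$ROOT" -subj "/O=Stand-in CA/CN=Stand-in Root" 2>/dev/null
}

# What the CA does with a pasted CSR: sign it and add extensions.
# Usage: sign_csr <csr> <out cert> <extension line>...
sign_csr() {
    csr="$1"; out="$2"; shift 2
    printf '%s\n' "$@" > "$WORK/ext.cnf"
    openssl x509 -req -in "$csr" -CA "$ROOT" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -days 30 -extfile "$WORK/ext.cnf" -out "$out" 2>/dev/null
}

# Page step 1: server private key plus CSR. The key never leaves the host; only the
# CSR is pasted into the CA. 'req -verify' checks the CSR's self-signature.
server_key_and_csr() {
    openssl genrsa -out "$WORK/domain_key_$DOMAIN.pem" 2048 2>/dev/null
    chmod 600 "$WORK/domain_key_$DOMAIN.pem"
    openssl req -new -key "$WORK/domain_key_$DOMAIN.pem" -out "$WORK/$DOMAIN.csr" \
        -subj "/CN=$DOMAIN"
    openssl req -in "$WORK/$DOMAIN.csr" -noout -verify >/dev/null 2>&1
}

# Page step 2 plus the checks to run before deploying the returned certificate:
# it carries the public half of our key, chains to the root, is valid for the
# hostname clients will use, and is not about to expire.
server_cert_checks() {
    cert="$WORK/domain_cert_$DOMAIN.pem"
    sign_csr "$WORK/$DOMAIN.csr" "$cert" "subjectAltName=DNS:$DOMAIN" "extendedKeyUsage=serverAuth"
    key_fp=$(openssl pkey -in "$WORK/domain_key_$DOMAIN.pem" -pubout -outform DER | openssl dgst -sha256)
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$cert_fp" ]
    openssl verify -CAfile "$ROOT" -verify_hostname "$DOMAIN" "$cert" >/dev/null
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null   # non-zero if it expires within a day
}

# Page client steps a)-d). The root goes in as a trusted entry first; without it
# keytool rejects the reply ("Failed to establish chain from reply"). Both imports
# target the keystore holding the private key, and the reply uses the key's alias.
# Returns 0 once alias $ALIAS is a PrivateKeyEntry with a two-certificate chain, or
# immediately when keytool is not installed (the openssl part still runs).
client_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping client steps"; return 0; }
    ks="$WORK/.$ALIAS.keytool"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -keystore "$ks" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "CN=$ALIAS@$DOMAIN" 2>/dev/null
    keytool -certreq -alias "$ALIAS" -file "$WORK/$ALIAS.csr" -keystore "$ks" \
        -storepass "$STOREPASS" 2>/dev/null
    sign_csr "$WORK/$ALIAS.csr" "$WORK/$ALIAS.crt" "extendedKeyUsage=clientAuth"
    keytool -importcert -noprompt -alias root -file "$ROOT" -keystore "$ks" \
        -storepass "$STOREPASS" 2>/dev/null
    keytool -importcert -alias "$ALIAS" -file "$WORK/$ALIAS.crt" -keystore "$ks" \
        -storepass "$STOREPASS" 2>/dev/null
    keytool -list -v -alias "$ALIAS" -keystore "$ks" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q 'Certificate chain length: 2'
}

run_all() {
    make_stand_in_ca && server_key_and_csr && server_cert_checks && client_keystore
}

# Run the whole flow with: sh cacert_flow.sh run
if [ "${1:-}" = "run" ]; then run_all && echo "all checks passed in $WORK"; fi
```

Against the real CAcert the sign_csr step is replaced by pasting the CSR into the web form and saving the returned PEM; the checks in server_cert_checks and the chain-length check in client_keystore apply unchanged, with ssl/root_cert_cacert.org.pem holding the CAcert root instead of the stand-in.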