在配置HTTPS监听时,您可以使用自签名的CA证书,并且使用该CA证书为客户端证书签名。
sudo mkdir ca
cd ca
sudo mkdir newcerts private conf server
[ ca ]
default_ca = foo
[ foo ]
dir = /root/ca
database = /root/ca/index.txt
new_certs_dir = /root/ca/newcerts
certificate = /root/ca/private/ca.crt
serial = /root/ca/serial
private_key = /root/ca/private/ca.key
RANDFILE = /root/ca/private/.rand
default_days = 365
default_crl_days= 30
default_md = md5
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
cd /root/ca
sudo openssl genrsa -out private/ca.key
执行结果如下图所示。
sudo openssl req -new -key private/ca.key -out private/ca.csr
说明Common Name需要输入负载均衡的域名。
sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
sudo echo FACE > serial
sudo touch index.txt
sudo openssl ca -gencrl -out /root/ca/private/ca.crl -crldays 7 -config "/root/ca/conf/openssl.conf"
输出为:
Using configuration from /root/ca/conf/openssl.conf
sudo mkdir users
sudo openssl genrsa -des3 -out /root/ca/users/client.key 1024
说明创建key时要求输入pass phrase,这个是当前key的口令,以防止本密钥泄漏后被人盗用。两次输入同一个密码。
sudo openssl req -new -key /root/ca/users/client.key -out /root/ca/users/client.csr
输入该命令后,根据提示输入上一步输入的pass phrase,然后根据提示输入对应的信息。
说明A challenge password是客户端证书口令。注意将它和client.key的口令进行区分。
sudo openssl ca -in /root/ca/users/client.csr -cert /root/ca/private/ca.crt -keyfile /root/ca/private/ca.key -out /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf"
当出现确认是否签名的提示时,两次都输入y。
sudo openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12
按照提示输入客户端client.key的pass phrase。再输入用于导出证书的密码。这个是客户端证书的保护密码,在安装客户端证书时需要输入这个密码。
cd users
ls