生成证书的命令.docxVIP

多级证书 平时我们自己签发CA证书再签发服务器证书的场景其实都非常简单。浏览器把自签CA导入后，就可以信任由这个CA直接签发的服务器证书。??? 但是实际上网站使用的证书肯定都不是由根CA直接签发的，比如 淘宝登陆服务器使用的证书。我之前是自己写了脚本由自签CA直接签发服务器证书，为了真清楚的理解一下证书链的作用就直接使用openssl先签发2层的子CA，再由子CA去签发服务器证书。手动签发证书的脚本如下：生成自签CA # cat makerootca.sh #!/bin/bash DIR=/root/ssl.test2 mkdir -p $DIR/demoCA/{private,newcerts} touch $DIR/demoCA/index.txt echo 01 $DIR/demoCA/serial openssl genrsa -des3 -out $DIR/demoCA/private/cakey.pem 2048 openssl req -new -x509 -days 3650 -key $DIR/demoCA/private/cakey.pem -out $DIR/demoCA/careq.pem 签发二级CA的脚本 cp f /root/ssl.test2 # cat no2domain.sh #!/bin/bash [ $# -ne 1 ] echo $0 NAME exit NAME=$1 DIR=/root/ssl.test2/autoget mkdir -p $DIR openssl genrsa -des3 -out $DIR/$NAME.key 2048 openssl x509 -in $DIR/../demoCA/careq.pem -noout -text openssl rsa -in $DIR/$NAME.key -out $DIR/$NAME.key openssl req -new -days 3650 -key $DIR/$NAME.key -out $DIR/$NAME.csr openssl ca -extensions v3_ca -in $DIR/$NAME.csr -config $DIR/../f -days 3000 -out $DIR/$NAME.crt -cert $DIR/../demoCA/careq.pem -keyfile $DIR/../demoCA/private/cakey.pem 签发三级CA的脚本 # cat no3domain.sh #!/bin/bash #[ $# -ne 1 ] echo $0 NAME exit NAME=calv3 DIR=/root/ssl.test2/autoget openssl genrsa -des3 -out $DIR/$NAME.key 2048 openssl x509 -in $DIR/../demoCA/careq.pem -noout -text openssl rsa -in $DIR/$NAME.key -out $DIR/$NAME.key openssl req -new -days 3650 -key $DIR/$NAME.key -out $DIR/$NAME.csr openssl ca -in $DIR/$NAME.csr -extensions v3_ca -config $DIR/../f -days 3000 -out $DIR/$NAME.crt -cert $DIR/calv2.crt -keyfile $DIR/calv2.key 由三级CA签发服务器证书的脚本 # cat no4domain.sh #!/bin/bash [ $# -ne 1 ] echo $0 NAME exit NAME=$1 DIR=/root/ssl.test2/autoget openssl genrsa -des3 -out $DIR/$NAME.key 2048 openssl x509 -in $DIR/../demoCA/careq.pem -noout -text openssl rsa -in $DIR/$NAME.key -out $DIR/$NAME.key openssl req -new -days 3650 -key $DIR/$NAME.key -out $DIR/$NAME.csr openssl ca -in $DIR/$NAME.csr -config $DIR/../f -days 3000 -out $DIR/$NAME.crt -cert $DIR/calv3.crt -keyfile $DIR/calv3.key o