创建私有CA证书签署自定义域名证书


一 创建 CA 证书

#!/bin/bash

mkdir CA
cd CA
openssl genrsa -out ca.key 4096
// openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=mogu/OU=CA/CN=mogu/emailAddress=admin@mogu.com"
echo "1" > serial

# Useage: sh createCA.sh

二 签名域名

#!/bin/bash

mkdir ${1}
cd ${1}
echo "[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName                = Locality Name (eg, city)
localityName_default        = Beijing
organizationName            = Organization Name (eg, company)
organizationName_default    = www
organizationalUnitName            = Organizational Unit Name (eg, section)
organizationalUnitName_default    = IT
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = ${1}

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = ${1}
" > san.conf

openssl genrsa -out ${1}.key 4096

openssl req -new -key ${1}.key -out ${1}.csr -config san.conf -sha256

# serial 唯一
serial=$(cat ../CA/serial)
openssl x509 -req -days 3650 -in ${1}.csr -CA ../CA/ca.crt -CAkey ../CA/ca.key -set_serial $((serial+1)) -out ${1}.crt -extfile san.conf -extensions req_ext
echo $((serial+1)) > ../CA/serial

# Useage: sh signDoamin.sh localhost

三 配置 CA 证书

# /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem