一 创建 CA 证书
#!/bin/bash
mkdir CA
cd CA
openssl genrsa -out ca.key 4096
// openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=mogu/OU=CA/CN=mogu/emailAddress=admin@mogu.com"
echo "1" > serial
# Useage: sh createCA.sh
二 签名域名
#!/bin/bash
mkdir ${1}
cd ${1}
echo "[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
organizationName = Organization Name (eg, company)
organizationName_default = www
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = ${1}
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${1}
" > san.conf
openssl genrsa -out ${1}.key 4096
openssl req -new -key ${1}.key -out ${1}.csr -config san.conf -sha256
# serial 唯一
serial=$(cat ../CA/serial)
openssl x509 -req -days 3650 -in ${1}.csr -CA ../CA/ca.crt -CAkey ../CA/ca.key -set_serial $((serial+1)) -out ${1}.crt -extfile san.conf -extensions req_ext
echo $((serial+1)) > ../CA/serial
# Useage: sh signDoamin.sh localhost
三 配置 CA 证书
# /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem