1 安装

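# Run as root. Builds a pinned OpenSSL into /opt/openssl and points the system
# `openssl` binary and headers at it; the distro libssl packages stay installed.
# NOTE: the 1.1.1 series is end-of-life (no security fixes after September 2023).
# Prefer a supported 3.x LTS release for new installs, or at least the final
# 1.1.1 patch letter if you must stay on this series.
export OpensslVersion="1.1.1q"
set -euo pipefail
# 022 rather than 002: nothing installed under /opt or /usr should be group-writable.
umask 022
# Configure is a Perl script and the build needs make; gcc alone is not enough.
yum install -y gcc gcc-c++ make perl

cd /usr/local/src/
tarball="openssl-${OpensslVersion}.tar.gz"
# Pinned release, not "latest". Superseded releases move to /source/old/<series>/.
# NO -k: fetching a crypto library over an unverified TLS connection is exactly the
# man-in-the-middle the library exists to prevent. -f: an HTTP error page must never
# be saved as the tarball.
curl -fsSL "https://www.openssl.org/source/${tarball}" -o "${tarball}"
curl -fsSL "https://www.openssl.org/source/${tarball}.sha256" -o "${tarball}.sha256"
# The published .sha256 file holds only the hex digest; turn it into a sha256sum -c line.
printf '%s  %s\n' "$(tr -d '[:space:]' < "${tarball}.sha256")" "${tarball}" | sha256sum -c -
# Stronger still: verify the detached PGP signature (${tarball}.asc) against the
# OpenSSL release-signing key, since the digest comes from the same server as the tarball.

tar xf "${tarball}"

cd "openssl-${OpensslVersion}"
./config --prefix=/opt/openssl --openssldir=/usr/local/ssl
make -j"$(nproc)"
# make test   # takes several minutes, but it is the only proof the build works on this host
make install

# Keep the distro binary/headers as a backup. The openssl RPM still owns those paths,
# so a later `yum update` may put them back; re-run the symlink lines if that happens.
[ -e /usr/bin/openssl.bak ]     || mv /usr/bin/openssl /usr/bin/openssl.bak
[ -e /usr/include/openssl.bak ] || mv /usr/include/openssl /usr/include/openssl.bak
ln -sfn /opt/openssl/bin/openssl /usr/bin/openssl
ln -sfn /opt/openssl/include/openssl /usr/include/openssl

# Loader path. Directories from ld.so.conf.d are searched before the default /lib64,
# so if the distro's own libssl/libcrypto carry the same soname (libssl.so.1.1 on
# RHEL/CentOS 8; CentOS 7 ships 1.0.2 with a different soname) every system program
# silently starts using this hand-built copy. If that is a concern, give the consuming
# service an RPATH or LD_LIBRARY_PATH instead of a global ld.so.conf entry.
# (OpenSSL 3.x installs into lib64 on 64-bit RHEL; adjust the path for that series.)
ldconf=/etc/ld.so.conf.d/openssl-x86_64.conf
grep -qxF /opt/openssl/lib "${ldconf}" 2>/dev/null || echo /opt/openssl/lib >> "${ldconf}"
ldconfig

# Confirm the binary on PATH is the new one and that it resolves to its own libraries.
hash -r
openssl version -a
ldd /opt/openssl/bin/openssl | grep -E 'libssl|libcrypto'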

2 查看验证证书

2.1 查看证书信息

# Dump everything in the certificate (subject/issuer, validity window, SANs, key
# usage, signature algorithm) — the first thing to check when a client rejects it.
openssl x509 -noout -text -in example.com.crt

2.2 查看私钥对应公钥的sha256值（用于核对私钥、CSR 与证书是否匹配）

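# Hashes the PUBLIC key derived from the private key; the private key itself is never
# printed. The same digest taken from the CSR and from the certificate proves all three
# belong together. Uses example.com.key, the key generated in section 3 (the page
# previously referenced a stray server.key that nothing else on the page creates).
openssl pkey -in example.com.key -pubout -outform pem | sha256sum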

2.3 查看证书中公钥的sha256值

# Extracts the certificate's public key and hashes its PEM form; compare with the
# digests computed from the private key and the CSR to confirm they match.
openssl x509 -noout -pubkey -in example.com.crt -outform pem | sha256sum

2.4 查看 CSR 中公钥的sha256值

# Extracts the public key carried in the CSR and hashes its PEM form; it must equal
# the digest from the private key, or the CSR was built from a different key.
openssl req -noout -pubkey -in example.com.csr -outform pem | sha256sum

3. 私签证书

3.1 生成ca证书的私钥

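# CA private key. Anyone holding this file can issue certificates every client that
# trusts ca.crt will accept, so restrict it the moment it exists. It is written
# unencrypted here; add `-aes256` to genrsa to passphrase-protect it (every later
# `-CAkey ca.key` use will then prompt).
# OpenSSL >= 1.1.0 already creates private key files 0600; the chmod is belt-and-braces
# for older builds and for the permissive umask used in the install section of this page.
openssl genrsa -out ca.key 4096
chmod 600 ca.key
# Seeds a .rnd file in the current directory for old OpenSSL builds that complain
# "unable to write 'random state'"; harmless on 1.1.1 and later.
openssl rand -writerand .rnd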

3.2 生成ca证书

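# Self-signed root. `req -x509` takes the [v3_ca] extensions from openssl.cnf
# (basicConstraints=CA:TRUE plus key identifiers); keyUsage is added explicitly so the
# CA key is constrained to signing certificates and CRLs. `-addext` needs OpenSSL >= 1.1.1
# (the version built in section 1); drop it on older builds.
# `-nodes` only affects key generation and is a no-op when the key is passed with -key.
# Validity: 36500 days (100 years) is the page's original value and is kept as the
# default; roots are not subject to the lifetime limits clients impose on leaf TLS
# certificates, but 10 years (CA_DAYS=3650) is the more common choice.
# Consider a CN distinct from the server's (e.g. "example Root CA"): an issuer name
# identical to the leaf's subject makes chain debugging needlessly confusing.
openssl req -x509 -new -nodes -sha512 -days "${CA_DAYS:-36500}" \
    -subj "/C=CN/ST=JiangSU/L=Nanjing/O=example/OU=Personal/CN=example.com" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -key ca.key -out ca.crt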

3.3 生成域名证书的私钥

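# Server private key. Restrict it immediately: OpenSSL >= 1.1.0 already creates the
# file 0600, the chmod covers older builds and the permissive umask used earlier on
# this page. 4096-bit RSA is fine for a private CA; an EC key
# (`openssl ecparam -genkey -name prime256v1`) is the faster modern alternative.
openssl genrsa -out example.com.key 4096
chmod 600 example.com.key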

3.4 生成证书请求文件

# Certificate signing request for the server key. Only the subject travels in the
# CSR here; SANs and key usage are supplied at signing time through the extension file.
openssl req -new -sha512 \
    -key example.com.key \
    -subj "/C=CN/ST=JiangSU/L=Nanjing/O=example/OU=Personal/CN=example.com" \
    -out example.com.csr

3.5 添加其他可信域名或IP配置文件

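# Extensions for the leaf (server) certificate. `openssl x509 -req` ignores any
# extensions carried in the CSR, so everything the certificate needs is listed here.
# Quoted heredoc delimiter: nothing inside is subject to shell expansion.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
# critical: a verifier that does not understand the extension must reject the cert
basicConstraints=critical,CA:FALSE
# Only what TLS server authentication uses: RSA key exchange needs keyEncipherment,
# (EC)DHE needs digitalSignature. nonRepudiation/dataEncipherment are not used by TLS.
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
# Clients match the name they connected to against the SAN list, never the CN:
# list every hostname and literal IP the service is reached through.
subjectAltName=@alt_names
[alt_names]
DNS.1=example.com
IP.1=192.168.1.100
EOF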

3.6 生成域名证书

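# Sign the CSR with the private CA. -CAcreateserial creates ca.srl on first use and
# increments it afterwards; keep that file next to ca.key so serial numbers never repeat.
# Lifetime: Apple platforms reject TLS server certificates valid for more than 825 days
# no matter who issued them (398 days for publicly-trusted ones in Chrome/Safari), so
# the page's original 36500 days fails on those clients. 825 is the default here;
# override with CERT_DAYS for clients you control.
openssl x509 -req -sha512 -days "${CERT_DAYS:-825}" \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in example.com.csr \
    -out example.com.crt
# Prove the chain validates and the SAN list came out as intended before deploying.
openssl verify -CAfile ca.crt example.com.crt
openssl x509 -in example.com.crt -noout -ext subjectAltName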