1 安装 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 # root用户 export OpensslVersion="1.1.1q" umask 002 yum install gcc gcc-c++ -y # 下载最新版 cd /usr/local/src/ curl -k https://www.openssl.org/source/openssl-${OpensslVersion}.tar.gz -o openssl-${OpensslVersion}.tar.gz # 解压 tar xf openssl-${OpensslVersion}.tar.gz # 编译安装 cd openssl-${OpensslVersion} ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl make -j4 && make install # 备份老版本 mv /usr/bin/openssl /usr/bin/openssl.bak mv /usr/include/openssl /usr/include/openssl.bak # 软连接新版本 ln -s /opt/openssl/bin/openssl /usr/bin/openssl ln -s /opt/openssl/include/openssl /usr/include/openssl echo "/opt/openssl/lib" >> /etc/ld.so.conf.d/openssl-x86_64.conf ldconfig -v # 检查版本 openssl version -a 2 查看验证证书 2.1 查看证书信息 1 openssl x509 -in example.com.crt -noout -text 2.2 查看私钥sha256值 1 openssl pkey -in server.key -pubout -outform pem | sha256sum 2.3 查看证书sha256值 1 openssl x509 -in example.com.crt -pubkey -noout -outform pem | sha256sum 2.4 查看csrsha256值 1 openssl req -in example.com.csr -pubkey -noout -outform pem | sha256sum 3. 私签证书 3.1 生成ca证书的私钥 1 2 openssl genrsa -out ca.key 4096 openssl rand -writerand .rnd 3.2 生成ca证书 1 openssl req -x509 -new -nodes -sha512 -days 36500 -subj "/C=CN/ST=JiangSU/L=Nanjing/O=example/OU=Personal/CN=example.com" -key ca.key -out ca.crt 3.3 生成域名证书的私钥 1 openssl genrsa -out example.com.key 4096 3.4 生成证书请求文件 1 2 3 4 openssl req -sha512 -new \ -subj "/C=CN/ST=JiangSU/L=Nanjing/O=example/OU=Personal/CN=example.com" \ -key example.com.key \ -out example.com.csr 3.5 添加其他可信域名或IP配置文件 1 2 3 4 5 6 7 8 9 10 cat >v3.ext<