linux 生成 ca 证书
自建证书
创建用私钥签名的证书
生成私钥
openssl genrsa -out private.key 2048
生成证书请求
openssl req -new -key private.key -out server.csr
这一步需要填写证书信息,如
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:GZGZ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:XXXXX.XXXX.com
Email Address []:xxxxxxxx@xx.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
其中,Common Name 填写证书绑定的域名,否则证书不能通过信任验证。
生成服务器的私钥
openssl rsa -in private.key -out server.key
使用私钥生成服务器证书
openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 365 -sha256
下面的 gitlab 的自建证书过程
Generation of a Self Signed Certificate
Generation of a self-signed SSL certificate involves a simple 3-step procedure:
STEP 1: Create the server private key
openssl genrsa -out gitlab.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key gitlab.key -out gitlab.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt
Congratulations! You now have a self-signed SSL certificate valid for 10 years.
Strengthening the server security
This section provides you with instructions to strengthen your server security. To achieve this we need to generate stronger DHE parameters.
openssl dhparam -out dhparam.pem 2048