Mutual TLS Certificates

程序员文章站 2022-07-12 21:59:05
#!/bin/bash
COUNTRY=CN
PROVINCE=jiangsu
CITY=Suzhou
ORGANIZATION=Test
GROUP=Devops
HOST=test.com
SUBJ="/C=$COUNTRY/ST=$PROVINCE/L=$CITY/O=$ORGANIZATION/OU=$GROUP/CN=$HOST"

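#============================================#
#        Issue the root certificate          #
#============================================#
# -nodes leaves my_root_ca.key unencrypted on disk, so restrict access to that file.
# faketime (libfaketime) backdates the clock for openssl, so notBefore becomes
# 1970-01-01 and the 365000-day validity period is counted from that date.
openssl genrsa -out my_root_ca.key 2048
faketime '1970-01-01 00:00:00' /bin/bash -c "openssl req -x509 -new -nodes -key my_root_ca.key -sha256 -days 365000 -out my_root_ca.pem -subj '$SUBJ'"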

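#============================================#
#  Sign the server certificate with the root #
#============================================#
# The heredoc below is unquoted, so $HOST is expanded when openssl.cnf is written.
# The [alt_names] list includes DNS.3 = *.com, a wildcard over the whole .com TLD:
# any client that accepts it treats this certificate as valid for every .com name.
# List only the names the server actually answers to.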
openssl genrsa -out emqx.key 2048
cat <<EOF >openssl.cnf
[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = jinagsu
localityName = suz
organizationName = devops
commonName = dreame.com
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = dreame.com
DNS.2 = $HOST
DNS.3 = *.com

EOF
openssl req -new -key ./emqx.key -config openssl.cnf -out emqx.csr
faketime '1970-01-01 00:00:00' /bin/bash -c 'openssl x509 -req -in ./emqx.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out emqx.pem -days 365000 -sha256 -extensions v3_req -extfile openssl.cnf'

#============================================#
#  Sign the client certificate with the root #
#============================================#

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=EMQX/CN=client"
faketime '1970-01-01 00:00:00' /bin/bash -c 'openssl x509 -req -days 365000 -in client.csr -CA my_root_ca.pem -CAkey my_root_ca.key -CAcreateserial -out client.pem'
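
Once the script has run, the issued files can be checked before they are deployed. The following is an added example, not part of the original script: it assumes the openssl CLI, and the function names (check_leaf, pubkey_of_cert, pubkey_of_key) are hypothetical. It confirms that a certificate chains to the root, covers the expected host name, and matches its private key.

```bash
#!/bin/bash
# Added example (not from the original page): verify an issued certificate.
# Assumes the openssl CLI; the function names are hypothetical.

# Print the public key embedded in a certificate (PEM, SubjectPublicKeyInfo).
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# Print the public half of a private key in the same PEM form.
pubkey_of_key() { openssl pkey -in "$1" -pubout; }

# check_leaf CA CERT KEY [HOSTNAME]
# Returns 0 only if CERT chains to CA, KEY matches CERT and, when HOSTNAME is
# given, the certificate's names cover HOSTNAME. Returns 1, 2 or 3 otherwise.
check_leaf() {
    cl_ca=$1; cl_cert=$2; cl_key=$3; cl_host=${4:-}

    if ! openssl verify -CAfile "$cl_ca" "$cl_cert" >/dev/null 2>&1; then
        echo "FAIL: $cl_cert does not chain to $cl_ca"; return 1
    fi
    if [ -n "$cl_host" ] && ! openssl verify -CAfile "$cl_ca" \
            -verify_hostname "$cl_host" "$cl_cert" >/dev/null 2>&1; then
        echo "FAIL: $cl_cert is not valid for host $cl_host"; return 2
    fi
    if [ "$(pubkey_of_cert "$cl_cert")" != "$(pubkey_of_key "$cl_key" 2>/dev/null)" ]; then
        echo "FAIL: $cl_key is not the private key for $cl_cert"; return 3
    fi
    echo "OK: $cl_cert"
}

# Run against the files the script above writes, when they are present.
if [ -f my_root_ca.pem ]; then
    check_leaf my_root_ca.pem emqx.pem emqx.key test.com
    check_leaf my_root_ca.pem client.pem client.key
fi
```

The host name passed for emqx.pem is the HOST value from the script; the client certificate carries no SAN, so it is checked for chain and key only.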