The following is the procedure for generating a self-signed certificate:
1. Generate the private key
openssl genrsa -out trustauth.cn.key 2048
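2. Generate the certificate signing request (CSR). The command prompts for a series of fields; once they are entered, the .csr file is generated.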
openssl req -new -key trustauth.cn.key -out trustauth.cn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:trustauth.cn
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.trustauth.cn
Email Address []:root@trustauth.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:trustauth
3. Generate the certificate (.crt)
openssl x509 -req -days 365 -in trustauth.cn.csr -signkey trustauth.cn.key -out trustauth.cn.crt
4. Copy the files to the appropriate directories
cp trustauth.cn.crt /etc/pki/tls/certs
cp trustauth.cn.key /etc/pki/tls/private/
cp trustauth.cn.csr /etc/pki/tls/private/
5. Edit the configuration file
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/trustauth.cn.crt
SSLCertificateKeyFile /etc/pki/tls/private/trustauth.cn.key
6. Restart Apache
service httpd restart
7. Now access the site over HTTPS again; the certificate details will show the same name as both subject and issuer:
Issued to: www.trustauth.cn
Issued by: www.trustauth.cn
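The checks below are an added example, not part of the original procedure: they repeat steps 1 to 3 non-interactively in a temporary directory and confirm what the resulting certificate does and does not contain. The hostname www.example.test, the server.* file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate produced by steps 1-3.
# Hostname and server.* file names are constructed placeholders.

make_selfsigned() {            # $1 = output dir, $2 = hostname
  ( umask 077                  # key file readable by its owner only
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# The public key inside the certificate must be the one derived from the
# private key, otherwise the web server cannot use the pair together.
key_matches_cert() {           # $1 = crt, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Issuer name equals subject name: the "Issued to" / "Issued by" match
# that a browser shows for a self-signed certificate.
issuer_equals_subject() {      # $1 = crt
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Current browsers match hostnames against subjectAltName, not the CN.
# A CSR built only from the DN prompts carries no SAN, so this returns false.
has_san() {                    # $1 = crt
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# True if the certificate is still valid $2 days from now.
valid_for_days() {             # $1 = crt, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

d=$(mktemp -d)
make_selfsigned "$d" www.example.test
for check in key_matches_cert issuer_equals_subject has_san; do
  if "$check" "$d/server.crt" "$d/server.key"; then r=yes; else r=no; fi
  echo "$check: $r"
done
if valid_for_days "$d/server.crt" 30; then echo "valid for 30+ days: yes"; fi
rm -rf "$d"
```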
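Self-signed HTTPS certificates can be issued by anyone at will, with no third-party oversight or vetting, and browsers do not trust them; they are often used to forge certificates for man-in-the-middle attacks that hijack SSL-encrypted traffic. Many software vendors adopt self-signed SSL certificates to save costs, which in fact plants a security risk in their own products that criminals may exploit at any time. If cost is the concern, consider applying to GDCA for a free HTTPS certificate instead.
Free DV certificate application URL: https://www.trustauth.cn/free-ssl
GDCA specializes in network information security, has passed the international WebTrust certification, and has international electronic certification service capability as a globally trusted certificate authority. The certificates GDCA issues include SSL certificates, code signing certificates and PDF certificates, along with SSL hardware products. For more certificate information, see https://www.trustauth.cn.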