Notes:
1) Other basics about CAs and the encryption of communications are covered in another article in this knowledge base and are not repeated here; this page only walks through creating a self-signed CA and signing one certificate for multiple domain names.
2) Everything below uses CentOS 7 as the example environment. CentOS 7 installs the openssl package by default; if the openssl tools are missing, install them with yum install -y openssl openssl-devel.
3) Before building a private CA, a brief look at the openssl configuration file is needed. The default configuration file is /etc/pki/tls/openssl.cnf; it defines the CA's working directory and the locations of the required files and other artefacts. The CA-related part of the file is excerpted below:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
Key fields:
dir = /etc/pki/CA #the CA's working directory
certs = $dir/certs #directory for certificates issued by the CA; in practice they can be kept anywhere
crl_dir = $dir/crl #directory for certificate revocation files
database = $dir/index.txt #index file recording every certificate the CA has issued
new_certs_dir = $dir/newcerts #default location for newly issued certificates
certificate = $dir/cacert.pem #the CA's own certificate
serial = $dir/serial #serial number of the next certificate, normally starting at 01
crlnumber = $dir/crlnumber #serial number of the next CRL
crl = $dir/crl.pem #the current certificate revocation list
private_key = $dir/private/cakey.pem #location of the CA's private key
4) Therefore, save the CA private key and the CA's self-signed certificate under these directories when you generate them; otherwise every later step that signs certificates or otherwise needs the CA certificate and key must pass options pointing to them:
-cert the CA's self-signed certificate
-keyfile the CA's private key
5) If you do not want to use the default /etc/pki/tls/openssl.cnf when signing, pass the -config option with a custom configuration file:
-config path to the openssl configuration file
1 Creating a private CA
1) Create the required files and directories on the CA server (skip any that already exist). The private directory, where the CA key is written in step 2, must exist too and should be restricted to mode 700.
[root@localhost ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# echo 01 >/etc/pki/CA/serial
2) Generate the CA private key
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
............................................++
....++
e is 65537 (0x10001)
3) Create the CA's self-signed certificate
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:XSC
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.xsc.org
Email Address []:505597666@qq.com
-new: generate a new certificate signing request
-x509: output a self-signed certificate instead of a request; used only when creating a private CA
-key: path of the private key used for the request (the public key is extracted from it)
-out: path of the generated request file; with -x509 this is directly the signed certificate
-days: validity period of the certificate in days; it only takes effect together with -x509, since a plain CSR carries no validity period (the issuing CA sets that when it signs)
4) Inspect the CA's self-signed certificate
[root@localhost ~]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
2 Signing certificates
The following walks through signing one certificate for several domain names at once; openssl.cnf has to be modified for this.
1) Modify the configuration file
#Uncomment the following line in the [req] section
req_extensions = v3_req # The extensions to add to a certificate request
#Add the following to the v3_req section; each DNS.N entry names one domain, so listing several of them is all that is needed to cover multiple domains with one certificate
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=*.xsc.org
DNS.2=*.cce.xsc.org
DNS.3=*.evn.com
DNS.4=*.cce.evn.com
2) Generate the private key
The key is generated in root's home directory here; adjust the location to your environment.
[root@localhost ~]# (umask 077; openssl genrsa -out ./webdemo.key 2048)
Generating RSA private key, 2048 bit long modulus
............+++
................+++
e is 65537 (0x10001)
3) Generate the certificate signing request
While entering the fields, keep Country Name, State or Province Name, Locality Name and Organization Name identical to the CA's values, otherwise signing will fail: the default policy in openssl.cnf ([ policy_match ]) requires countryName, stateOrProvinceName and organizationName to match the CA certificate, and fields the policy does not list (such as localityName) are dropped from the issued certificate, which is why Locality is absent from the signed subject shown in step 6. Also, as shown below, make the Common Name one of the names listed in the [alt_names] section of openssl.cnf; modern clients match hostnames against the Subject Alternative Name extension rather than the Common Name, so the SAN list is what actually matters.
[root@localhost ~]# openssl req -new -key webdemo.key -out ./webdemo.csr -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:XSC
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:*.xsc.org
Email Address []:5055999@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4) Inspect the contents of the certificate request
[root@localhost ~]# openssl req -in webdemo.csr -noout -text
5) Deliver the certificate request to the CA over a trustworthy channel; here that means copying it to the private CA server
6) The CA signs the certificate
[root@localhost ~]# openssl ca -in webdemo.csr -out webdemo.crt -days 36500 -extensions v3_req -config /etc/pki/tls/openssl.cnf
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 10 07:34:51 2021 GMT
Not After : Oct 17 07:34:51 2121 GMT
Subject:
countryName = CN
stateOrProvinceName = SC
organizationName = XSC
organizationalUnitName = ops
commonName = *.xsc.org
emailAddress = 5055999@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:*.xsc.org, DNS:*.cce.xsc.org, DNS:*.evn.com, DNS:*.cce.evn.com
Certificate is to be certified until Oct 17 07:34:51 2121 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7) Verify that the certificate is valid
[root@localhost ~]# openssl verify -CAfile /etc/pki/CA/cacert.pem webdemo.crt
webdemo.crt: OK
8) Inspect the signed certificate
[root@localhost ~]# openssl x509 -in webdemo.crt -noout -text
-serial shows the certificate's serial number
-subject shows the certificate's subject summary
If the following appears, the multi-domain certificate was signed successfully:
X509v3 Subject Alternative Name:
DNS:*.xsc.org, DNS:*.cce.xsc.org, DNS:*.evn.com, DNS:*.cce.evn.com
With the CA-signed certificate in hand you can configure HTTPS for web services such as httpd or nginx.
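The whole procedure above (sections 1 and 2) condensed into a non-interactive script, as an added example that is not part of the original post: it builds a throwaway CA in the directory passed as $1, using a minimal openssl.cnf that mirrors the [CA_default], [policy_match], [req] and [v3_req] sections discussed above, signs a SAN certificate with openssl ca, then runs the verification from step 7 plus a hostname check. All paths, the shorter validity periods and the 2048-bit CA key are assumptions, and a working openssl binary is expected.

```shell
# Added example (not from the original post): throwaway private CA that signs a
# multi-domain (SAN) certificate non-interactively; $1 and all paths are assumptions.
demo_private_ca() {
  dir=$1; cfg=$dir/openssl.cnf
  mkdir -p "$dir/newcerts" && mkdir -p -m 700 "$dir/private" && touch "$dir/index.txt" && echo 01 > "$dir/serial"
  cat > "$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.xsc.org
DNS.2 = *.cce.xsc.org
EOF
  # CA key and self-signed CA cert; C/ST/O must equal the CSR's because of policy_match
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650 \
    -extensions v3_ca -subj "/C=CN/ST=SC/O=XSC/CN=ca.xsc.org" -config "$cfg"
  # Server key and CSR; the CA applies the v3_req (SAN) extensions when it signs
  openssl genrsa -out "$dir/webdemo.key" 2048 2>/dev/null
  openssl req -new -key "$dir/webdemo.key" -out "$dir/webdemo.csr" \
    -subj "/C=CN/ST=SC/O=XSC/CN=*.xsc.org" -config "$cfg"
  openssl ca -batch -notext -in "$dir/webdemo.csr" -out "$dir/webdemo.crt" \
    -days 825 -extensions v3_req -config "$cfg" 2>/dev/null
}
# Step 7 of the post: prints "<path>: OK" when the chain validates against the CA
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$1/webdemo.crt"; }
# Hostname check against the SAN list, as a TLS client would do it (exit status only)
check_hostname() { openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/webdemo.crt" >/dev/null 2>&1; }
```

Call demo_private_ca with a fresh directory, then verify_chain and check_hostname on the same directory; the wildcard *.xsc.org satisfies www.xsc.org but neither xsc.org nor a.b.xsc.org, which is exactly what a client matching against the SAN list enforces.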