@bindiego
Last active February 4, 2019 01:15
Generate a CA Certificate

Create Root CA - Do it once

Create the root key

This is the key used to sign certificate requests; anyone who has it can sign certificates on your behalf. So keep it extremely safe!

openssl genrsa -des3 -out rootCA.key 4096

or without a password protection

openssl genrsa -out rootCA.key 4096

Create and self sign the root certificate

Now we use the root key we just created to create a root certificate, which will be distributed to all the computers that have to trust us.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1095 -out rootCA.crt -config certificate.conf

Create a certificate - Do it for each server

We need to do this for each server that needs a certificate trusted by our CA.

Create the certificate key

openssl genrsa -out bindiegoserver.com.key 2048

Create the certificate signing request

The request is where we specify the details for the certificate we want to generate. This request should be processed by the owner of the Root key to generate the certificate.

Important: you must specify the Common Name, i.e. the IP address or domain name of the service; otherwise the certificate cannot be verified.

openssl req -new -sha256 -key bindiegoserver.com.key -subj "/C=US/ST=CA/O=Elastic, Inc./CN=bindiegoserver.com" -out bindiegoserver.com.csr

Or, if you want to pass additional configuration, use the -config parameter. Here, for instance, it is used to add subject alternative names to the request.

openssl req -new -sha256 \
  -key bindiegoserver.com.key \
  -subj "/C=US/ST=CA/O=Elastic, Inc./CN=bindiegoserver.com" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf \
      <(printf "\n[SAN]\nsubjectAltName=DNS:bindiegoserver.com,DNS:www.bindiegoserver.com")) \
  -out bindiegoserver.com.csr

Verify the CSR's content

openssl req -in bindiegoserver.com.csr -noout -text

Generate the certificate using the bindiegoserver CSR and key, signed with the CA root key

openssl x509 -req -in bindiegoserver.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out bindiegoserver.com.crt -days 365 -sha256

Verify the certificate's content

openssl x509 -in bindiegoserver.com.crt -text -noout
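The whole procedure above, from root key to verified server certificate, as one runnable script. This is an added example, not the gist author's own script; the names example.test, "Example Test" and the file names server.key, server.csr, server.crt and server-nosan.crt are constructed placeholders. It goes one step beyond the commands above in two ways a practitioner would want: the root certificate is explicitly marked basicConstraints CA:TRUE through an x509_extensions section, and the CSR is signed twice, once bare as in the gist and once with -extfile, because `openssl x509 -req` does not copy extensions (including the subjectAltName added via -reqexts) from the CSR into the certificate unless the CA supplies them itself. The checks at the end confirm the chain verifies and that only the -extfile leaf carries the SAN.

```shell
#!/bin/sh
# Added example, not the gist author's script: the CA -> CSR -> signed leaf
# workflow described above as one function, plus the checks worth running.
# example.test and the "Example Test" organisation are constructed placeholders.

set -eu

# Builds a root CA and a SAN-bearing server certificate under directory $1.
# Signs the CSR twice: bare, as in the gist (CSR extensions are dropped), and
# with -extfile so the SAN survives. Returns non-zero if any check fails.
build_ca_and_leaf() (
    set -e
    work=$1
    mkdir -p "$work"
    cd "$work"

    # Root key. Unencrypted so the run is non-interactive; in real use protect
    # it with a passphrase (the -des3 variant above, or -aes256).
    openssl genrsa -out rootCA.key 4096 >/dev/null 2>&1

    # Root certificate. x509_extensions marks it explicitly as a CA.
    cat > ca.conf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = US
O = Example Test
CN = Example Test Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1095 \
        -out rootCA.crt -config ca.conf >/dev/null 2>&1

    # Server key and a CSR carrying subjectAltName via req_extensions.
    openssl genrsa -out server.key 2048 >/dev/null 2>&1
    cat > server.conf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
C = US
O = Example Test
CN = example.test
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.test
DNS.2 = www.example.test
EOF
    openssl req -new -sha256 -key server.key -config server.conf -out server.csr

    # Bare signing, exactly as in the gist: the CSR's SAN is not copied.
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -out server-nosan.crt -days 365 -sha256 >/dev/null 2>&1

    # Signing with -extfile: the CA, not the requester, decides the
    # extensions, and the SAN is written into the leaf.
    cat > leaf_ext.conf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test,DNS:www.example.test
EOF
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -out server.crt -days 365 -sha256 \
        -extfile leaf_ext.conf >/dev/null 2>&1

    # Checks: the chain verifies, and only the -extfile leaf carries the SAN.
    openssl verify -CAfile rootCA.crt server.crt >/dev/null
    if openssl x509 -in server-nosan.crt -noout -text | grep -q 'DNS:www.example.test'; then
        echo "unexpected: bare signing kept the SAN" >&2
        exit 1
    fi
    openssl x509 -in server.crt -noout -text | grep -q 'DNS:www.example.test'
    echo "ok: $work/server.crt verified against $work/rootCA.crt"
)

# Stand-alone usage: sh thisfile.sh run [directory]
if [ "${1:-}" = "run" ]; then
    build_ca_and_leaf "${2:-$(mktemp -d)}"
fi
```

Run it as `sh thisfile.sh run /tmp/pki` and inspect `/tmp/pki/server-nosan.crt` with `openssl x509 -text -noout` to see the missing SAN for yourself; modern browsers and most TLS clients ignore the Common Name and match the host name against the SAN only, so a certificate issued with the bare command will be rejected for the very name it was requested for.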

This is only a brief summary of the whole process; for details please refer to the English documentation.

Build the Root CA - Do it once (once is enough, and I'll take you to the ends of the earth)

First, build a root key

This is the legendary root key; it will be used for all kinds of signing, so be sure to keep it secure. Otherwise other people or organizations could use it to impersonate you or your organization and run amok. Here we build one without password protection; if you want a password, add the -des3 parameter.

openssl genrsa -out rootCA.key 4096

Then sign this certificate with the key just generated; let's say a validity of 3 years.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1095 -out rootCA.crt -config certificate.conf

Build the certificate - Do it for every server

First, generate a key for your server

openssl genrsa -out bindiegoserver.com.key 2048

Build a certificate signing request, i.e. the csr file (I'd be grateful if an expert could tell me its proper Chinese name).

Note that you must specify a Common Name here; an IP address or a domain name both work. Otherwise this certificate cannot be verified.

openssl req -new -sha256 -key bindiegoserver.com.key -subj "/C=US/ST=CA/O=Elastic, Inc./CN=bindiegoserver.com" -out bindiegoserver.com.csr

OK, the last step, and we're done: valid for 1 year. Next year you'll have to pay to get it renewed, and the price might go up.

openssl x509 -req -in bindiegoserver.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out bindiegoserver.com.crt -days 365 -sha256

Config file referenced above as certificate.conf:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = AU
ST = Victoria
L = Melbourne
O = Elastic
OU = Elastic Inc
emailAddress = bin.wu@elastic.co
CN = bindiego.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = bindiego.com