本部分内容中CA(Certificate Authority)均代表数字证书认证机构。
如果已经有搭建的CA,请跳过此步骤。
CA服务器为TLS安全性保证的关键节点,请客户自行构建CA服务器,本流程仅供测试使用,安全性不保证。
- 选择一台服务器做为CA,创建如下目录及文件。
mkdir -p /opt/gcache/secure/CACerts mkdir -p /opt/gcache/secure/CACerts/certs mkdir -p /opt/gcache/secure/CACerts/crl mkdir -p /opt/gcache/secure/CACerts/csr mkdir -p /opt/gcache/secure/CACerts/newcerts mkdir -p /opt/gcache/secure/CACerts/private mkdir -p /opt/gcache/secure/CACerts/public touch /opt/gcache/secure/CACerts/index.txt echo 01 > /opt/gcache/secure/CACerts/serial
- 拷贝位于系统目录的openssl.conf并修改。
cp /etc/pki/tls/openssl.cnf /opt/gcache/secure/CACerts/openssl.cnf chmod 600 /opt/gcache/secure/CACerts/openssl.cnf vi /opt/gcache/secure/CACerts/openssl.cnf
修改如下内容(有则修改,无则添加)。[ CA_default ] dir = /opt/gcache/secure/CACerts certs = $dir/certs crl_dir = $dir/crl unique_subject = no certificate = $certs/ca.crt crl = $crl_dir/crl.pem private_key = $dir/private/ca.self default_md = default [ req ] default_md = sm3 [ v3_req ] keyUsage = nonRepudiation, digitalSignature [ v3enc_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = keyAgreement, keyEncipherment, dataEncipherment [ v3_ca ] keyUsage = cRLSign, keyCertSign
- CA节点生成公私钥,生成公私钥时请输入CA密码,保证密码复杂度。因为后续执行证书签发需要此密码,请妥善保存。
cd /opt/gcache/secure/CACerts openssl genrsa -aes256 -out private/ca.self 4096
openssl rsa -in private/ca.self -pubout -out public/ca.common
- CA节点为自己签发证书。
openssl req -new -x509 -key private/ca.self -days 3650 -out certs/ca.crt -subj "/C=CN/ST=HZ/L=Binjiang/O=Huawei/CN=GCACHED"
